🇨🇳 CN1 malware familyExploits CVEs in the wild

Sheathminer

Also known assheathminer

Sheathminer is a China-linked espionage threat actor identified by Microsoft as also being Violet Typhoon and APT31. Microsoft reported Sheathminer as one of three distinct China-linked actors exploiting the Microsoft SharePoint ToolShell zero-day vulnerability CVE-2025-53770 in July 2025, alongside Budworm (Linen Typhoon, APT27) and Storm-2603. The reporting specifically characterizes Sheathminer/Violet Typhoon as a Chinese espionage group. The provided content does not attribute the broader post-exploitation toolset or victim set exclusively to Sheathminer, but places the actor among the Chinese groups exploiting ToolShell against targets including government and telecommunications organizations. Known aliases directly supported by the content are Violet Typhoon and APT31.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics2 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1190

Exploit Public-Facing Application

TA0007

Discovery

1 technique

T1083

File and Directory Discovery

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Warlock"Storm-2603 was using the exploit to deploy Warlock and another ransomware payload, LockBit."1Mar 18, 2026

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2025-53770ToolShell unauthenticated RCE in Microsoft SharePoint ServerIn the wildEvidence1

China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025... ToolShell affects on-premise SharePoint servers and gives an attacker unauthenticated access to vulnerable servers, allowing them to remotely execute code and access all content and file systems.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

symantec blogNews

Oct 22, 2025

Warlock Ransomware: Old Actor, New Tricks?

China-linked actor reported by Microsoft as exploiting the ToolShell SharePoint zero-day (CVE-2025-53770).

symantec blogNews

Oct 22, 2025

ToolShell Used to Compromise Telecoms Company in Middle East | SECURITY.COM

Chinese espionage group explicitly identified by Microsoft as exploiting the ToolShell vulnerability.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.