🇨🇳 CN1 malware familyExploits CVEs in the wild

Budworm

Also known asbudworm

Budworm is a China-linked espionage threat actor identified by Microsoft as one of the groups exploiting the Microsoft SharePoint ToolShell zero-day vulnerability CVE-2025-53770 in July 2025. The content explicitly maps Budworm to Linen Typhoon and APT27. Microsoft described Budworm as one of at least three Chinese actors exploiting ToolShell, alongside Sheathminer (Violet Typhoon/APT31) and Storm-2603. The provided content does not attribute the broader post-exploitation toolset or victim set specifically to Budworm beyond Microsoft’s statement that Budworm was among the Chinese espionage groups exploiting the vulnerability.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics2 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1190

Exploit Public-Facing Application

TA0007

Discovery

1 technique

T1083

File and Directory Discovery

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Warlock"Storm-2603 was using the exploit to deploy Warlock and another ransomware payload, LockBit."1Mar 18, 2026

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2025-53770ToolShell unauthenticated RCE in Microsoft SharePoint ServerIn the wildEvidence1

China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025... ToolShell affects on-premise SharePoint servers and gives an attacker unauthenticated access to vulnerable servers, allowing them to remotely execute code and access all content and file systems.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

symantec blogNews

Oct 22, 2025

Warlock Ransomware: Old Actor, New Tricks?

China-linked actor reported by Microsoft as exploiting the ToolShell SharePoint zero-day (CVE-2025-53770).

symantec blogNews

Oct 22, 2025

ToolShell Used to Compromise Telecoms Company in Middle East | SECURITY.COM

Chinese espionage group explicitly identified by Microsoft as exploiting the ToolShell vulnerability.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.