China-based threat actors exploited the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East and various government agencies in Africa and South America shortly after the vulnerability was patched. The attackers used multiple tools, including the Zingdoor backdoor and the KrustyLoader malware, indicating a coordinated effort to access sensitive networks for espionage purposes. Evidence suggests that a broader range of Chinese groups was involved in these attacks, which has significant implications for global cybersecurity.