SharePoint Zero-Day Exploit (ToolShell) - Network Infrastructure Mapping
Essential information
- Published: 02/08/2025 10:18
- Modified: 04/08/2025 09:19
- Tags: 2025-08-02 CVE-2025-49704 CVE-2025-49706 CVE-2025-53770 CVE-2025-53771 chinese threat actors cloud infrastructure mapp network mapping reconnaissance sharepoint telecommunication abuse warlock ransomware webshell zero-day
- Related entities: 1 intrusion set (APT), 16 techniques (MITRE), 1 malware, 15 others
Description
Chinese threat actors have been exploiting zero-day vulnerabilities in SharePoint servers, collectively known as ToolShell, affecting nearly 150 organizations worldwide. The attacks, attributed to groups such as Linen Typhoon and Violet Typhoon, began as early as July 17, 2025, and targeted government agencies, critical infrastructure, universities, and private enterprises. The exploitation involved chaining multiple vulnerabilities and deploying reconnaissance tools. The attackers used a diverse network infrastructure, including cloud services and VPNs across multiple countries, to obscure their origin. The campaign highlights the sophisticated tactics Chinese actors employ in abusing global telecommunication and cloud infrastructure for cyber espionage operations.