research.checkpoint.com · 2/23/2026, 3:36:38 PM

ToolShell zero day gave China linked actors RCE on SharePoint

Threat Actor

According to Microsoft Threat Intelligence, ToolShell was exploited as a zero-day by Chinese-nexus actors targeting on-premises Microsoft SharePoint, enabling unauthenticated remote code execution; early exploitation was observed against North American government organisations. The CPR 2025 overview notes that in the Americas, attackers pursued high-value targets with identity-centric intrusion methods, such as AiTM-enabled credential theft aimed at researchers in US think tanks.

Europe saw a mix of disruption, espionage and influence operations, with Russian-affiliated activity in Eastern Europe and Moldova’s parliamentary cycle drawing sustained pressure, alongside Chinese and Iranian-nexus actors. The year also featured campaigns like Camaro Dragon targeting European government agencies with PlugX payloads, and UAC-0050 phishing campaigns in Ukraine, while ZipLine shifted its focus to Europe, running country-by-country campaigns.

Across Asia Pacific and Central Asia, Chinese-nexus espionage persisted, using updated playbooks and backdoors such as PlugX and ShadowPad, with GoldenSMTP and other tools highlighting complex multi-stage intrusions. The report emphasises that novelty lay more in the combination of familiar techniques and infrastructure sharing than in entirely new tooling, underscoring the need for durable visibility across identity, cloud and endpoints.


Article by CyberSIXT