Symantec Ties China Spy Tools to Global Hacking Campaigns
Symantec researchers have uncovered significant overlaps among Chinese state-linked cyberespionage groups, revealing shared tools and infrastructure across multiple operations. The report, titled “Symantec Ties China Spy Tools to Global Hacking Campaigns,” highlights how threat actors deployed Zingdoor backdoors, ShadowPad malware, and the KrustyLoader trojan in coordinated attacks targeting global networks.
The analysis shows these malware variants operating within a broader espionage framework, suggesting collaboration or code reuse among Chinese advanced persistent threat (APT) clusters. Symantec also identified the exploitation of five vulnerabilities, including CVE-2025-22167, CVE-2025-11371, CVE-2025-54253, CVE-2025-27915, and CVE-2021-36942, as part of the campaigns.
Symantec ties the China-linked spy tools to a complex and evolving threat landscape, where overlapping infrastructure and attack methods blur the lines between distinct APT groups. The company warns that this confluence of tactics increases the difficulty of attribution and defense.
Read the full investigation here:
Symantec Exposes Chinese APT Overlap: Zingdoor, ShadowPad, and KrustyLoader Used in Global Espionage
