Starting on March 2, the day Microsoft announced the patch, the Winnti Group, also widely believed to be from China, targeted East Asian oil and construction companies using PlugX RAT and infrastructure that the group used in previous attacks.
Tonto Group, another group widely attributed to China, began using the vulnerabilities on March 3, targeting an Eastern European "consulting company specialized in software development and cybersecurity" and a procurement firm, deploying ShadowPad, malware used by several Chinese groups.
Mikroceen, yet another group widely attributed to China, began using the vulnerability chain on March 4.
ESET identified an additional cluster of ShadowPad activity, starting on March 3, that does not match the other campaigns. On the same date, servers in South America were struck by a cluster of IIS-Backdoor breaches.
A group using DLTMiner, possibly hijacking web shells left behind by APT groups, appeared on March 5.