Inside the Open Directory of the “You Dun” Threat Group

Oct. 28, 2024, 1:25 p.m.

Description

An open directory exposed a Chinese-speaking threat actor's toolkit and operational history. The actor conducted extensive scanning and exploitation against organizations in South Korea, China, Thailand, Taiwan, and Iran using tools such as WebLogicScan, Vulmap, and Xray. The directory also contained the Viper C2 framework and a Cobalt Strike kit with the TaoWu and Ladon extensions. The actor further used the leaked LockBit 3 builder to create a custom ransomware payload whose ransom note references a Telegram group. The group claims to offer 'penetration testing' services but engages in illicit activities including data sales, DDoS attacks, and ransomware operations.

Date

  • Created: Oct. 28, 2024, 12:51 p.m.
  • Published: Oct. 28, 2024, 12:51 p.m.
  • Modified: Oct. 28, 2024, 1:25 p.m.

Indicators

  • https://t.me/juxingchuhai
  • https://t.me/You_Dun888
  • https://t.me/You_Dun

Attack Patterns

  • LockBit
  • You Dun

Additional Information

  • Healthcare
  • Logistics
  • Education
  • Government
  • Iran, Islamic Republic of
  • Taiwan
  • China
  • Thailand