Inside the Open Directory of the “You Dun” Threat Group
Oct. 28, 2024, 1:25 p.m.
Description
An open directory exposed a Chinese-speaking threat actor's toolkit and operational history. The actor conducted extensive scanning and exploitation against organizations in South Korea, China, Thailand, Taiwan, and Iran using tools such as WebLogicScan, Vulmap, and Xray. The directory also contained the Viper C2 framework and a Cobalt Strike kit with the TaoWu and Ladon extensions. The actor used the leaked LockBit 3 builder to create a custom ransomware payload whose ransom note references a Telegram group. The group claims to offer "penetration testing" services but engages in illicit activities, including data sales, DDoS attacks, and ransomware operations.
Date
Published: Oct. 28, 2024, 12:51 p.m.
Created: Oct. 28, 2024, 12:51 p.m.
Modified: Oct. 28, 2024, 1:25 p.m.
Indicators
https://t.me/juxingchuhai
https://t.me/You_Dun888
https://t.me/You_Dun
Attack Patterns
LockBit
You Dun
Additional Information
Healthcare
Logistics
Education
Government
Iran, Islamic Republic of
Taiwan
China
Thailand