Weaver Ant, the Web Shell Whisperer: Tracking a China-Nexus Cyber Operation

March 25, 2025, 1:20 p.m.

Description

Sygnia uncovered a sophisticated China-nexus threat actor, Weaver Ant, targeting a major Asian telecom company. The group employed web shells and tunneling techniques for persistence and lateral movement, maintaining access for over four years. They utilized encrypted China Chopper and custom 'INMemory' web shells, along with a recursive HTTP tunnel tool for internal network access. Weaver Ant demonstrated advanced evasion techniques, including ETW patching, AMSI bypassing, and 'PowerShell without PowerShell' execution. The operation involved extensive reconnaissance, credential harvesting, and data exfiltration. Despite eradication attempts, the group showed remarkable persistence, adapting their tactics to regain access.

Date

  • Created: March 25, 2025, 1:10 p.m.
  • Published: March 25, 2025, 1:10 p.m.
  • Modified: March 25, 2025, 1:20 p.m.

Indicators

  • 076364dd23d46c40d00fc62baa9826a4c74900cc0f31605b15d92153b184dd7a

Attack Patterns

Additional Information

  • Telecommunications