Tag: china chopper

8 Attack Reports | 0 Vulnerabilities

Attack reports

The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors

A sophisticated cyber intrusion campaign utilizing log poisoning and a new tool called Nezha has been uncovered. The attackers exploited a vulnerable phpMyAdmin interface to deploy a web shell, followed by the installation of Nezha, an open-source server monitoring tool repurposed for malicious act…
china chopper
web shell
remote access trojan
antsword
ghost rat
log poisoning
nezha
2025-10-09
server monitoring
Published: October 9, 2025
Downloadable IOCs: 11

Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite

Phantom Taurus, a newly identified Chinese state-sponsored threat actor, has been conducting espionage operations targeting government and telecommunications organizations across Africa, the Middle East, and Asia. The group's primary focus includes ministries of foreign affairs, embassies, and mili…
espionage
plugx
government
africa
gh0st rat
telecommunications
china chopper
middle east
chinese apt
asia
iis backdoor
2025-09-30
ntospy
specter
iiservercore
assemblyexecuter
net-star
database targeting
Published: September 30, 2025
Downloadable IOCs: 4

Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat

Salt Typhoon is a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security, specializing in long-term espionage operations targeting global telecommunications infrastructure. Active since 2019, it has demonstrated advanced capabilities in exploiting network edge device…
CVE-2024-3400
china
cyber espionage
telecommunications
china chopper
advanced persistent threat
demodex
CVE-2023-20198
2025-09-25
long-term persistence
infrastructure targeting
ministry of state security
sigrouter
CVE-2023-35082
contractor ecosystem
Published: September 25, 2025
Downloadable IOCs: 0

Echoes in the Shell: Legacy Tooling Behind Ongoing SharePoint 'ToolShell' Exploitation

Chinese nation-state actors are exploiting vulnerabilities in Microsoft SharePoint on-premises infrastructure. The attacks chain together multiple recently disclosed vulnerabilities, collectively known as 'ToolShell', to perform unauthenticated code execution, extract cryptographic keys, and deploy…
valleyrat
china chopper
sharepoint
antsword
CVE-2025-53770
CVE-2025-53771
toolshell
CVE-2025-49704
CVE-2025-49706
2025-08-11
requestrepo
Published: August 11, 2025
Linked vulnerabilities : CVE-2019-0604, CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1), CVE-2025-49704, CVE-2025-49706
Downloadable IOCs: 1

Exploits Cityworks zero-day vulnerability to deliver malware

Chinese-speaking threat actors, dubbed UAT-6382, have been exploiting a remote-code-execution vulnerability (CVE-2025-0994) in Cityworks, a popular asset management system. The attacks, which began in January 2025, target local governing bodies in the United States, focusing on utilities management…
cobalt strike
exploitation
china chopper
chinese threat actors
CVE-2025-0994
vshell
web shells
2025-05-22
antsword
tetraloader
cityworks
Published: May 22, 2025
Linked vulnerabilities : CVE-2025-0944 (CVSS 6.3)
Downloadable IOCs: 18

Weaver Ant, the Web Shell Whisperer: Tracking a China-Nexus Cyber Operation

Sygnia uncovered a sophisticated China-nexus threat actor, Weaver Ant, targeting a major Asian telecom company. The group employed web shells and tunneling techniques for persistence and lateral movement, maintaining access for over four years. They utilized encrypted China Chopper and custom 'INMe…
espionage
evasion
persistence
lateral movement
china chopper
china-nexus
telecom
2025-03-25
web shells
tunneling
inmemory web shell
Published: March 25, 2025
Downloadable IOCs: 1

Tropic Trooper spies on government entities in the Middle East

Tropic Trooper, a Chinese-speaking APT group active since 2011, has expanded its operations to target government entities in the Middle East. The group deployed a new variant of the China Chopper web shell on a compromised Umbraco CMS server, along with other post-exploitation tools and backdoor im…
fscan
china chopper
2024-09-05
web shell
swor
bypassgodzilla
crowdoor
umbraco cms
neo-regeorg
Published: September 5, 2024
Downloadable IOCs: 7

Chamelgang & Friends | Cyberespionage Groups Attacking Critical Infrastructure with Ransomware

In collaboration with Recorded Future, SentinelLabs has been tracking two distinct activity clusters targeting government and critical infrastructure sectors globally between 2021 and 2023.
ransomware
cobalt strike
icedid
bitlocker
2024-06-26
china chopper
wiper
conti
chamelgang
bestcrypt
beaconloader
silver sparrow
Published: June 26, 2024
Downloadable IOCs: 8
Click here to see more Attack Reports