
Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years

Summary:
Sygnia investigated a prolonged cyber espionage campaign targeting a major telecommunications company in Asia. The threat actor, tracked as Weaver Ant, is assessed to have China-nexus ties based on their operational behavior, infrastructure, and targeting. The group maintained undetected access for over four years, primarily leveraging encrypted web shells and advanced stealth techniques. The investigation began when a previously disabled account was re-enabled by a service account, triggering alerts. Further analysis revealed a variant of the China Chopper web shell on an internal server, leading to a broader forensic hunt. Weaver Ant used two primary web shells: an AES-encrypted China Chopper variant and a custom memory-resident shell dubbed INMemory. The latter loaded malicious DLLs entirely in memory, validated commands using SHA256-matching headers, and executed code using JScriptEvaluate, all designed to avoid detection.

To move laterally, Weaver Ant used a recursive HTTP tunneling method. Public-facing web shells acted as proxies, forwarding commands to internal servers. This allowed the threat actor to pivot across segmented environments without deploying additional tools. Reconnaissance efforts included extensive use of SharpView modules to map out the Active Directory environment. Data was stored under ProgramData, zipped with PowerShell, and exfiltrated. Payload delivery followed a layered Matryoshka-style design—each web shell decrypting the next-stage payload until the final code was executed, complicating forensic efforts.

Sygnia’s team conducted a coordinated eradication effort after mapping the full scope of deployed web shells. Following cleanup, enhanced visibility mechanisms were implemented to detect any reentry attempts. As expected with a persistent threat group, Weaver Ant attempted to regain access shortly after, underscoring their determination and operational capability. Sygnia continues to monitor the situation closely, and a follow-up report is anticipated, focusing on newly observed upgrades to their toolset.


Security Officer Comments:
Attribution to a Chinese state-linked actor was supported by multiple indicators: targeting of telecom infrastructure aligns with Chinese strategic cyber interests, operations followed a GMT+8 work schedule and avoided weekends, and the tools used overlapped with previously documented campaigns such as DeadRinger. Notably, Weaver Ant also utilized an Operational Relay Box network comprising compromised Zyxel routers, mostly running the VMG3625-T20A firmware, that were controlled by telecom providers in Southeast Asia. This infrastructure was used to proxy traffic and obscure attribution by pivoting from one telecom to another.

Suggested Corrections:

Recommendations for Hunting Weaver Ant

  • Ensure IIS logging is enabled and ingested into the SIEM, with X-Forwarded-For (XFF) headers configured so the true client address is recorded.
    • Monitor for any disruptions or stoppages in log ingestion.
  • Monitor for creation of web pages by web server processes (e.g., ‘w3wp.exe’, ‘tomcat6.exe’).
  • Monitor for command execution originating from web server processes (e.g., ‘w3wp.exe’, ‘tomcat6.exe’).
  • Monitor for incoming HTTP requests with unusually large payloads in the request body.
  • Monitor for unexpected parameter names or values in incoming HTTP requests.
  • Enable PowerShell transcript logging to capture and analyze suspicious activity.

Recommendations for Defending Against Weaver Ant

  • Minimize Privileges: Restrict web-service accounts to the least privileges required.
  • Control Management Traffic: Use ACLs and firewall rules to limit management traffic between web servers and internal systems, especially for SMB and HTTP/S.
  • Enforce Credential Hygiene: Implement LAPS, gMSA, or a PIM solution to rotate credentials regularly.
  • Enhance Detection: Deploy EDR/XDR solutions to monitor memory for malicious activity, including obfuscated in-memory web shells.
  • Strengthen Web Security: Tune WAF and logging systems to detect obfuscated code signatures and behavioral patterns linked to China Chopper and INMemory web shells.
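One way to turn the hunting recommendations above into concrete detection logic, as an added example that is not from the Sygnia report or this page: it parses constructed IIS W3C log lines and Sysmon-style process creation events, flagging oversized request bodies, parameter names outside a per-path baseline, and interpreters spawned by a web server worker. The `cs-bytes` threshold, the `KNOWN_PARAMS` baseline and the sample events are assumptions you would replace with your own environment's data.

```python
from typing import Iterator, Optional

# Web server worker processes named in the hunting recommendations.
WEB_SERVER_PROCS = {"w3wp.exe", "tomcat6.exe"}
# Interpreters a web shell typically spawns (assumption: tune per environment).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Request-body size threshold in bytes (assumption: baseline per application).
LARGE_BODY_BYTES = 50_000
# Expected query-parameter names per path (constructed baseline for a sample app).
KNOWN_PARAMS: dict[str, set[str]] = {"/portal/login.aspx": {"user", "lang"}}

# Constructed IIS W3C log excerpt; cs-bytes must be enabled in IIS logging.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs-bytes sc-status
2025-03-20 08:12:01 10.0.0.5 GET /portal/login.aspx user=alice&lang=en 443 192.0.2.10 412 200
2025-03-20 08:12:07 10.0.0.5 POST /portal/login.aspx pp=1 443 192.0.2.44 182311 200
2025-03-20 08:12:09 10.0.0.5 POST /portal/help.aspx - 443 192.0.2.44 731 200
"""

# Constructed Sysmon-style process creation (Event ID 1) fields.
SAMPLE_PROC_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]

def parse_iis_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request, keyed by the column names in the #Fields header."""
    fields: list[str] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#"):
            yield dict(zip(fields, raw.split()))

def hunt_iis(text: str) -> list[str]:
    """Flag large request bodies and parameter names outside the per-path baseline."""
    findings = []
    for req in parse_iis_w3c(text):
        uri, query = req["cs-uri-stem"], req.get("cs-uri-query", "-")
        if int(req.get("cs-bytes", 0)) > LARGE_BODY_BYTES:
            findings.append(f"large-body {req['c-ip']} {uri} {req['cs-bytes']}B")
        if uri in KNOWN_PARAMS and query != "-":
            names = {p.split("=", 1)[0] for p in query.split("&")}
            unknown = names - KNOWN_PARAMS[uri]
            if unknown:
                findings.append(f"unexpected-params {req['c-ip']} {uri} {sorted(unknown)}")
    return findings

def flag_process_event(event: dict) -> Optional[str]:
    """Flag a command interpreter whose parent is a web server worker process."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    child = event["Image"].rsplit("\\", 1)[-1].lower()
    if parent in WEB_SERVER_PROCS and child in SUSPICIOUS_CHILDREN:
        return f"web-server-spawned-interpreter: {parent} -> {child}"
    return None
```

Both checks are deliberately simple heuristics; in practice the body-size threshold and parameter baseline should be learned from a period of known-good traffic for each application.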

Link(s):
https://thehackernews.com/2025/03/chinese-hackers-breach-asian-telecom.html