Weaver Ant Attack Detection: China-Linked Group Targets a Telecom Provider in Asia Using Multiple Web Shells, Including China Chopper 

APT groups from China were ranked among the top global cyber threats alongside North Korea, Russia, and Iran, demonstrating heightened offensive capabilities and posing significant challenges to defenders. Following the recent revelation of Operation AkaiRyū by MirrorFace (aka Earth Kasha), China-nexus attackers are striking again. This time, security researchers report on a long-running offensive operation by the Weaver Ant group, which spent years inside the network of a telecommunications services provider for cyber-espionage purposes.

Detect Weaver Ant Attacks

Amid rising geopolitical tensions, nation-backed threat actors have intensified their malicious activities, employing advanced techniques to reach their strategic objectives. Cyber espionage has become a primary focus, with operations growing increasingly targeted and covert. A recent example is the Weaver Ant APT operation, which utilized sophisticated web shell tactics to infiltrate a major telecommunications provider in Asia. This incident highlights the escalating complexity and precision of cyber threats in today’s geopolitical landscape.

To stay ahead of emerging threats and on top of potential Weaver Ant attacks, the SOC Prime Platform offers a set of relevant Sigma rules addressing the threat actor's TTPs. Hit the Explore Detections button to drill down to the dedicated rule set.


The rules are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to MITRE ATT&CK® to streamline threat investigation. Detections are also enriched with extensive metadata, including CTI links, attack timelines, triage recommendations, and more.

Security professionals seeking more detection content addressing TTPs used by nation-backed actors can browse the Threat Detection Marketplace using the "APT" tag to dive into a broader collection of detection algorithms and real-time threat intel, backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection.

Weaver Ant Attack Analysis

The China-linked hacking group tracked by Sygnia as Weaver Ant has been observed employing advanced web shell tactics to target a major telecom provider in Asia. The attackers displayed remarkable persistence against several eradication efforts, remaining in the network for over four years. They used an unprovisioned ORB (operational relay box) network to proxy traffic and hide their infrastructure, built primarily from compromised Zyxel CPE routers belonging to Southeast Asian telecom providers, which allowed them to pivot between telecoms.

Weaver Ant deployed multiple payloads, including basic web shells that served as channels for more advanced ones, such as a recursive tunneling tool that used HTTP tunneling to reach internal resources. The latter let the operators move smoothly across different web environments and stay operationally adaptable. Web shells were also used for lateral movement. For defense evasion, the group exfiltrated data stealthily, for example by passively capturing network traffic via port mirroring. Rather than relying on standalone web shells, Weaver Ant used a technique called "web shell tunneling," which routes traffic between servers across different network segments, creating a hidden C2 network in which each shell acts as a proxy, passing encrypted payloads deeper into the network. Additionally, Weaver Ant deployed trojanized DLLs to infect systems.

Researchers investigating the breach discovered several variants of the China Chopper backdoor, along with a new, custom web shell called “INMemory” that runs payloads directly in the host’s memory. Adversaries gained access to the network by deploying an AES-encrypted China Chopper web shell iteration, enabling remote control of servers and bypassing firewall protections.

China Chopper provides advanced offensive capabilities such as file management, command execution, and data exfiltration. Its compact size and stealthy nature make it well suited to maintaining persistent access, enabling further exploitation, and avoiding detection by conventional security systems. Its versatility and ease of use have made it a popular tool for carrying out a variety of malicious activities on compromised systems. The second web shell, "INMemory," decodes a hardcoded GZipped Base64 string into a Portable Executable (PE) named 'eval.dll' and runs it entirely in memory to avoid detection.
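As an added illustration of the INMemory pattern described above (example code written for this post, not Sygnia's tooling and not the web shell itself), the following Python script performs a defender's triage of a suspected web shell page: it locates long Base64 literals in the page source, reverses the Base64-then-gzip wrapping, and checks whether the result carries a PE image by validating the "MZ" DOS signature and the "PE\0\0" header at e_lfanew. The sample page source and the embedded blob are constructed; the blob is a PE-shaped stub rather than a real executable, and nothing from eval.dll is reproduced.

```python
import base64
import binascii
import gzip
import re
import struct


# Constructed sample payload (not a real executable): a PE-shaped blob that starts
# with the DOS "MZ" signature and carries a "PE\0\0" header at e_lfanew, wrapped the
# way the text describes INMemory's payload: gzip-compressed, then Base64-encoded.
def _build_fake_pe() -> bytes:
    dos_header = bytearray(b"MZ" + b"\x00" * 58)          # 60 bytes of DOS header stub
    dos_header += struct.pack("<I", 64)                    # e_lfanew: PE header at offset 64
    nt_header = b"PE\x00\x00" + struct.pack("<H", 0x8664)  # PE signature + AMD64 machine type
    return bytes(dos_header) + nt_header + b"\x00" * 32


SAMPLE_BLOB = base64.b64encode(gzip.compress(_build_fake_pe())).decode()

# Constructed (hypothetical) ASPX source with the blob embedded as a string literal.
SAMPLE_SOURCE = (
    '<%@ Page Language="C#" %>\n'
    '<% string payload = "' + SAMPLE_BLOB + '"; %>\n'
)

# Long runs of Base64 characters are the candidates worth unpacking.
BASE64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_embedded(blob: str) -> bytes:
    """Undo the Base64-then-gzip wrapping and return the raw bytes."""
    return gzip.decompress(base64.b64decode(blob))


def pe_machine(data: bytes):
    """Return the PE machine type if data is a PE image, otherwise None."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def triage_blob(blob: str) -> dict:
    """Unpack one candidate literal and report whether it hides a PE image."""
    try:
        raw = decode_embedded(blob)
    except (binascii.Error, OSError, ValueError) as exc:
        # Not valid Base64, or not gzip: report the failure instead of aborting the scan.
        return {"decoded": False, "error": type(exc).__name__, "is_pe": False}
    machine = pe_machine(raw)
    return {"decoded": True, "size": len(raw), "is_pe": machine is not None, "machine": machine}


def scan_source(source: str) -> list:
    """Find every long Base64 literal in a page source and triage each one."""
    return [dict(literal=m.group(0)[:16] + "...", **triage_blob(m.group(0)))
            for m in BASE64_LITERAL.finditer(source)]


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

A hit with `is_pe` true on a page that should contain only markup is a strong lead; the same scan can be pointed at every .aspx under the web root, and a machine type that does not match the server's architecture is itself worth a second look.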

Moreover, Weaver Ant used SMB shares and long-standing high-privileged accounts, often authenticated via NTLM hashes, to move laterally within the network. Over four years, they harvested configuration files, logs, and credentials to map the environment and target key systems. The group focused on network intelligence and continuous access to telecom infrastructure rather than stealing user data, aligning with state-sponsored espionage.

The increasing sophistication of Weaver Ant's attacks and its use of advanced detection evasion techniques demand rapid response from defenders. To minimize the risks of Weaver Ant's highly persistent activity, defenders recommend implementing internal network traffic controls, enabling full IIS and PowerShell logging, enforcing least privilege principles, and rotating user credentials frequently. Organizations can rely on SOC Prime's complete product suite, backed by AI and fusing cutting-edge technologies, to risk-optimize their cybersecurity posture.
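As an added example (not from the original post or from Sygnia's report), here is one way to put the "enable full IIS logging" recommendation to work: a Python script that parses IIS W3C log lines and profiles each URI for the traffic shape a command-passing web shell tends to produce, namely almost exclusively POST requests, from very few client addresses, with no Referer. The log excerpt and the thresholds are constructed assumptions; tune the thresholds against your own baseline and treat hits as leads for review, not verdicts.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (hypothetical traffic, not from the incident).
# Ordinary portal browsing is mixed with one endpoint under /aspnet_client/ that
# only ever receives POSTs, from a single client, with no referrer.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2025-03-20 09:00:01 10.0.0.5 GET /default.aspx - 443 203.0.113.10 Mozilla/5.0 - 200 15
2025-03-20 09:00:02 10.0.0.5 POST /login.aspx - 443 203.0.113.10 Mozilla/5.0 https://portal.example/default.aspx 302 40
2025-03-20 09:00:03 10.0.0.5 GET /default.aspx - 443 203.0.113.22 Mozilla/5.0 - 200 12
2025-03-20 09:00:04 10.0.0.5 POST /login.aspx - 443 203.0.113.22 Mozilla/5.0 https://portal.example/default.aspx 302 38
2025-03-20 09:00:05 10.0.0.5 GET /account.aspx id=7 443 203.0.113.22 Mozilla/5.0 https://portal.example/login.aspx 200 20
2025-03-20 09:01:10 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 198.51.100.7 Mozilla/4.0 - 200 250
2025-03-20 09:01:12 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 198.51.100.7 Mozilla/4.0 - 200 900
2025-03-20 09:01:15 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 198.51.100.7 Mozilla/4.0 - 200 1300
2025-03-20 09:01:20 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 198.51.100.7 Mozilla/4.0 - 200 410
"""


def parse_w3c(text: str) -> list:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        else:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed lines
                rows.append(dict(zip(fields, values)))
    return rows


def profile_uris(rows: list) -> dict:
    """Aggregate per-URI request count, POST count, client set and missing referrers."""
    stats = defaultdict(lambda: {"total": 0, "posts": 0, "clients": set(), "no_referer": 0})
    for row in rows:
        s = stats[row["cs-uri-stem"].lower()]
        s["total"] += 1
        s["posts"] += row["cs-method"] == "POST"
        s["clients"].add(row["c-ip"])
        s["no_referer"] += row["cs(Referer)"] == "-"
    return stats


def suspicious_endpoints(rows: list, min_requests=3, max_clients=2, post_ratio=0.9) -> list:
    """Flag URIs that look like a web shell's command channel (thresholds are assumptions)."""
    flagged = []
    for uri, s in profile_uris(rows).items():
        if s["total"] < min_requests:
            continue                           # too little traffic to judge
        posts_only = s["posts"] / s["total"] >= post_ratio
        few_clients = len(s["clients"]) <= max_clients
        no_referers = s["no_referer"] == s["total"]
        if posts_only and few_clients and no_referers:
            flagged.append({"uri": uri, "requests": s["total"], "clients": sorted(s["clients"])})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_endpoints(parse_w3c(SAMPLE_LOG)):
        print(hit)
```

The same profile can be expressed as a scheduled query in the SIEM once the logs are shipped; the point of the script is to make the three signals explicit, since a legitimate form endpoint normally carries a Referer and is hit by many clients, whereas a web shell is driven by one operator tool posting commands.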
