{ "id": "9b5e472c-951c-4ab2-ab9c-9e14eb5e43e6", "created_at": "2026-04-06T00:09:01.700982Z", "updated_at": "2026-04-10T13:12:42.25776Z", "deleted_at": null, "sha1_hash": "0162b1bdbf1a0fa527604ad7e55572fe441e5ca7", "title": "Anxun and Chinese APT Activity", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 574841, "plain_text": "Anxun and Chinese APT Activity\r\nBy ReliaQuest Threat Research Team 5 March 2024\r\nPublished: 2024-03-05 · Archived: 2026-04-05 17:19:08 UTC\r\nKey Points\r\nThe compromise of a key Chinese information security (InfoSec) vendor, Shanghai Anxun Information\r\nTechnology (Anxun; aka iSOON), led to a rare leak of information. The publicized documents revealed the\r\ncompany’s collaborations with the Chinese government and advanced persistent threat (APT) groups in\r\noffensive cyber operations.\r\nAnxun is engaged in Chinese hacker-for-hire activity: facilitating surveillance operations of dissidents,\r\ncooperating in espionage campaigns against foreign governments, and training cybersecurity students,\r\namong other activities.\r\nThe company is also involved with the modular backdoor malware “ShadowPad,” and the 2022 attack\r\nagainst Canadian software company Comm100; this intelligence confirms that Anxun develops or\r\npromotes tools that Chinese APT groups often use.\r\nAn Anxun insider is likely responsible for the breach, based on the nature of the information and how it\r\nwas publicized—Anxun was portrayed as a bad employer whose poor business practices jeopardize\r\nChina’s national security.\r\nCustomers operating in sectors frequently targeted by state-sponsored activity (e.g., manufacturing, public\r\nadministration) will benefit from the recommendations in this report concerning insider threats and APT\r\nactivity; steps include blocking suspicious web proxy categories and simulating phishing to increase\r\nemployee awareness.\r\nDocuments recently leaked from Anxun, a key private security contractor of the Chinese Ministry of Public\r\nSecurity (MPS), provide rare insight into Chinese state-sponsored cyber-threat activity, especially the domestic\r\nhacker-for-hire ecosystem. The documents revealed that the Chinese government uses Anxun as hackers-for-hire\r\nto facilitate cyber-threat operations against foreign governments and dissidents, as well as other entities.\r\nDefenders can use the insights and recommendations described in this report to better guard against similar APT\r\nactivity and insider threats—particularly in frequently targeted sectors: manufacturing; professional, scientific,\r\nand technical services; public administration; wholesale trade; information; and construction.\r\nAnxun Surveillance and Aid to Chinese Government\r\nOn February 16, 2024, the stolen Anxun data became available on GitHub, and was subsequently removed. The\r\ndocuments included staff information, communication among employees and with customers, details of\r\nhttps://www.reliaquest.com/blog/anxun-and-chinese-apt-activity/\r\nPage 1 of 8\n\nsurveillance tools that Anxun developed for the Chinese government, and more. They revealed dissident\r\nsurveillance, espionage against foreign governments, and the dissemination of pro-Beijing content on social\r\nmedia:\r\nAnxun developed or advertised cyber-surveillance tools for the Chinese government, to target, for\r\nexample: ethnic minority groups and pro-democracy individuals in Hong Kong and Xinjiang in west\r\nChina, overseas telecommunications firms, and online-gambling companies in China.\r\nAnxun hacked into networks in Central and South-East Asia and Taiwan; valuable data stolen from these\r\nnetworks was allegedly sold to Chinese law-enforcement authorities.\r\nThe company advertised “anti-terror” technical support to Xinjiang authorities to monitor native Uyghurs\r\nvia hacked airline, telecommunications, and government entities from Afghanistan, Malaysia, Mongolia,\r\nand Thailand.\r\nIn 2021, the public security bureau of Taizhou, China, paid Anxun RMB 2.6 million (approximately\r\n$361,000) to develop tools to track Telegram and X users.\r\nThe Hubei government paid Anxun approximately RMB 1 million ($139,000) for tools to remotely attack\r\niOS systems. The tools can extract the target’s email, phone number, and private messages; monitor them\r\nin real time; and publish tweets under their name.\r\nAnxun extensively promoted to its customers systems that it claimed could be used to generate phishing\r\nlinks. The links, Anxun claimed, would allegedly begin email extraction and activate several other\r\ncapabilities, such as password changes and setting emails extraction timeframes.\r\nTo its customers, Anxun advertised for sale remote-access trojans (RATs) that target Windows, iOS, and\r\nAndroid systems, and can harvest messages from popular Chinese messaging apps.\r\nAnxun’s customers expressed interest in data stolen from Australia, Cambodia, Congo, Guinea,\r\nKazakhstan, India, Indonesia, Kyrgyzstan, Malaysia, Mongolia, Myanmar, Nigeria, North Macedonia,\r\nRwanda, South Korea, Taiwan, Thailand, Timor Leste, the UK, and Vietnam, requesting proof of\r\nlegitimacy in the form of recent samples.\r\nAnxun targeted the Taiwanese health ministry during the COVID-19 pandemic to find out about Taiwan’s\r\ncaseload and hospital capacity.\r\nThe company charged $55,000 for an operation to hack a Vietnamese government ministry\r\nAnxun provided hardware surveillance kits (basic or mini) that resemble a power strip or Xiaomi power\r\nbank, to be installed in a target’s home/office and used to infiltrate local Wi-Fi networks. The built-in\r\nbattery can allegedly last 8 to 20 hours. No setup is required; after the user turns on the power, the device\r\ncan be remotely controlled to penetrate the network.\r\nIndication of Leak from Inside Anxun\r\nThere are several possibilities regarding who leaked the Anxun documents:\r\nhttps://www.reliaquest.com/blog/anxun-and-chinese-apt-activity/\r\nPage 2 of 8\n\nDisgruntled Anxun employee\r\nRival company\r\nForeign government\r\nAnti-Chinese Communist Party hacktivists\r\nReliaQuest regards, with medium confidence, the perpetrator as being a disgruntled employee, mainly based on\r\nthe leak contents found on GitHub. The files were organized into several sections whose headings accused Anxun\r\nof jeopardizing national security and being a bad company to work for. The documents also contained screenshots\r\nof conversations in which employees complained about low company morale, long hours, low salary, and the\r\ndifficulty of tasks.\r\nA rival hacker-for-hire company would have been unlikely to publicly leak the details of Anxun’s operations with\r\nthe Chinese government, for fear of incurring notoriously severe government punishment. And a foreign\r\ngovernment would have more likely used the exfiltrated information to determine whether there are any APT\r\ngroups present in their networks, rather than disclose it publicly and risk Beijing’s retaliation. Moreover,\r\nhacktivists typically claim responsibility for their attacks to boost their reputation and promote their cause, which\r\ndid not happen in Anxun’s case; it is unlikely that the data leak was ideologically motivated.\r\nChinese Hacking Ecosystem Links and Threats\r\nIncorporated in September 2010 in Shanghai, Anxun describes itself as a technology-based enterprise that\r\nprovides InfoSec solutions for various industries. The company has branches and subsidiaries across China and an\r\nAPT Defense and Research Laboratory in Shanghai. Its role as a hacker-for-hire company is described in the\r\nfollowing revelations found in the leaked documents.\r\nChinese Government Customers\r\nAnxun has advertised offensive and defensive APT capabilities, listing dozens of Chinese government security\r\nagencies as its customers. (Anxun’s website and its Weibo and WeChat accounts have been taken offline since the\r\nleak and remain unavailable at the time of writing.)\r\nHacker CEO\r\nAnxun’s CEO and main investor, Wu Haibo (whose alias in the leaked chats is shutd0wn), is a prominent,\r\npioneering Chinese hacker and an early member of China’s first hacktivist group, the Green Army. Wu remains\r\nactively involved in Anxun’s operations and cyber activity in China, giving talks and interviews with Chinese\r\nmedia and universities.\r\nLink to Chengdu, APT Groups\r\nEvidence points to a working relationship between Anxun and Chinese APT groups based in Chengdu, Sichuan,\r\nwhere Anxun has a branch. Chengdu is an established hub of Chinese APT activity—“RedHotel” and “APT41”\r\nhttps://www.reliaquest.com/blog/anxun-and-chinese-apt-activity/\r\nPage 3 of 8\n\nare among the state-sponsored hacking groups based there, and multiple APT groups have set up front companies\r\nin Chengdu to hide illicit cyber operations.\r\nAccording to a 2020 US Department of Justice indictment, Chengdu Silingsi Network Technology Company (aka\r\nChengdu 404) is a front company to hide APT41 cyber-threat activity, which has affected more than 100 US\r\ncompanies. In October 2023, Chengdu 404 sued Anxun in a software development partnership contract dispute.\r\nDetails of the partnership are not publicly available but, based on Anxun’s service offerings, Chengdu 404\r\nprobably engaged Anxun to develop a platform or tool to aid cyber-threat campaigns.\r\nAnxun is highly active in developing cyber-operational capabilities in Chengdu. Since 2018, the company has\r\nsponsored and/or organized the annual Anxun Cup event (most recently in December 2023): a training\r\n“bootcamp” to cultivate network security talents. The event focuses on discovering new techniques,\r\nvulnerabilities, and in-depth knowledge about an application or a coding language (see Figure 1). Similarly,\r\nChengdu 404 has displayed an interest in nurturing talent; that company maintains close relations with Sichuan\r\nUniversity, likely for recruitment.\r\nFigure 1: Anxun’s Weibo post about the Anxun Cup\r\nChengdu 404 and Anxun encourage cyber-threat capabilities through hacking competitions and training programs,\r\nare based in Chengdu, and have known ties to the Chinese government or APT groups. Although we cannot\r\nascertain whether Anxun is an APT group or a front company for an APT group, its many operational similarities\r\nto Chengdu 404 suggest either option is a realistic possibility.\r\nLink to Threat Groups via ShadowPad\r\nAnxun’s white paper on remote-control management systems, leaked on GitHub, refers to an IP address that was\r\nused as a ShadowPad command-and-control (C2) server in August 2021. ShadowPad is a modular backdoor that\r\nmultiple Chinese threat groups have used since at least 2017. The malware has been attributed to the “Winnti\r\nGroup,” a collective of several Chinese APT groups, including APT41, whose activities occasionally overlap.\r\nhttps://www.reliaquest.com/blog/anxun-and-chinese-apt-activity/\r\nPage 4 of 8\n\nFigure 2: Screenshot of leaked Anxun white paper, showing the redacted IP address used as a ShadowPad C2\r\nserver (Source: GitHub)\r\nLink to Attack via Comm100\r\nIn September 2022, threat actors used a trojanized installer of Comm100, a chat-based customer engagement\r\napplication, for a supply-chain attack campaign. A leaked transcript of a conversation between Anxun employees\r\n(see Figure 3) confirmed an IP address that is one of the campaign’s indicators of compromise (IoCs)—is an\r\nAnxun server, cementing the company’s involvement. Since August 2022, Comm100 had been unknowingly\r\nloading backdoor scripts from the threat actors’ infrastructure. In some of the attacks, advanced malware was\r\ndelivered to the employees of several online gambling platforms; the employees had administrative privileges for\r\ntheir employers’ websites, indicating a likely campaign goal of securing administrative access.\r\nhttps://www.reliaquest.com/blog/anxun-and-chinese-apt-activity/\r\nPage 5 of 8\n\nFigure 3: Screenshot of conversation between Anxun employees, with translation shown to right of original text\r\nMotive and Targets\r\nAs the leaked documents indicate, Anxun’s cyber-threat activity seems politically oriented, focusing on espionage\r\nand surveillance across Asia, followed by Europe, then the US. The company seems to dedicate many of its\r\nresources to targeting foreign governments to gain valuable information, which aligns with the general direction\r\nand goals of Chinese APT groups and of Chengdu 404.\r\nThe data leak has provided rare insight into how the Chinese government outsources parts of its cyber operations\r\nto private third-party companies, and how these companies work with one another to fulfill these demands.\r\nScreenshots of employee conversations hint at infighting among these third-party contractors despite their\r\ncollaborations, but the maturity of the Chinese hacker-for-hire industry is evident: Numerous companies like\r\nAnxun and Chengdu 404 offer a broad range of hacking services to the Chinese government and APT groups.\r\nAnxun will very likely continue to operate without major disruptions.\r\nAPT41: A Real and Active Threat\r\nThe APT41 group primarily wages financially and politically motivated attacks against the following sectors in\r\nNorth America, Europe, and Asia: public administration; professional, scientific, and technical services; and arts,\r\nentertainment, and recreation. However, APT41 attacks have spanned more than 20 countries, and also\r\ncompromised entities in the information; health care and social assistance; finance and insurance; manufacturing;\r\nand utilities sectors. The group remains active, despite the US indictment of several of its members; we most\r\nrecently reported on APT41’s activity in December and September 2023.\r\nRecommendations and Best Practices\r\nhttps://www.reliaquest.com/blog/anxun-and-chinese-apt-activity/\r\nPage 6 of 8\n\nWe offer the following resources and recommendations to mitigate the risks associated with general APT activity\r\nand insider threats.\r\nAPT Threats\r\nGreyMatter includes an intelligence content library of threat profiles and intelligence updates to keep our\r\ncustomers abreast of the latest APT activity. Topics include threat-actor tactics, techniques, and procedures; IoCs;\r\ntools; and attacks/campaign details. In addition, consider the following practices to guard against common APT\r\nactivity.\r\nRoutinely review application, security, and system event logs. Look for events outside the normal user\r\nbaseline that could indicate potentially malicious activity.\r\nLimit port proxy use within environments and only enable it for the period in which it is required.\r\nLook for abnormal account activity, such as logons outside normal working hours and impossible time-and-distance logons (e.g., a user logging on from two discrete locations at the same time, or a user who is\r\nbased in the US logging on repeatedly during typical Chinese working hours).\r\nReview standard directories for unexpected or unusual files. Monitor these temporary file storage\r\ndirectories for files typically located in standard system paths.\r\nForward log files to a hardened centralized logging server, preferably on a segmented network, to ensure\r\nlog integrity and availability; APT groups typically try to hide their tracks by clearing logs. This\r\nrecommended action will make it harder for threat actors to cover their tracks as their actions will be\r\ncaptured in multiple locations.\r\nPatch edge network devices:\r\nEnsure that all edge network devices (routers, switches, firewalls, etc.) are regularly updated with\r\nthe latest security patches. These updates often fix known vulnerabilities that could be exploited by\r\nattackers.\r\nUse network segmentation to limit the reach of potential attackers. If an edge device is compromise,\r\nsegmentation can help contain the threat.\r\nEnsure that devices are configured properly, according to industry best practices. Misconfiguration\r\ncan lead to vulnerabilities.\r\nEnforce best-practice multi-factor authentication (MFA) and conditional access policies:\r\nRequire MFA for access to all systems and data. MFA adds an additional layer of security by\r\nrequiring multiple forms of verification.\r\nRegularly review and update MFA and conditional access to adapt to new threats and\r\nchanges in the organization.\r\nhttps://www.reliaquest.com/blog/anxun-and-chinese-apt-activity/\r\nPage 7 of 8\n\nEducate users on the importance of MFA and how to use it properly to prevent accidental\r\nlockouts or misuse.\r\nImplement conditional access policies that take into account user context, device health,\r\nlocation, and risk when granting access to resources.\r\nUse strong email security solutions to prevent phishing:\r\nChoose email security solutions that offer advanced protection capabilities, such as scanning\r\nemail attachments and links in real time.\r\nDeploy robust anti-spam filters that can detect and block spam and phishing emails before\r\nthey reach end users.\r\nImplement email authentication methods, like Sender Policy Framework (SPF),\r\nDomainKeys Identified Mail (DKIM), and Domain-based Message Authentication,\r\nReporting \u0026 Conformance (DMARC), to prevent spoofing and ensure that emails are\r\nverified as coming from legitimate sources.\r\nSimulate phishing campaigns to increase employee awareness and help them recognize\r\nphishing attempts.\r\nComplement technology solutions with user education, as even the best systems can be\r\nbypassed by sophisticated social-engineering techniques.\r\nInsider Threats\r\nAlthough we cannot confirm that an insider was responsible for the leak of Anxun’s data, it is the most likely\r\noption, based on our analysis.\r\nCustomers specifically concerned about insider threats should:\r\nEmploy application controls (e.g., AppLocker) to restrict the execution of unsigned files.\r\nImplement role-based access control (RBAC) to protect sensitive data, reduce the risk of insider threats,\r\nand simplify compliance with regulations. It’s important to continuously manage and update RBAC\r\nsettings as your organization evolves and as employees move to new roles.\r\nBlocking suspicious web proxy categories, such as “Online Storage and Backup,” is a critical step in\r\npreventing data exfiltration, as these services can be used to upload and store sensitive information outside\r\nthe organization’s control.\r\nSource: https://www.reliaquest.com/blog/anxun-and-chinese-apt-activity/\r\nhttps://www.reliaquest.com/blog/anxun-and-chinese-apt-activity/\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.reliaquest.com/blog/anxun-and-chinese-apt-activity/" ], "report_names": [ "anxun-and-chinese-apt-activity" ], "threat_actors": [ { "id": "5bbced13-72f7-40dc-8c41-dcce75bf885e", "created_at": "2022-10-25T15:50:23.695735Z", "updated_at": "2026-04-10T02:00:05.335976Z", "deleted_at": null, "main_name": "Winnti Group", "aliases": [ "Winnti Group" ], "source_name": "MITRE:Winnti Group", "tools": [ "PipeMon", "Winnti for Windows", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12", "created_at": "2023-01-06T13:46:39.396409Z", "updated_at": "2026-04-10T02:00:03.312816Z", "deleted_at": null, "main_name": "Earth Lusca", "aliases": [ "CHROMIUM", "ControlX", "TAG-22", "BRONZE UNIVERSITY", "AQUATIC PANDA", "RedHotel", "Charcoal Typhoon", "Red Scylla", "Red Dev 10", "BountyGlad" ], "source_name": "MISPGALAXY:Earth Lusca", "tools": [ "RouterGod", "SprySOCKS", "ShadowPad", "POISONPLUG", "Barlaiy", "Spyder", "FunnySwitch" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "6a0effeb-3ee2-4a67-9a9f-ef5c330b1c3a", "created_at": "2023-09-07T02:02:47.827633Z", "updated_at": "2026-04-10T02:00:04.873323Z", "deleted_at": null, "main_name": "RedHotel", "aliases": [ "Operation FishMedley", "RedHotel", "TAG-22" ], "source_name": "ETDA:RedHotel", "tools": [ "Agentemis", "BIOPASS", "BIOPASS RAT", "BleDoor", "Brute Ratel", "Brute Ratel C4", "Cobalt Strike", "CobaltStrike", "FunnySwitch", "POISONPLUG.SHADOW", "RbDoor", "RibDoor", "RouterGod", "ShadowPad Winnti", "SprySOCKS", "Spyder", "Winnti", "XShellGhost", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "945a572f-ebe3-4e2f-a288-512fe751cfa8", "created_at": "2022-10-25T16:07:24.413971Z", "updated_at": "2026-04-10T02:00:04.97924Z", "deleted_at": null, "main_name": "Winnti Group", "aliases": [ "G0044", "Leopard Typhoon", "Wicked Panda", "Winnti Group" ], "source_name": "ETDA:Winnti Group", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "FunnySwitch", "RbDoor", "RibDoor", "RouterGod", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7", "created_at": "2025-08-07T02:03:24.688416Z", "updated_at": "2026-04-10T02:00:03.734754Z", "deleted_at": null, "main_name": "BRONZE UNIVERSITY", "aliases": [ "Aquatic Panda", "Aquatic Panda ", "CHROMIUM", "CHROMIUM ", "Charcoal Typhoon", "Charcoal Typhoon ", "Earth Lusca", "Earth Lusca ", "FISHMONGER ", "Red Dev 10", "Red Dev 10 ", "Red Scylla", "Red Scylla ", "RedHotel", "RedHotel ", "Tag-22", "Tag-22 " ], "source_name": "Secureworks:BRONZE UNIVERSITY", "tools": [ "Cobalt Strike", "Fishmaster", "FunnySwitch", "Spyder", "njRAT" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434141, "ts_updated_at": 1775826762, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0162b1bdbf1a0fa527604ad7e55572fe441e5ca7.pdf", "text": "https://archive.orkl.eu/0162b1bdbf1a0fa527604ad7e55572fe441e5ca7.txt", "img": "https://archive.orkl.eu/0162b1bdbf1a0fa527604ad7e55572fe441e5ca7.jpg" } }