{
	"id": "677bf378-7135-4aa5-990e-691aa0c39101",
	"created_at": "2026-04-06T00:07:13.570525Z",
	"updated_at": "2026-04-10T03:24:29.874141Z",
	"deleted_at": null,
	"sha1_hash": "165fea23798b9134e8660c9603b3c69b8f9032ff",
	"title": "What’s Cracking at the Kerui Cracking Academy?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1599128,
	"plain_text": "What’s Cracking at the Kerui Cracking Academy?\r\nBy intrusiontruth\r\nPublished: 2023-05-11 · Archived: 2026-04-05 18:27:36 UTC\r\nA brand-new investigation – we know you love it. \r\nWe’re back once more to tell a familiar tale: how an MSS-sponsored APT group – known for its hacking\r\noperations around the world – has been caught red-handed. This time, in Wuhan.\r\nIt should come as no surprise that Wuhan was already a place of interest to us before the city reached global fame\r\nin 2020. Wuhan is home to some of China’s most impressive cyber talent. We knew there was bound to be some\r\nshady things going on in the city – all we needed was a lead. \r\nWe got to thinking. We know that not all of China’s best hackers are self-trained – what if they learn together?\r\nThis thought led us to the tip of our metaphorical iceberg: the Wuhan Kerui Cracking Academy. \r\nWuhan Kerui Cracking Academy\r\nWhen we think of a typical hacker up to no good, a certain image comes to mind. A dingy, dimly-lit bedroom\r\nhome to a young twenty-something who probably has more computers than friends. But the Wuhan Cracking\r\nAcademy turns that all on its head, with seemingly big classrooms, stuffed with bright cyber talent.\r\nEstablished in 2007, the Kerui Cracking Academy prides itself on providing its students the best information\r\nsecurity training in the industry, including the ‘most professional reverse security course’ as part of its curriculum.\r\nSo confident is the school of its teaching abilities that it tells prospective students not to worry about finding a job\r\n– in fact ‘almost 100% of students get a job within one month.’ Impressive! \r\nThe ‘Professor X’ of the Kerui Cracking Academy is none other than the international cyber superstar Qian\r\nLinsong. Aside from his role as founder of Wuhan Kerui Cracking Academy, Professor Qian Linsong acts as part-time teacher at the National Cyber Security College of Wuhan University, a tutor at the Huazhong University of\r\nScience and Technology and the Vice Chairman of Quanzhou Artificial Intelligence Society. \r\nhttps://intrusiontruth.wordpress.com/2023/05/11/article-1-whats-cracking-at-the-kerui-cracking-academy\r\nPage 1 of 6\n\nHe is perhaps best known however for his book on C++ disassembly and reverse analysis. Here’s a picture of him\r\nin his superstar coat and glasses signing a book for one of his fans:\r\nhttps://intrusiontruth.wordpress.com/2023/05/11/article-1-whats-cracking-at-the-kerui-cracking-academy\r\nPage 2 of 6\n\nAnd for those looking to understand what led Qian to set up Wuhan’s own School for the Gifted, you are in luck.\r\nThe ever so modest Qian has documented his life in a blog, complete with pictures at Disney World. \r\nhttps://intrusiontruth.wordpress.com/2023/05/11/article-1-whats-cracking-at-the-kerui-cracking-academy\r\nPage 3 of 6\n\nFollowing an increase in China-US hacking, a youthful Qian started downloading hacking software from websites\r\nto tinker with at home. In 2002, at the age of 23, Qian lands a job in the US analyzing products developed by an\r\nAmerican company. It’s not long though – only 2 years – before Qian finds himself resigning and moving back to\r\nChina, taking up a lecturer position at Tsinghua University. \r\nReading through his blog you get a sense of Qian the man. An intelligent, dedicated teacher who likes wine and\r\narchery as much as he enjoys working in cyber. But it’s not long before you begin to see Qian’s – and Kerui’s –\r\nlinks to the Chinese state…\r\nAlongside the Kerui Cracking Academy, Qian runs a side-hustle as the owner of the Kerui Reverse Technology\r\nCompany, also founded in 2007. The homepage makes clear that the company has provided ‘technical services for\r\nmany projects of the Ministry of Public Security and the Ministry of State Security’. So, it is safe to assume that\r\nQian is no stranger to working with Chinese intelligence services. \r\nhttps://intrusiontruth.wordpress.com/2023/05/11/article-1-whats-cracking-at-the-kerui-cracking-academy\r\nPage 4 of 6\n\nWe couldn’t help but wonder whether Qian’s cooperation with the MSS runs a little deeper. Is Qian supplying the\r\nMSS with freshly trained hackers? Or even up-skilling hackers the MSS have found? Just to add to our suspicions,\r\nthe Kerui Cracking Academy seems to have kept a close eye on the work destinations of its graduates – with some\r\nof them labelled as ‘Mystery Unit’ and ‘Keep Confidential’. \r\nhttps://intrusiontruth.wordpress.com/2023/05/11/article-1-whats-cracking-at-the-kerui-cracking-academy\r\nPage 5 of 6\n\nThis got team I-T thinking: this site must be a goldmine for names of people hacking for Chinese intelligence\r\nservices. We began investigating and struck gold. Kerui Cracking’s ‘Testimonials’ page. \r\nDiscover more from Intrusion Truth\r\nSubscribe to get the latest posts sent to your email.\r\nPost navigation\r\nSource: https://intrusiontruth.wordpress.com/2023/05/11/article-1-whats-cracking-at-the-kerui-cracking-academy\r\nhttps://intrusiontruth.wordpress.com/2023/05/11/article-1-whats-cracking-at-the-kerui-cracking-academy\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://intrusiontruth.wordpress.com/2023/05/11/article-1-whats-cracking-at-the-kerui-cracking-academy"
	],
	"report_names": [
		"article-1-whats-cracking-at-the-kerui-cracking-academy"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434033,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/165fea23798b9134e8660c9603b3c69b8f9032ff.pdf",
		"text": "https://archive.orkl.eu/165fea23798b9134e8660c9603b3c69b8f9032ff.txt",
		"img": "https://archive.orkl.eu/165fea23798b9134e8660c9603b3c69b8f9032ff.jpg"
	}
}