{
	"id": "d79d09ec-913a-4b47-9806-6f405ffd6139",
	"created_at": "2026-04-06T00:19:32.502592Z",
	"updated_at": "2026-04-10T13:12:49.169219Z",
	"deleted_at": null,
	"sha1_hash": "3278b0350992b3e796c231e4f30b75ed0bdd571b",
	"title": "An APT with no name",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2714108,
	"plain_text": "An APT with no name\r\nBy intrusiontruth\r\nPublished: 2021-05-06 · Archived: 2026-04-05 18:56:10 UTC\r\nWhen the 7th July indictment was released naming two Chinese hackers affiliated with the Guangdong State\r\nSecurity Department, it grabbed our interest. Hackers… in China… working with the MSS. Sounds right up our\r\nstreet. But who are Li Xiaoyu (李啸宇) and Dong Jiazhi (董家志)? How do they conduct their activity? The\r\nindictment also mentions an unnamed MSS Officer 1. Who could this be? Let’s start with the named hackers…\r\nFBI wanted poster naming indicted hackers Li Xiaoyu (李啸宇) and Dong Jiazhi (董家志)\r\nFormer classmates, Li Xiaoyu and Dong Jiazhi studied Computer Application Technologies at the University of\r\nElectronic Science and Technology of China (UESTC) in Chengdu. Mr Dong and Mr Li are not individuals we\r\nhttps://intrusiontruth.wordpress.com/2021/05/06/an-apt-with-no-name\r\nPage 1 of 9\n\nhave come across before in our investigations into Chinese APTs. However, we do love a challenge. So, we set\r\nabout getting to work and decided to start in the city where Li and Dong are based: Chengdu.\r\nOur findings reveal a number of spurious science and technology companies linked to the indicted actors. A\r\nfamiliar pattern is once again emerging…\r\nChengdu Shirun Technology Company Ltd (成都诗润科技有限公司)\r\nLet’s start with Dong Jiazhi. There is very little to go on from the indictment. However, we know Chinese APTs\r\nfollow a common blueprint: one of contract hackers and specialists, front companies and an intelligence officer.\r\nWe know Mr Li and Mr Dong are the contract hackers. So we set about digging into their connections to front\r\ncompanies based in Chengdu.\r\nIt turns out Dong has been investing in a company called Chengdu Shirun Technology Company Ltd. Specifically,\r\n30,000 RMB came from Dong, who invested in the company when it was registered. 
This roughly equates to\r\n$4,5000 or £3,500.\r\nRegistrant of Chengdu Shirun Technology Company Ltd: Dong Jiazhi\r\nA deeper look into this company reveals its location is 16 Tongsheng Rd, Qingyang District, Chengdu. It also\r\nprovides a contact number: 18828070461.\r\nInterestingly, this is not the only company that is linked to this contact number. It seems a number of other\r\ncompanies in Chengdu also share this point of contact.\r\nChengdu Hanke Technology Company Ltd. (成都撼科科技有限公司)\r\nThis company shares the same contact number as Chengdu Shirun but lists it as an email contact\r\n(18828070461@139.com). Additional contact numbers (18980738906 and 18190696626) are also provided.\r\nContact details for Chengdu Hanke Technology Company Ltd.\r\nEven more interesting is the change record for the company. Prior to 2019, Dong Jiazhi was listed as the company\r\ncontact.\r\nChange record for Chengdu Hanke listing Dong Jiazhi on line 3\r\nChengdu Hanke doesn’t have much of a presence. The website domain 51409903.1024sj.com does not exist.\r\nHowever, we did come across a LinkedIn profile for someone who claims to be the project manager and lead\r\nprogrammer – a Kevin Lynx. Further digging did not reveal anything more on this person or the company. Kevin,\r\nif you are out there – feel free to get in touch…\r\nChengdu Xinglan Technology Company Ltd. (成都兴蓝科技有限公司)\r\nIt seems 18828070461 is a theme. The number from Shirun and the 139 email from Hanke were also used to\r\nregister another Chengdu-based technology company: Chengdu Xinglan.\r\nSo who is behind this company? 
Well, as we mentioned, it shares contact details with companies linked to Dong.\r\nAnd Mr Dong is mentioned as the company’s primary point of contact.\r\nCompany registration details listing Dong Jiazhi as a contact person for Chengdu Xinglan on line 2.\r\nFurthermore, records show Li Xiaoyu as Chengdu Xinglan’s legal representative, CEO and Executive Director,\r\nholding a 99% stake in the company. It seems the pair intertwined at university, and expanded together into their\r\nbusiness ventures and criminal activity concealed by front companies based in Chengdu.\r\nChengdu Xinglan, detailing the 18828070461 contact email and Li Xiaoyu as the company’s legal\r\nrepresentative.\r\nChengdulzy\r\nLi and Dong haven’t learnt to mix things up – reusing the same phone number and email across their multiple front companies.\r\nAnd once again, this number (18828070461) was used as the registrant contact number for a domain:\r\n‘chengdulzy.com’.\r\nThe registrant of this domain? Dong Jiazhi. Unfortunately, we haven’t found out what this domain was used for,\r\nand it now appears to have been deleted.\r\nChengdu’s many Science and Technology companies\r\nWe are finding a similar pattern to previous investigations. An overlap of numbers and emails links to contract\r\nhackers (Dong and Li), and subsequently to a number of technology companies based in Chengdu. All have little\r\nto no online presence, which suggests – you guessed it – front companies.\r\nHowever, what about the individuals themselves? They have clearly been busy investing in, and creating, multiple\r\ntechnology businesses within Chengdu to act as fronts for their hacking activity. But what else have they left on\r\nthe internet for us to find?\r\nOro0lxy\r\nThe handle used by Li, and named in the indictment, provides a helpful starting point. 
A quick scan of the internet\r\nshows various accounts with this handle, most now defunct or empty, but the majority pertaining to hacking\r\nforums, such as the Chinese Software Developers Network (CSDN).\r\nIt seems oro0lxy has had a long-standing interest in ColdFusion, using this knowledge (according to the\r\nindictment) to develop vulnerabilities in support of his APT activity.\r\noro0lxy posts a question on the CSDN ColdFusion sub-forum\r\nIn keeping with this interest, Li was appointed moderator of a website for ColdFusion\r\ndevelopers, CFwindow.com, in 2012.\r\nHowever, oro0lxy was later flagged for posting scams on CSDN.\r\nQQ account links\r\nLooking into Li and Dong’s QQ accounts, we attempted to identify their actions and any overlaps that were\r\ninteresting or of note. According to leaked databases, QQ 3120988 was associated with the display name Li\r\nXiaoyu, whilst QQ 191956463 had historically used the username Dong Jiazhi.\r\nWe also pulled out a number of QQ groups that crossed the two hackers’ profiles. Specifically, their QQ accounts\r\nlink to university groups such as ‘Class of 2005, Class 5’ (2005 级 5 班), ‘Information Security Lab’ (信息安全实验室) and ‘Computer Applications Technology Class 2’ (计算机应用技术 2 班).\r\nThese are historic but provide useful context for what we know about the pair. Get in touch with us if you have\r\nany further information or leads pertaining to these accounts.\r\nSo… we know that Li and Dong have been indicted as hackers working for the MSS. Contract hackers – check.\r\nWe know that they set up a number of front companies based in Chengdu to shield their APT activity. 
Front companies – check.\r\nAnd we know they have been working together for a number of years, having met at university and\r\nremained active on Chinese hacker forums. But who specifically is behind their activity with the\r\nGuangdong State Security Department? Who is MSS Officer 1?\r\nTune in next week to find out…\r\n#youknowwherethisleads\r\nSource: https://intrusiontruth.wordpress.com/2021/05/06/an-apt-with-no-name",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intrusiontruth.wordpress.com/2021/05/06/an-apt-with-no-name"
	],
	"report_names": [
		"an-apt-with-no-name"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4db51064-e43e-4495-8e1b-ba6e117e688f",
			"created_at": "2023-11-05T02:00:08.061541Z",
			"updated_at": "2026-04-10T02:00:03.394014Z",
			"deleted_at": null,
			"main_name": "Storm-0062",
			"aliases": [
				"DarkShadow",
				"Oro0lxy"
			],
			"source_name": "MISPGALAXY:Storm-0062",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434772,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3278b0350992b3e796c231e4f30b75ed0bdd571b.pdf",
		"text": "https://archive.orkl.eu/3278b0350992b3e796c231e4f30b75ed0bdd571b.txt",
		"img": "https://archive.orkl.eu/3278b0350992b3e796c231e4f30b75ed0bdd571b.jpg"
	}
}