{
	"id": "72b6671b-4bdb-447f-a1cd-7e60026091ff",
	"created_at": "2026-04-06T00:08:34.485633Z",
	"updated_at": "2026-04-10T13:11:32.320326Z",
	"deleted_at": null,
	"sha1_hash": "4a69efd8793483181136c549c400e0c4c35238c1",
	"title": "变脸, Teng Snake (a.k.a. Code Core)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4221939,
	"plain_text": "变脸, Teng Snake (a.k.a. Code Core)\r\nBy S2W\r\nPublished: 2022-07-09 · Archived: 2026-04-05 16:40:59 UTC\r\nAuthor: HOTSAUCE | S2W TALON\r\nFirst Published: July 6, 2022.\r\nLast Modified: July 8, 2022.\r\nThe profile picture of Teng Snake on Twitter\r\nAs @CrazymanArmy and @ShadowChasing1 pointed out, our conclusion is the same: there is no\r\nconcrete evidence to connect Teng Snake with the previously known APT-C-61.\r\nExecutive Summary\r\nThe “Teng Snake” team has created Telegram channels and group chats since October 2021. At the time, the team\r\nconsisted of 4 core members and 7 sub-teams, and systematically operated channels and group chats. They\r\nclaimed that they were APT-C-61, promoted themselves provocatively, operated study teams, and recruited team members.\r\nHowever, there is no clear evidence that they are related to APT-C-61.\r\nhttps://medium.com/s2wblog/%E5%8F%98%E8%84%B8-teng-snake-a-k-a-code-core-8c35268b4d1a\r\nPage 1 of 19\n\n(2022–02–10) Claimed to be APT-C-61 and started full-fledged activities.\r\n(2022–03–19) Shared information about a Korean website vulnerability and a list of 97 websites that\r\nmay have the same vulnerability in one of the Teng Snake-managed group chats.\r\n(2022–04–07) Started selling PII (Personally Identifiable Information) and chemicals, and receiving hacking\r\nrequests.\r\n(2022–05–02) A user named uteus, who claimed to be from the White Dawn team, uploaded a post on an\r\nunderground forum titled “South Korean health department invades” that was selling AD server privileges\r\nfrom an association.\r\n— The same post was uploaded to the newly opened Code Core Telegram channel on May 6 and to the Soaring Snake\r\nTwitter account on May 7 and 13.\r\n(2022–05–20) Declared the suspension of for-profit activities and shut down Telegram channels, including\r\nseveral group chats, except one channel.\r\n— Mekimer started using the CodecoreSET account on Telegram from this point.\r\n(2022–06–17) Yashma-based Code Core 
Ransomware has been discovered.\r\n1. Abstract\r\nThe Teng Snake team first began opening channels and group chats in October 2021. By June 2022, we had\r\nfound 7 Telegram channels, 5 group chats, 6 accounts, and a Twitter account, Soaring Snake (@scan66322894),\r\nbelieved to be associated with Teng Snake. The activities of the Teng Snake team, drawn from Telegram channel and\r\ngroup chat conversations, are listed in Figure 1.\r\n1.1. Timeline of Teng Snake x Code Core\r\nFigure 1. Timeline of Teng Snake and Code Core\r\n2. Core members of Teng Snake\r\nThe IDs of the Telegram channels and group chats directly managed by the Teng Snake team were\r\ncomposed in the form APT{2,3 digits}. The full list of Telegram channels and group chats can be found in\r\nAppendix A.\r\nThe Teng Snake team revealed that the team had 4 core members and mentioned their roles as shown below.\r\nFigure 2. Core members of Teng Snake\r\nWe were able to find information about two of these members.\r\n2.1. Mekimer: Head of Teng Snake\r\nMekimer is the leader and seems to be the key man of the Teng Snake team. Most of the critical information\r\nshared in all Teng Snake group chats consists of forwarded Mekimer messages. The vulnerability information for the\r\nKorean website was also shared by forwarding one of Mekimer’s messages.\r\nWe found 2 blogs that are believed to be managed by Mekimer, in which he listed some of his personal\r\ninformation.\r\nFigure 3. 
Two blogs of Mekimer\r\nAccording to the information posted, he is a 21-year-old man and currently resides in Cambodia.\r\nAt first, we assumed that Mekimer was living in China, but in the group chats, he consistently claimed that he was\r\nabroad. It is difficult to confirm as there is no proof to back this up.\r\nWe also found the nickname he used before adopting the alias Mekimer: anqusec.\r\nFigure 4. Footer of Mekimer’s blog\r\nClicking the word “回忆”, which means memories, at the bottom of Mekimer’s blog redirects to the\r\nanqusec blog. The blog posts also show that Mekimer continued to attack websites in China and other overseas\r\ncountries. Also, we found articles on how to use hacking tools such as Nessus and AWVS, and articles on the use\r\nof 1-day vulnerabilities. In particular, he had periodically written articles about website infiltration, and we\r\nalso found that he infiltrated a Chinese coin exchange server using a Log4Shell exploit.\r\nAfter the Teng Snake team shut down some of their Telegram channels and group chats, Mekimer started using the\r\nalias CodecoreSET.\r\n2.2. Activity history of anqusec in an underground forum\r\nWe found that Mekimer uploaded three posts on an underground forum using the alias anqusec from November 13\r\nto 15, 2021. We assumed that he also participated in the chat of the forum. Mekimer introduced himself as part of the\r\nThunder Domain (or Xunlei domain name) team in the following three posts.\r\n(2021–11–13) Official Portal of Kerala Local Government Leaked\r\n(2021–11–15) Fulbright plan | thunder field | 2021 | data operation\r\n(2021–11–15) ICAT international technology center of India | Xunlei domain | 2021\r\nFigure 5. 
Mekimer talked with ATW, Fulbright plan | thunder field | 2021 | data operation\r\nMekimer appears to have provoked ATW (Against The West) last year, saying he knew ATW’s identity. ATW\r\nresponded, in one of the posts published by Mekimer, that they were still waiting for him to reveal it.\r\nMekimer has not yet released ATW’s identity, and we assume that Mekimer did not actually have ATW’s identity\r\nand just wanted to get attention or show off.\r\n2.3. Skull Killer: Pentester of Teng Snake\r\nSkull Killer is responsible for website penetration, OSINT, and vulnerability discovery in the Teng Snake team. In\r\nparticular, Skull Killer is described as holding a large amount of personal information, which can be seen from his\r\nprevious Telegram channel and group chat.\r\nSkull Killer operated one Telegram group chat and one channel. The group chat was opened in August 2020, but it\r\nbegan operating in October 2021. Various personal information, hacking tools, and vulnerabilities were shared in\r\nthe group chat and their channels.\r\nOn January 29, 2022, a text file named “韩国_外汇_375224 份_3月.txt” was uploaded to a chat room operated by\r\nSkull Killer. The file included 375,224 Korean account records, each consisting of e-mail, name, phone number,\r\njob information, and hashed password.\r\n3. 
Mekimer + Skull Killer + α\r\nOn February 10, 2022, Teng Snake shared a screenshot containing directories and files they claimed to have used in an attack\r\nconducted in 2019, together with the analysis report published by 360 Security about APT-C-61.\r\n**APT-C-61 (腾云蛇) report from 360 Security [link]\r\nAccording to 360 Security, the APT-C-61 group primarily targeted Pakistan and Bangladesh, particularly important\r\nsectors such as government, military industry, and research centers.\r\nAPT-C-61 used spear-phishing and social engineering techniques to infiltrate, and DDE to download malware.\r\nThe malware that is finally installed on the host is an executable file packaged with PyInstaller that executes\r\ncommands received from the C\u0026C server. Afterward, utilities such as 7za.exe and rclone.exe were also\r\ndownloaded to exfiltrate sensitive files.\r\nThe Teng Snake group claimed to be the APT-C-61 group, but the screenshot they uploaded contained 2 Python scripts,\r\none suspected to be a phpstudy tool. The tool has the same size (3kb) as the publicly available script on GitHub.\r\nA directory suspected to be an open-source tool called go-shellcode-launcher is also displayed.\r\nFigure 6. Teng Snake claimed to be APT-C-61\r\nFurthermore, while APT-C-61 used Google Drive and Dropbox, Teng Snake is using Ali Cloud.\r\nFigure 7. Screenshot of Ali Cloud\r\nWhile the countries affected by APT-C-61 are located in South Asia, the countries identified in Figure 7 and their\r\ntweets are South Korea, Myanmar, Turkey, and Taiwan. 
It’s an overstatement to call them an APT group, as they\r\nare carrying out their attacks with very obscure purposes.\r\nAs a result, when comparing the information of the APT-C-61 group with the information of Teng Snake that has\r\nbeen released so far, it is hard to say that Teng Snake is the APT-C-61 group.\r\n4. Teng Snake started the emerging cyber threat in the real world.\r\n4.1. Korean website vulnerability shared on a group chat\r\nOn March 19, 2022, a file named “韩国网贷.txt” was uploaded to a group chat along with several files. The\r\nmessage was one of Mekimer’s, forwarded by a user named 雷域, who is presumed to be the manager of the\r\ngroup chat.\r\nFigure 8. Exploit payload of SQL injection\r\nIn the overall context, the file appears to be educational material for users in the group chat. Hacking tools,\r\nhacking tips, a vulnerability, and a payload used to attack South Korean websites were included in the file. 
It also\r\nincluded a list of websites indicating whether a vulnerability was possible or confirmed to exist.\r\nThe vulnerability was a SQL injection, and inside the file, there was an exploit payload that could be used for\r\nactual attacks, as shown in the picture above.\r\nIn addition, the file listed the following precautions and hacking tips.\r\nUse Nessus or AWVS 13.14 version instead of XRAY when scanning Korean websites for vulnerabilities.\r\nUse dynamic IP.\r\nLook at the subdomains of the target website.\r\nMany XSS vulnerabilities are found, but few are useful.\r\nSocial engineering, such as phishing mail, is much more useful to target administrators.\r\nFinally, a list of 97 websites (one duplicated) against which the aforementioned vulnerabilities can be tested was also shared, with\r\nmore than half belonging to the financial and loan industry.\r\nFigure 9. Classification results of shared URLs\r\nAfter sending the message, the user continued to share hacking tools and vulnerabilities they used, such as uDork\r\nand CANVAS, in the group chat and kept the group chats highly active.\r\n4.2. Start selling PII, databases, and chemicals\r\nAt the end of March, Teng Snake closed some of their Telegram group chats and channels and also stopped\r\nrecruitment. At the time of recruiting, it is estimated that at least 100 people were recruited in each of 3 group\r\nchats, so it seems that enough people had gathered for them to stop recruiting and begin commercial activities.\r\nOn April 7, 2022, Teng Snake posted on their main channel that they had started selling the following chemicals and\r\nwould not sell them to China.\r\nFigure 10. 
Chemicals sold by Teng Snake\r\nOn April 20, 2022, the Teng Snake team announced that they would start receiving hacking requests and\r\nreleased their unit price list. The services offered and their unit prices are as follows.\r\nFigure 11. Workable unit price released by Teng Snake\r\nAfter they released their unit prices, they continuously advertised on the\r\nTelegram channel that they were receiving hacking requests. However, it seems that they were not paid even after completing some requests.\r\nIn addition, they also sold Chinese personal information. Below is a part of the sales items.\r\nFigure 12. Part of the Chinese PII selling list\r\nAfter that, on May 2, the suspension of receiving hacking requests and data sales was announced. Some buyers\r\nhad raised suspicions about the resale of data sold by the Teng Snake team, and some clients had not paid. This\r\nseems to be why they declared a shutdown.\r\nFigure 13. Declared suspension of receiving hacking request and data sales\r\n4.3. 
Selling AD server privilege of South Korea health department\r\nOn May 2, 2022, a user by the name of uteus published a post on an underground forum titled “South Korean Health\r\nDepartment Invades.” He stated that he was part of a team called White Dawn and offered access for sale, with\r\nscreenshots of him accessing the AD server believed to belong to the Ministry of Health and Welfare of\r\nKorea.\r\nThe Teng Snake team introduced themselves as White Dawn only in this post, and later introduced themselves as the\r\nSoaring Snake (or Snakes) team, as a part of the Code Core team. Currently, Teng Snake’s Mekimer (a.k.a.\r\nCorecodeSET) and uteus are believed to be in the Code Core team.\r\nFigure 14. AD server privilege sales post by uteus, South Korean Health Department Invades\r\nAs a result of analysis based on the username on the sample photo, it was confirmed that the actual target of the\r\nattack was a different association. We presumed that they lack an understanding of Korea.\r\nIn addition, they were not yet pursuing supplementary profit through the distribution of ransomware\r\nat that time.\r\n4.4. Who is uteus (uetus)?\r\nuteus is currently one of the members of the Code Core team and is believed to be responsible for planning\r\nattacks and recruiting team members. He has been active on the forum since April 15.\r\nFigure 15. First post of uteus, ios browser RCE 0day and twitter token steal 0day\r\nOn April 15, 2022, when he began his activities, he posted about selling an iOS browser RCE Zero Day and\r\nTwitter Token Zero Day. 
But he was criticized by other users for not providing grounds for the vulnerabilities.\r\nHe also commented on the article titled “Отключаем Windows Defender (+ UAC Bypass, + Повышение до\r\nуровня SYSTEM)”, asking for the passwords needed to download the tools for Windows EoP.\r\ncinder, mentioned in “South Korean health department invades,” is the alias he used on another underground\r\nforum. He has been active on that forum since April 3.\r\nFigure 16. One of the posts by cinder, Against-Killnet\r\nOn May 22, 2022, a post titled “Against-Killnet” was published. He wrote to those who resisted Killnet, commenting\r\n“Anonymous needs you,” and this suggests that he is related to Anonymous.\r\n4.5. Recruiting new team members and mentioning NATO\r\nAfter announcing the suspension of receiving hacking requests and personal information sales on the Telegram\r\nchannel, Teng Snake began recruiting new team members on May 7. The difference is that they started to check\r\nthe hacking skills of the applicants.\r\nFigure 17. Mentioned NATO on Telegram\r\nThe stated condition for joining the Teng Snake team was experience (webshell upload,\r\nhigh-risk vulnerabilities, penetration of internal network nodes) in taking control of the internal network of NATO\r\nallies.\r\nFigure 18. Mentioned NATO on Twitter\r\nOn Twitter, they claimed that South Korea’s entry into NATO would cause a new war and that they had already\r\nseized confidential data from the Ministry of National Defense. The “Korea joining NATO” mentioned here refers to\r\nKorea joining the NATO Cooperative Cyber Defence Centre of Excellence as a regular member. 
From this,\r\nwe speculate that Teng Snake lacks an understanding of the matter and mentions it only as a pretext to\r\njustify attacks on NATO-related countries.\r\nFigure 19. Continued to recruit new members\r\nFrom May 17 on, they started accepting new team members who can steal server privileges of non-governmental organizations, military, and third-party supply chains.\r\n4.6. Code Core Ransomware Detected\r\nOn June 17, 2022, Code Core Ransomware was uploaded to VirusTotal.\r\nThe ransomware was created by the Yashma ransomware builder (a.k.a. Chaos ransomware builder), and the\r\nransom note was customized to include their team name. For information on the Chaos ransomware, refer to\r\nAppendix D. Given their use of the minor Yashma ransomware builder rather than a well-known RaaS, the Code\r\nCore team seems to lack expertise in ransomware and the ransomware ecosystem.\r\nFigure 20. Ransom note of Code Core Ransomware\r\nConclusion\r\nMost of the attack methods used by the Teng Snake team have not been disclosed, but it is estimated that\r\nthey are mainly focused on cloud and web servers.\r\nCurrently, it has been confirmed that Mekimer, the team leader of Teng Snake, has joined the Code Core\r\nteam and is attacking South Korea and NATO countries along with uteus and other team members.\r\nThe Code Core team is currently developing Yashma-based ransomware, so it is expected to use the\r\nransomware in future attacks.\r\nGovernment agencies in NATO countries need to continuously monitor their activities.\r\nAppendix A. 
Teng Snake’s group structure and managed Telegram channels,\r\naccounts, and group chats\r\nTeng Snake’s group structure\r\nGroup chats\r\n【腾蛇】-技术交流群\r\n九婴血色安全团队\r\n雷霆渗透测试团队\r\n青鸾社工团队\r\n学习组\r\nChannels and accounts\r\nAppendix B. Links associated with Mekimer\r\nSurface Web\r\nAnqusec github: https://github.com/ANQUSEC\r\nAnqusec blog: https://anqusec.github.io/\r\nMekimer github: https://github.com/Tengshe2021\r\nMekimer blog: https://tengshe2021.github.io/\r\nDeep Web\r\nAnqusec Telegram Channel: https://t.me/AnQuSEC\r\nAppendix C. Other information sharing and sales\r\n(2022.04.04) Shared Japanese E-mail lists\r\n(2022.05.06) 300 million total sales of American personal information\r\nThe data was also sold on a collaboration channel, and it is still being sold on the channel.\r\nThe collaboration channel was initially introduced as a channel managed by the Teng Snake team, but from\r\nthe end of March, it was introduced as an advertising channel. It is presumed that the Teng Snake team is\r\noperating independently even after they stopped working.\r\nAppendix D. Code Core Ransomware\r\n(2021–08–25) S2W, Anatomy of Chaos Ransomware builder and its origin (feat. 
Open-source Hidden Tear\r\nransomware)\r\nSample of Code Core Ransomware\r\n— VirusTotal : https://virustotal.com/gui/file/3a167d1d4dfe9ba36118c816f1b73c7e\r\n— ANY.RUN : https://app.any.run/tasks/412be530-3443-4635-80b8-992c97094576/\r\nSource: https://medium.com/s2wblog/%E5%8F%98%E8%84%B8-teng-snake-a-k-a-code-core-8c35268b4d1a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/s2wblog/%E5%8F%98%E8%84%B8-teng-snake-a-k-a-code-core-8c35268b4d1a"
	],
	"report_names": [
		"%E5%8F%98%E8%84%B8-teng-snake-a-k-a-code-core-8c35268b4d1a"
	],
	"threat_actors": [
		{
			"id": "4fd2e187-fea2-421a-870c-11be83231fd5",
			"created_at": "2023-11-04T02:00:07.652728Z",
			"updated_at": "2026-04-10T02:00:03.384073Z",
			"deleted_at": null,
			"main_name": "Xiaoqiying",
			"aliases": [
				"Genesis Day",
				"Teng Snake"
			],
			"source_name": "MISPGALAXY:Xiaoqiying",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b302cfdb-30c9-4dce-a968-d2398dda820d",
			"created_at": "2024-03-28T02:00:05.789775Z",
			"updated_at": "2026-04-10T02:00:03.611467Z",
			"deleted_at": null,
			"main_name": "UNC5174",
			"aliases": [
				"Uteus"
			],
			"source_name": "MISPGALAXY:UNC5174",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b066585-3591-4ddd-b3cc-f4e19e0e00ef",
			"created_at": "2022-10-25T16:07:24.086915Z",
			"updated_at": "2026-04-10T02:00:04.862463Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"4HCrew",
				"APT 2",
				"G0024",
				"Group 36",
				"Putter Panda",
				"SearchFire",
				"TG-6952"
			],
			"source_name": "ETDA:Putter Panda",
			"tools": [
				"3PARA RAT",
				"4H RAT",
				"4h_rat",
				"MSUpdater",
				"httpclient",
				"pngdowner"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434114,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a69efd8793483181136c549c400e0c4c35238c1.pdf",
		"text": "https://archive.orkl.eu/4a69efd8793483181136c549c400e0c4c35238c1.txt",
		"img": "https://archive.orkl.eu/4a69efd8793483181136c549c400e0c4c35238c1.jpg"
	}
}