{
	"id": "6411727f-b8aa-4c18-b97b-e099a2449813",
	"created_at": "2026-04-06T00:17:59.510826Z",
	"updated_at": "2026-04-10T03:35:48.455659Z",
	"deleted_at": null,
	"sha1_hash": "4e5821484df280daf69b818820bef839c8060aff",
	"title": "China Chopper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60313,
	"plain_text": "China Chopper\r\nBy Contributors to Wikimedia projects\r\nPublished: 2019-03-10 · Archived: 2026-04-05 21:22:50 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nChina Chopper is a web shell approximately 4 kilobytes in size, first discovered in 2012. This web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers. The web shell has two parts: the client interface (an executable file) and the receiver host file on the compromised web server.\r\nChina Chopper has many command and control features, such as a password brute-force attack option, code obfuscation, file and database management and a graphical user interface.[1][2][3][4] It was originally distributed from the website www.maicaidao.com, which is now down. FireEye revealed that the client of this web shell is programmed in Microsoft Visual C++ 6.0.\r\nChina Chopper was used in attacks against eight Australian web hosting providers, which were compromised due to their use of an unsupported operating system (Windows Server 2008). Hackers connected the web servers to a Monero mining pool, by which they mined about 3868 AUD worth of Monero.[5]\r\nIn 2021, a version of the web shell programmed in JScript was used by the advanced persistent threat group Hafnium to exploit four zero-day vulnerabilities in Microsoft Exchange Server, in the 2021 Microsoft Exchange Server data breach. This web shell was dropped when one of these vulnerabilities was exploited, allowing attackers to upload a program which ran with administrator privileges.[6] With only the address of the .aspx file containing the script, an HTTP POST request could be made to the script with just a command in the request, causing the script to execute the command immediately using the JScript 'eval' function, allowing attackers to run arbitrary code on the server.[7]\r\n1. ^ \"China Chopper\". NJCCIC. Archived from the original on 13 January 2019. Retrieved 22 December 2018.\r\n2. ^ \"What is the China Chopper Webshell, and how to find it on a compromised system?\". 28 March 2018. Archived from the original on 13 January 2019. Retrieved 22 December 2018.\r\n3. ^ \"Breaking Down the China Chopper Web Shell - Part I\". Mandiant. Archived from the original on 13 January 2019. Retrieved 3 January 2022.\r\n4. ^ \"Breaking Down the China Chopper Web Shell - Part II\". Mandiant. Archived from the original on 7 January 2019. Retrieved 3 January 2022.\r\n5. ^ Stilgherrian. \"Australian web hosts hit with a Manic Menagerie of malware\". ZDNet. Archived from the original on 31 January 2019. Retrieved 17 March 2019.\r\n6. ^ \"ProxyLogon\". ProxyLogon (in Chinese (Taiwan)). Retrieved 16 March 2021.\r\n7. ^ \"Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix\". threatpost.com. 16 March 2021. Retrieved 16 March 2021.\r\nSource: https://en.wikipedia.org/wiki/China_Chopper",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://en.wikipedia.org/wiki/China_Chopper"
	],
	"report_names": [
		"China_Chopper"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434679,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e5821484df280daf69b818820bef839c8060aff.pdf",
		"text": "https://archive.orkl.eu/4e5821484df280daf69b818820bef839c8060aff.txt",
		"img": "https://archive.orkl.eu/4e5821484df280daf69b818820bef839c8060aff.jpg"
	}
}