{
	"id": "bc93d967-2b6b-4ffe-a23a-c1f9e6af744e",
	"created_at": "2026-04-06T02:11:10.764539Z",
	"updated_at": "2026-04-10T03:36:01.252298Z",
	"deleted_at": null,
	"sha1_hash": "67c34167bd3eaba55ee89be1914d97864f382c1c",
	"title": "Operation DRAGONCLONE: Chinese Telecommunication industry targeted via VELETRIX \u0026 VShell malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2077090,
	"plain_text": "Operation DRAGONCLONE: Chinese Telecommunication\r\nindustry targeted via VELETRIX \u0026 VShell malware\r\nBy Subhajeet Singha\r\nPublished: 2025-06-06 · Archived: 2026-04-06 01:38:43 UTC\r\nContents\r\nIntroduction\r\nInitial Findings\r\nInfection Chain\r\nTechnical Analysis\r\nStage 0 – Malicious ZIP File\r\nStage 1 – Malicious VELETRIX Implant\r\nStage 2 – Malicious VShell Implant\r\nHunting and Infrastructure\r\nAttribution\r\nConclusion\r\nSeqrite Protection\r\nIOCs\r\nMITRE ATT\u0026CK\r\nAuthors: Subhajeet Singha and Sathwik Ram Prakki\r\n
Introduction\r\nSeqrite Labs APT-Team has recently found a campaign targeting the Chinese telecom industry. The campaign is aimed at China Mobile Tietong Co., Ltd., a well-known subsidiary of China Mobile, one of the major telecom companies in China. The entire malware ecosystem in this campaign is built on the VELETRIX malware and on VShell, a well-known adversary simulation tool that has been widely adopted by threat actors from China to target various Western entities in the wild.\r\nIn this blog, we explore the technical sophistication of the campaign as we encountered it during our analysis. We examine the various stages of the campaign, starting with a deep dive into the initial infection stage, moving on to the implants used, and ending with an overall view of the campaign.\r\n
Initial Findings\r\nRecently, on the 13th of May, our team found a malicious ZIP file that surfaced on various sources such as VirusTotal. The ZIP file is used as the preliminary source of infection and contains multiple EXEs and DLLs. The same file was also found by other threat researchers the very same day.\r\nhttps://www.seqrite.com/blog/operation-dragonclone-chinese-telecom-veletrix-vshell-malware/\r\nPage 1 of 15\n\nThe ZIP contains an interesting executable named 2025 China Mobile Tietong Co., Ltd. Internal Training Program is about to launch, please register as soon as possible.exe, which loads a number of interesting DLLs such as drstat.dll. We therefore decided to look into the workings of this set of files.\r\n
Infection Chain\r\nTechnical Analysis\r\nWe break the analysis down into three parts: the malicious ZIP attachment, the malicious VELETRIX implant, and a brief analysis of the VShell malware.\r\n
Stage 0 – Malicious ZIP File\r\nInitially, we found a malicious ZIP file named 附件.zip (attachment.zip). Looking into its contents, we found a set of interesting EXE, DLL and XML files. Most of them were legitimately Microsoft-signed binaries, some carried a code-signing certificate from Shenzhen Thunder Networking Technologies Ltd, and one interesting DLL, drstat.dll, is often associated with the Wondershare Repairit software.\r\nUpon confirming from the official Wondershare Repairit website, we can confirm that an executable known as drstat.exe has been renamed and packaged three times under three different names:\r\nChina Mobile Limited’s 2025 internal training program is about to begin. Please register as soon as possible.\r\nUninstall.\r\nRegistration-link.\r\nNext, we decided to confirm whether Wondershare signs the actual binary that is officially available from their website. We could confirm that the threat entity used the same file that is available for download from Wondershare’s official website. Given this abuse of Wondershare’s code signing, and after analyzing the malicious DLL, we can confirm that the threat actor used DLL sideloading against the target to launch the implant, which we have decided to name VELETRIX.\r\nBefore diving into the next section, we also confirm that the other code-signing certificate packed into this compressed file, from ‘Shenzhen Thunder Networking Technologies Ltd’, has frequently been associated with malicious executables in various reports and discussions as abused by Chinese-origin threat entities.\r\n
Stage 1 – Malicious VELETRIX Implant\r\nInitially, we gathered some basic information about the implant: it is a 64-bit binary that contains a few interesting export functions. Upon checking all the exports, we found dr_data_stop to be the one containing the interesting malicious code.\r\nThe implant starts with a little anti-analysis trick that combines the Sleep and Beep Windows APIs inside a do-while loop; the loop delays execution for roughly 10 seconds and plays a beep to evade automated sandbox analysis. The loop sleeps for 1 second and beeps 10 times; the whole mechanism exists to delay the analyst or confuse the automated sandbox.\r\nThis technique leverages NtDelayExecution at the system level: Beep internally calls NtDelayExecution, which accepts a “DelayInterval” parameter specifying the delay in milliseconds. When executed, NtDelayExecution pauses the calling thread, which causes sandbox timeouts or loss of debugger control, making it a not-so-harmful yet effective anti-sandbox technique. The Beep API is particularly clever because it serves a dual purpose: it creates execution delays through its internal NtDelayExecution calls while also generating audio artifacts that may trigger different behavior in analysis environments or alert researchers to active code execution.\r\nThen it loads kernel32.dll using LoadLibraryA and, once the DLL is loaded, uses GetProcAddress to resolve an interesting set of APIs: VirtualAllocExNuma, VirtualProtect \u0026 EnumCalendarInfo.\r\nSimilarly, it loads ADVAPI32.dll and, once the DLL is loaded, resolves SystemFunction036, HeapAlloc and HeapFree using the same technique.\r\nFinally, ntdll.dll is loaded and an interesting Windows API known as RtlIpv4StringToAddressA is resolved.\r\nNext, this malicious loader uses a technique called IPfuscation, which stores the malicious shellcode as a list of IPv4 address strings. A while loop that calls the RtlIpv4StringToAddressA API decodes the obfuscated shellcode by converting each ASCII IP string back to binary; the resulting binary is later executed as shellcode.\r\nOnce the shellcode has been recovered in binary form, the VirtualAllocExNuma API is used to allocate a fresh memory block in the current process with only Read \u0026 Write permission.\r\nOnce the memory is allocated, the encoded blob recovered from the IPfuscation step via the Windows API is further decoded with a simple XOR operation and copied into the allocated memory.\r\nThen it uses VirtualProtect to change the protection of the allocated memory to Execute-Read-Write.\r\nFinally, it uses a slightly innovative shellcode-execution technique based on a callback function: the EnumCalendarInfoA API is used to execute the shellcode. This technique leverages the fact that EnumCalendarInfoA expects a callback function pointer as a parameter; the malware passes its shellcode address as this callback, causing Windows to unknowingly execute the malicious code when the API calls what it believes is a legitimate calendar enumeration function. In our case the shellcode, which is a Windows implant of the VShell OST framework, is executed.\r\nWe can therefore conclude that the VELETRIX implant performs code injection via a callback mechanism. In the next section, we look into the VShell implant, which is fairly well known, and into its workings.\r\n
Stage 2 – Malicious VShell Implant\r\nVShell is a well-known cross-platform OST framework developed in Golang. It was initially developed by a researcher and was later mysteriously taken down, as mentioned in multiple research blogs by researchers who have tracked campaigns such as UNC5174’s; it has been used by threat actors originating from the Chinese geosphere.\r\nAs mentioned in the previous section, VELETRIX loads this Windows implant into memory. Looking inside the file, we found that the specific implant dropped goes by the name tcp_windows_amd64.dll. As this framework is well researched, we only look at the key artefacts and give a basic overview of the implant.\r\nThe implant has multiple functionalities, such as connect, send and receive, which are used to interact with the operator. All these functions rely on Windows APIs from the WinSock library.\r\nFurther analysis uncovered the command-and-control server along with an important config value, i.e. the salt, which is qwe123qwe. In the next section, we look into further hunting and infrastructure artefacts.\r\n
Hunting and Infrastructure\r\nUpon looking into the previous implants, we hunted and found some interesting artefacts.\r\nBased on the analysis and extraction of the salt used in the campaign, we found a total of 44 implants using the exact same salt, qwe123qwe. As VShell is a cross-platform tool, we found multiple EXEs, ELFs and DLLs, both signed and unsigned.\r\nWe also found a few samples whose C2s are spread across multiple locations such as the US, Hong Kong and more. A few of the 44 implants using the same salt have correlations with the APT group Earth Lamia, which has targeted Indian entities in a few cases. While hunting, we also found that a lot of similar implants have multiple overlaps with UNC5174’s campaign abusing ScreenConnect CVE-2024-1709, as reported by researchers.\r\nLooking into the infrastructural overlaps, a similar indicator has been attributed to the cluster of China-nexus state-sponsored threat actors that have been abusing CVE-2025-31324 to target SAP NetWeaver Visual Composer.\r\nWe also found that a login-based webpage related to the Asset Lighthouse System was hosted on the same infrastructure. Asset Lighthouse System is an open-source asset discovery and reconnaissance platform developed by Tophant Competence Center (TCC); it is primarily used for mapping external attack surfaces by identifying exposed IPs, domains, ports and web services. We therefore decided to pivot on these artefacts and found a few interesting overlaps.\r\nPost-pivoting, we discovered multiple malicious web servers with similar port configurations (such as running ASL over port 5003) that have hosted Cobalt Strike and SuperShell, which are known as go-to implants of UNC5174 aka Uteus; along with that, we uncovered multiple web servers with similar port configurations related to Earth Lamia.\r\nLast but not least, we also saw that the command-and-control server has been hosting Cobalt Strike to be used against the targets, making it the second post-exploitation framework used by this threat entity.\r\n
Attribution\r\nThrough analysis of implant usage and overlapping infrastructure patterns, we identified the threat actor leveraging VELETRIX, a relatively new loader designed to execute VShell in memory. Although VShell was initially released as an open-source project and later taken down by its original developer, it has since been widely abused by China-aligned threat groups.\r\nFurther threat hunting revealed similar behavioral patterns that align with known activity from UNC5174 (Uteus) and Earth Lamia, as recently documented by researchers. The current infrastructure associated with this actor exhibits consistent use of tools such as SuperShell, Cobalt Strike, VShell, and the Asset Lighthouse System, an open-source platform for asset discovery and reconnaissance. These tools have previously been attributed to various China-based APT clusters and observed actively deployed in the wild (ITW).\r\nGiven the technical and infrastructural overlaps, we assess with high confidence that this threat actor belongs to a China-nexus cluster.\r\n
Conclusion\r\nUpon carefully researching the campaign, we found that the China-nexus threat entity behind what we have termed Operation DRAGONCLONE has been using a DLL-sideloading technique against Wondershare Recoverit software, loading the VELETRIX DLL implant, which uses interesting techniques such as anti-sandbox delays, IPfuscation and a callback technique to execute the VShell malware. The activity has multiple overlaps with UNC5174 and Earth Lamia, and the recent campaign has been active since March 2025.\r\n
Seqrite Protection\r\nAgentCiR\r\n
IOCs\r\nSHA-256 | Filename\r\n40450b4212481492d2213d109a0cd0f42de8e813de42d53360da7efac7249df4 | \\附件.zip\r\nac6e0ee1328cfb1b6ca0541e4dfe7ba6398ea79a300c4019253bd908ab6a3dc0 | drstat.dll\r\n645f9f81eb83e52bbbd0726e5bf418f8235dd81ba01b6a945f8d6a31bf406992 | drstat.exe\r\nba4f9b324809876f906f3cb9b90f8af2f97487167beead549a8cddfd9a7c2fdc | tcp_windows_amd64.dll\r\nbb6ab67ddbb74e7afb82bb063744a91f3fecf5fd0f453a179c0776727f6870c7 | mscoree.dll\r\n2206cc6bd9d15cf898f175ab845b3deb4b8627102b74e1accefe7a3ff0017112 | tcp_windows_amd64.exe\r\na0f4ee6ea58a8896d2914176d2bfbdb9e16b700f52d2df1f77fe6ce663c1426a | memfd:a(deleted)\r\nIP/Domains\r\nIP\r\n62.234.24.38\r\n47.115.51.44\r\n47.123.7.206\r\n
MITRE ATT\u0026CK\r\nTactic | Technique ID | Technique Name | Sub-technique ID | Sub-technique Name\r\nReconnaissance | T1595 | Active Scanning | T1595.002 | Vulnerability Scanning\r\nReconnaissance | T1588 | Obtain Capabilities | T1588.002 | Tool\r\nInitial Access | T1566 | Phishing | T1566.001 | Spearphishing Attachment\r\nExecution | T1204 | User Execution | T1204.002 | Malicious File\r\nPersistence | – | – | – | –\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | – | –\r\nDefense Evasion | T1574 | Hijack Execution Flow | T1574.001 | DLL\r\nDefense Evasion | T1027 | Obfuscated Files or Information | T1027.007 | Dynamic API Resolution\r\nDefense Evasion | T1027 | Obfuscated Files or Information | T1027.013 | Encrypted/Encoded File\r\nDefense Evasion | T1055 | Process Injection | – | –\r\nDefense Evasion | T1497 | Virtualization/Sandbox Evasion | T1497.003 | Time Based Evasion\r\nDiscovery | T1046 | Network Service Discovery | – | –\r\nSource: https://www.seqrite.com/blog/operation-dragonclone-chinese-telecom-veletrix-vshell-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/operation-dragonclone-chinese-telecom-veletrix-vshell-malware/"
	],
	"report_names": [
		"operation-dragonclone-chinese-telecom-veletrix-vshell-malware"
	],
	"threat_actors": [
		{
			"id": "2137e858-a11d-4b75-ae54-3267b096a4fc",
			"created_at": "2025-06-29T02:01:56.98797Z",
			"updated_at": "2026-04-10T02:00:04.667535Z",
			"deleted_at": null,
			"main_name": "Earth Lamia",
			"aliases": [],
			"source_name": "ETDA:Earth Lamia",
			"tools": [
				"BypassBoss",
				"PULSEPACK"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b302cfdb-30c9-4dce-a968-d2398dda820d",
			"created_at": "2024-03-28T02:00:05.789775Z",
			"updated_at": "2026-04-10T02:00:03.611467Z",
			"deleted_at": null,
			"main_name": "UNC5174",
			"aliases": [
				"Uteus"
			],
			"source_name": "MISPGALAXY:UNC5174",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8bcbeb8a-111b-4ea1-a72b-5c7abd8ef132",
			"created_at": "2025-11-01T02:04:53.050049Z",
			"updated_at": "2026-04-10T02:00:03.774442Z",
			"deleted_at": null,
			"main_name": "BRONZE SNOWDROP",
			"aliases": [
				"UNC5174"
			],
			"source_name": "Secureworks:BRONZE SNOWDROP",
			"tools": [
				"Metasploit",
				"SNOWLIGHT",
				"SUPERSHELL",
				"Sliver",
				"VShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "650a9c54-160c-4a25-8e96-e845f2dd6f82",
			"created_at": "2026-01-18T02:00:03.063535Z",
			"updated_at": "2026-04-10T02:00:03.901997Z",
			"deleted_at": null,
			"main_name": "Earth Lamia",
			"aliases": [
				"UNC5454"
			],
			"source_name": "MISPGALAXY:Earth Lamia",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441470,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67c34167bd3eaba55ee89be1914d97864f382c1c.pdf",
		"text": "https://archive.orkl.eu/67c34167bd3eaba55ee89be1914d97864f382c1c.txt",
		"img": "https://archive.orkl.eu/67c34167bd3eaba55ee89be1914d97864f382c1c.jpg"
	}
}