{
	"id": "08575d93-e784-4b2f-8b0c-309d0602fb8f",
	"created_at": "2026-04-06T00:13:55.665867Z",
	"updated_at": "2026-04-10T03:23:52.083199Z",
	"deleted_at": null,
	"sha1_hash": "7defdc155eec7dff324be352617221b6cde80e28",
	"title": "All roads lead back to Wuhan… Xiaoruizhi Science and Technology Company",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3034217,
	"plain_text": "All roads lead back to Wuhan… Xiaoruizhi Science and\r\nTechnology Company\r\nBy intrusiontruth\r\nPublished: 2023-05-13 · Archived: 2026-04-05 18:35:39 UTC\r\nAs our readers know from our investigation into Hainan Xiandun Technology Development Company, the\r\nIntrusion Truth team have become quite adept at spotting a fishy front company when we see one. \r\nTypically, these are ‘companies’ with a generic-sounding ‘technology’ name and a minimal online presence. They\r\noften post adverts on university websites looking for graduates with offensive cyber skills and, very importantly,\r\nforeign language expertise. The language of the adverts is vague, and often recycled from other, similar adverts\r\nposted online. The front companies provide contact details which just don’t seem to add up – such as numbers\r\nshared by other businesses. So, when we began investigating Wuhan Xiaoruizhi Science and Technology\r\nCompany, it soon became clear that we were onto a winner. \r\nWe started with a 2017 job advert posted by the School of Computer and Information Engineering, Hubei\r\nUniversity. \r\nLooking for a number of software and system development engineers, Wuhan Xiaoruizhi describes itself as\r\nworking in the ‘network security field’, and being vaguely located ‘near Wuhan Optics Valley’. Prospective\r\napplicants should be proficient in C and C++, scripting languages such as Python, JavaScript and PHP, as well as\r\nIDA and OD. They should be familiar with automated testing processes, and web frameworks. Oh, and they must\r\nbe au fait with vulnerability mining. In fact, vulnerability mining is so important to Wuhan Xiaoruizhi, in this\r\nsmall university flyer, it is mentioned no less than three times. 
\r\nhttps://intrusiontruth.wordpress.com/2023/05/13/all-roads-lead-back-to-wuhan-xiaoruizhi-science-and-technology-company\r\nPage 1 of 8\n\nA further search of Wuhan Xiaoruizhi reveals another advert posted on a university jobs site – the College of\r\nForeign Languages at Huazhong Agricultural University. This time, Xiaoruizhi is looking for English majors to\r\nbecome analysts who will be responsible for ‘information collection, processing and text editing’ in Chinese and\r\nEnglish. \r\nXiaoruizhi gives us an introduction to the company, which is committed to providing ‘information processing,\r\nindustry research and big data analysis’ for customers, which include ‘relevant government departments’. We also\r\nget to know more about the company’s ‘ethical research and consulting team’, ‘win-win approach’ and its\r\n‘concept of integrity-based innovation’. Only the company isn’t that innovative – nor does it have much integrity:\r\nsuch wording appears to be a word-for-word copy of a description from another company’s job advert in\r\nShenzhen. Shenzhen Prothinker Consulting. \r\nShenzhen Prothinker\r\nSo what is it about Shenzhen Prothinker Consulting that got Wuhan Xiaoruizhi so inspired? Well, funnily enough,\r\nShenzhen Prothinker was also on the lookout for English speakers with interests in politics, and graduates with\r\ncomputer-related majors. Hmm. Unfortunately, the website for Prothinker is now defunct. However, there is still\r\nsome information out there on Baidu about the company. 
The legal representative of Shenzhen Prothinker was a\r\nHuang Ruohang, and the address for the company is listed as Room 2511, 25th Floor, Oriental Science and\r\nTechnology Building, Science and Technology Park, Yuehai Street, Nanshan District, Shenzhen.\r\nA search for “Huang Ruohang” (Chinese characters given below) showed that Huang Ruohang was also listed as\r\nthe executive director for Shenzhen Zhongan Domain Technology Company. And as ‘coincidences’ would have it,\r\nShenzhen Zhongan Domain Technology Company was also once located on the 25th Floor of the Oriental Science\r\nand Technology Building in Nanshan District Shenzhen. \r\nShenzhen Zhongan Domain Technology Company appears to be also known, according to its branding, as\r\nZIONSEC. ZIONSEC describes itself as providing ‘advanced solutions for national security issues such as\r\nnational defense and intelligence’ to ‘help the dream of a powerful country’.\r\nSounds…suspicious. \r\nLet’s park the shenanigans in Shenzhen for now and return to Wuhan. Who actually works at the Xiaoruizhi\r\nScience and Technology Company and what do they do? Unfortunately, this technology company doesn’t have its\r\nown website, but we do have the name of the manager, Deng Zhiyong. \r\nDeng is an interesting character. Aside from holding official titles at no less than three (!) 
government-affiliated\r\norganizations, (Director of the Foreign Exchange Center, Ministry of Science and Technology China; Director of\r\nthe Hubei Wuhan China/Russian Technologic Cooperation Center; Chief of Department of Steelworks\r\nManagement Administration, Dongxi, Wuhan) our friend Deng also seems to have a thing for Russian lasers. \r\nWe will return to this in a later article. It’s a wild ride. \r\nA phone number which seems to be linked to Mr. Deng also seems to be used by both a construction company and\r\na ‘business information consulting company’. Quite the diverse business empire. \r\nSo, to summarize, we have a sketchy-looking company in Wuhan looking for vulnerability-miners and foreign\r\nlanguage experts and linked to a phone number shared between many businesses. Lacking some imagination, the\r\ncompany decides to borrow language used by another sketchy-looking company in Shenzhen, which in turn\r\nappears to have some quite considerable overlap with an info-sec company dedicated to national defense and\r\nintelligence work. We also have government clients, a CEO with official PRC government titles, and a bonus link\r\nto a shifty hacking school. \r\nYou know the drill by now. If it walks like a duck and quacks like a duck…. (should we get that printed on\r\nmerch?).\r\nBeyond this, Wuhan Xiaoruizhi hasn’t given us much to go on. So, it was time to take our search to the dark web. \r\nBingo. \r\nSource: https://intrusiontruth.wordpress.com/2023/05/13/all-roads-lead-back-to-wuhan-xiaoruizhi-science-and-technology-company",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://intrusiontruth.wordpress.com/2023/05/13/all-roads-lead-back-to-wuhan-xiaoruizhi-science-and-technology-company"
	],
	"report_names": [
		"all-roads-lead-back-to-wuhan-xiaoruizhi-science-and-technology-company"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434435,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7defdc155eec7dff324be352617221b6cde80e28.pdf",
		"text": "https://archive.orkl.eu/7defdc155eec7dff324be352617221b6cde80e28.txt",
		"img": "https://archive.orkl.eu/7defdc155eec7dff324be352617221b6cde80e28.jpg"
	}
}