{
	"id": "4ba1e5a4-7fee-4dd6-af80-63c596ea97b7",
	"created_at": "2026-04-06T00:17:17.196522Z",
	"updated_at": "2026-04-10T03:37:22.786789Z",
	"deleted_at": null,
	"sha1_hash": "b3a529dc5526c77787934b5c00a735a1c42529f7",
	"title": "Introducing Cheng Feng",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3418927,
	"plain_text": "Introducing Cheng Feng\r\nBy intrusiontruth\r\nPublished: 2023-05-16 · Archived: 2026-04-05 13:26:01 UTC\r\nYou might be wondering why we have picked on Cheng Feng. Just a hard-working cyber security professional,\r\nright? Well, wrong, as it turns out. Cheng Feng helped us deduce what APT Wuhan Xiaoruizhi is a cover for. \r\nAs regular readers will know, Intrusion Truth is nothing without its global network of supporters. We had to reach\r\nout for support investigating Cheng Feng using the start points from his insurance certificate, and one of our\r\ncollaborators came through with the goods. A cache of emails, documents, and photos from a cloud storage\r\naccount belonging to Cheng. \r\nLet’s start here:\r\nOn 14th June 2019, Mr. Cheng sent an email to an address he believed to belong to the Kerui Cracking Academy.\r\nHe described himself as a security company in Wuhan who had heard that Kerui’s graduates were excellent, and\r\nasked when the next graduation date was. Well, well, well. It looks like our suspicions of Kerui were correct: not\r\nonly have several Kerui graduates gone on to Wuhan Xiaoruizhi, we also now have Xiaoruizhi employees\r\nattempting to snap up their graduates. Looks like Kerui might be a pipeline into Xiaoruizhi after all. \r\nLet’s continue. \r\nA deeper dive into Cheng’s documents revealed the beginnings of overlap between his apparent research interests\r\nand those of APT 31. \r\nCISCO router exploitation:\r\nHere we have Cheng, presumably in the course of his work duties, accessing the configuration manual for Cisco\r\nbroadband routers. 
\r\nhttps://intrusiontruth.wordpress.com/2023/05/16/introducing-cheng-feng\r\nPage 1 of 5\n\nCheng Feng’s document cache contains a number of indications that he possessed, purchased, or tested possible\r\nrouter exploitation configurations on various models of routers, including small office/home office (SOHO)\r\nrouters such as the Huawei Echolife, Huawei AR151-S, Cisco 2911/K9, and Cisco 1721.\r\nBottom image reads: sold by Chief Wen 2015.8.4\r\n1 Service Router: CISCO 2911/K9\r\n2 VPN Routers Huawei: AR151-5\r\n1 Firewall: Huawei USG2130\r\n1 Layer 3 Switch: Huawei 5700-28C-SI\r\n3 Layer 2 Switches: Huawei 1728GWR-4P\r\n4 Gigabit Network Switches: 8 Huasan (H3C) S1208\r\n1 Network Cable: AMP Cat 6 GB (305M)\r\n1 RJ Connector: Box (100 piece/box)\r\n5 Wireless NICs: TPLINK 300M Wireless\r\n1 Network Cable: Tester Wire Tracer\r\n1 Network Plier: Sanbao Brand\r\n15 IBM jumpers\r\nAPT31 is famous for router exploitation. APT31 hit the press in France over summer 2021, accused by the French\r\ncyber security agency of launching a major hack targeting French entities which utilized a network of more than\r\n1000 compromised routers, including Pakedge, Sophos and Cisco routers. These routers were compromised and\r\nleveraged as anonymization relays, before APT31 carried out reconnaissance and attack activities. The listed\r\ndevices in particular are SOHO routers, which APT31 have been exploiting since at least November 2019. \r\nSo – here we have Cheng in possession of a manual for Cisco routers and in possession of a number of different\r\nSOHO router devices. Could this have been his process for beginning to learn to exploit them? \r\nAPT IoT\r\nNext. 
In August 2017, Cheng created a task intriguingly labelled “做了什么 apt31 物联网”, or ‘what did APT31\r\nIoT do’/’what did APT 31 do with regards to IoT’.\r\nWe know from our previous discussion that APT31 is known to exploit IoT devices, in particular SOHO routers,\r\nto form part of their operational infrastructure. And APT31 is clearly on Cheng’s mind. In addition, the timing of\r\nthe task in August 2017 was prior to public exposure of APT31’s involvement in IoT/router exploitation,\r\nindicating that Cheng had insider knowledge of APT31’s TTPs. Perhaps because he is APT31?\r\nClibcom \r\nWe’ll leave you with one more clue which we think rounds things out nicely. Mr. Cheng also had in his possession\r\na 2015 photo of a computer screen showing usernames and passwords for 58.55.127.233. \r\nOn investigating this domain, we discovered that it’s hosted in Wuhan. From March 2015, it hosted\r\nwebmail.dnsapple.com, and later hosted Clibcom.com from 2017. An industry source told us that clibcom.com\r\nwas previously attributed to APT31. Can anyone help us verify this? \r\nWe are pretty confident that Cheng is affiliated with APT31. He has material indicating his interest in Cisco and\r\nSOHO router exploitation, known TTPs of APT31. Notes on his phone indicate he is thinking about APT31 and,\r\npresumably, their exploitation of IoT devices, and he has the login credentials for an IP which a source has\r\nattributed to APT31. \r\nOverall, things are heating up. We’ve linked the hacking school to the MSS via its owner. We’ve linked the\r\nhacking school to Xiaoruizhi via its employees and its poaching of graduates. And we have enough information to\r\ntentatively link Xiaoruizhi in turn to APT31. But there’s one missing link. The MSS. 
\r\nSource: https://intrusiontruth.wordpress.com/2023/05/16/introducing-cheng-feng",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://intrusiontruth.wordpress.com/2023/05/16/introducing-cheng-feng"
	],
	"report_names": [
		"introducing-cheng-feng"
	],
	"threat_actors": [
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434637,
	"ts_updated_at": 1775792242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3a529dc5526c77787934b5c00a735a1c42529f7.pdf",
		"text": "https://archive.orkl.eu/b3a529dc5526c77787934b5c00a735a1c42529f7.txt",
		"img": "https://archive.orkl.eu/b3a529dc5526c77787934b5c00a735a1c42529f7.jpg"
	}
}