{
	"id": "9f5b537c-078a-4dfe-8d2e-ec865dc95727",
	"created_at": "2026-04-06T00:14:45.657204Z",
	"updated_at": "2026-04-10T03:35:46.002189Z",
	"deleted_at": null,
	"sha1_hash": "d5532b7844dcf8f624e918bf4dc557e21891607c",
	"title": "Wuhan Xiaoruizhi Class of ‘19",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4555354,
	"plain_text": "Wuhan Xiaoruizhi Class of ‘19\r\nBy intrusiontruth\r\nPublished: 2023-07-04 · Archived: 2026-04-05 14:33:56 UTC\r\nWelcome back Intrusion Truth readers, it’s been a little while. We hope you’ve spent the time reflecting on our\r\nfindings from our previous set of articles on suspicious happenings in and around Wuhan. We don’t know about\r\nyou, but even after six articles we felt we had some unfinished business with Wuhan Xiaoruizhi and friends. So,\r\nwe put together the remaining information we had to give you a few more interesting snippets on APT31’s\r\noperational infrastructure. \r\nFor our first annex, we will tackle a lead that was buried in the information leaked by our disaffected Xiaoruizhi\r\ninsider, of articles 4 and 5. That employees of Xiaoruizhi (AKA APT31 actors) had moved to new companies in\r\n2020. \r\nWe set out to investigate these claims and see if we could identify some, or all, of the follow-on destinations of\r\nXiaoruizhi’s class of 2019. And, we are pleased to report, we had a pretty good run. \r\nLet’s begin with the link that was most straightforward to piece together. A company we named, briefly, in an\r\nearlier article. \r\nA touch of in-depth Googling on some of the known Xiaoruizhi actors brought up the below spreadsheet, which\r\nproved to be a goldmine. A spreadsheet of Wuhan City-based individuals in receipt of employment/training\r\nsubsidies, which, luckily for us, includes the companies they are employed by. Poring through this enormous\r\ndocument, we hit the jackpot. Wuhan Shenzhou Human Resources Development Services.\r\nhttps://intrusiontruth.wordpress.com/2023/07/04/wuhan-xiaoruizhi-class-of-19\r\nPage 1 of 18\n\nAs of October 2020, no less than 12 Xiaoruizhi actors who we named previously were now on the books of\r\nWuhan Shenzhou Human Resources Development Service. \r\nWe again see some familiar characters – graduates of Wuhan Kerui Cracking Academy who left feedback. 
Xiong\r\nWang, Li Yilong, Hu Jiaxing (who we did not name but can be found on Kerui’s website) and Huang Zhen.\r\nMoving onto a human resources department can’t have been part of their plan following their elite hacker training,\r\nright? \r\nWuhan Shenzhou Human Resources appears to be legitimate, at least in the sense that it’s probably a real\r\ncompany. It’s got its own website, which is a start, on which it claims to have 500 square meters of office space\r\nand a labor force of 4,000 people. Impressive. \r\nWSHRS claims to specialize in labor dispatch, labor outsourcing, subcontracting, and headhunting, among a\r\nnumber of other noble pursuits. But this provides a clue. The practice of labor dispatch in China is a process by\r\nwhich employees are hired through an employment services agency and contracted out to an end user, as opposed\r\nto the traditional practice of direct employment. The workers sign contracts with the employment services agency,\r\nrather than the end user of their services. It’s our best guess here at team I-T that Wuhan Shenzhou Human\r\nResources now acts as labor dispatch for these 12 APT31 employees, and dispatches them out to – well – APT31\r\nor as others may know it; the MSS’ Hubei State Security Department’s cyberespionage program.\r\nHubei Chuangxin \r\nOur next front company came to us via the gift that has given generously throughout this investigation. Social\r\ninsurance. 
Specifically, the social insurance records for Liao Xuliang and Zhou Yin.\r\nFor our purposes, the most interesting rows of these documents are at the very bottom right. For both Liao and\r\nZhou the entry marked 201912, i.e. the insurance contribution for December 2019, was registered to Wuhan\r\nXiaoruizhi. But from 202001, January 2020, onwards, insurance contributions are registered to Hubei Chuangxin\r\nHuman Resources Department. \r\nReaders, if you’re anything like us, the span of your interest in Chinese Human Resources Service providers will\r\nbe limited, so we will spare you too much detail here. But it certainly looks, per the screenshots below, like Hubei\r\nChuangxin provides labor dispatch services in exactly the same way as Wuhan Shenzhou, that is, most probably\r\ncontracting Liao and Zhou back to the MSS (APT, oops – sorry; typo…..) \r\nWuhan Juge/Hubei Win Future \r\nMoving on. 
A contributor speaking on condition of anonymity provided us with information that a further 12\r\nformer employees of Wuhan Xiaoruizhi Science and Technology were now in receipt of subsidies under a separate\r\ncompany, Wuhan Juge Enterprise Management:\r\nChang Zhen 常振\r\nZhang Chaofeng 张超锋\r\nWang Guangcan 万光灿\r\nTu Meng 涂梦\r\nYan Wenlong 鄢文龙\r\nGu Chengwu 顾成武\r\nLiu Chencheng 刘晨成\r\nHuang Jin 黄金\r\nZuo Hequn 左鹤群\r\nLi Haiqing 李海青\r\nYuan Hongxi 苑红曦\r\nHou Qiang 侯强\r\nWuhan Juge appears to have a number of branches across Wuhan City, and has a wildly diverse business portfolio,\r\nwhich includes (deep breath): Enterprise management, marketing planning, human resource services, loading and\r\nunloading, general cargo warehousing services, storage (excluding dangerous goods!), communication\r\nengineering construction and maintenance, and, most randomly, sales of automobiles. Seriously impressive range\r\nfor a company staffed in large part by APT31.\r\nDigging into the shareholders and management of Wuhan Juge we found something interesting. The main\r\nshareholders are as follows: \r\n武汉云栖传媒有限公司 Wuhan Yunqi Media Co. Ltd. – main shareholder. \r\n腾飞 Teng Fei\r\n王道强 Wang Daoqiang\r\nAll three are also shareholders of another company called Hubei Win Future Enterprise Management AKA Hubei\r\nWin Future Technology. Similarly, the legal representative, GAN Chunyan, is the same for both companies, as is\r\nthe registered phone number, 18995647475: \r\nSo, there is considerable overlap in personnel/management between Juge and Win Future. 
Hubei Win Future,\r\naccording to a congratulatory article about a semi-recent recruitment drive, is a human outsourcing company of\r\nChina Telecom. It focusses on the recruitment of technical personnel and providing technical talent services for\r\nChina Telecom’s business. \r\nAccording to the article, prospective employees can expect to enjoy all of China’s most significant holidays as\r\nleave. Lucky them. \r\nWe had a source do some digging into Hubei Win Future to see if the overlap with Juge held any significance for\r\nus. And what do you know? We found another Xiaoruizhi employee. Cheng Feng. Looks like Wuhan Yunqi\r\nMedia, Teng Fei and Wang Daoqiang own an APT front company empire!\r\nSensing we were on to something, we continued to look at Hubei Win Future and found a new link. A phone\r\nnumber registered to Hubei Win Future, 18995647475, was also registered to one Hubei Junxinda. \r\nFurthermore, historic ownership data demonstrated that Hubei Junxinda was once a 25% shareholder of Hubei\r\nWin Future; and Hubei Win Future has been, according to internal reports, Hubei Junxinda’s principal supplier\r\n(although of what, we don’t know – perhaps personnel?): \r\nHubei Junxinda looks like a real company; various websites list numerous employees and a number of the projects\r\nthat Junxinda has won and in-depth reports such as the one above pore over its finances. 
It also has its own\r\nwebsite:\r\nA friend of I-T investigated their premises on our behalf, and found a secure facility at Hubei Junxinda’s address.\r\nHere is some imagery of their entrance hall: \r\nHere, we have to admit, our curiosity was piqued, but we ran out of road. We didn’t find any additional\r\nAPT31/Xiaoruizhi employees and were not able to uncover any more on the goings on behind closed doors at\r\nWuhan Juge, Hubei Win Future, and Hubei Junxinda. Any tips, give us a shout. \r\nSo, referring back to our original list of Xiaoruizhi employees, we’ve collated as many of their follow-on\r\ndestinations as we can. \r\nChinese Pinyin Destination after Xiaoruizhi\r\n曹锦芳 Cao Jinfang ?\r\n常振 Chang Zhen Wuhan Juge Enterprise Management \r\n程鼎 Cheng Ding ?\r\n程锋 Cheng Feng Hubei Win Future \r\n顾成武 Gu Chengwu Wuhan Juge Enterprise Management \r\n侯强 Hou Qiang Wuhan Juge Enterprise Management \r\n胡嘉祥 Hu Jiaxiang Wuhan Shenzhou Human Resources\r\n黄增辉 Huang Zenghui Wuhan Shenzhou Human Resources\r\n黄震 Huang Zhen Wuhan Shenzhou Human Resources\r\n黄振 Huang Zhen ?\r\n李海青 Li Haiqing Wuhan Juge Enterprise Management \r\n李家诚 Li Jiacheng Wuhan Shenzhou Human Resources\r\n李圣胜 Li Shengsheng Wuhan Shenzhou Human Resources\r\n李义龙 Li Yilong Wuhan Shenzhou Human Resources\r\n廖绪良 Liao Xuliang Hubei Chuangxin Human Resources\r\n刘晨成 Liu Chencheng Wuhan Juge Enterprise Management \r\n刘宏伟 Liu Hongwei Wuhan Shenzhou Human Resources\r\n马欢 Ma Huan Wuhan Shenzhou Human Resources\r\n唐星昭 Tang Xingzhao Wuhan Shenzhou Human Resources\r\n涂梦 Tu Meng Wuhan Juge Enterprise Management\r\n万光灿 Wan Guangcan Wuhan 
Juge Enterprise Management \r\n王意军 Wang Yijun Wuhan Shenzhou Human Resources\r\n魏耀斌 Wei Yaobin Wuhan Shenzhou Human Resources\r\n熊旺 Xiong Wang Wuhan Shenzhou Human Resources\r\n鄢文龙 Yan Wenlong Wuhan Juge Enterprise Management \r\n杨鑫 Yang Xin Wuhan Shenzhou Human Resources\r\n苑红曦 Yuan Hongxi Wuhan Juge Enterprise Management \r\n张超锋 Zhang Chaofeng Wuhan Juge Enterprise Management \r\n张立业 Zhang Liye Wuhan Shenzhou Human Resources\r\n赵光宗 Zhao Guangzong ?\r\n周鑫 Zhou Xin Hubei Chuangxin Human Resources\r\n左鹤群 Zuo Hequn Wuhan Juge Enterprise Management \r\nWe still have a few gaps, but we are pretty pleased that we have been able to piece together as much as we have. \r\nNow, we may never know what happened at Xiaoruizhi at the end of 2019 that caused APT31 to pursue a mass\r\ncareer change. Perhaps Xiaoruizhi had simply served its time as an APT front and the powers that be needed to\r\nmove APT31 into different administrative structures. \r\nAny light that our readers can shed would, as always, be gratefully received.\r\nSource: https://intrusiontruth.wordpress.com/2023/07/04/wuhan-xiaoruizhi-class-of-19",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://intrusiontruth.wordpress.com/2023/07/04/wuhan-xiaoruizhi-class-of-19"
	],
	"report_names": [
		"wuhan-xiaoruizhi-class-of-19"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434485,
	"ts_updated_at": 1775792146,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5532b7844dcf8f624e918bf4dc557e21891607c.pdf",
		"text": "https://archive.orkl.eu/d5532b7844dcf8f624e918bf4dc557e21891607c.txt",
		"img": "https://archive.orkl.eu/d5532b7844dcf8f624e918bf4dc557e21891607c.jpg"
	}
}