{
	"id": "ece32c58-2837-4fcb-8a9e-0da1888ce138",
	"created_at": "2026-04-06T00:18:15.227497Z",
	"updated_at": "2026-04-10T13:11:33.199659Z",
	"deleted_at": null,
	"sha1_hash": "e93cfc3f9a1b560733172b8dc7229d6fb3e8e4fb",
	"title": "Chinese VPN Service as Attack Platform?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1371144,
	"plain_text": "Chinese VPN Service as Attack Platform?\r\nPublished: 2015-08-04 · Archived: 2026-04-05 23:09:05 UTC\r\nHardly a week goes by without a news story about state-sponsored Chinese cyberspies breaking into Fortune 500\r\ncompanies to steal intellectual property, personal data and other invaluable assets. Now, researchers say they’ve\r\nunearthed evidence that some of the same Chinese hackers also have been selling access to\r\ncompromised computers within those companies to help perpetrate future breaches.\r\nThe so-called “Great Firewall of China” is an effort by the Chinese government to block citizens from accessing\r\nspecific content and Web sites that the government has deemed objectionable. Consequently, many Chinese seek\r\nto evade such censorship by turning to virtual private network or “VPN” services that allow users to tunnel their\r\nInternet connections to locations beyond the control of the Great Firewall.\r\nSecurity experts at RSA Research say they’ve identified an archipelago of Chinese-language virtual private\r\nnetwork (VPN) services marketed to Chinese online gamers and those wishing to evade censorship, but which\r\nalso appear to be used as an active platform for launching attacks on non-Chinese corporations while obscuring\r\nthe origins of the attackers.\r\nDubbed by RSA as “Terracotta VPN” (a reference to the Chinese Terracotta Army), this satellite array of VPN\r\nservices “may represent the first exposure of a PRC-based VPN operation that maliciously, efficiently and rapidly\r\nenlists vulnerable servers around the world,” the company said in a report released today.\r\nThe hacker group thought to be using Terracotta to launch and hide attacks is known by a number of code names,\r\nincluding the “Shell_Crew” and “Deep Panda.” Security experts have tied this Chinese espionage gang to some of\r\nthe largest data breaches in U.S. history, including the recent attack on the U.S. 
Office of Personnel Management,\r\nas well as the breaches at U.S. healthcare insurers Anthem and Premera.\r\nAccording to RSA, Terracotta VPN has more than 1,500 nodes around the world where users can pop up on the\r\nInternet. Many of those locations appear to be little more than servers at Internet service providers in the United\r\nStates, Korea, Japan and elsewhere that offer cheap virtual private servers.\r\nhttps://krebsonsecurity.com/2015/08/chinese-vpn-service-as-attack-platform/\r\nPage 1 of 6\n\nBut RSA researchers said they discovered that many of Terracotta’s exit nodes were compromised Windows\r\nservers that were “harvested” without the victims’ knowledge or permission, including systems at a Fortune 500\r\nhotel chain; a hi-tech manufacturer; a law firm; a doctor’s office; and a county government of a U.S. state.\r\nThe report steps through a forensics analysis that RSA conducted on one of the compromised VPN systems,\r\ntracking each step the intruders took to break into the server and ultimately enlist the system as part of the\r\nTerracotta VPN network.\r\n“All of the compromised systems, confirmed through victim-communication by RSA Research, are Windows\r\nservers,” the company wrote. “RSA Research suspects that Terracotta is targeting vulnerable Windows servers\r\nbecause this platform includes VPN services that can be configured quickly (in a matter of seconds).”\r\nRSA says suspected nation-state actors have leveraged at least 52 Terracotta VPN nodes to exploit sensitive targets\r\namong Western government and commercial organizations. 
The company said it received a specific report from a\r\nlarge defense contractor concerning 27 different Terracotta VPN node Internet addresses that were used to send\r\nphishing emails targeting users in their organization.\r\n“Out of the thirteen different IP addresses used during this campaign against this one (APT) target, eleven (85%)\r\nwere associated with Terracotta VPN nodes,” RSA wrote of one cyber espionage campaign it investigated.\r\n“Perhaps one of the benefits of using Terracotta for Advanced Threat Actors is that their espionage related network\r\ntraffic can blend-in with ‘otherwise-legitimate’ VPN traffic.”\r\nDIGGING DEEPER\r\nRSA’s report includes a single screen shot of software used by one of the commercial VPN services marketed on\r\nChinese sites and tied to the Terracotta network, but for me this was just a tease: I wanted a closer look at this\r\nnetwork, yet RSA (or more likely, the company’s lawyers) carefully omitted any information in its report that\r\nwould make it easy to locate the sites selling or offering the Terracotta VPN.\r\nRSA said the Web sites advertising the VPN services are marketed on Chinese-language Web sites that are for the\r\nmost part linked by common domain name registrant email addresses and are often hosted on the same\r\ninfrastructure with the same basic Web content. 
Along those lines, the company did include one very useful tidbit\r\nin its report: A section designed to help companies detect servers that may be compromised warned that any\r\nWeb servers seen phoning home to 8800free[dot]info should be considered hacked.\r\nA lookup at Domaintools.com for the historic registration records on 8800free[dot]info shows it was originally\r\nregistered in 2010 to someone using the email address “xnt50@163.com.” Among the nine other domains\r\nregistered to xnt50@163.com is 517jiasu[dot]cn, an archived version of which is available here.\r\nDomaintools shows that in 2013 the registration record for 8800free[dot]info was changed to include the email\r\naddress “jzbb@foxmail.com.” Helpfully, that email was used to register at least 39 other sites, including quite a\r\nfew that are or were at one time advertising similar-looking VPN services.\r\nPivoting off the historic registration records for many of those sites turns up a long list of VPN sites registered to\r\nother interesting email addresses, including “adsyb@163.com,” “asdfyb@hotmail.com” and “itjsq@qq.com”\r\n(click the email addresses for a list of domains registered to each).\r\nArmed with lists of dozens of VPN sites, it wasn’t hard to find several sites offering different VPN clients for\r\ndownload. I installed each on a carefully isolated virtual machine (don’t try this at home, kids!). Here’s one of\r\nthose sites:\r\nA Google-translated version of one of the sites offering the VPN software and service that RSA has dubbed\r\n“Terracotta.”\r\nAll told, I managed to download, install and use at least three VPN clients from VPN service domains tied to the\r\nabove-mentioned email addresses. 
The Chinese-language clients were remarkably similar in overall appearance\r\nand function, and listed exit nodes via tabs for several countries, including Canada, Japan, South Korea and\r\nthe United States, among others. Here is one of the VPN clients I played with in researching this story:\r\nThis one was far more difficult to use, and crashed repeatedly when I first tried to take it for a test drive:\r\nNone of the VPN clients I tried would list the Internet addresses of the individual nodes. However, each node in\r\nthe network can be discovered simply by running some type of network traffic monitoring tool in the background\r\n(I used Wireshark), and logging the address that is pinged when one clicks on a new connection.\r\nRSA said it found more than 500 Terracotta servers that were U.S. based, but I must have gotten in on the fun after\r\nthe company started notifying victim organizations because I found only a few dozen U.S.-based hosts in any of\r\nthe VPN clients I checked. And most of the ones I did find that were based in the United States appeared to be\r\nvirtual private servers at a handful of hosting companies.\r\nThe one exception I found was a VPN node tied to a dedicated Windows server for the Web site of a company in\r\nMichigan that manufactures custom-made chairs for offices, lounges and meeting rooms. Contacted by\r\nKrebsOnSecurity, the company confirmed that its server was infected and beaconing home to the control servers\r\ndescribed in the RSA report.\r\nIn addition to the U.S.-based hosts, I managed to step through a huge number of systems based in South Korea. I\r\ndidn’t have time to look through each record to see whether any of the Korean exit nodes were interesting, but\r\nhere’s the list I came up with in case anyone is interested. 
I simply haven’t had time to look at and look up the rest\r\nof the clients in what RSA is calling the Terracotta network. Here’s a more simplified list of just the organizational\r\nnames attached to each record.\r\nAssuming RSA’s research is accurate (and I have no reason to doubt that it isn’t) the idea of hackers selling access\r\nto hacked PCs for anonymity and stealth online is hardly a new one. In Sept. 2011, I wrote about how the Russian\r\ncybercriminals responsible for building the infamous TDSS botnet were selling access to computers sickened with\r\nthe malware via a proxy service called AWMProxy, even allowing customers to pay for the access with PayPal,\r\nVisa and MasterCard.\r\nIt is, after all, incredibly common for malicious hackers to use systems they’ve hacked to help perpetrate future\r\ncybercrimes – particularly espionage attacks. A classified map of the United States obtained by NBC last week\r\nshowing the victims of Chinese cyber espionage over the past five years lights up like so many exit nodes in a\r\nVPN network.\r\nSource: NBC\r\nUpdate, 2:34 p.m. ET: Updated the story to note that I heard back from the furniture company victim named in\r\nthe story, and that the company was able to confirm a breach of its servers by this VPN service.\r\nSource: https://krebsonsecurity.com/2015/08/chinese-vpn-service-as-attack-platform/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2015/08/chinese-vpn-service-as-attack-platform/"
	],
	"report_names": [
		"chinese-vpn-service-as-attack-platform"
	],
	"threat_actors": [
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434695,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e93cfc3f9a1b560733172b8dc7229d6fb3e8e4fb.pdf",
		"text": "https://archive.orkl.eu/e93cfc3f9a1b560733172b8dc7229d6fb3e8e4fb.txt",
		"img": "https://archive.orkl.eu/e93cfc3f9a1b560733172b8dc7229d6fb3e8e4fb.jpg"
	}
}