{
	"id": "690290f0-5ce2-44f6-b426-84b6be4595aa",
	"created_at": "2026-04-06T00:20:01.107216Z",
	"updated_at": "2026-04-10T03:35:45.978295Z",
	"deleted_at": null,
	"sha1_hash": "f31cbfbb87ce1c6bedede13596fdfb63d015079b",
	"title": "MiSSing links",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4913950,
	"plain_text": "MiSSing links\r\nBy intrusiontruth\r\nPublished: 2023-05-17 · Archived: 2026-04-05 16:51:44 UTC\r\nWe haven’t quite finished with Mr. Cheng yet. We have one final document to share from Cheng’s cloud: a photo\r\nof a handwritten note, a series of names, and differing currency values. \r\nhttps://intrusiontruth.wordpress.com/2023/05/17/missing-links\r\nPage 1 of 8\n\nNow, we can’t make out the name in the top left, but we are pretty sure that this is a cast list of Cheng’s\r\ncolleagues. Some of these names are old hat by now: Huang Zhen, Li Yilong, and Huang Zhen #2, for example,\r\ntake up the bottom three rows. We also have some others we named earlier: Hou Qiang, Wan Guangcan, Chang\r\nZhen, and Zhang Chaofeng. \r\nNot entirely surprising; we have already established the fact that Cheng and these other individuals work for the\r\nsame front company. But one name caught our eye, occupying the top line of the table: 崔总 or Chief Cui. \r\nThis seems like an apt time (if you’ll pardon the pun) to return to our disgruntled whistle-blower at Wuhan\r\nXiaoruizhi. Among the individuals they outed as being part of a Wuhan-based hacking team operating out of\r\nXiaoruizhi were two MSS officers: Chief Wen and Chief Cui. \r\nThe eagle-eyed amongst you might also recognize Chief Wen from an image in the previous article, on the price\r\nlist of routers, firewalls, and network cables that Cheng had. \r\nNow we had a really good dig into Chang Jiang AKA Chief Cui and Li Yue AKA Chief Wen. Unfortunately, we\r\ncould not find anything conclusive, which is possibly indicative of the level of personal operational security one\r\nmight expect of the mighty MSS. 
In the absence of anything more concrete, Chief Cui’s name in Cheng Feng’s\r\npossession alongside a number of Xiaoruizhi employees, and Chief Wen’s name on a document in Cheng Feng’s\r\npossession, at least add weight to our friend on Breachforums’ assertion that Cui and Wen maintain links to the\r\ncompany.\r\nThis got us thinking: we wonder who else works in and around Wuhan Xiaoruizhi who has MSS links? \r\nZhou Yuan\r\nThankfully, our investigation into Cheng Feng gave up one more lead. Some of the databases we queried looking\r\nfor Cheng’s credentials contained access logs for the services. We knew Cheng didn’t work in a vacuum; in fact,\r\nwe already knew he was one of many employees at Xiaoruizhi. So, we wondered if we could find any more of his\r\ncolleagues based on his IP history. Analysis of three Wuhan Chinanet IP addresses indicated that through much of\r\n2015, Cheng Feng’s accounts were co-located with an account owned by one Zhou Yuan (周源). \r\nNow we have been giving everyone the deep dive treatment, and our friend Zhou is no different. We couldn’t find\r\nmuch trace of him on social media, but thankfully the gods of breached data continued to smile on us. We again\r\nworked with a trusted contact who was able to gain access to one of Zhou’s cloud hosting accounts. Here we\r\nhave, from that cloud account, two 2016 photos of our friend Zhou in glorious selfie style. \r\nThe uniform he is wearing is one used by both the Chinese Ministry of Public Security and the MSS. The two are\r\nnear identical, but for a couple of distinguishing factors. The first: the characters on the arm badge, above the orange\r\nand beneath the word ‘POLICE’.\r\nMPS “公安” (Public Security) badge on left; MSS “国安” (State Security) badge on right. \r\nIn his left-hand selfie, these characters are not visible on Zhou’s uniform – we can’t be sure if he has pixelated\r\nthem. 
If he has, what is he trying to hide?\r\nThe second distinguishing factor can be found on the pin on Zhou’s chest, which conveniently is visible. \r\nA closer look at Zhou’s pin: \r\nZhou’s badge reads “国安” or State Security; distinct from MPS badges, which display the province name as\r\nbelow:\r\nMPS badge for “广东” or Guangdong \r\nSo, we are pretty confident that Zhou is wearing an MSS uniform. \r\nZhou’s selfies also provided us with another gift: metadata. In this case, geolocating Zhou to the headquarters of\r\nthe Hubei State Security Department. \r\nZhou looks so young and innocent that we almost feel guilty. But then, if you are going to take selfies in an MSS\r\nuniform…in an MSS building… As they say in China, 凡动刀的，必死在刀下. Those who live by the sword, die\r\nby the sword. \r\nDemonstrating the longevity of Zhou’s affiliation with the MSS, we also found a 2018 photo, again geolocated to\r\nwhat appears to be the secure car park of the same imposing building. \r\nNow, we can’t be sure of Zhou Yuan’s true employer. But we can say for sure that he is an employee of the\r\nChinese government, and at the very least was affiliated with the MSS over a period of several years. \r\nSo, we have a possible MSS officer regularly connecting to personal accounts from the same IP addresses as\r\nCheng Feng, an employee of a supposedly private Wuhan-based technological enterprise. Strange, certainly, but\r\nnot a smoking gun which proves Wuhan Xiaoruizhi’s links to the MSS beyond reasonable doubt. After all, spies\r\nhave friends just like normal people, and Cheng and Zhou could be just that. \r\nWe found one more photo in Zhou’s possession which we think brings our story nicely full circle\r\nand will be where we leave you, for now at least. 
\r\nThis, dear reader, is part of the official business registration certificate for Wuhan Xiaoruizhi Science and\r\nTechnology. Why, you might ask, does a possible MSS officer hold the registration certificate for a private\r\ntechnological enterprise? Surely, someone holding such an important document has to have some kind of senior\r\noversight or administrative role in the company itself? At the very least, he is linked to the company. \r\nAt team Intrusion Truth we are satisfied that Zhou having a photo of this certificate and being regularly co-located\r\nwith a Xiaoruizhi employee bears out our theory that Wuhan Xiaoruizhi is not a private enterprise; instead it is a\r\nfront for an MSS-sponsored APT. Zhou Yuan probably has a role in running the APT, along with his probable\r\nMSS colleagues Chief Cui and Chief Wen. \r\nThis has been a wild ride. How about we summarize how we got here. \r\nWe have found a suspicious hacking school whose owner has links to the MPS and MSS, and whose graduates go\r\non to mysterious destinations and private companies supporting the government. One such destination is what\r\nlooks to be a fishy APT front company. Said front company has a disgruntled employee leaking sensitive\r\ndocuments online and alleging that the company is affiliated with an elite hacking team in Wuhan. An employee\r\nof the front company bears out its links to Kerui Cracking Academy, and has material in his possession which\r\nsupports his affiliation with APT31. Said employee has more material in his possession indicating links to two\r\nMSS officers who have already been doxed on the darkweb as part of Xiaoruizhi. This employee is also regularly\r\nco-located with a possible third MSS officer, who in turn has, in his possession, Xiaoruizhi documents. \r\nOne thing is for sure. 
All is not as it seems at Xiaoruizhi. \r\nAnd now a plea to you: what else can you find on these individuals? Can you help us tighten Xiaoruizhi’s\r\nattribution to APT31? \r\nGoodbye for now, but we will be back. We still have more to share on Xiaoruizhi and friends – 等着瞧. \r\nSource: https://intrusiontruth.wordpress.com/2023/05/17/missing-links",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://intrusiontruth.wordpress.com/2023/05/17/missing-links"
	],
	"report_names": [
		"missing-links"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434801,
	"ts_updated_at": 1775792145,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f31cbfbb87ce1c6bedede13596fdfb63d015079b.pdf",
		"text": "https://archive.orkl.eu/f31cbfbb87ce1c6bedede13596fdfb63d015079b.txt",
		"img": "https://archive.orkl.eu/f31cbfbb87ce1c6bedede13596fdfb63d015079b.jpg"
	}
}