| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Actor(s): APT41, EMISSARY PANDA, GALLIUM, HAFNIUM, Hurricane Panda, Leviathan
a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime.
| 2024-05-23
⋅
Palo Alto Networks Unit 42
⋅
Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia Agent Racoon CHINACHOPPER Ghost RAT JuicyPotato MimiKatz Ntospy PlugX SweetSpecter TunnelSpecter CL-STA-0043 |
| 2024-04-19
⋅
⋅
Spiegel Online
⋅
VW-Konzern wurde jahrelang ausspioniert – von China? CHINACHOPPER PlugX |
| 2023-06-16
⋅
Palo Alto Networks: Cortex Threat Research
⋅
Through the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle East and Africa CHINACHOPPER Ladon Yasso CL-STA-0043 |
| 2023-02-13
⋅
AhnLab
⋅
Dalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign Godzilla Webshell ASPXSpy BlueShell CHINACHOPPER Cobalt Strike Ladon MimiKatz Dalbit |
| 2022-12-24
⋅
Medium (@DCSO_CyTec)
⋅
APT41 — The spy who failed to encrypt me CHINACHOPPER |
| 2022-09-29
⋅
Symantec
⋅
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East CHINACHOPPER Lookback MimiKatz PlugX Unidentified 096 (Keylogger) x4 Witchetty |
| 2022-07-26
⋅
Microsoft
⋅
Malicious IIS extensions quietly open persistent backdoors into servers CHINACHOPPER MimiKatz |
| 2022-07-18
⋅
Palo Alto Networks Unit 42
⋅
Iron Taurus CHINACHOPPER Ghost RAT Wonknu ZXShell APT27 |
| 2022-06-15
⋅
Security Joes
⋅
Backdoor via XFF: Mysterious Threat Actor Under Radar CHINACHOPPER |
| 2022-01-27
⋅
JSAC 2021
⋅
What We Can Do against the Chaotic A41APT Campaign CHINACHOPPER Cobalt Strike HUI Loader SodaMaster |
| 2021-11-03
⋅
Cisco Talos
⋅
Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk Babuk CHINACHOPPER |
| 2021-09-03
⋅
FireEye
⋅
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers CHINACHOPPER HTran |
| 2021-08-03
⋅
Cybereason
⋅
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos CHINACHOPPER Cobalt Strike MimiKatz Nebulae |
| 2021-07-20
⋅
Secureworks
⋅
Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran CHINACHOPPER MimiKatz RGDoor |
| 2021-06-10
⋅
ESET Research
⋅
BackdoorDiplomacy: Upgrading from Quarian to Turian CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy |
| 2021-05-07
⋅
SophosLabs Uncut
⋅
New Lemon Duck variants exploiting Microsoft Exchange Server CHINACHOPPER Cobalt Strike Lemon Duck |
| 2021-05-07
⋅
Cisco Talos
⋅
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs CHINACHOPPER Cobalt Strike Lemon Duck |
| 2021-05-06
⋅
Trend Micro
⋅
Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei |
| 2021-05-05
⋅
Symantec
⋅
Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques CHINACHOPPER |
| 2021-04-27
⋅
Trend Micro
⋅
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability CHINACHOPPER Cobalt Strike |
| 2021-04-16
⋅
Trend Micro
⋅
Could the Microsoft Exchange breach be stopped? CHINACHOPPER |
| 2021-04-15
⋅
Palo Alto Networks Unit 42
⋅
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials CHINACHOPPER |
| 2021-03-26
⋅
Imperva
⋅
Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures CHINACHOPPER |
| 2021-03-25
⋅
Microsoft
⋅
Web Shell Threat Hunting with Azure Sentinel CHINACHOPPER |
| 2021-03-25
⋅
Microsoft
⋅
Analyzing attacks taking advantage of the Exchange Server vulnerabilities CHINACHOPPER |
| 2021-03-21
⋅
Twitter (@CyberRaiju)
⋅
Twitter Thread with analysis of .NET China Chopper CHINACHOPPER |
| 2021-03-19
⋅
Bundesamt für Sicherheit in der Informationstechnik
⋅
Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) CHINACHOPPER MimiKatz |
| 2021-03-15
⋅
Trustwave
⋅
HAFNIUM, China Chopper and ASP.NET Runtime CHINACHOPPER |
| 2021-03-11
⋅
DEVO
⋅
Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service CHINACHOPPER MimiKatz |
| 2021-03-11
⋅
Cyborg Security
⋅
You Don't Know the HAFNIUM of it... CHINACHOPPER Cobalt Strike PowerCat |
| 2021-03-11
⋅
Palo Alto Networks Unit 42
⋅
Microsoft Exchange Server Attack Timeline CHINACHOPPER |
| 2021-03-10
⋅
DomainTools
⋅
Examining Exchange Exploitation and its Lessons for Defenders CHINACHOPPER |
| 2021-03-10
⋅
PICUS Security
⋅
Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers CHINACHOPPER |
| 2021-03-10
⋅
Lemon's InfoSec Ramblings
⋅
Microsoft Exchange & the HAFNIUM Threat Actor CHINACHOPPER |
| 2021-03-09
⋅
PRAETORIAN
⋅
Reproducing the Microsoft Exchange Proxylogon Exploit Chain CHINACHOPPER |
| 2021-03-09
⋅
YouTube (John Hammond)
⋅
HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange CHINACHOPPER |
| 2021-03-09
⋅
Palo Alto Networks Unit 42
⋅
Remediation Steps for the Microsoft Exchange Server Vulnerabilities CHINACHOPPER |
| 2021-03-09
⋅
Red Canary
⋅
Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm CHINACHOPPER |
| 2021-03-08
⋅
Palo Alto Networks Unit 42
⋅
Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells CHINACHOPPER |
| 2021-03-08
⋅
Symantec
⋅
How Symantec Stops Microsoft Exchange Server Attacks CHINACHOPPER MimiKatz |
| 2021-03-07
⋅
TRUESEC
⋅
Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM CHINACHOPPER |
| 2021-03-05
⋅
Huntress Labs
⋅
Operation Exchange Marauder CHINACHOPPER |
| 2021-03-05
⋅
Wired
⋅
Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims CHINACHOPPER |
| 2021-03-04
⋅
Huntress Labs
⋅
Operation Exchange Marauder CHINACHOPPER |
| 2021-03-04
⋅
FireEye
⋅
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities CHINACHOPPER HAFNIUM |
| 2021-03-04
⋅
CrowdStrike
⋅
Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits CHINACHOPPER HAFNIUM |
| 2021-03-03
⋅
MITRE
⋅
HAFNIUM CHINACHOPPER HAFNIUM |
| 2021-03-03
⋅
Huntress Labs
⋅
Mass exploitation of on-prem Exchange servers :( CHINACHOPPER HAFNIUM |
| 2021-03-03
⋅
Huntress Labs
⋅
Rapid Response: Mass Exploitation of On-Prem Exchange Servers CHINACHOPPER HAFNIUM |
| 2021-03-02
⋅
Twitter (@ESETresearch)
⋅
Tweet on Exchange RCE CHINACHOPPER HAFNIUM |
| 2021-03-02
⋅
Rapid7 Labs
⋅
Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day CHINACHOPPER HAFNIUM |
| 2021-03-02
⋅
Volexity
⋅
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities CHINACHOPPER HAFNIUM |
| 2021-03-02
⋅
Microsoft
⋅
HAFNIUM targeting Exchange Servers with 0-day exploits CHINACHOPPER HAFNIUM |
| 2021-01-29
⋅
Trend Micro
⋅
Chopper ASPX web shell used in targeted attack CHINACHOPPER MimiKatz |
| 2021-01-01
⋅
DomainTools
⋅
Conceptualizing a Continuum of Cyber Threat Attribution CHINACHOPPER SUNBURST |
| 2020-11-27
⋅
PTSecurity
⋅
Investigation with a twist: an accidental APT attack and averted data destruction TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz |
| 2020-10-01
⋅
US-CERT
⋅
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy |
| 2020-09-15
⋅
US-CERT
⋅
Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities CHINACHOPPER Fox Kitten |
| 2020-09-15
⋅
US-CERT
⋅
Malware Analysis Report (AR20-259A): Iranian Web Shells CHINACHOPPER |
| 2020-07-21
⋅
Department of Justice
⋅
Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research CHINACHOPPER BRONZE SPRING |
| 2020-02-21
⋅
ADEO DFIR
⋅
APT10 Threat Analysis Report CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
| 2020-01-01
⋅
FireEye
⋅
Mandiant IR Grab Bag of Attacker Activity TwoFace CHINACHOPPER HyperBro HyperSSL |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27 |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE PRESIDENT CHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE ATLAS Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41 |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE MOHAWK AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40 |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE EXPRESS 9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26 |
| 2019-12-12
⋅
Microsoft
⋅
GALLIUM: Targeting global telecom CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM |
| 2019-11-19
⋅
FireEye
⋅
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
| 2019-09-23
⋅
MITRE
⋅
APT41 Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
| 2019-08-27
⋅
Cisco Talos
⋅
China Chopper still active 9 years later CHINACHOPPER |
| 2019-08-19
⋅
FireEye
⋅
GAME OVER: Detecting and Stopping an APT41 Operation ACEHASH CHINACHOPPER HIGHNOON |
| 2019-06-25
⋅
Cybereason
⋅
OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS CHINACHOPPER HTran MimiKatz Poison Ivy Operation Soft Cell |
| 2019-05-28
⋅
Palo Alto Networks Unit 42
⋅
Emissary Panda Attacks Middle East Government Sharepoint Servers CHINACHOPPER HyperSSL |
| 2019-01-01
⋅
MITRE
⋅
Tool description: China Chopper CHINACHOPPER |
| 2018-03-16
⋅
FireEye
⋅
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll APT40 |
| 2017-12-20
⋅
CrowdStrike
⋅
An End to “Smash-and-Grab” and a Move to More Targeted Approaches CHINACHOPPER |
| 2013-08-07
⋅
FireEye
⋅
Breaking Down the China Chopper Web Shell - Part I CHINACHOPPER |
There is no Yara-Signature yet.