Leaked Knownsec documents reveal China’s cyberespionage ecosystem. Analyze TargetDB, GhostX, and 404 Lab’s role in global reconnaissance and critical infrastructure targeting.
EXECUTIVE SUMMARY
In November 2025, an allegedly massive leak of data from the Chinese company Knownsec was posted to a GitHub account. The initial leak was covered by Wired and a few other outlets. The leak has since been pulled from GitHub and was downloaded by very few; of those who gained access, only one re-uploaded 65 documents elsewhere as a primer to the leak for others to see. DTI was able to obtain these 65 document images, and this report is derived from that slice of a much larger leak that exists but is not available.
On December 31, 2025, the platform and threat intelligence company Resecurity published an excellent analysis of the full leak. As we have been working through the 60+ available screenshots since early November, Resecurity’s post provides additional context in a few areas, especially targeting, that complements the depth to which we analyzed Knownsec’s technical capabilities.
Ostensibly, Knownsec appeared to be just another security company, but this is only a half-truth. In reality, like other Chinese firms we have reported on, it has a shadow organization that works for the PLA, the MSS, and the organs of the Chinese security state. This leak exposes a state-aligned cyber contractor that operates far beyond the role of a typical cybersecurity vendor. Its internal documents, product manuals, and data repositories show a company engineered to support Chinese national security, intelligence, and military objectives. Tools like ZoomEye and the Critical Infrastructure Target Library give China a global reconnaissance system that catalogs millions of foreign IPs, domains, and organizations mapped by sector, geography, and strategic value. Massive datasets containing real names, ID numbers, mobile phone numbers, emails, and credentials allow Knownsec and its government clients to correlate infrastructure with people, enabling rapid deanonymization, targeting, and social engineering.
On top of this data foundation, Knownsec’s offensive products (GhostX, Un-Mail, and Passive Radar) purport to provide a full intrusion and surveillance pipeline. GhostX delivers browser exploitation, routing manipulation, credential theft, and endpoint monitoring. Un-Mail enables covert takeover and continuous exfiltration of email accounts across major global providers. Passive Radar ingests PCAP data via local uploads, FTP, or SSH to reconstruct internal network topologies, user communication patterns, and service inventories. These tools work together to support long-term access, DNS hijacking, admin takeover, and infrastructure control across foreign government, telecom, financial, and energy networks.
Organizational charts, customer lists, and internal briefings reveal Knownsec’s primary clients as Public Security Bureaus, defense research institutes, and likely the MSS, positioning it within China’s industrialized cyber-operations ecosystem. Its products are marketed directly to law enforcement and military customers, with teams explicitly labeled for “military industry,” “intelligence,” and “public-security support.” The leaked data shows a vertically integrated espionage stack for reconnaissance, exploitation, collection, and persistence, designed for both domestic surveillance and foreign intelligence operations, making Knownsec a central enabler of China’s modern cyber strategy.
Background
Knownsec (知道创宇), headquartered in Beijing, presents itself to the outside world as a familiar figure in the Chinese cybersecurity landscape, a company selling vulnerability assessments, penetration testing, and defensive solutions. It has long been framed as one of the country’s “white-hat” pillars, a firm dedicated to patching security gaps and strengthening networks. But the leaked internal documents, product manuals, work breakdown structure (WBS) project sheets, personnel directories, and vast infrastructure datasets tell a much more complex and far more consequential story. Beneath its public branding, Knownsec operates as an offensive intelligence contractor whose day-to-day work aligns directly with the operational needs of China’s security and military apparatus.
In practice, Knownsec functions within a tight constellation of state-aligned cyber contractors, a network that includes outfits like 404 Lab (internal to Knownsec), Qi-An-Xin, Venustech, and i-SOON (安洵). These entities form a parallel ecosystem to China’s formal intelligence services, separate on paper but woven into the broader machinery of state surveillance and cyberespionage. Together, they develop and maintain the tools, datasets, and capabilities required for large-scale identity tracking, offensive reconnaissance, infrastructure enumeration, and targeted intrusion. What sets Knownsec apart within this constellation is the degree of integration seen across its product lines: it does not merely produce one tool or one dataset, but rather an entire operational pipeline spanning discovery, exploitation, reconnaissance, persistence, and human-layer correlation.
The leaked materials reveal that Knownsec maintains some of the most extensive foreign targeting datasets yet seen in a contractor leak, covering Taiwan, Japan, South Korea, India, and multiple Western nations. Its clients include Public Security Bureaus at the provincial and national levels, defense research institutes, and intelligence-adjacent technical units. The company’s organizational charts and internal communications make clear that these relationships are not incidental; they are foundational to Knownsec’s business model and technical direction. In this light, Knownsec emerges not as a private security firm in the Western sense, but as a core node in China’s contractor-driven cyber state, a strategic architecture in which commercial entities serve as the research, development, and operational arms of state cyber power.
ACTOR TAXONOMY
Organizational Structure
Knownsec’s internal architecture, as reflected in this dump, resembles less a commercial technology company and far more a defense integrator calibrated to state needs. The organizational hierarchy is sharply defined, layered, and optimized for the production of offensive cyber capabilities. Each division has a narrowly tailored mandate that fits into a larger operational machine, an arrangement that mirrors the compartmentalization and task specialization typical of state-sponsored research institutes and weapons contractors.
At the technical core is the 404 Security Lab (404 实验室), a unit responsible for offensive research, exploitation development, and deanonymization, including stewardship of the GhostX tooling family. This is the engine room where browser exploits, network manipulation modules, and deanonymization workflows are built. Surrounding it is the Product Technology R&D Center, which transforms raw offensive ideas into stable, deployable products (most notably Passive Radar), protocol-analysis frameworks, and related reconnaissance systems. Feeding these tools is the Data Business Division, which curates massive datasets, foreign breach archives, and credential repositories, effectively forming the human intelligence layer of Knownsec’s cyber operations. Where state-aligned priorities shift toward military readiness or battlefield cyber support, the Military Products Division (军工) adapts and reconfigures Knownsec’s core technologies – ZoomEye, Radar, GhostX – into militarized variants suitable for defense research institutes and specialized units. Meanwhile, the ZoomEye Team maintains the company’s most publicly recognizable asset: a continuous internet-wide scanning and exposure fingerprinting platform. Once all these tools are built, the Beijing Testing Group ensures they meet stability and operational-readiness requirements before deployment to customers.
This hierarchy divides into distinct functional strata. At the strategic layer, executive leadership and cost-center directors coordinate funding, long-term planning, and alignment with state-customer requirements. The operational layer (project managers, planners, and supervisors) turns those directives into executable work, assigning tasks across teams and ensuring compliance with delivery timelines. The technical layer comprises exploit developers, reverse engineers, protocol analysts, “radar specialists” (those working with the platform for internet-scale sensing and detection), and data scientists: the hands-on specialists who build Knownsec’s offensive capabilities. Beneath them, the support layer handles content review, security inspection, documentation, and QA, critical roles that ensure continuity and polish across the toolchain.
Viewed holistically, the internal structure mirrors the logic of a Chinese cyber-weapons manufacturer: program management offices overseeing multi-year development tracks; governance systems controlling scope, deliverables, and interdepartmental dependencies; and specialized teams that collaborate, integrate, and refine capabilities in parallel. The result is not a loose assemblage of researchers, but a multi-team, multi-layered production line, where offensive tools move from concept to deployment with the discipline and scale of an industrial operation aligned to national strategic priorities.

Role Characterization
Knownsec’s internal personnel structure forms a tiered hierarchy that resembles the command-and-control model of a state-linked defense contractor rather than a commercial cybersecurity vendor. At the top sits the strategic layer, composed of executive leadership, business-unit heads, and cost-center directors who set long-term priorities, allocate resources, and ensure alignment with the missions of Public Security Bureaus, military research institutes, and other government stakeholders. Their role is not merely administrative; they define the operational direction of Knownsec’s offensive tooling, selecting which capabilities to develop, which foreign networks to map, and which datasets to prioritize for correlation.
Beneath them churns the operational layer, populated by project managers, planners, and supervisors responsible for translating strategic objectives into actionable engineering programs. These individuals oversee WBS tasking, cross-team coordination, and delivery timelines. They determine how GhostX (“GhostX Framework” offensive cyber platform) modules integrate with Un-Mail (email interception tool), how Passive Radar ingests or parses PCAP data, and how TargetDB updates synchronize with ZoomEye (search engine) output. In effect, they are the connective tissue that binds Knownsec’s sprawling toolchain into a coherent, predictable development pipeline.
The technical layer of exploit developers, radar engineers, data analysts, and infrastructure specialists is the skilled workforce that turns those plans into operational capabilities. These teams build the browser exploitation chains, protocol-analysis engines, deanonymization classifiers, and dataset-correlation tools that make Knownsec’s products function as integrated intrusion systems. Supporting them is a broad support layer of content reviewers, security inspectors, and test engineers who ensure data quality, operational safety, and readiness for customer deployment. This division of labor reinforces Knownsec’s resemblance to a Chinese cyber defense integrator, featuring programmatic control structures, specialized technical teams, and multi-layer orchestration designed to reliably produce offensive cyber capabilities at scale.

FULL CAPABILITY ANALYSIS
Global Reconnaissance Layer
Knownsec’s offensive operations begin with a global reconnaissance layer, a foundation built on visibility rather than exploitation. At the heart of this layer is ZoomEye, the company’s internet-wide scanning and fingerprinting platform. Externally marketed as a security research tool, ZoomEye in practice functions as a persistent intelligence sensor grid, one capable of mapping the exposed surfaces of entire nations. Unlike Shodan or FOFA, which rely on hybrid community indexing and slower crawl cycles, ZoomEye conducts full IPv4-space scanning, generating a continuously refreshed portrait of devices, services, and vulnerabilities across the global internet.
ZoomEye’s detection capabilities are unusually granular. Its internal documentation highlights a library of 40,000+ component fingerprints, allowing it to identify not just common servers but also specialized firewalls, industrial controllers, VPN concentrators, and software versions critical for exploitation targeting. The platform recrawls its indexed universe every 7–10 days, making its data nearly real-time, a crucial requirement for Chinese security organs that depend on freshness for both censorship enforcement and foreign operations. Every newly exposed port, misconfigured appliance, or unpatched system becomes visible to Knownsec’s analysts before many national CERTs are even aware of the shift.
The true power of ZoomEye emerges in its integration with Knownsec’s TargetDB (关基目标库: Key Target Library), a classified-style infrastructure database that cross-references ZoomEye results with sector, geographic, and organizational metadata. Raw IPs and banners from ZoomEye become tagged entries in a structured intelligence map identifying which systems belong to ministries, power companies, telecom operators, banks, or military units. In this way, ZoomEye doesn’t merely scan the internet; it prioritizes it, funneling raw exposure intelligence directly into China’s national-level targeting workflows.
ZoomEye
A global cyberspace search engine equivalent to Shodan/FOFA but with:
- Full IPv4-space scanning
- 40,000+ component fingerprints
- Rapid recrawl cycles (7–10 days)
- Cross-integration with TargetDB

TargetDB (关基目标库)
Knownsec’s TargetDB (关基目标库) is the analytical backbone of its reconnaissance capability, an immense, curated intelligence repository that transforms raw internet data into a structured map of global critical infrastructure. Far more than a simple asset index, TargetDB resembles a state-run targeting platform: a system designed to catalog, classify, and prioritize foreign networks according to strategic value. The scale alone is staggering. Internal documentation lists 24,241 organizations, 378,942,040 IP addresses, and 3,482,468 domains, all tagged with metadata that places them within specific industries, national sectors, and operational categories. These entries span 26 geographic regions, covering not only China’s immediate neighbors but also major economies and political rivals across Asia, Europe, and the West.
What gives TargetDB its strategic potency is the precision of its annotations. Each organization and network block is mapped to sector designations such as military, military-industrial, government ministries, telecom operators, energy providers, financial institutions, transportation networks, media outlets, and educational institutions. This transforms an anonymous IP range into a clearly identified target: a ministry of foreign affairs server in Tokyo, a regional power-grid node in Kaohsiung, a financial-trading gateway in Mumbai, or a satellite uplink belonging to a Korean telecom. The database does not simply list assets; it assigns them meaning, aligning infrastructure with strategic objectives and intelligence requirements.
In practice, TargetDB functions as a foreign-target prioritization engine, allowing Chinese state clients to focus their operations on the most consequential systems. When paired with ZoomEye’s continuous scanning, TargetDB becomes a living intelligence reference that highlights newly exposed systems belonging to sensitive entities. This fusion of raw exposure data with organizational and geopolitical context gives Knownsec and its customers a ready-made blueprint for cyber campaigns, identifying who matters, where they are located, and precisely which services are vulnerable at any given moment.

The Critical Infrastructure Target Library contains:
- 24,241 organizations
- 378,942,040 classified IPs
- 3,482,468 domains
- Sector mappings across 26 geographic regions
It annotates:
- Military units
- Government ministries
- Telecom operators
- Energy companies
- Financial institutions
- Media and education networks
Data Lake (o_data_*)
Knownsec’s o_data_* data lake represents one of the most revealing and troubling components of the entire leak. Beneath the polished surface of its security products lies a sprawling, carefully indexed archive of global breach data, sourced from criminal markets, prior compromises, open leaks, and internal acquisitions. These datasets include LinkedIn collections from Brazil and South Africa, Taiwan Yahoo account dumps, Indian Facebook user sets, and extensive Chinese national datasets ranging from railway passenger manifests to banking records and ID-card tables. Layered atop this are telecom subscriber databases, often containing phone numbers, IMSI/IMEI identifiers, addresses, and account metadata. Each dataset is catalogued with schema details including username, password, id_card, mobile, email, real_name, address, investment_style, and more, making the data lake a high-resolution, global directory of human digital traces.
Within Knownsec’s operational ecosystem, this data lake is not a passive archive; it functions as an identity-correlation engine. When a TargetDB entry identifies an exposed service or a ZoomEye scan reveals a misconfigured endpoint, analysts can pivot into the o_data_* records to uncover the real-world individuals associated with that IP, email, or domain. A VPN endpoint in Osaka becomes a person with a name, mobile number, and password reuse history. A Taiwanese banking server becomes an enumerated list of employees with matching emails, credential pairs, and personal details. These correlations enable credential replay attacks, account takeover attempts, and highly tailored social-engineering operations long before any exploit payload is deployed.
But the most powerful function of the data lake is its role in deanonymization. Modern cyber operations often hinge on identifying the human behind the machine, and the o_data_* archives allow Knownsec, and by extension its state customers, to strip away anonymity across borders. By linking breached credentials, phone numbers, and identity documents to technical infrastructure, the data lake fuels a range of offensive workflows: spearphishing campaigns, targeted malware delivery, behavioral profiling, and covert influence operations. In effect, the o_data_* collection serves as the human-intelligence layer of Knownsec’s cyber apparatus, turning scattered breach records into a structured intelligence resource that drives foreign espionage, domestic tracking, and precision targeting at scale.

A massive archive of global breach data:
- LinkedIn Brazil, South Africa
- Taiwan Yahoo email/password datasets
- Indian Facebook sets
- Chinese national ID/railway/banking data
- Telecom subscriber DBs
Purpose:
- Correlate human identities
- Enable credential replay
- Enable deanonymization
- Power targeted phishing and social engineering
Access Layer
Knownsec’s Access Layer is embodied most clearly in its flagship offensive toolkit, GhostX, a system designed not merely to breach endpoints but to reduce, reconstruct, and ultimately control digital identity. GhostX operates at the intersection of browser exploitation, network manipulation, and host persistence. It begins with browser fingerprinting, gathering granular details (plugins, fonts, extensions, power telemetry, and rendering quirks) to create a durable identity signature that follows a user across VPNs, proxies, and devices. Once a target is profiled, GhostX can be set to escalate into active compromise: extracting browser-stored passwords, siphoning cookies and session tokens, and deploying keylogging modules that capture input in real time. These capabilities allow operators to pivot immediately into email accounts, internal dashboards, or social platforms without requiring traditional exploit chains.
But GhostX’s reach extends well beyond the endpoint. The suite includes tools for internal service identification, mapping what the compromised machine can see inside a network: databases, ports, admin interfaces, intranet portals, and shared resources. From there, GhostX can manipulate the network environment itself through routing attacks and DNS hijacking, redirecting traffic or impersonating internal systems. The ability to create new admin accounts on routers or internal services turns a momentary foothold into a durable position within the victim’s infrastructure, enabling stealthy lateral movement or long-term monitoring. Operators can also invoke remote command execution, screenshot capture, and webpage cloning, giving GhostX a Swiss-army-knife versatility normally found in high-end, nation-state-grade intrusion platforms.
Central to GhostX’s design is its suite of anti-forensic mechanisms and techniques, such as code mixing, behavior shaping, and signatureless execution, explicitly described in internal product briefs. These features aim to frustrate defenders, slow incident response, and complicate attribution. When combined, GhostX becomes a multi-vector exploitation and persistence framework, engineered to collapse anonymity, extract access, and maintain covert presence across both user endpoints and network infrastructure. It is a foundational component of Knownsec’s offensive cycle, bridging the gap between reconnaissance and deeper operational penetration.
GhostX Virtual Identity Reduction & Exploitation Suite

Capabilities include:
- Browser fingerprinting
- Password extraction
- Cookie and credential theft
- Keylogging
- Website cloning
- Screenshot monitoring
- Internal service identification
- Routing manipulation
- DNS hijacking
- Admin user creation
- Command execution
- Anti-forensics (code mixing, signature evasion)
Un-Mail Webmail Takeover & Persistent Collection
Knownsec’s Un-Mail platform is the company’s dedicated engine for webmail takeover and long-term communications exploitation, effectively turning inboxes into intelligence feeds. Unlike traditional phishing tools or standalone password stealers, Un-Mail is built to compromise webmail ecosystems at the application layer, beginning with XSS-based exploitation of major mail portals. These injection points allow attackers to intercept login sessions, capture live session tokens, or inject malicious scripts directly into a victim’s browser workflow. Once access is established, Un-Mail seamlessly transitions into session hijacking and cookie replay, bypassing MFA or password-change events and ensuring operators maintain continuous entry even as the victim continues to use their account.
The platform’s most powerful capability is its ability to perform IMAP/POP mailbox replication, silently downloading the entire mailbox including archived, deleted, or years-old communications into a local datastore under operator control. This “first sync” is typically followed by ongoing incremental collection, with Un-Mail monitoring for new messages and exfiltrating them in real time. Operators can configure keyword triggers for sensitive terms, automate alerts when certain contacts communicate, and selectively forward or clone messages without user visibility. Internal product slides emphasize full inbox exfiltration and customizable monitoring dashboards, indicating a mature COMINT-oriented architecture rather than a simple webmail attack script.
Un-Mail’s reach is expanded by its cross-provider compatibility, with explicit support for Gmail, Outlook/Hotmail, Yahoo, AOL, and major Chinese providers such as 163, 126, TOM, and Yeah.net. This broad compatibility allows Knownsec and its state clients to conduct communications intelligence collection across national borders, harvesting diplomatic correspondence, corporate strategy emails, and internal government mails for targeting purposes. The result is a tool purpose-built for persistent surveillance, supporting intelligence requirements ranging from domestic monitoring to foreign espionage, further evidence that Knownsec’s operational mission extends deep into offensive state-cyber tradecraft.
Capabilities:
- XSS exploitation of webmail portals
- Session hijacking
- Cookie replay
- IMAP/POP mailbox replication
- Full inbox exfiltration
- Real-time keyword monitoring
- Cross-provider compatibility (Gmail, Outlook, Yahoo, 163, 126, etc.)
This enables communications intelligence collection (COMINT) across national borders.
Internal Network Discovery
Knownsec’s Passive Radar (无源雷达) is designed for the phase immediately following initial access, when the operational priority shifts from intrusion to comprehension. While tools such as GhostX focus on endpoints and Un-Mail captures communications, Passive Radar illuminates the internal network environment those systems inhabit. Its purpose is not exploitation in isolation, but the reconstruction of the operational terrain inside a compromised organization.
Unlike active scanners that generate detectable traffic, Passive Radar relies exclusively on the ingestion and analysis of packet capture (PCAP) data. This passive approach allows operators to observe a network as it actually behaves, without altering traffic patterns or triggering defensive controls. The system accepts PCAPs through three primary ingestion paths: direct offline uploads, remote retrieval via FTP, and secure acquisition over SSH. These mechanisms allow traffic to be sourced from compromised servers, misconfigured storage systems, network taps, or siphoned repositories without requiring live interaction with the target environment.
Once ingested, Passive Radar automatically extracts and classifies the network’s technical structure. It identifies IP addressing schemes, port usage, protocol signatures, service banners, device types, and traffic flows, assembling these elements into a coherent model of internal communications. By correlating flows over time, the platform reveals which systems communicate persistently, how authentication and directory services are organized, where data is aggregated or forwarded, and which services function as internal chokepoints.
This process exposes high-value internal assets that are often invisible from the perimeter: domain controllers, mail gateways, internal content-management systems, financial platforms, and management interfaces. Behavioral flow analysis highlights trust relationships, reused credentials, and open administrative paths that can be leveraged for lateral movement. Device classification further identifies unmanaged servers, weakly configured firewalls, and embedded or IoT systems that present escalation opportunities.
Through this transformation of raw packet data into structured internal intelligence, Passive Radar provides the situational awareness required to move beyond an initial foothold and toward sustained control of a target network.
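To make concrete what this kind of PCAP-only analysis yields, the following added example (our own illustration, not Knownsec’s code or anything from the leak) parses a classic pcap file, rebuilds TCP/UDP flows, and reports the hub hosts and cleartext administrative channels a capture would disclose; defenders can run the same pass over their own captures to see what an adversary holding them would learn. All IP addresses, ports and the sample traffic are constructed, and the choice of telnet and FTP as the flagged ports is an assumption.

```python
"""Parse a classic pcap file, rebuild flows, and summarise what the capture reveals.
Constructed sample traffic is built at the bottom so the script runs offline."""
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
CLEARTEXT_ADMIN_PORTS = {23: "telnet", 21: "ftp"}  # assumption: cleartext admin services to flag


def parse_pcap(data: bytes):
    """Yield (timestamp, src_ip, dst_ip, proto, sport, dport) for each IPv4 TCP/UDP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != 1:        # only Ethernet link layer is handled here
        raise ValueError("unsupported link type %d" % link_type)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        # Ethernet header is 14 bytes; need at least a 20-byte IPv4 header after it
        if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETH_IPV4:
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        if proto not in (PROTO_TCP, PROTO_UDP) or len(ip) < ihl + 4:
            continue
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])  # ports lead both TCP and UDP
        yield (ts_sec + ts_usec / 1e6, src, dst, proto, sport, dport)


def build_flows(packets):
    """Aggregate packets into (src, dst, proto, dport) flows with packet counts and time span."""
    flows = {}
    for ts, src, dst, proto, _sport, dport in packets:
        f = flows.setdefault((src, dst, proto, dport), {"packets": 0, "first": ts, "last": ts})
        f["packets"] += 1
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
    return flows


def chokepoints(flows, top=3):
    """Hosts with the most distinct peers: the internal hubs (directory, mail, DNS) a capture exposes."""
    peers = defaultdict(set)
    for src, dst, _proto, _dport in flows:
        peers[src].add(dst)
        peers[dst].add(src)
    return sorted(peers.items(), key=lambda kv: (-len(kv[1]), kv[0]))[:top]


def cleartext_admin(flows):
    """Flows to cleartext administrative services that a captured PCAP would disclose."""
    return sorted((src, dst, CLEARTEXT_ADMIN_PORTS[dport])
                  for (src, dst, proto, dport) in flows
                  if proto == PROTO_TCP and dport in CLEARTEXT_ADMIN_PORTS)


def _packet(ts, src, dst, proto, sport, dport):
    """Constructed pcap record: Ethernet + IPv4 + 4-byte port header + padding."""
    payload = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    frame = b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip_hdr + payload
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame


# Constructed sample capture: a few workstations talking to an internal directory server,
# a mail gateway, a DNS server, and one admin host managing a switch over telnet.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    _packet(*p) for p in [
        (1000, "10.0.0.5", "10.0.0.1", PROTO_TCP, 40001, 389),
        (1060, "10.0.0.5", "10.0.0.1", PROTO_TCP, 40002, 389),
        (1010, "10.0.0.6", "10.0.0.1", PROTO_TCP, 40003, 389),
        (1020, "10.0.0.7", "10.0.0.1", PROTO_TCP, 40004, 389),
        (1030, "10.0.0.5", "10.0.0.2", PROTO_TCP, 40005, 25),
        (1040, "10.0.0.9", "10.0.0.254", PROTO_TCP, 40006, 23),
        (1050, "10.0.0.6", "10.0.0.3", PROTO_UDP, 40007, 53),
    ])

if __name__ == "__main__":
    flows = build_flows(parse_pcap(SAMPLE_PCAP))
    for host, peers in chokepoints(flows):
        print("hub %-12s distinct peers: %d" % (host, len(peers)))
    for src, dst, svc in cleartext_admin(flows):
        print("cleartext admin channel: %s -> %s (%s)" % (src, dst, svc))
```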
Passive Radar (无源雷达)
The strategic significance of Passive Radar lies not merely in what it observes, but in how it collapses uncertainty for offensive operators. By deriving intelligence from real traffic rather than inferred exposure, the platform reveals how a network truly functions under normal conditions. This traffic-derived perspective exposes dependencies, trust boundaries, and operational habits that conventional vulnerability scanning cannot reliably detect.
Viewed through an offensive lens, Passive Radar functions as an internal reconnaissance and targeting system. Its outputs identify viable lateral-movement routes, uncover unencrypted administrative channels, and surface shared authentication paths that enable quiet expansion through a network. Instead of probing for weaknesses, it allows operators to exploit the structure that already exists, reducing noise while increasing precision.
This capability is particularly valuable in state-aligned operations, where persistence, attribution control, and long-term access outweigh speed. Passive Radar turns captured network traffic into operational intelligence that supports methodical expansion, selective exploitation, and planned data extraction. In effect, it converts the interior of a victim network from an opaque risk space into a charted environment suitable for controlled maneuver.
For Knownsec’s government and military customers, Passive Radar serves the same role in cyberspace that reconnaissance and terrain analysis serve in conventional operations. It enables planners to study internal infrastructure, anticipate defensive responses, and design lateral movement and persistence strategies with confidence. In this sense, Passive Radar is not simply a security product, but a foundational intelligence capability that bridges access and dominance within the digital battlespace.

A PCAP-based internal situational awareness tool:
3 ingestion modes:
- Offline PCAP
- FTP
- SSH
Extracts:
- IPs
- Ports
- Protocols
- Behavioral flows
- Services
- Device types
Purpose:
- Map internal networks
- Identify critical hosts
- Reveal lateral-movement opportunities
- Build operational intelligence for deeper compromise
Persistence & Exfiltration Layer
Knownsec’s Persistence & Exfiltration Layer represents the phase of an operation where intrusion shifts from momentary access to steady, renewable intelligence collection. Once an endpoint or infrastructure node has been compromised through GhostX, Un-Mail, or Passive Radar–assisted lateral movement, Knownsec’s tooling activates a suite of mechanisms designed to keep the operator embedded indefinitely. At the user level, this includes keylogging and clipboard capture, which harvest credentials, sensitive text, and operational behavior with granular precision. These seemingly simple functions become powerful when combined with GhostX’s browser and routing manipulation: every password typed, every copied token, every pasted URL becomes part of the attacker’s internal map of the victim’s digital life.
Beyond user surveillance, Knownsec’s tools enforce persistence by manipulating the environment itself. Forced browsing modules can redirect users to attacker-controlled sites to refresh payloads or harvest updated cookies, while webshell interaction provides a remote backdoor for issuing commands and staging follow-up operations. The ability to perform DNS hijacking ensures long-term redirection and covert traffic interception, allowing Knownsec’s operators or their state clients to control access to internal or external resources without needing continuous endpoint presence. When this is combined with admin account creation on routers or internal network appliances, attackers gain durable infrastructure-level footholds that survive password changes, system updates, and even some forms of incident response.
Communications exfiltration remains a central pillar of Knownsec’s persistence strategy. Through Un-Mail, compromised inboxes can be synchronized via ongoing IMAP replication, creating a live copy of the user’s communications outside the victim network. New messages are silently collected, sensitive terms trigger alerts, and historical archives can be mined for strategic value. When all these elements operate together (keystroke capture, environmental manipulation, infrastructure control, and communications replication), they form a persistent intelligence foothold. This foothold is not just durable; it is regenerative, enabling long-term espionage, strategic monitoring, and operational leverage across months or even years, well after the initial compromise has been forgotten by the victim.
Includes:
- Keylogging
- Clipboard capture
- Forced browsing
- Webshell interaction
- DNS hijack for long-term redirection
- Admin account creation on routers
- IMAP-based ongoing mailbox replication
This creates persistent intelligence footholds.
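The IMAP replication described above leaves a footprint on the mail server that defenders can look for: a source address the user never used before that keeps coming back day after day, often while the user’s own client is also logged in. The following Python is an added example for this report, not Knownsec tooling; it parses Dovecot-style `imap-login` lines (the sample log is constructed), builds a per-user baseline of source IPs from the first days of activity, and flags any other IP that either recurs on several distinct days or logs in within minutes of a baseline login. The thresholds (`baseline_days`, `min_days`, `overlap`) are assumptions to tune against real traffic.

```python
"""Spot an ongoing third-party IMAP sync (mailbox replication) in IMAP server logs.

Added example for this report; it is not Knownsec tooling. It reads Dovecot-style
imap-login lines (SAMPLE_LOG below is constructed) and, per user, flags any
source IP that was not seen during the user's baseline period and that either
keeps returning on several distinct days or logs in while the user's usual client
is also active: the footprint of a replica that syncs alongside the real mailbox.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dovecot "imap-login: Login:" line; only the timestamp, user and remote IP (rip=) are used.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ dovecot: imap-login: Login: "
    r"user=<(?P<user>[^>]+)>, method=\S+, rip=(?P<rip>[0-9a-fA-F.:]+),"
)

# Constructed sample: alice's own client is 198.51.100.7; from 2025-11-03 a second
# IP (203.0.113.9) starts a nightly session, once within minutes of her own login.
# bob's one-off login from a neighbouring IP (192.0.2.21) is the benign control case.
SAMPLE_LOG = """\
2025-11-01T08:02:11 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, mpid=4011, TLS, session=<s1>
2025-11-01T09:00:02 mx1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.20, lip=10.0.0.5, mpid=4012, TLS, session=<s2>
2025-11-02T08:05:40 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, mpid=4015, TLS, session=<s3>
2025-11-02T09:01:15 mx1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.20, lip=10.0.0.5, mpid=4016, TLS, session=<s4>
2025-11-03T08:01:09 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, mpid=4020, TLS, session=<s5>
2025-11-03T08:10:22 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.5, mpid=4022, TLS, session=<s6>
2025-11-03T08:10:23 mx1 dovecot: imap(alice)<4020><s5>: Disconnected: Logged out in=52 out=611
2025-11-04T03:15:00 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.5, mpid=4030, TLS, session=<s7>
2025-11-04T08:03:51 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, mpid=4031, TLS, session=<s8>
2025-11-04T17:30:44 mx1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.21, lip=10.0.0.5, mpid=4035, TLS, session=<s9>
2025-11-05T03:14:58 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.5, mpid=4040, TLS, session=<s10>
2025-11-05T08:00:30 mx1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5, mpid=4041, TLS, session=<s11>
"""


def parse_logins(lines):
    """Return (timestamp, user, source_ip) tuples, oldest first. Non-login lines are skipped."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["rip"]))
    return sorted(events)


def find_persistent_foreign_sessions(events, baseline_days=2, min_days=3,
                                     overlap=timedelta(minutes=30)):
    """Per user: IPs seen within `baseline_days` of the user's first login form the
    baseline. Any other IP is reported if it logs in on >= `min_days` distinct days
    (a durable replica) or within `overlap` of a baseline-IP login (a concurrent client).
    Thresholds are assumptions for this example; tune them against real traffic."""
    by_user = defaultdict(list)
    for ts, user, rip in events:
        by_user[user].append((ts, rip))

    findings = []
    for user, logins in by_user.items():
        logins.sort()
        cutoff = logins[0][0] + timedelta(days=baseline_days)
        baseline_ips = {rip for ts, rip in logins if ts < cutoff}
        baseline_times = [ts for ts, rip in logins if rip in baseline_ips]

        foreign = defaultdict(list)  # source IP -> login timestamps outside the baseline
        for ts, rip in logins:
            if rip not in baseline_ips:
                foreign[rip].append(ts)

        for rip, times in foreign.items():
            days = {t.date() for t in times}
            concurrent = any(abs(t - b) <= overlap for t in times for b in baseline_times)
            if len(days) >= min_days or concurrent:
                findings.append({
                    "user": user, "rip": rip, "days": len(days),
                    "first_seen": min(times).isoformat(),
                    "overlaps_baseline": concurrent,
                })
    return sorted(findings, key=lambda f: (f["user"], f["rip"]))


if __name__ == "__main__":
    for f in find_persistent_foreign_sessions(parse_logins(SAMPLE_LOG.splitlines())):
        print(f)
```

On the constructed log this reports only alice’s second IP (three distinct days, and one login nine minutes after her own); bob’s single login from a new address is ignored unless `min_days` is lowered. In production, feed the same logic with the IMAP provider’s audit log and join the flagged IP against VPN and proxy ranges before alerting.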
OPSEC & Anti-Forensics
Knownsec’s toolchain incorporates a mature OPSEC and anti-forensics layer, reflecting the needs of an organization that expects its operations to face scrutiny from both corporate defenders and national incident-response teams. Rather than treating stealth as an afterthought, Knownsec designs its offensive tools to actively manipulate the investigative environment, reshaping the forensic trail and degrading the defender’s ability to reconstruct what happened. This begins with proxy chain deployment, allowing operators to route traffic through multilayered, frequently shifting intermediaries that obscure the true origin of commands, payloads, or callback traffic. By automating these routing changes, Knownsec ensures that attribution efforts are diluted across ranges of unrelated IP space.
Beyond network obfuscation, Knownsec incorporates behavior-shaping and code-mixing techniques, which alter how malicious scripts behave on compromised systems. Instead of producing predictable logs or recognizable execution patterns, operations are blended into normal system activity or fragmented across modules that only reveal their true function when combined under specific conditions. These methods frustrate heuristic detection and force analysts to piece together sequences of behavior that appear benign in isolation.
Perhaps most challenging for defenders is the emphasis on signatureless execution and anti-tracing modules, which remove or modify indicators that typically reveal compromise. Malware components are often polymorphic or dynamically assembled, leaving no stable signatures for endpoint security tools to match. Meanwhile, anti-tracing features interfere with monitoring hooks, logging frameworks, and analyst tools, making post-incident reconstruction incomplete or misleading. Together, these OPSEC and anti-forensic capabilities signal that Knownsec’s offensive products are built not only to infiltrate networks but to survive inside them, resisting detection long enough to achieve intelligence objectives and complicating attribution even after an intrusion is discovered.
Capabilities:
- Proxy chain deployment
- Behavior obfuscation
- Code mixing
- No-signature execution
- Anti-tracing modules
Designed to degrade defender and investigator visibility.
TRADECRAFT & TTPs
Knownsec’s operational workflow reflects a fully realized, contractor-engineered APT intrusion lifecycle, blending state objectives with commercial development discipline. What emerges from the leak is not a set of disconnected tools, but a coherent tactic-to-technology pipeline, where each stage of intrusion is supported by a purpose-built product or dataset. The tradecraft reads like a synthesis of China’s most capable threat actors (APT31, APT41, Mustang Panda), yet polished through a corporate engineering lens that emphasizes stability, modularity, and reuse across diverse missions.
The intrusion sequence begins with reconnaissance, powered by ZoomEye’s internet-wide scanning and the TargetDB attribution system, which labels millions of global IPs by organization, sector, and geopolitical relevance. Once a target is identified, Knownsec pivots into its human-layer intelligence using the o_data_* collections: massive breach datasets that reveal who operates which systems, how they authenticate, and which credentials or identities overlap across services. These datasets feed directly into resource development, where credential harvesting, identity correlation, and exploit development (largely through 404 Lab) prepare the ground for an intrusion tailored to the target’s technical and human profile.
Initial access is typically obtained through GhostX’s browser exploitation modules, social-engineering campaigns crafted from breach data, or Un-Mail’s XSS-based webmail compromise. Once inside, Knownsec’s operators transition smoothly into execution, deploying JavaScript payloads, browser implants, or DNS manipulation scripts to deepen footholds. The tooling then shifts into persistence mechanisms: creating admin accounts on routers, setting up IMAP mailbox replication, and establishing proxy chains, which together ensure continued access even as environments shift.
From there, intrusions expand through privilege escalation and discovery, guided by routing manipulation and Passive Radar’s PCAP-derived intelligence to illuminate the structure of internal networks. Defense evasion occurs continuously through code mixing, signatureless execution, and behavioral obfuscation. Credential access is achieved via browser password extraction and keylogging, enabling lateral movement into systems that would otherwise require separate exploitation. As operators explore the victim environment, they perform service fingerprinting, internal command execution, and webshell interaction to propagate their influence.
Finally, intrusion objectives manifest through collection and exfiltration, with Knownsec tools capturing screenshots, siphoning mailboxes, and sending stolen data out via IMAP or DNS-hijacked channels. Command and control remains flexible and resilient, relying on web-based callbacks and multi-hop proxy chains that obscure operational origins. Taken together, this lifecycle reveals a level of integration rarely seen outside state intelligence services: a full-spectrum intrusion pipeline where reconnaissance, exploitation, persistence, and exfiltration are engineered as interoperable modules within a single contractor-driven ecosystem.
The Knownsec pipeline mirrors a modern APT intrusion lifecycle:

This aligns with APT31, APT41, Mustang Panda, but with a commercial-engineering polish.
SUPPLY-CHAIN INTELLIGENCE
Knownsec’s operational footprint is supported by a sophisticated and multilayered supply chain, one that mirrors the procurement logic of government-backed defense contractors rather than private-sector cybersecurity firms. Internal documents show that Knownsec does not restrict its infrastructure to domestic providers; instead, it strategically procures European hosting infrastructure, including services from companies such as EDIS and Impreza. These foreign VPS and storage nodes provide staging grounds for scanning operations, payload delivery, redirection infrastructure, and exfiltration endpoints. Their geographic dispersion reduces attribution risk and increases operational reach, aligning with the needs of state customers who require global coverage and plausible deniability.
Financial organization within Knownsec also reflects a formalized, state-integrated structure. Leaked WBS project sheets reveal clearly defined cost centers, funding lines, and project sponsors, which are exactly the type of internal accounting frameworks used in China’s defense-industrial enterprises. Dedicated budgets exist for offensive R&D, data acquisition, infrastructure hosting, and specialized tools like GhostX and Passive Radar, as seen in the Excel images from the dump. This financial governance ensures continuity across long-term development cycles and indicates that Knownsec’s offensive tooling is not an ad-hoc initiative but an institutionalized capability sustained by predictable funding streams.

A crucial component of the supply chain is the data acquisition ecosystem. Knownsec’s massive o_data_* archives, encompassing foreign breach dumps, credential collections, telecom subscriber databases, and national-ID repositories, come from a mix of purchases, criminal-market harvesting, and internal scraping operations. These datasets form the human-intelligence substrate upon which exploitation and social-engineering operations depend. Similarly, Knownsec’s PCAP supply chain relies on compromised machines, operator-controlled servers, or cooperation from state entities to provide raw network captures that feed Passive Radar’s analytical engine. The success of ZoomEye likewise depends on a distributed scanning infrastructure, sustained by supporting nodes, bandwidth, and hardware that Knownsec maintains across multiple jurisdictions.
Taken together, these elements show that Knownsec’s supply chain is not incidental; it is deliberately constructed to serve national offensive cyber objectives. Its infrastructure procurement resembles the logistical patterns of government-funded cyber units; its data ingestion relies on pipelines typical of intelligence services; and its budgeting and work breakdown structures parallel those of state research contractors. Whether through hosting arrangements abroad, civilian data lakes turned into intelligence assets, or long-term PCAP sourcing, Knownsec’s dependencies align closely with Chinese government procurement cycles and strategic priorities, underscoring its role as an embedded component of the PRC’s broader cyber operations ecosystem.
Evidence from internal documents shows:
- They maintain internal cost centers for offensive tooling.
- WBS projects show formal funding lines with project sponsors.
- External datasets are purchased or harvested from criminal markets.
- Infrastructure procurement mirrors government-funded contractor operations.
Dependencies
- PCAP supply chain (victim or operator-controlled hosts)
- ZoomEye sensor infrastructure
- Data lake ingestion pipelines
- Chinese-government procurement cycles
GLOBAL TARGETING
Knownsec’s leaked infrastructure data reveals a clear pattern of structured, high-value targeting focused on the critical infrastructure of strategically significant nations. Even in the limited-resolution tables available, the indicators of compromise (IOCs), which in this dataset are records of exposed services rather than evidence of completed intrusions, point to a deliberate and methodical mapping of Taiwan’s financial, telecommunications, and energy sectors. The sample extracted entries illustrate this well: exposed Fortinet firewalls at Nan Shan Life Insurance and Hua Nan Commercial Bank, publicly reachable Sophos XG appliances at Chunghwa Telecom, and an internet-exposed Check Point service tied to Taipower, Taiwan’s national energy provider. These enumerated services, tagged by IP, port, device type, and application banner, function as prevalidated targets, ready for exploitation by GhostX, network-fingerprinting modules, or customized military tooling. Although these samples represent only a fraction of the full dataset, they demonstrate the precision with which Knownsec cataloged foreign infrastructure exposure.
When these IOCs are contextualized within the broader leak, a picture of systematic targeting emerges. Taiwan is disproportionately represented across the leak, with evidence of interest not only in major telecom operators and financial institutions but also in power grid, nuclear-energy, and ISP-level assets. This coverage aligns closely with PRC strategic priorities and suggests an intent to build comprehensive operational knowledge of Taiwan’s connectivity fabric, resilience posture, and critical dependencies. Similar patterns appear in Knownsec’s datasets for Japan, where telecom providers, energy-sector nodes, and major industrial corporations are cataloged; and in South Korea, where financial institutions, telecom networks, and industrial infrastructure feature prominently.
Beyond East Asia, the targeting footprint widens. Knownsec’s o_data_* records include Indian telecom subscriber databases, Facebook identity datasets, and infrastructure ranges associated with Indian ministries. This mirrors Beijing’s intelligence interest in India’s digital ecosystem and supports operations requiring identity correlation or demographic profiling. Meanwhile, portions of the dataset referencing European or Western entities appear more fragmented, but they nonetheless indicate indirect exposure: customer lists and sector-tagged entries suggest an intelligence appetite for global critical infrastructure and multinational corporations, even if not yet operationalized at the same scale as East Asia.
Taken together, these patterns show that Knownsec’s targeting is strategic, multi-regional, and overtly political, aligning with the geopolitical interests of the PRC. The infrastructure data is not random reconnaissance; it is a curated map of cyber terrain that would enable espionage, influence, and potentially pre-positioning for disruptive operations. Each IOC and sector-tagged asset represents not just a point of exposure but a node in an intelligence-gathering architecture designed to give Chinese state clients deep visibility into the operational backbone of foreign nations.

This represents strategic, multi-region, politically aligned targeting.
Internal Data Exposure: Email Addresses, Employee Identities, and Functional Roles
The Knownsec leak provides an unusually clear view into the human architecture of a Chinese cyber-contractor supporting national security, public-security bureaus, telecom regulators, and critical-infrastructure stakeholders. Unlike previous contractor leaks such as i-SOON (Anxun), which focused primarily on tools and client lists, the Knownsec corpus reveals a segment of internal personnel structures, spanning project owners, planners, cost-center sponsors, WBS task leads, and supporting engineers.
This internal data forms a blueprint of how Knownsec organizes and distributes responsibility across its offensive research, cyberspace-mapping, radar-engineering, and data-fusion programs. It offers a rare look at the people behind these capabilities, and exposes the specific functional chains by which projects move from concept to FOC (full operational capability).
Employee Identity Data
The leak contains a complete cross-section of Knownsec personnel across multiple divisions:
- 404 Security Lab (exploit research, offensive engineering, pentesting)
- Product Technology R&D Center (platform R&D, cyberspace mapping)
- Product Technology Department (hardware radar, UI/UX, testing)
- Product Technology Center 141 (high-level technical governance)
- Public-Security Research Institute (entity fusion, PSB analytic systems)
A total of 22 named employees appear in the materials, each tied to specific organizational units and assigned responsibilities inside multi-stage research or engineering efforts. These employees represent a spectrum of roles from senior leadership with strategic authority to WBS task owners responsible for tactical implementation details.
This personnel visibility is valuable for understanding:
- Internal tasking mechanisms
- Operational structure beneath Knownsec’s capabilities
- Which individuals enable offensive, defensive, or fusion-support tasks
- How work is distributed across government-sponsored projects
Where relevant, email addresses and internal accounts allow correlation with procurement records, code repositories, or external infrastructure should those indicators surface elsewhere.
Internal Email Address Patterns
Every email address in the dump uses one of two company formats:
- @knownsec.com → Headquarters operational accounts
- @xm.knownsec.com → Xiamen-based R&D and engineering offices
No personal external addresses appear for employees; only official Knownsec accounts are used inside project governance systems.
The following email addresses were recovered from the leak so far:
- zouxy2@knownsec.com
- suig@knownsec.com
- mas@knownsec.com
- wangcp2@knownsec.com
- chenc6@knownsec.com
- hey5@knownsec.com
- raosh@knownsec.com
- anyh@knownsec.com
- liuj13@knownsec.com
- xuc2@knownsec.com
- niexy2@knownsec.com
- chenrl@xm.knownsec.com
- chenjz@xm.knownsec.com
- wangll@xm.knownsec.com
- chenh4@xm.knownsec.com
- liwc@xm.knownsec.com
- wangl8@xm.knownsec.com
- yangwh2@knownsec.com
- zhanghj@knownsec.com

These addresses correspond directly to organizational positions inside Knownsec’s secure research and engineering divisions. There are no “throwaway” or operational aliases (e.g., Gmail/QQ/ProtonMail), which underscores that these individuals are internal employees, not contractors or external operators.
Functional Role Taxonomy
The personnel records reveal a clear hierarchy divided into strategic, operational, technical, and support layers.

Strategic Layer
These individuals control cost centers, approve research direction, and supervise multi-year programs. They connect Knownsec’s products to state-level requirements.
Key personnel:
- 李伟辰 (Li Weichen) – Head of Product Technology Center 141
These roles align with PRC state-integration patterns, where strategic decision-makers balance customer obligations with core R&D investment.
Operational Layer
Project managers, planners, and supervisors who translate strategic objectives into executable WBS chains.
Examples:
- PM and supervisor for 404 Security Research 2023
- PM/Planner for AW Detection (Project 391)
- PM/Planner for Hardware Radar 2022 V3
- PM of 404 Lab Pentest Research
- Project planners for Cyberspace Mapping (Carrier Platform)
These individuals operationalize multi-team engineering efforts, reflecting the governance model observed in defense integrators.
Technical Layer
Engineers responsible for exploitation, radar algorithms, system optimization, and data fusion.
Representative technical staff:
- WBS task owner for AW exploit and discovery chain
- Owner of AW 3.5 system testing
- Radar v3 implementation
- Radar optimization and stability
- Asset-identification system optimization
- User and functional testing tasks
- Data-fusion task execution for PSB
- Lead engineer for network-entity fusion research
This tier performs the core offensive and analytic development that Knownsec markets to PRC state customers.
Support Layer
Personnel performing QA, compliance, test engineering, and administrative approvals.
Notable roles:
- Beijing Testing Group (unnamed individuals except task owners)
- Default approver across R&D workflows
These roles ensure Knownsec’s platforms (Radar, Carrier Platform, offensive tooling) meet regulator and PSB deployment conditions.
Organizational Insight Derived from Internal Personnel Records
The internal data paints a clear picture of Knownsec as a multi-division cyber contractor seamlessly embedded within the broader security and intelligence ecosystem of the People’s Republic of China. Its organizational structure, personnel assignments, and project governance models demonstrate a company that is not merely providing commercial cybersecurity services but is directly supporting national cybersecurity mandates, public-security operations, and critical-infrastructure oversight. Every major division within Knownsec aligns with a corresponding state need, creating an operational architecture that mirrors the functions of a state-affiliated defense integrator.
This alignment is particularly visible in how technical departments map to specific government tasking. The 404 Lab serves as the offensive research and exploit-development hub, producing capabilities that directly support public-security bureaus and the national CERT apparatus. Meanwhile, the Product Technology Centers operate as the engineering backbone for large-scale cyberspace-mapping platforms used by telecom regulators and registries such as the Ministry of Industry and Information Technology (MIIT) and the China Internet Network Information Center (CNNIC). Parallel to these, the Public-Security Research Institute builds data-fusion and analytic systems tailored for police units, reflecting a tight coupling between Knownsec’s internal R&D efforts and the investigative workflows of law-enforcement agencies.
Even the company’s internal email domains reinforce these functional distinctions. Accounts using @xm.knownsec.com cluster around engineering-heavy roles located in Xiamen, supporting platform development, radar systems, and systems integration. In contrast, @knownsec.com addresses are associated with research, data-fusion, offensive tooling oversight, and leadership responsibilities in Beijing. These boundaries reveal an internal trust and specialization model consistent with sensitive state-oriented development work.
Knownsec’s work-breakdown-structure (WBS) governance further shows a degree of engineering discipline typically found in military-industrial contractors. Projects are organized under formal sponsorship, with named approvers, supervisory layers, and sequenced deliverables. Every task has a clearly identified owner, and responsibilities cascade through planners, supervisors, and technical implementers. This hierarchy captures operational accountability at each stage, ensuring that sensitive tooling and large-scale platforms move through development in a controlled, auditable way.
Personnel mapping highlights how deeply the company depends on specialized, interoperable technical units. Offensive engineers in the 404 Lab, radar architects in the Product Technology Department, large-scale mapping engineers in the R&D Center, and data-fusion specialists in the Public-Security Research Institute all operate in defined silos. However, these silos are not isolated; they form a layered production pipeline that transforms exploit research into operational platforms capable of national-scale reconnaissance, targeting, and surveillance. In this way, Knownsec operates not just as a security vendor but as a critical node in China’s state-aligned cyber ecosystem, where human expertise, organizational structure, and strategic intent converge into a cohesive operational capability.
Key observations:
- Departments align to state tasking
- 404 Lab produces exploit and offensive research for PSB and national CERT.
- Product Tech Centers deliver cyberspace-mapping platforms for telecom regulators (MIIT, CNNIC).
- Public-Security Research Institute builds fusion systems directly for police units.
- Email domains reinforce internal trust boundaries
- @xm.knownsec.com maps to engineering-heavy functions.
- @knownsec.com maps to research, fusion, and leadership roles.
- WBS governance reveals engineering maturity
- Workflows mirror military-industrial contractors with formal sponsorship, deliverable tracking, and internal approvals.
- Each task has a named owner, capturing chains of operational accountability.
- Personnel mapping exposes internal specialization
- Offensive engineering, radar systems, cyberspace mapping, and data fusion are isolated but interoperable teams.
- These silos reflect a layered pipeline that moves from exploit research to national-scale targeting platforms.
Strategic Significance of the Internal Data Exposure
The personnel information exposed in the Knownsec leak provides an unusually rich foundation for adversarial intelligence analysis. Instead of viewing Knownsec through the limited lens of tools, platforms, or public-facing capabilities, analysts can now reconstruct the company’s true operational architecture by tracing projects, responsibilities, and decision-making authority back to named individuals. This transforms Knownsec from an abstract corporate entity into a map of people, teams, and functions revealing how its internal machinery supports the broader PRC cyber apparatus.
With individual identities tied directly to work-breakdown structures, cost centers, and project leadership roles, analysts can identify exactly who drives offensive research and development. Names connected to GhostX, Radar 2022V3, the Cyberspace Mapping “Carrier Platform,” and data-fusion systems allow a clear understanding of which personnel shape the direction of core offensive and reconnaissance tools. Decision-making chains also emerge: who authors budget proposals, who approves them, who signs off on deliverables, and who assumes technical ownership of the most sensitive tasks. These insights expose how Knownsec manages risk, allocates resources, and governs the development of capabilities that ultimately serve national-level customers.
The data also closes the loop between Knownsec’s internal operations and China’s public-sector clients. Analysts can now link specific individuals to the ministries, state-owned enterprises, and provincial public-security bureaus they support. Whether developing mapping infrastructure for MIIT, vulnerability research for PSB, or reconnaissance tooling for State Grid or the national telecom operators, the personnel lists clarify which engineers and managers are responsible for executing state-directed work. This creates a direct, traceable line from human operators to cyber capabilities used by the PRC government.
Granular operator-level visibility of this kind is almost never present in Chinese contractor leaks. Typical disclosures provide tools, artifacts, or billing records, but rarely full mappings of engineers, planners, cost-center owners, and project supervisors. The Knownsec leak stands apart in that it reveals not only what the company builds, but who builds it, who authorizes it, and who ensures its integration into the state security ecosystem. For analysts, this level of detail offers an unprecedented window into the human and organizational architecture of one of China’s most capable cyber contractors.
State Security and Intelligence Organizations Identified in the Knownsec Leak
The Knownsec leak provides direct insight into the company’s relationship with the national security, cyber-regulation, and public-security ecosystems of the People’s Republic of China. The documents show that Knownsec does not operate as a conventional cybersecurity vendor but instead as a tightly integrated contractor supporting multiple layers of the PRC’s intelligence and public-security infrastructure. The presence of specific ministries, bureaus, CERT bodies, and state-owned enterprises across internal worksheets and customer tables reveals a contractor ecosystem that mirrors the organizational structure of the Chinese cyber state.
The Ministry of Public Security (MPS) emerges as the most prominent stakeholder in Knownsec’s operations. Multiple internal project sheets reference public-security intelligence requirements, entity-fusion deliverables, and policing-oriented research, suggesting that Knownsec’s tools, such as its network-entity data-fusion systems and analytics platforms, feed directly into law-enforcement intelligence workflows. The inclusion of the Beijing Municipal Public Security Bureau as a direct customer reinforces that Knownsec supports both national and regional PSB units, providing technical capabilities that underpin investigatory, surveillance, and cyber-intelligence missions. The company’s Public-Security Research Institute acts as an intermediary, developing analytic systems specifically designed for MPS use, including the “30 Institutes” project, which historically links to police intelligence research centers.
Beyond policing, the documents show that Knownsec’s platform technologies align with the needs of China’s cyber governance infrastructure. The MIIT and CNNIC, which oversee network resources, DNS infrastructure, and telecom regulation, appear in customer lists. These associations suggest that Knownsec’s large-scale cyberspace-mapping platforms and radar systems contribute to regulatory visibility across the national network space. Similarly, the presence of CNCERT/CC and CCERT indicates that Knownsec plays a role in the country’s coordinated incident response and vulnerability-management programs. These organizations sit at the intersection of defensive coordination and intelligence-informed cyber situational awareness, and Knownsec’s products appear to support both domains.
Several state-owned enterprises also appear in the dataset, including State Grid, China Mobile, and China Telecom. While not intelligence agencies in name, these entities represent critical-infrastructure and telecommunications networks of high strategic value to Chinese state security. Their appearance in Knownsec’s internal documentation implies that Knownsec provides reconnaissance, mapping, or defensive monitoring capabilities that directly support national requirements for energy grid protection, telecom oversight, and large-scale network exposure assessment. These relationships blur the line between commercial engagement and state-aligned intelligence support, reflecting the dual-use nature of Knownsec’s core platforms.
Taken together, the organizations referenced in the leak form a coherent picture of how Knownsec embeds itself in the state’s cyber and intelligence apparatus. The company’s divisions and product lines align closely with the functional needs of public-security bureaus, national regulators, telecom carriers, and critical infrastructure operators. The network of relationships visible across the documents illustrates a contractor deeply woven into China’s national security architecture. It confirms that Knownsec’s internal operations, research programs, and platform developments are not random or commercially opportunistic but are systematically shaped by the requirements of the PRC’s intelligence and regulatory ecosystem.

Summary: Intelligence / Security Org List
Organization | Type | Role in Dump
- MPS – Ministry of Public Security | National Police / Intelligence | Primary stakeholder for offensive, data-fusion, and entity analytics systems
- Beijing Public Security Bureau | Municipal PSB | Direct consumer of Knownsec platforms and analysis
- Public-Security Research Institute (internal Knownsec) | PSB-aligned R&D | Builds fusion tech for PSB intelligence units
- MIIT | Telecom & Cyber Regulator | Oversight for mapping platforms, radar outputs
- CNNIC | National DNS Authority | Domain-level surveillance & infrastructure mapping
- CNCERT/CC | National CERT | National-level vulnerability, incident intel
- CCERT | Education & Research CERT | Supporting CERT node
- “30 Institutes” (PSB Research Institutes) | Public-Security Intelligence R&D | Entity fusion, data pipelines, analytic systems
- State Grid | Strategic CII target | Included for reconnaissance and mapping
- China Mobile / China Telecom | Telecom carriers | Infrastructure mapping and metadata pipelines
APPENDICES
Appendix A Combined IOC List (Knownsec Leak Corpus)
Indicator of Compromise Summary Knownsec TargetDB, Radar, and Foreign CI Mapping
Below is the unified IOC dataset extracted from all Knownsec screenshots, TargetDB tables, Radar 2022V3 outputs, and CI-targeting images provided in this project.
High-Confidence IP-Level IOCs (Critical Infrastructure Targets)
(All derived from Knownsec’s internal TargetDB screenshots for Taiwan CII)
country,organization,ip,port,service,device_type,notes
Taiwan,Nan Shan Life Insurance,210.242.194.198,443,httpd,Fortinet FortiGate,Listed as critical asset in CII table
Taiwan,Nan Shan Life Insurance,210.242.194.198,80,httpd,Fortinet FortiGate,Same host over HTTP
Taiwan,Hua Nan Commercial Bank,219.80.43.14,443,httpd,Fortinet FortiGate,Banking-sector firewall target
Taiwan,Hua Nan Commercial Bank,219.80.43.14,80,httpd,Fortinet FortiGate,Appears twice in Knownsec radar slices
Taiwan,Chunghwa Telecom,220.130.186.202,10443,httpd,Sophos XG,Telecom-edge gateway in CII targeting
Taiwan,Chunghwa Telecom,220.130.186.203,10443,httpd,Sophos XG,Sister device to above; separate PoP
Taiwan,Bank of Taiwan,103.21.60.3,8080,httpd,Fortinet FortiGate,Core financial gateway
Taiwan,Taipower,61.65.236.240,18264,httpd,Check Point SVN,Energy-sector firewall; high-value infrastructure
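A defender at one of the listed organizations, or an analyst ingesting this appendix into a tracking system, first needs the table in a usable shape: validated, collapsed to one record per host (the same firewall appears twice, on 80 and 443), grouped by owner, and triaged by what each exposed port is likely to be. The following Python is an added example for this report, not code from the leak or from Knownsec. `APPENDIX_A` is the table above copied as-is; `CONSTRUCTED_BAD_ROWS` are made-up rows that exercise the validation path; and `ASSUMED_MGMT_PORTS` is an illustrative assumption about which ports these appliance families commonly use for an admin GUI or VPN portal, to be replaced with vendor-verified defaults before use.

```python
"""Normalize Appendix A's Taiwan CII rows into a host inventory and triage exposed ports.

Added example for this report, not Knownsec code. APPENDIX_A is the appendix table
copied verbatim; CONSTRUCTED_BAD_ROWS are made-up rows that exercise validation;
ASSUMED_MGMT_PORTS is an illustrative assumption, not something derived from the leak.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

COLUMNS = ["country", "organization", "ip", "port", "service", "device_type", "notes"]

APPENDIX_A = """\
country,organization,ip,port,service,device_type,notes
Taiwan,Nan Shan Life Insurance,210.242.194.198,443,httpd,Fortinet FortiGate,Listed as critical asset in CII table
Taiwan,Nan Shan Life Insurance,210.242.194.198,80,httpd,Fortinet FortiGate,Same host over HTTP
Taiwan,Hua Nan Commercial Bank,219.80.43.14,443,httpd,Fortinet FortiGate,Banking-sector firewall target
Taiwan,Hua Nan Commercial Bank,219.80.43.14,80,httpd,Fortinet FortiGate,Appears twice in Knownsec radar slices
Taiwan,Chunghwa Telecom,220.130.186.202,10443,httpd,Sophos XG,Telecom-edge gateway in CII targeting
Taiwan,Chunghwa Telecom,220.130.186.203,10443,httpd,Sophos XG,Sister device to above; separate PoP
Taiwan,Bank of Taiwan,103.21.60.3,8080,httpd,Fortinet FortiGate,Core financial gateway
Taiwan,Taipower,61.65.236.240,18264,httpd,Check Point SVN,Energy-sector firewall; high-value infrastructure
"""

# Constructed rows (not from the leak) that must be rejected, not silently ingested.
CONSTRUCTED_BAD_ROWS = """\
Taiwan,Constructed Org,999.1.1.1,443,httpd,Fortinet FortiGate,constructed row: invalid IP
Taiwan,Constructed Org,192.0.2.10,443,httpd,constructed row: a column is missing
"""

# ASSUMPTION (illustrative only): ports commonly carrying the admin GUI or VPN portal
# of each appliance family. Ports outside the set are marked for manual review.
ASSUMED_MGMT_PORTS = {
    "Fortinet FortiGate": {80, 443},
    "Sophos XG": {4444},
    "Check Point SVN": {18264},
}


def load_iocs(text):
    """Parse the CSV; return (accepted, rejected). rejected holds (row, reason) pairs."""
    accepted, rejected = [], []
    reader = csv.reader(StringIO(text))
    header = next(reader)
    if header != COLUMNS:
        raise ValueError(f"unexpected header: {header}")
    for row in reader:
        if not row:
            continue
        if len(row) != len(COLUMNS):
            rejected.append((row, f"expected {len(COLUMNS)} columns, got {len(row)}"))
            continue
        rec = dict(zip(COLUMNS, row))
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            rejected.append((row, "invalid IP address"))
            continue
        if not addr.is_global:  # private, loopback, TEST-NET etc. cannot be a foreign CII target
            rejected.append((row, "non-global IP"))
            continue
        if not rec["port"].isdigit() or not 1 <= int(rec["port"]) <= 65535:
            rejected.append((row, "invalid port"))
            continue
        rec["port"] = int(rec["port"])
        accepted.append(rec)
    return accepted, rejected


def host_inventory(rows):
    """Collapse one-row-per-(ip, port) into one record per host with a sorted port list."""
    hosts = {}
    for r in rows:
        h = hosts.setdefault(r["ip"], {"country": r["country"], "organization": r["organization"],
                                        "device_type": r["device_type"], "ports": set()})
        h["ports"].add(r["port"])
    for h in hosts.values():
        h["ports"] = sorted(h["ports"])
    return hosts


def org_summary(hosts):
    """Per organization: distinct host count and appliance families observed."""
    summary = defaultdict(lambda: {"hosts": 0, "device_types": set()})
    for h in hosts.values():
        summary[h["organization"]]["hosts"] += 1
        summary[h["organization"]]["device_types"].add(h["device_type"])
    return {org: {"hosts": s["hosts"], "device_types": sorted(s["device_types"])}
            for org, s in summary.items()}


def triage(hosts):
    """One finding per exposed port: 'high' when the port is in the family's assumed
    management/VPN set, otherwise 'review' (role unknown; inspect the banner by hand)."""
    findings = []
    for ip, h in hosts.items():
        mgmt = ASSUMED_MGMT_PORTS.get(h["device_type"], set())
        for port in h["ports"]:
            findings.append({"ip": ip, "organization": h["organization"],
                             "device_type": h["device_type"], "port": port,
                             "severity": "high" if port in mgmt else "review"})
    return sorted(findings, key=lambda f: (f["severity"], f["organization"], f["ip"], f["port"]))


if __name__ == "__main__":
    rows, rejected = load_iocs(APPENDIX_A + CONSTRUCTED_BAD_ROWS)
    hosts = host_inventory(rows)
    print(org_summary(hosts))
    for f in triage(hosts):
        print(f)
    for row, why in rejected:
        print("rejected:", why, row)
```

Run as-is, the eight appendix rows collapse to six hosts across five organizations, both constructed rows are rejected with a stated reason, and the triage separates ports whose role the assumed mapping recognizes from ports (8080, 10443) that an analyst still has to classify from the banner. The same loader can ingest the medium-confidence and o_data tables once their column lists are supplied.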
Medium-Confidence IOCs (Region-Expansion & Mapping Targets)
From Knownsec’s internal WBS expansion directives (WBS 7 & 8):
region,ip_range,notes
United States,100000_new_ips,Expansion directive: increase target coverage by 100k IPs
Taiwan,10000_new_ips,Expansion directive: +10k key Taiwan IP segments
YN_region,expansion_flag,New coverage region in platform WBS
MD_region,expansion_flag,New coverage region in platform WBS
WL_region,expansion_flag,New coverage region in platform WBS
ELS_region,expansion_flag,New coverage region in platform WBS
Data-Lake / Credential-Dump Indicators
From the o_data datasets referenced in the Knownsec HDFS export list:
dataset_name,country_or_sector,notes
o_data_taiwanahooemailpwd_tw,Taiwan,Credentials (Yahoo TW email/password dump)
linkedin_brazil,Brazil,LinkedIn identity dataset
linkedin_southafrica_202305,South Africa,LinkedIn identity dataset
o_data_facebookuserinfo_in,India,Facebook identity dump
o_data_telecom_info_india,India,Telecom subscriber dataset
o_data_royalenfield_india,India,Automotive customer dataset
o_data_shopping_order_vietnam,Vietnam,E-commerce customer dataset
o_data_shopping_vip_vietnam,Vietnam,VIP commerce dataset
o_data_insuranceindia_data,India,Insurance records dataset
o_data_sms_active_ru,Russia,SMS/telecom activity dataset
o_data_telderi_ru,Russia,Marketplace dataset
o_data_skolkovo,Russia,Skolkovo-related dataset
o_data_github,Global,GitHub developer dataset for targeting correlation
o_data_telegram_user_info,Global/Regional,Telegram identity dataset
o_data_instagram_temp,Global/Regional,Instagram scraped temp dataset
A.4 Organizational Targets & Associates (Based on Internal “典型客户” (“Typical Customers”) / TargetDB Sector Lists)
The following organizations appear repeatedly in Knownsec’s internal customer lists, procurement documents, or radar/TargetDB slices. They constitute strategic targeting and cooperation indicators even where no IP-level attributes were captured. The table mixes two relationships: the Chinese entries are Knownsec clients or domestic mapping subjects, while the Taiwan, India, Vietnam, Russia and global entries are targets.
country,organization,type,notes
China,Ministry of Public Security,State Client,Internal security customer consuming Knownsec platforms
China,People’s Bank of China,Financial Regulator,Monitored via PKI-linked infrastructure
China,CFCA (Financial Certification Authority),Financial PKI Infrastructure,High-value crypto/identity target
China,State Grid Corporation of China,Critical Infrastructure,Energy/SCADA mapping
China,China Mobile,Telecom,Carrier mapping and radar integration
China,China Telecom,Telecom,Carrier mapping and radar integration
China,China Education & Research CERT (CCERT),Academic CERT,Emergency-response alignment
China,State Council Procurement Network,Government ops,Procurement and surveillance-aligned workload
China,Beijing Public Security Bureau,Policing/LEO,Multiple contract purchases in ledger
Taiwan,Bank of Taiwan,Financial institution,Direct firewall mapping (See A.1)
Taiwan,Hua Nan Commercial Bank,Financial institution,Direct firewall mapping (See A.1)
Taiwan,Nan Shan Life Insurance,Insurance/Financial,Direct firewall mapping (See A.1)
Taiwan,Chunghwa Telecom,Telecom,Edge infrastructure fingerprinted (See A.1)
Taiwan,Taipower,Energy/Nuclear,Check Point SVN asset identified
India,Telecom Companies,Telecom,Featured in o_data_telecomcompanies_in
India,Ministry-adjacent IP ranges,Government,Identified in mapping directives
Vietnam,Shopping-order and VIP datasets,E-commerce / social profiling,Used for persona correlation
Russia,Skolkovo / Telderi / SMS datasets,Industrial / Social,Used for identity correlation
Global,GitHub developer data,Developer ecosystem,Used for deanonymization & target pivoting
A.5 Tooling-Linked IOC Classes (High-Level Indicators)
Where specific domains/servers were not provided, Knownsec tooling reveals classes of IOCs that defenders should track.
category,indicator_type,example,notes
GhostX,Persistence IOCs,admin account creation on routers,Indicates long-term foothold
GhostX,Network Manipulation,DNS hijack configurations,Used for redirect/exfil
Un-Mail,Webmail compromise,XSS injection points on webmail portals,High-risk COMINT vector
Passive Radar,Internal reconnaissance,PCAP ingestion servers,Victim-owned or attacker-controlled
Carrier Platform,Recon infrastructure,ZoomEye-linked scanners,High-volume scanning nodes
Radar 2022V3,Protocol-fingerprinting output,service banners/flows,Used to classify assets for later exploitation
Data-Fusion Projects,Identity correlation,IAM/credential merges,Used by Public-Security clients
These are behavioral indicators, not atomic IOCs, but they are directly tied to Knownsec’s operational tooling.
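The two GhostX rows above (new admin accounts on routers, DNS hijack configurations) are detectable without any Knownsec-specific signature by diffing a known-good configuration snapshot against the running one. The following is an added example written for this report, not Knownsec tooling and not code from the leak; the IOS-style configuration text, the trusted-resolver set and the two regular expressions are constructed illustrations and will need adapting to the syntax of the platform you manage:

```python
import re

# Constructed "golden" snapshot taken at deployment time (IOS-like syntax,
# illustration only; <hash-redacted> stands in for the stored secret).
BASELINE_CFG = """\
hostname edge-fw-1
username netops privilege 15 secret 9 <hash-redacted>
ip name-server 198.51.100.53
ip name-server 198.51.100.54
"""

# Constructed snapshot pulled later: a second level-15 account has appeared
# and the primary resolver now points outside the organisation's ranges.
CURRENT_CFG = """\
hostname edge-fw-1
username netops privilege 15 secret 9 <hash-redacted>
username support privilege 15 secret 9 <hash-redacted>
ip name-server 203.0.113.53
ip name-server 198.51.100.54
"""

# Resolvers the organisation actually operates (assumption for the example).
TRUSTED_DNS = frozenset({"198.51.100.53", "198.51.100.54"})

# Line patterns are assumptions for the IOS-like text above; adapt per platform.
ACCOUNT_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)
DNS_RE = re.compile(r"^ip name-server\s+(\S+)", re.M)


def parse_accounts(cfg: str) -> dict:
    """Map each local account name to its privilege level."""
    return {user: int(priv) for user, priv in ACCOUNT_RE.findall(cfg)}


def parse_resolvers(cfg: str) -> list:
    """Configured DNS servers in configuration order (the first is primary)."""
    return DNS_RE.findall(cfg)


def detect_persistence(baseline: str, current: str,
                       trusted_dns=TRUSTED_DNS, admin_level: int = 15) -> list:
    """Compare current against baseline and return account- and DNS-based
    persistence findings; an empty list means no drift in either indicator."""
    findings = []
    before, after = parse_accounts(baseline), parse_accounts(current)
    for user, priv in after.items():
        if user not in before and priv >= admin_level:
            findings.append({"type": "new_admin_account", "user": user, "privilege": priv})
        elif user in before and priv > before[user] and priv >= admin_level:
            findings.append({"type": "privilege_escalation", "user": user,
                             "from": before[user], "to": priv})
    base_dns, cur_dns = parse_resolvers(baseline), parse_resolvers(current)
    for server in cur_dns:
        if server not in trusted_dns:
            findings.append({"type": "untrusted_dns", "server": server})
    # A swapped primary resolver redirects lookups even if the secondary is intact.
    if base_dns and cur_dns and cur_dns[0] != base_dns[0]:
        findings.append({"type": "primary_dns_changed", "from": base_dns[0], "to": cur_dns[0]})
    return findings


if __name__ == "__main__":
    for finding in detect_persistence(BASELINE_CFG, CURRENT_CFG):
        print(finding)
```

Run it on a schedule against exported running-configs and alert on any finding. The primary-resolver check is separate from the trusted-set check on purpose: a hijacked first resolver is enough to redirect traffic even when the secondary is untouched, and an attacker who swaps in one of your own trusted resolvers as primary still changes behaviour.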
Appendix B MITRE ATT&CK Map

Appendix C Organizational Schema (Text)
State Ministries
↓
Knownsec Executive Leadership
↓
404 Lab | Product R&D | Military Division | Data Division
↓
Project Managers → Engineers → Operators
↓
Toolchain Deployment
Appendix D Master File List from Dump
Below is a consolidated list of the Knownsec-related files analyzed for this report, reconstructed from the screenshots, OCR output, and the file references visible within them.
It covers the images, PDFs, spreadsheets, and index files in the leak slice.
MASTER FILE LIST OF UPLOADED FILES (Knownsec Project)
PDFs (Leak Documents & Articles)
Leak Documentation
- 关基目标库说明文档_V202309.pdf (Critical Infrastructure Target Library Description Document, V202309) (multiple screenshots provided)
- 无源雷达–产品文档 (Passive Radar Product Manual) (screenshots extracted)
- *404安全研究2023 (404 Security Research 2023) – internal sheets (as images, WBS pages)
- 网空云测绘-网空航母平台-2022 (Cyberspace Cloud Mapping – Cyberspace Carrier Platform 2022) (Carrier Platform 2022 WBS sheets)
- 硬件雷达2022V3.0.0.0 主力项目 (Hardware Radar 2022 V3.0.0.0 Core Project) (Radar Project 2022V3 WBS)
- 网络实体数据C与融合关键技术研究 (Network Entity Data C and Fusion Key Technology Research) (PSRI / “30 Institutes” project sheets)
Spreadsheets & Data Index Files
1. Personnel / Department / Project Indexes
- master index departments and projects.xlsx
- master index emails and people.numbers
- Untitled.xlsx (additional personnel / dept mappings)
2. Internal Project/Deliverable Sheets
(Captured as screenshots but constitute distinct files)
- 404 Lab WBS summary sheets (≈ 10 images)
- 391 AW Detection Project sheets (≈ 10 images)
- Carrier Platform WBS sheets (Product Technology R&D) (≈ 10+ images)
- Radar 2022V3 WBS sheets (Product Tech Dept) (≈ 10+ images)
- Public-Security Research Institute fusion project sheets (≈ 10 images)
Image Files (Screenshots)
Knownsec Internal Documents (numbered 1–64)
1.png, 3.png through 20.png, 23.png through 26.png, and 28.png through 64.png (2.png, 21.png, 22.png and 27.png are not present in the list)

Reconstructed File Descriptions (1–64)
1–11: Public-Security Research Institute (PSRI) – “Network Entity Data C & Fusion Key Tech Research”
These files corresponded to the “30 Institutes” fusion project (公安三所, i.e. the Third Research Institute of the Ministry of Public Security), showing:
- PSB-driven data-fusion research
- Entity correlation pipelines
- Multi-dataset integration workflows
- WBS tasking for Zhang Huijie and Yang Guihui
- Deliverables tied directly to the requirements of 公安三所 (the Third Research Institute of the Ministry of Public Security)
12–20: 404 Security Research 2023 (404实验室) / AW Detection Project 391
These images included:
- 404 Lab internal research objectives
- Vulnerability mining tasks
- AW (Asset & Weakness) detection research
- Exploit-related WBS
- Roles for Ma Shuai, Wang Cuiping, Chen Cheng, He Yan
- Related pentest research flows
23–36: Product Technology R&D Center – Cyberspace Mapping Platform (“Carrier Platform 2022”)
These images belonged to the 网空航母平台-2022 project, showing:
- Region-coverage expansion goals
- US/Taiwan key IP-range mapping
- Platform WBS tasks
- System component diagrams
- Planning roles for Chen Ruili, Chen Jinzhan, Wang Lili, Chen Hai
- Cost-center oversight by Li Weichen
37–45: Hardware Radar 2022 V3 (产品技术部)
These files came from the Radar 2022V3 core project, including:
- Subsystem optimization tasks
- Feature development (vuln PoC ingestion, configuration checking)
- UI/UX tasks
- User testing and functional testing
- Technical owner mappings for An Yaxuan, Liu Xun, Xu Chao, Nie Xinyu
46–54: TargetDB / Critical Infrastructure Target Library
These screens captured the 关基目标库 (Critical Infrastructure Target Library):
- Sector classifications (military, telecom, energy, finance)
- IP counts (378,942,040)
- Regional coverage (26 geographies)
- Domain and asset listings
- Example targets: Taiwan banks, power grid, telecoms
55–64: Data Business Division – HDFS o_data Datasets
This batch corresponds to the o_data_* dataset listings captured in the screenshots, including:
- Indian telecom subscriber DBs
- Vietnam shopping-order datasets
- Russia SMS/telecom datasets
- Taiwan Yahoo credential dumps
- LinkedIn Brazil / South Africa
- GitHub user dataset
- Telegram data sets
Miscellaneous Internal Dataset References (via screenshots)
Not files themselves, but documented inside the screenshots:
- o_data_royalenfield_india
- o_data_rusnod_ru
- o_data_school_test
- o_data_shopping_order_vietnam
- o_data_shopping_vip_vietnam
- o_data_skolkovo
- o_data_sms_active_ru
- o_data_taiwan_uhq
- o_data_taiwanahooemailpwd_tw
- o_data_telderi_ru
- o_data_telecom_info_india
- o_data_telecomcompanies_in
- o_data_telegram_data
- o_data_telegram_user_info
- o_data_facebookuserinfo_in
- o_data_github
- o_data_instagram_temp
- o_data_insuranceindia_data
- linkedin_brazil
- linkedin_southafrica_202305
These were extracted from HDFS paths visible in the screenshots.

APT35/Charming Kitten's leaked documents expose the financial machinery behind state-sponsored hacking. Learn how bureaucracy, crypto micro-payments, and administrative ledgers sustain Iranian cyber operations and link them to Moses Staff.
Executive Summary
APT35, also known as Charming Kitten, has long occupied an odd niche in the hierarchy of Iranian cyber operations. They’re the loud ones, constantly deploying new credential-harvesting pages dressed in Western university or defense-contractor branding, yet always recycling the same code and lures. For years, analysts dismissed them as a politically motivated collective within the Revolutionary Guard’s orbit, dangerous mainly to journalists and dissidents, but rarely haunting MITRE’s nightmares.
Episode 4, the latest leak, changes that perception. What matters here isn’t the spectacle of intrusion but the machinery behind it. The files dissolve the myth of the hacker into the hum of administration: spreadsheets logging hosting providers and invoice numbers, crypto receipts processed through Cryptomus, and server rentals under a mosaic of false European identities. These aren’t exploits; they’re expense reports. The dump exposes how Iranian cyber units requisition, fund, and maintain infrastructure, revealing the bureaucratic metabolism that turns state intent into executable code.
Post-leak, APT35 failed to clean up after themselves, leaving operational infrastructure, live servers, and even hosting and service passwords accessible for weeks. The supposed guardians of Iran’s cyber doctrine simply walked away from their own compromised backend. This lack of operational hygiene underscores the paradox of Charming Kitten: a bureaucracy mimicking a hacker collective, running espionage operations with clerical precision, yet unable to follow basic OPSEC discipline when their paperwork leaked into the open.
Seen through this lens, APT35 functions as a government department more than a hacker crew. Someone drafts a VPS requisition; another logs the cost in euros; a supervisor approves the line item; and only then does a technician deploy the phishing kit or C2 beacon. It’s the banality of intrusion, the paperwork of digital espionage. Episode 4 strips away the glamour of zero-days and leaves the logistics in plain view: account creation, invoice reconciliation, crypto transaction IDs as bureaucratic stamps of approval. The same apparatus that once managed oil exports now manages data theft and influence operations. Behind every exploit sits a spreadsheet; behind every “state-sponsored attack,” a purchase order; behind every patriotic slogan, an accounts-payable clerk.
The Episode Four Files:
The leaked spreadsheets form the operational backbone of APT35’s infrastructure management system, a triptych of bureaucracy masquerading as tradecraft. Each file exposes a different layer of the machine: procurement, payment, and deployment. Together they illustrate how a state-sponsored threat actor runs its cyber operations not through shadowy improvisation but through clerical precision. The documents track every rented server, every registered domain, and every euro or satoshi spent, all with internal ticketing numbers and service IDs linking actions across datasets. What emerges is a portrait not of hackers but of administrators, a bureaucracy that treats intrusion as an accounting exercise and espionage as a workflow.

0-SERVICE-Service.csv
This sheet functions as the operational ledger. It contains roughly 170 populated rows tying domains to registrars and service notes, plus more than 50 distinct ProtonMail identities and over 80 cleartext credential pairs in email:password format. The entries include cadence markers like “3 Months / #2016,” lifecycle notes such as “SSL / no SSL,” and line-item prices in both dollars and euros. Provider references are recurrent and standardized rather than ad hoc: EDIS (VPS) appears ~20 times, NameSilo (cheap domains) ~14, and Impreza (VPS) ~6, alongside sporadic mentions of Namecheap and Temok (both domains). The net effect is a normalized procurement sheet for intrusion: domains, tenancies, and accounts queued for operators, meticulous in bookkeeping but sloppy in OPSEC.

0-SERVICE-payment BTC.csv
This sheet is the financing register: fifty-five entries spanning October 4, 2023 through December 11, 2024. The logged totals come to approximately $1,225, with average outlays of about $56 or 0.0019 BTC per transaction (as quoted, these two figures do not reconcile, since 55 entries at roughly $56 each would sum to about $3,080, so one of them should be read as covering only a subset of rows). At least thirty-two unique Bitcoin addresses populate the Wallet field. Many rows also reference internal service numbers (“#44,” “#70,” and others) that mirror entries in the companion service sheet (“#23,” “#30,” “#103”). Together they form a verifiable connection between request, payment, and activation: a closed accountability loop meant to satisfy internal auditors while preserving outward anonymity. Each crypto receipt aligns with a ticket number and an allocated cost, revealing a deliberate, ledger-bound order beneath the façade of decentralization.

1-NET-Sheet1.csv
This sheet closes the loop with network addresses: IPs and /29–/30 allocations (e.g., 185.103.130[.]16/30, 185.212.193[.]240/29, 109.230.93[.]128/29, 195.191.44[.]73) with Persian-annotated connectivity and location notes (TD-LTE, service tiers, city markers). These rows correspond to live infrastructure observed in provider dashboards (EDIS, Impreza), matching the same pseudonymous customer identities and service SKUs seen in the invoices. In aggregate, the three files describe an industrial relay: the service sheet assigns and tracks assets, the BTC register funds and reconciles them (with ticket-level joins), and the network sheet manifests them as routable hosts. The tradecraft here isn’t improvisation; it’s administration, an evidentiary chain that converts hierarchy into infrastructure, with the very spreadsheets that ensure renewals also exposing credentials, wallets, and IPs.
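The ticket-level joins described above are what turn three flat sheets into an evidentiary chain. The following is an added example of that reconstruction written for this article; it is not DTI’s analysis code and none of the rows are from the leak. The placeholder rows only mimic the column shapes described above (a service ledger keyed by “#NN”, a payment register whose notes carry the same numbers, and a network sheet of defanged /29–/30 allocations); the provider names, wallet strings and RFC 5737 documentation addresses are assumptions:

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict
from decimal import Decimal

# --- Constructed placeholder rows (NOT rows from the leak) -------------------
# Service ledger: one row per asset, keyed by the "#NN" service number that the
# notes column also repeats, as in the real sheet's "3 Months / #2016" cadence.
SERVICE_CSV = """service_id,asset,provider,notes,price
#23,jobs-portal.example,NameSilo,3 Months / #23 / SSL,12.50 USD
#30,vps-a,EDIS,VPS / no SSL / #30,14.00 EUR
#44,vps-b,Impreza,VPS / #44,16.00 EUR
#103,careers-hub.example,Namecheap,1 Year / #103 / no SSL,9.00 USD
"""

# BTC register: the service number lives inside a free-text note, so it has
# to be extracted rather than read from a column. Wallets are placeholders.
PAYMENT_CSV = """date,wallet,amount_btc,note
2023-10-04,bc1qplaceholder0001,0.0019,NameSilo domain #23
2023-11-12,bc1qplaceholder0002,0.0018,EDIS renewal #30
2024-01-20,bc1qplaceholder0003,0.0021,Impreza VPS #44
2024-03-02,bc1qplaceholder0004,0.0005,extra IP #70
"""

# Network sheet: defanged small allocations with Persian-style annotations
# rendered here in English, tied back to a service number in the note.
NET_CSV = """allocation,note
203.0.113[.]16/30,#30 TD-LTE tier A
203.0.113[.]240/29,#44 tier B
"""

TICKET_RE = re.compile(r"#(\d+)")


def refang(s: str) -> str:
    """Turn defanged notation such as 203.0.113[.]16 back into a parseable address."""
    return s.replace("[.]", ".").replace("(.)", ".")


def ticket_refs(text: str) -> set:
    """Every '#NN' service/ticket reference found in a free-text field."""
    return {"#" + m for m in TICKET_RE.findall(text)}


def expand_allocation(cidr: str) -> list:
    """All addresses in a small hosting allocation. Providers route any address
    in a /29 or /30 they hand out, so the hunt list covers the whole block."""
    net = ipaddress.ip_network(refang(cidr), strict=False)
    return [str(a) for a in net]


def build_chain(service_csv=SERVICE_CSV, payment_csv=PAYMENT_CSV, net_csv=NET_CSV) -> dict:
    """Join the three sheets on the ticket number: request -> payment -> host."""
    chain = defaultdict(lambda: {"service": None, "payments": [],
                                 "btc_total": Decimal(0), "hosts": []})
    for row in csv.DictReader(io.StringIO(service_csv)):
        chain[row["service_id"]]["service"] = row
    for row in csv.DictReader(io.StringIO(payment_csv)):
        for ticket in ticket_refs(row["note"]):
            chain[ticket]["payments"].append(row)
            chain[ticket]["btc_total"] += Decimal(row["amount_btc"])
    for row in csv.DictReader(io.StringIO(net_csv)):
        for ticket in ticket_refs(row["note"]):
            chain[ticket]["hosts"].extend(expand_allocation(row["allocation"]))
    return dict(chain)


def unreconciled(chain: dict) -> dict:
    """Tickets that break the closed loop: paid but never provisioned, or
    provisioned with no payment row. These are the gaps an auditor (or an
    analyst) chases before calling the chain complete."""
    return {
        "payment_without_service": sorted(
            t for t, c in chain.items() if c["payments"] and c["service"] is None),
        "service_without_payment": sorted(
            t for t, c in chain.items() if c["service"] and not c["payments"]),
    }


if __name__ == "__main__":
    chain = build_chain()
    for ticket, c in sorted(chain.items(), key=lambda kv: int(kv[0][1:])):
        provider = c["service"]["provider"] if c["service"] else "?"
        print(ticket, provider, c["btc_total"], "BTC", c["hosts"][:2])
    print(unreconciled(chain))
```

The unreconciled() output is where the interesting rows live: a payment with no service entry is either an asset logged in a sheet you do not have or an off-ledger purchase, and a service with no payment may be a freebie, a renewal rolled into another ticket, or a stale row. Either way it is a pivot to resolve, not noise to drop. Amounts are kept as Decimal so that satoshi-level sums stay exact when rows are aggregated per ticket.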
The Economics of Access
For Tehran’s cyber apparatus, access isn’t stolen, it’s procured, budgeted, and renewed. Episode 4 makes unmistakably clear that intrusion has an economy. Each Virtual Private Server (VPS) payment, logged in euros, is a link in the chain of Iran’s information operations. All paid through Cryptomus, each transaction is small enough to stay below the thresholds that trigger compliance review. There are no lump sums, no visible treasury trails, only the steady drip of crypto micro-payments routed through resellers in Cyprus, the Netherlands, and Central Europe. Each one buys continuity, not capability: another month of hosting for a phishing kit, another quarter of uptime for a command-and-control node, another renewal for a cover domain. This is cyber operations as a subscription service.
Charming Kitten’s internal operators follow a logic refined not in cyberspace, but in decades of sanctions survival. The same micro-smuggling economy that keeps Iranian goods moving across closed borders now underpins their digital operations. Instead of hiding budgets behind complex front companies, they fragment everything: dozens of disposable aliases, each spinning up a low-cost VPS, each paying through anonymous crypto gateways, each leaving behind a receipt that looks indistinguishable from civilian freelance infrastructure work. To an external reviewer, the activity resembles a swarm of hobbyists tinkering with side projects. Inside the apparatus, every alias corresponds to a tasking order, a performance measure, and a supervisory check.
Moses Staff: APT 35’s Hidden Hand
If the first half of Episode 4 exposed the clerical machinery that sustains Iran’s cyber-espionage bureaucracy, then the next revelation shows what that bureaucracy actually builds: the operational scaffolding behind Moses Staff, the regime’s most theatrical and destructive façade.
For years, Moses Staff appeared to the outside world as a self-contained hacktivist brand, a militant cyber-propaganda unit releasing stolen Israeli data, encrypting servers, and posting defiant manifestos instead of ransom notes. Security vendors catalogued their campaigns from 2021 onward: the destructive intrusions against Israeli logistics firms, public data dumps, the sudden appearance of custom toolsets like PyDcrypt, DCSrv, and the later StrifeWater RAT. Analysts saw ideology and chaos; what they lacked, until this dump, was administration.
The artifacts contained in Episode 4, spreadsheets, invoices, and hosting dashboards, bridge that gap. Buried in the 0-SERVICE-Service.csv ledger, among the usual lists of domains and ProtonMail credentials, sits a quiet entry: moses-staff[.]io.

Moses-Staff[.]io Domain WHOIS History 2021-25
The artifacts are clear: APT35, the same administrative machine that runs Tehran’s long-term credential-phishing operations, also ran the logistics that powered Moses Staff’s ransomware theatre. The overlap is not merely stylistic, it is infrastructural. The same ProtonMail accounts (bbmovement@protonmail[.]com, meriyalee@protonmail[.]com, cybersonix@protonmail[.]com) appear both in Charming Kitten correspondence and in the hosting ledgers that birthed Moses Staff domains. The same registrars and hosting providers recur: modernizmir[.]net, TheOnionHost, Namecheap. The same payment conduit repeats: crypto micropayments through Cryptomus routed via Cyprus.
Through these documents, the ideological mask of Moses Staff collapses into the administrative skeleton of APT 35. The supposed hacktivists and the government cyber-unit share not only tooling and targets but also the same accounts-payable system. The propaganda arm and the espionage arm are two products of a single workflow: different “projects” under the same internal ticketing regime.

The campaign record lines up with the ledger’s timestamps. When public vendors documented Moses Staff’s early destructive wave in late 2021, the first lines of the ledger began appearing. As new RAT variants (like StrifeWater) surfaced in 2023 reports, the invoices show new server rentals across Europe. Each operational evolution leaves a paper trail: a cost code, an invoice number, and a renewal date. The bureaucracy of intrusion is also its audit log.
What these artifacts ultimately reveal is that Iran’s cyber strategy is not improvised, it is administered. Moses Staff is not a rogue collective or an ideological outgrowth; it is the production wing of a well-organized ministry of access. Its campaigns are budgeted, scheduled, and logged with the same diligence as a government infrastructure project. Behind every public defacement sits a clerk who approved the invoice, a supervisor who confirmed the payment, and a system that measures operational tempo in euros, not ideology.
By uniting the visible fury of Moses Staff’s leaks with the quiet paperwork of Charming Kitten’s ledgers, Episode 4 shows how Tehran’s cyber theatre truly operates. It is a play in two acts: the spectacle of resistance on the front stage, and the hum of bureaucracy behind the curtain, where compliance, logistics, and finance keep the revolution online.
Moses Staff Victimology:
For Iran’s cyber apparatus, Moses Staff represents not just a hacking group but a psychological weapon forged for the long war with Israel, a digital insurgency cloaked in ideology and bureaucracy. Between 2021 and 2025, the group’s victim set reads like a cross-section of the Israeli state itself: soldiers, defense engineers, municipal employees, lawyers, and IT administrators, all woven into the same web of exposure. The data shows an operation built to mirror Iran’s doctrine of asymmetric warfare, one where humiliation and disruption can achieve what direct confrontation cannot. Moses Staff’s leaks are not random; they’re curated performances designed to erode trust, advertise reach, and export Tehran’s revolutionary narrative into the digital domain.

The victimology reveals a disciplined targeting strategy. At the top are the institutions that define Israeli power, its military, intelligence services, and defense contractors. Leaks from IDF personnel files and infrastructure maps are as much about psychological warfare as intelligence gain, meant to demonstrate vulnerability in the most sacred strata of the state. Below that tier sit the defense industries, Rafael, ZAHAL suppliers, and Mossad-linked contractors, raided for R&D data, internal communications, and resumes that can feed Iran’s own weapons programs or counterintelligence matrices. The campaign widens further to the civilian layer: the Israel Electric Corporation, small municipalities, and local law firms. These targets serve dual purposes, reconnaissance for future disruption and manipulation of public sentiment. By breaching cloud providers and IT service firms like UST Global Israel, Moses Staff extends reach laterally, turning trusted intermediaries into unwitting vectors.

Each compromise serves a strategic function within Iran’s broader playbook. The leaks and defacements broadcast messages of defiance, ‘we see you, we can touch you, and your secrets are ours.’ The exposure of Mossad contractors undermines recruitment, the leaks from law firms plant doubt about client confidentiality, and the focus on infrastructure mapping telegraphs a latent capacity for sabotage. None of this is random opportunism; it’s statecraft through spreadsheets and stolen archives. The operations echo the IRGC’s longstanding emphasis on soft power projection and psychological warfare: destabilize morale, complicate defense logistics, and inject fear into the bureaucratic machinery of governance. What emerges from the Moses Staff campaign is a template for twenty-first century conflict; non-kinetic information operations (IOs) act as extensions of Iran’s regional struggle, executed not with missiles but with leaks, defacements, and the quiet precision of digital attrition.
IRGC Moses Staff Motives: Political and Operational
Moses Staff’s activity fits squarely within Iran’s long-standing doctrine of using cyber power as an instrument of asymmetric statecraft: not to match an adversary blow for blow, but to exploit vulnerabilities, gather intelligence, and exert political pressure without kinetic escalation. Analysts have repeatedly observed Tehran prioritizing disruption, information operations, and psychological effects over outright destructive campaigns, a posture that leverages lower-cost, deniable operations to punch above Iran’s conventional weight (CSIS).
Politically, the leaks, shaming posts, and public data dumps perform several simultaneous functions. They undermine confidence in Israeli institutions, signal capability to domestic and regional audiences, and provide tangible propaganda for allied proxies. Publicly exposing IDF personnel, defense-industry documents, and contractor records is designed to erode morale, complicate recruitment, and broadcast Tehran’s reach, all while avoiding direct military confrontation. This blend of intelligence collection and public humiliation is consistent with Iranian playbooks that combine cyber espionage with psychological operations (SentinelOne).
Operationally, Moses Staff’s target set and methods indicate pragmatic, goal-oriented priorities: collect military and R&D data to inform countermeasures and procurement; map critical-infrastructure networks for later disruption; and pivot through IT service providers to expand access and persistence. The group’s focus on Israeli government, defense, utilities, and support firms points to a layered campaign that values both immediate intelligence yields and the option to escalate to operational sabotage if the political calculus demands (MITRE ATT&CK).
Economically and bureaucratically, these campaigns are run like a government program, producing different incentives and tradeoffs: consistency, traceable procurement and staffing, and an emphasis on service continuity (renewals, vetted resellers, repeatable toolchains) rather than opportunistic monetization. In practice, that means operations are resilient and persistent but also bound by the limitations and inefficiencies of state logistics, which can produce predictable patterns for defenders to track (Sekoia.io Blog).
Taken together, the political objective is coercive image-making and long-term attrition; the operational objective is to create persistent, actionable intelligence and latent disruption options. Moses Staff’s strikes are therefore best understood as a non-kinetic extension of Iran’s regional strategy: to degrade adversary cohesion, buy strategic advantage in intelligence, and shape the information environment without crossing thresholds that would invite overt military retaliation (secalliance.com).
Infrastructure Footprints: Domain Ecosystem and Operational Purpose
The domain ecosystem uncovered in the dump reflects the familiar operational grammar of Iranian threat actors: disposable brands, thematic cover identities, and parallel infrastructure branches tailored to function, mission, and deniability. Rather than a single monolithic C2 cluster, the operators distribute their presence across loosely coupled domains that mimic recruitment agencies, talent portals, religious fronts, job boards, and generic operational shells. The result is an environment where each hostname appears mundane in isolation, yet collectively they form a coherent operational lattice aligned with Tehran’s playbook for cyber operations, influence campaigns, and access maintenance.

The most explicit cluster centers on Moses Staff, whose public-facing leak infrastructure has repeatedly cycled through domains such as moses-staff[.]io, moses-staff[.]to, and moses-staff[.]se. These domains serve as the group’s broadcast layer: data-leak sites, intimidation platforms, and staging points for propaganda distribution. The existence of multiple TLD variants underscores a resilience strategy; when one domain is seized or blocked, the narrative continues uninterrupted via a sibling domain. Certificates, Tor mirrors, and cloud-based mirrors found in the dump suggest a deliberate redundancy model: a propaganda architecture hardened by duplication rather than stealth.

A second cluster revolves around bbmovements[.]com, which appears tied to earlier Iranian influence operations masquerading as grassroots civic activism. In the dump it sits adjacent to VPS and ISP management notes, pointing to a broader role than mere messaging: it likely served as a multi-use façade capable of hosting recruitment funnels, persona emails, and low-grade operational staging. This pattern mirrors other IRGC and Ministry of Intelligence (MOIS) information operations, where social-movement branding is blended with technical infrastructure to blur attribution and intent.

Several domains, such as tecret[.]com, cavinet[.]org, kanplus[.]org, termite[.]nu, and dreamy-jobs[.]com, show no preexisting footprint in public threat intelligence, which is itself revealing. These domains exhibit the hallmarks of internal-use operational infrastructure: short-lived, singly purposed, and designed to blend into the noisy churn of small-business web presence. Their naming conventions track closely with Charming Kitten’s habitual use of career-themed, service-oriented, or vaguely technical branding, perfect for phishing lures, credential-harvesting portals, or as stand-ins for command-and-control endpoints disguised as SaaS tools. Historical WHOIS behavior from similar APT35 operations suggests these domains likely hosted cloned login portals for Microsoft, webmail, VPN, and cloud admin panels.

Another subset, including wazayif-halima[.]org, israel-talent[.]com, and israel-talent[.]xyz, reflects the APT’s long-running interest in targeting Israeli organizations through employment-themed social engineering. These domains mirror job-placement branding common to Israel’s tech and defense workforce, offering a credible lure surface for spear-phishing campaigns aimed at engineers, analysts, and corporate staff. In typical Charming Kitten fashion, the operators diversify across multiple TLDs (.com, .org, .xyz) to increase survivability and widen the capture radius for victims who mistype the domain.
The final layer consists of remnants of project-coded infrastructure, Abraham’s Ax, kashef, and Bulgaria-based servers, that appear in the operators’ internal notes as hostnames, VPN exit nodes, or C2 pivots. While not domains themselves, the appearance of these labels alongside the real domains anchors the entire set within an organized procurement cycle: operators stand up a domain, bind it to a VPS host, wrap it in an alias persona, and log it in the operational spreadsheet. The repetition of this pattern across all domain families demonstrates that Charming Kitten does not innovate on infrastructure; it iterates. Domains are spun, burned, and replaced through a playbook that prioritizes administrative continuity over sophistication.
Bitcoin Wallets, Transactions, and Payments: What the Ledger Shows

The financial layer in Episode 4 is striking for its simplicity: tiny, repeatable purchases funded via a crypto gate, recorded against obvious operational artifacts. When we shift focus from invoices and VPS to the on-chain fragments and address artifacts embedded in the ledger, three points stand out: small amounts, fragmented transaction provenance, and direct domain ties.
Wallets and Payments:

The network of wallets and transaction fragments aligns closely with the domains and services in use. Within the operational records, domains appear side by side with payment entries, forming a self-contained system of attribution. When an on-chain artifact, such as the address beginning with 3A5M, appears, it sits directly beside a corresponding hosting entry like secnetdc[.]com, creating a syntactic and functional pairing between cryptocurrency movement and specific infrastructure assets.
A second class of payment evidence emerges through Cryptomus transaction fragments. Though these fragments conceal the actual blockchain addresses, their repetition across multiple entries points to a common gateway and a stable set of receiving clusters. This consistency implies that crypto flows were routed through a single, reusable payment processor, maintaining continuity across purchases while obscuring direct traceability.
The financial behavior itself is telling: transactions are deliberately modest, typically between €12 and €18, suggesting micro-purchases calibrated to sustain long-term infrastructure while staying below the amounts that draw attention from financial compliance systems. Their scale minimizes AML or OFAC scrutiny and blends seamlessly with ordinary online commerce.
Taken together, the recurring use of the Cryptomus gateway and the EDIS reseller reveals a structured procurement method. Cryptocurrency payments are funneled into a limited number of merchant endpoints, while the ledger documents the dispersed operational footprint, domains, virtual servers, and service nodes. The isolated appearance of an explicit on-chain address signals occasional lapses in operational hygiene, providing a rare and valuable foothold for blockchain correlation and broader attribution.
The Operational Collection Wallet: 1K93styPFkDGsTYNjgqaDN6xWy5NmUDLhh

The above Bitcoin address, 1K93styPFkDGsTYNjgqaDN6xWy5NmUDLhh, is a central wallet that, according to the snapshot, transacted 90 times on-chain and received 0.15369121 BTC (displayed USD equivalent $15,259.37) before being fully emptied. The dashboard reports a total sent value identical to the total received (0.15369121 BTC), a total lifetime volume of 0.30738242 BTC (~$30,518.75), and a current on-chain balance of 0.00000000 BTC. That combination, many small transactions in, periodic consolidation and an ultimately zero balance, is a classic pattern for a service/collection wallet used to aggregate micro-payments and forward them onward.
Transaction-level indicators support that reading. The above image shows multiple incoming micro-payments of 0.0005 BTC (and similar small amounts) and at least one large consolidation spend (an outgoing transaction of -0.05863265 BTC that lists 94 inputs) with a relatively large miner fee (the UI shows a fee of ~139.5k sats, displayed ≈ $138.53). Ninety total transactions with dozens of tiny inputs plus multi-input consolidation spends strongly suggest the wallet accumulated many small UTXOs (unspent transaction outputs, typical of customer payments, routing from mixers, or automated payouts) and then periodically consolidated or forwarded those funds in bulk.
Operational interpretation
- Role: collector/aggregation wallet for micro-payments (or small receipts) rather than a long-term cold storage or exchange custody address.
- Behavioral signals: repeated small inbound amounts (0.0005 BTC) indicate either automated service payments, funneling from many upstream payers, or staged outputs from a mixing service. The later consolidation with many inputs shows someone consolidated value — either to forward to a service/exchange or to obfuscate origin via coinjoins/mixers.
- Current state: emptied at snapshot time, meaning funds were forwarded elsewhere; those downstream hops are the logical next step to trace for attribution or cash-out points.
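The collector-wallet reading above rests on a few countable properties: transaction count, total received versus sent, the final balance, the share of tiny inbound payments, and the presence of multi-input sweeps. The Python below is an added example, not tooling from the leak or from DTI, that computes those properties from a transaction list and applies the same heuristic. The transactions, the thresholds (0.001 BTC for "small", 10 inputs for a "consolidation") and the "collection"/"holding" labels are my own assumptions.

```python
# Added example (not from the leak analysis): heuristic profiling of a Bitcoin
# address from its transaction list, following the collector-wallet reasoning
# in the text. All transactions are constructed; amounts are kept in satoshis
# (integers) so totals match an explorer dashboard without float drift.
from dataclasses import dataclass
from typing import Dict, List

SATS_PER_BTC = 100_000_000


@dataclass
class Tx:
    txid: str
    inputs: int        # number of inputs the transaction spends
    delta_sats: int    # net effect on the wallet: + inbound, - outbound (fee included)


def wallet_profile(txs: List[Tx], dust_ceiling_sats: int = 100_000,
                   consolidation_min_inputs: int = 10) -> Dict[str, int]:
    """Summarise a wallet the way an explorer dashboard does, plus the two
    behavioural counters the collector-wallet reading relies on."""
    inbound = [t for t in txs if t.delta_sats > 0]
    outbound = [t for t in txs if t.delta_sats < 0]
    received = sum(t.delta_sats for t in inbound)
    sent = -sum(t.delta_sats for t in outbound)
    return {
        "tx_count": len(txs),
        "inbound": len(inbound),
        "outbound": len(outbound),
        "received_sats": received,
        "sent_sats": sent,
        "volume_sats": received + sent,        # "total lifetime volume"
        "balance_sats": received - sent,
        # many tiny inbound payments (<= 0.001 BTC by default)
        "small_inbound": sum(1 for t in inbound if t.delta_sats <= dust_ceiling_sats),
        # outbound spends that sweep many UTXOs at once
        "consolidations": sum(1 for t in outbound if t.inputs >= consolidation_min_inputs),
    }


def classify(profile: Dict[str, int]) -> str:
    """collection: emptied, fed by micro-payments, swept by multi-input spends.
    holding: funds received and never moved. indeterminate: anything else."""
    small_share = profile["small_inbound"] / max(profile["inbound"], 1)
    if profile["balance_sats"] == 0 and profile["consolidations"] >= 1 and small_share >= 0.5:
        return "collection"
    if profile["balance_sats"] > 0 and profile["outbound"] == 0:
        return "holding"
    return "indeterminate"


def btc(sats: int) -> str:
    return f"{sats / SATS_PER_BTC:.8f} BTC"


# Constructed wallet: 60 payments of 0.0005 BTC, two of 0.01 BTC, then one
# 62-input sweep that empties it (the outflow includes the miner fee).
COLLECTOR = (
    [Tx(f"in{i:02d}", 1, 50_000) for i in range(60)]
    + [Tx("in60", 1, 1_000_000), Tx("in61", 1, 1_000_000)]
    + [Tx("sweep", 62, -5_000_000)]
)

# Constructed wallet that only ever received funds.
HOLDER = [Tx(f"h{i}", 1, 2_000_000) for i in range(3)]

if __name__ == "__main__":
    for name, txs in (("collector", COLLECTOR), ("holder", HOLDER)):
        p = wallet_profile(txs)
        print(name, classify(p), "received", btc(p["received_sats"]),
              "balance", btc(p["balance_sats"]), "consolidations", p["consolidations"])
```

In practice the transaction list would come from an explorer API for the address in question, and the next step, as the text notes, is to walk the outputs of the sweep transaction to find the downstream hop.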
Operational Tradecraft: The Business of Operating an Intelligence Operation
The operational material in the dump turns what might seem like scattered activity into a clear and repeatable workflow. Each cycle begins with the creation of a ProtonMail persona, followed by the registration of a domain crafted for a specific campaign or cover purpose. Once the domain is secured, the operators purchase a low-cost VPS from a European reseller, pay through a cryptocurrency gateway, log the ticket number and credentials in the shared service ledger, and then deploy a phishing page or command server. Different aliases perform the steps, but the method never changes. What appears improvised from the outside is, in fact, a stable routine executed with bureaucratic discipline.
Shifts in alias or billing identity do not disrupt the choreography. A hosting purchase tied to “Maja Bosman” in December 2022 follows the same pattern as a purchase tied to “Levis Cross” in April 2023, with identical hosting tiers, vendors, price bands, and reliance on the same crypto payment rails. The consistency across time and personas shows that these are not isolated procurement events but templated cycles aligned with the rows preserved in the service ledger. The repeated use of EDIS Global in Cyprus as a hosting provider, combined with Cryptomus as the payment conduit, reveals a supply chain optimized for pseudonymous acquisitions. The operators gain anonymity, yet each transaction produces a traceable fragment that links the infrastructure back to the underlying workflow.
The ledger entries tie the entire system together. Domains such as sskmt[.]com and misvps[.]io were purchased using the same KVM BASIC PLUS hosting packages priced around seventeen euros per month, and the same price points, SKUs, and hosting strings appear throughout the spreadsheet. These recurring signatures allow investigators to follow a direct path from procurement to deployment, exposing an industrialized process in which inexpensive VPS instances are acquired in small units, paid for with micro-crypto amounts, cataloged in a shared sheet, and activated as persistent infrastructure for Charming Kitten and Moses Staff campaigns. The paperwork is not peripheral; it is the blueprint of the operation, revealing the workflow, the dependencies, and the pressure points where the infrastructure can be disrupted.
Operational Tradecraft: Creation and Use of Aliases and Email Addresses
The group’s operational tradecraft is clearest in the way it manufactures and discards identities. Each alias exists only long enough to perform a single task such as registering a domain, submitting a support ticket, or purchasing hosting. These personas are not cultivated, expanded, or reused. They are burned immediately after use, leaving only a fleeting entry in a provider’s logs. Historical WHOIS patterns confirm this discipline. While the domains are registered privately, the surrounding metadata shows that none of the names or ProtonMail addresses reappear in earlier domain ownership records, public forums, credential dumps, or any other online history. Each identity is created for the lifespan of a single procurement event and then abandoned.
The names themselves follow a deliberate aesthetic. Some resemble Israeli contractors, others Russian freelancers, American small business owners, or European students. This diversity helps the operators blend into the global background noise of hosting and domain purchases. ProtonMail provides the perfect backbone for this approach because it is widely used across regions where these personas would plausibly exist. Each alias receives a fresh ProtonMail address formatted to look like an ordinary personal account, active only long enough to complete registration tasks or answer provider messages. The absence of recurrence across the broader internet reflects a tightly controlled identity-lifecycle model.
This strategy creates airtight compartmentalization. A persona used for one domain is never used for another, and no name ever appears across different clusters of hosts or campaigns. To hosting providers, the activity looks like a scattered set of unrelated customers making small purchases. To an investigator with access to the internal ledgers, the pattern resolves into a single workflow: routine creation of ProtonMail inboxes, rapid procurement of low-cost infrastructure, strict one-time use of identities, and immediate disposal. The result is an identity management system engineered to eliminate persistent markers, frustrate long-term correlation, and make each procurement step appear isolated despite being part of a unified operational machine.
Disposable Identities and Their Intersection with Domains, Wallets, Timelines, and Ledger Patterns
The group’s disposable aliases only make sense when viewed alongside the four systems they touch: domain acquisition, cryptocurrency payments, campaign timing, and the shared service ledger. Each fabricated persona appears briefly at the junction of these pillars, completing a single procurement action before vanishing. While the names leave almost no independent footprint, the artifacts they generate across these other systems reveal how structured and interconnected the operation truly is.
The domain clusters form the first pattern. Each one consists of a small burst of registrations made within minutes or hours of each other, all protected by private WHOIS. Every cluster is assigned its own set of one-time identities, ensuring that no alias appears across separate groups of domains. The financial layer reinforces this structure. Even though payments are routed through Cryptomus, recurring transaction fragments and micro-payments align with specific hosting renewals and activation dates. These fragments persist long after the aliases are discarded, creating durable technical markers that link procurement events to infrastructure timelines.
The final coherence comes from the campaign chronology and the service ledger. Domains and VPS instances often sit dormant for weeks after being purchased, then activate shortly before a phishing campaign or intrusion attempt. This gap between procurement and use reduces exposure while keeping the workflow efficient. The ledger ties all of this together. It records hosting SKUs, timestamps, credentials, and reminders that match the payment logs and vendor records, proving that each alias is simply a single-use instrument within a unified operational system. Taken together, the four pillars show how the group balances anonymity with internal discipline: identities disappear instantly, but the infrastructure they trigger follows a consistent and well-documented lifecycle.
In this way, the group is able to create an appearance of scattered and unrelated activity across the internet while maintaining a very tight internal process. The aliases provide camouflage. The infrastructure tells the real story.
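The ledger correlation described across these sections (templated procurement signatures, burst registrations, one alias per cluster, recurring payment fragments, and dormancy between purchase and activation) can be checked mechanically once the ledger rows are in a structured form. The Python below is an added example and is not the operators' ledger or DTI's tooling; the row layout, the six-hour burst window, the dates and the payment fragments are constructed assumptions, while the alias, vendor, SKU, gateway and domain names are taken from the report itself.

```python
# Added example (not the leak's own sheet or DTI tooling): correlating rows of
# a shared procurement ledger so that one-time aliases collapse into the
# repeatable workflow described in the text. Rows, dates and payment
# fragments are constructed; names come from the report's appendix.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class LedgerRow:
    alias: str
    domain: str
    vendor: str
    sku: str
    price_eur: float
    gateway: str
    payment_fragment: str   # truncated gateway reference, as kept in the sheet
    registered_at: datetime
    activated_at: datetime  # first observed operational use


Signature = Tuple[str, str, str]  # (vendor, sku, gateway)


def procurement_signatures(rows: List[LedgerRow]) -> Dict[Signature, Dict[str, set]]:
    """Group rows by procurement template. Many aliases under one signature is
    the tell that they are instruments of a single workflow, not customers."""
    out: Dict[Signature, Dict[str, set]] = {}
    for r in rows:
        b = out.setdefault((r.vendor, r.sku, r.gateway),
                           {"aliases": set(), "domains": set(), "prices": set()})
        b["aliases"].add(r.alias)
        b["domains"].add(r.domain)
        b["prices"].add(round(r.price_eur, 2))
    return out


def registration_bursts(rows: List[LedgerRow],
                        window: timedelta = timedelta(hours=6)) -> List[List[str]]:
    """Cluster domains whose registrations fall within `window` of each other."""
    clusters: List[List[str]] = []
    last = None
    for r in sorted(rows, key=lambda r: r.registered_at):
        if last is None or r.registered_at - last > window:
            clusters.append([])
        clusters[-1].append(r.domain)
        last = r.registered_at
    return clusters


def aliases_crossing_clusters(rows: List[LedgerRow], clusters: List[List[str]]) -> Set[str]:
    """Aliases seen in more than one burst; empty means strict one-alias-per-cluster use."""
    alias_of = {r.domain: r.alias for r in rows}
    first_seen: Dict[str, int] = {}
    crossing: Set[str] = set()
    for idx, cluster in enumerate(clusters):
        for domain in cluster:
            a = alias_of[domain]
            if first_seen.setdefault(a, idx) != idx:
                crossing.add(a)
    return crossing


def fragment_reuse(rows: List[LedgerRow]) -> Dict[str, int]:
    """Payment fragments recurring across rows: one gateway account behind many aliases."""
    counts = Counter(r.payment_fragment for r in rows)
    return {f: n for f, n in counts.items() if n > 1}


def dormancy_days(rows: List[LedgerRow]) -> Dict[str, int]:
    """Days between purchase and first operational use, per domain."""
    return {r.domain: (r.activated_at - r.registered_at).days for r in rows}


D = datetime.fromisoformat
LEDGER = [  # constructed rows; aliases, vendor, SKU, gateway and domains are from the report
    LedgerRow("Maja Bosman", "sskmt[.]com", "EDIS Global", "KVM BASIC PLUS", 17.00, "Cryptomus", "cm_7f3a", D("2022-12-05T09:12"), D("2023-01-02T08:00")),
    LedgerRow("Sheldon Bayer", "misvps[.]io", "EDIS Global", "KVM BASIC PLUS", 17.00, "Cryptomus", "cm_7f3a", D("2022-12-05T10:40"), D("2023-01-04T12:00")),
    LedgerRow("Levis Cross", "secnetdc.com", "EDIS Global", "KVM BASIC PLUS", 16.50, "Cryptomus", "cm_91c2", D("2023-04-18T14:05"), D("2023-05-20T09:00")),
    LedgerRow("Edgar Evseev", "tecret.com", "EDIS Global", "KVM BASIC PLUS", 17.00, "Cryptomus", "cm_91c2", D("2023-04-18T14:50"), D("2023-05-21T09:00")),
    LedgerRow("Clark Norman", "cavinet.org", "EDIS Global", "KVM BASIC PLUS", 17.00, "Cryptomus", "cm_91c2", D("2023-04-18T16:10"), D("2023-05-23T11:00")),
    LedgerRow("Shirley Bishop", "termite.nu", "EDIS Global", "KVM BASIC PLUS", 17.00, "Cryptomus", "cm_c0de", D("2023-07-02T11:30"), D("2023-07-30T07:00")),
]

if __name__ == "__main__":
    bursts = registration_bursts(LEDGER)
    print("bursts:", bursts)
    print("aliases crossing clusters:", aliases_crossing_clusters(LEDGER, bursts))
    for sig, b in procurement_signatures(LEDGER).items():
        print(sig, sorted(b["aliases"]), sorted(b["prices"]))
    print("fragment reuse:", fragment_reuse(LEDGER))
    print("dormancy (days):", dormancy_days(LEDGER))
```

The burst window is the one knob worth tuning: the text describes registrations "within minutes or hours", so six hours separates the clusters cleanly here, but a real ledger with overlapping campaigns may need the window tightened and the clusters cross-checked against hosting activation dates.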


Why This All Matters
In the world of cyber threat intelligence, attention often fixates on the glamorous front end of intrusion, the zero-days, the implants, the command-and-control frameworks. But what the APT35 and Moses Staff leaks expose is the hidden half of cyberwarfare: the bureaucratic engine that funds, equips, and sustains it. These files strip away the mythology of elite operators and reveal a machine that runs on invoices, crypto payments, and shared spreadsheets. What makes this revelation significant isn’t just what Tehran is hacking, but how it keeps hacking, through systems of procurement, payment, and administration that mirror legitimate state accounting.
Each transaction tells a story of adaptation under constraint. With Iran’s access to global finance curtailed by sanctions, operators have built a parallel economy of intrusion: crypto gateways like Cryptomus and NowPayments act as anonymized intermediaries; small-scale European VPS resellers such as EDIS Global and Impreza Host become unwitting facilitators; and administrative ledgers track every euro spent as if it were a budget line in a ministry. The pattern reveals a sanctioned nation’s workaround, a form of gray-market logistics that turns the limitations of isolation into operational discipline. In this system, anonymity isn’t a byproduct of evasion; it’s a standardized function, designed to allow IO operations to persist without disruption.
By documenting the minutiae, the BTC addresses, the service tickets, the 12-euro hosting payments, this dump transforms our understanding of Iranian cyber capability. It’s not the product of rogue ingenuity but of institutional persistence, a bureaucratic adaptation of espionage to economic isolation. Cryptomus and similar payment rails effectively launder state funding into operational liquidity, while European resellers provide the legal and infrastructural scaffolding that make Tehran’s influence operations indistinguishable from ordinary e-commerce. In that sense, the lesson of these leaks is strategic: cyber power is not just built on code or exploits but on supply chains, accountants, and renewal schedules. The spreadsheet, not the malware, is what keeps Iranian operations online.
APPENDIX A: IOCs
Operations Domains:
- bbmovements.com
- cavinet.org
- secnetdc.com
- tecret.com
- termite.nu
- dreamy-jobs.com
- wazayif-halima.org
- israel-talent.com
- israel-talent.xyz
- kanplus.org
MOSES STAFF DOMAINS:
- moses-staff.io
- moses-staff.se
- moses-staff.to
Recurring Hosting Providers:
- EDIS Global (Limassol, Cyprus) AS57169
- CloudDNS nodes linked to moses-staff infrastructure AS203391
- “Server Samane” (internal operator label) AS16509
- Bulgaria-based VPS nodes (3CX / VPN / “Karaj” references) AS21340
Email Addresses and Cover Names:
- bbmovement@protonmail.com
- meriyalee@protonmail.com
- cybersonix@protonmail.com
- john.porter857@protonmail.com
- carlos.patel@protonmail.com
- lolita259@proton.me
- rona_yanga@proton.me
- cou.nic@protonmail.com
- timothyefimov@protonmail.com
- gdavies007@proton.me
- nansi.morad@protonmail.com
- juliusyermolayev@protonmail.com
- clark.norman@protonmail.com
- mekhaeelkalashnikova@proton.me
- shirley7070@proton.me
- b.laws32@proton.me
- molden5@protonmail.com
- jhjbmuugtfftdd@proton.me
- sanjilankopylova@proton.me
- bashiriansul@proton.me
- mlw.services.313@protonmail.com
Aliases:
- Maja Bosman
- Levis Cross
- Sheldon Bayer
- Edgar Evseev
- Mekhaeel Kalashnikova
- Shirley Bishop
- Clark Norman
- Julius Yermolayev
Bitcoin Wallets:
- 3F2KWMSkjFdskQ2gV6pm4NA7JH2dx3jfCA
- 16JMV9srqVDrK9u6z5cgKQjxnbJJp6gSxi
- 32HF3h685344uJe7RMhhp5s5oBjaQq6BQh
- bc1q567mrap7x4mwva2wlea3x9nc78pgp7dxspe6su
- bc1qw0fqr597dqh3j8pe3c9gnl7vvkpgumxsak646g
- 3Ck5dxmGXG3u1i3H7CM4vBpTeohDweJuYL
- 3DN4UZ8gTmoCDaWP7ejmDYj4ByTQmKkmwU
- 383j9rbvXyf4ZVaTPLPB1QfpkDJZfMEziG
- 3MCyrpDmEUAWjx5rg5L3uqcZDux6e9Ns78
- bc1qmasss9tj2wcyr8vyjajhn8qu9xr3g9hl0r0ne7
- 34bvn64Hn9rgwahJJVveh8xTgseLtY8KpJ
- bc1q2peh44qqjx9xg32xqfwzmrcrj42lean57vg6j4
- 3BMbdmfc9sKKEtX9EFKbxbS75xTuKEzRjF
- 35eL5XLnKWbpJPdQGULvqhQpNQEkBSPisN
- bc1qxjmw2lknnne5hr0c4va2fjx0kzc9la4vhuaqex
- 13Ue2i4Pombmd1NUGKgT8P1SCm8jw5F2Kj
- 1K93styPFkDGsTYnjgqaDN6xWy5NmUDLhh
- 19cChyRjku4zMKPr7PtkNSAdp9JE6AmiL2
- 1HcPgNVrb7RvYkaGSu286qz2WF5UVBPP1R
- 38Ai21L6mt7Qe2jnpxAZvjTLqKCYfjx9Am
- bc1qtf2a865s7ncxcsdcwee8yyyqjhhkk9nn7ww98q
- 32LvatxLwVfxpteiJc14HCyDDv2t2BRfj5
- 31we2wugu5z7Mc3irnmZu9H7rXPrEqsuTf
- 3Fv1X3we164eiBkme9wzHDU1iHpXuWcx8h
- bc1qfzke9vknxdvtm6yrkru3ddzfl74ducx7s6rke2
- 33PMgvq7HN8gdpd82WFCxKpVtsnSUWbLFx
- bc1q9a8k39xpxeflsetdw92mzd98kg7gpcwsm2malh
- bc1qpq0pk3xskqs70wg9werg3ypl8e255euzd5g4nq
- 391baZHDES5TvotnYSnWwqnyYDXf2taWWb
- 38SvFcEVRsfADhuxk7FS1p3TJfXYHewzGe
- bc1q7xk8vk2cttvz92xjh2r4tfry0964rvvedeqpls
- 17cHK7neWyAq1imHgjc6wKqoX3gqPcUx4N

IP Clusters:
- 128.199.237.132 – DigitalOcean (WordPress scanner patterns)
- 212.175.168.58 – Türk Telekom
- 212.12.178.178 – Nour Communication Co. Ltd, Saudi Arabia
- 1.235.222.140 – KRNIC (Korea)
- 109.125.132.66 – Pishgaman Tejarat Sayar DSL, Iran
- 83.96.77.227 – Fast Communication Co. Ltd, Kuwait
MITRE ATT&CK Technique Mapping
Aligned to Charming Kitten / Moses Staff Identity, Infrastructure, and Operational Tradecraft
TA0043 – Reconnaissance
T1595 – Active Scanning
Operators stage VPS nodes to probe target systems and deliver phishing infrastructure.
T1598 – Phishing for Information
Domains such as dreamy-jobs.com, israel-talent.com, and wazayif-halima.org are designed to lure specific industries for credential harvesting.
TA0001 – Initial Access
T1566 – Phishing
Job-themed, credential-harvest pages deployed on low-cost VPS nodes purchased through EDIS and Impreza Host.
T1078 – Valid Accounts
Harvested credentials fed into further access attempts, often timed shortly after domain activation.
TA0002 – Execution
T1204 – User Execution
Operators deploy phishing pages requiring victim interaction (login forms, document lures).
TA0003 – Persistence
T1098 – Account Manipulation
Use of harvested credentials to maintain foothold where applicable.
T1136 – Create Account
Single-purpose ProtonMail inboxes created for procurement (operational persistence at the infrastructure layer).
TA0004 – Privilege Escalation
T1068 – Exploitation for Privilege Escalation
(Not a focus of the dump, but implied in reference to Charming Kitten’s broader history of targeting Microsoft Exchange and Ivanti appliances.)
TA0005 – Defense Evasion
T1036 – Masquerading
Use of aliases that imitate Israeli, Russian, European, and American names; job-themed domains; fake recruitment brands.
T1070.004 – File Deletion
Use of single-use ProtonMail identities deleted or abandoned immediately after procurement.
T1112 – Modify Registry
(Not directly in the dump, but historically used in Moses Staff post-exploitation phases.)
T1027 – Obfuscated/Encrypted Files
TOR mirrors, private WHOIS, and encrypted communication channels.
T1564.003 – Hidden Artifacts: Disposable Email Identities
Strict one-time usage of procurement emails to prevent cross-cluster linkage.
TA0006 – Credential Access
T1056 – Input Capture
Credential-harvesting login portals deployed on purchased domains.
T1110 – Brute Force
Occasional activity against Israeli organizations (documented in public reporting of Moses Staff operations).
TA0007 – Discovery
T1087 – Account Discovery
Infrastructure scans for valid credentials through job-themed lures.
T1046 – Network Service Scanning
EDIS-hosted servers used to probe Israeli networks prior to planned intrusions.
TA0008 – Lateral Movement
T1021 – Remote Services
Use of harvested valid accounts through VPN portals and cloud dashboards.
TA0009 – Collection
T1530 – Data from Cloud Storage
Compromises of cloud/email providers in the civilian tier.
T1114 – Email Collection
Phished credentials provide mailbox access enabling data theft.
TA0011 – Command and Control
T1071 – Application Layer Protocol
C2 nodes hosted on low-tier VPS servers via HTTP(S).
T1105 – Ingress Tool Transfer
Payloads staged on purchased domains and KVM BASIC VPS instances.
T1568.002 – Dynamic DNS
Operators rotate hosts rapidly; CloudDNS references seen around Moses Staff mirrors.
TA0010 – Exfiltration
T1048 – Exfiltration Over Alternative Protocol
TOR mirrors used for anonymity during leaks.
T1567.002 – Exfiltration to Web Services
Leak sites operated under moses-staff.io, .se, .to.
TA0040 – Impact
T1491 – Defacement / Psychological Operations
Public leak sites intended to intimidate Israeli institutions.
T1485 – Data Destruction
Moses Staff’s destructive toolchain, already known in historical operations.
Supporting Operational Tradecraft Mappings
Identity Infrastructure Techniques
T1585.001 – Establish Accounts: Email Accounts
Single-use ProtonMail addresses for procurement.
T1583.003 – Domain Registration
Clusters of domains purchased for credential harvesting and campaign staging.
T1583.001 – Acquire Infrastructure: Virtual Private Servers
Routine procurement from EDIS, Impreza Host, Bulgarian VPS sellers.
T1586.002 – Compromise Accounts: Webmail
Credential theft from phishing operations.
Financial / Payment–Layer Techniques
T1586 – Obfuscation via Payment Providers
Cryptomus used to anonymize infrastructure transactions.
T1587 – Develop Capabilities
Infrastructure provisioning using micro-crypto payments in a repeatable pattern.
T1599 – Network Boundary Bridging
By paying through crypto and using global VPS hosting, operators evade regional filtering.

Chinese Malware Delivery Domains Part IV uncovers 1,900+ new sites targeting Chinese-speaking users. Get a deep dive into infrastructure, TTPs, and AI-powered threat analysis.
Evolution of Infrastructure and AI-Powered Security Analysis
Summary
Since January 2025, DomainTools Investigations has been tracking a large cluster of malware delivery domains that has been active since June 2023. We’ve published three reports on the cluster in the past 11 months, and in the latest, the Part III report in July 2025, we surmised that the cluster comprised over 2,800 domains. Since then, we’ve observed more than 1,900 additional malware delivery domains that we suspect are tied to the same super cluster. This high volume of malware delivery domains makes for an excellent case study of AI-facilitated analysis taking on the burden of website analysis, binary analysis and detection authoring.
This report provides updates on the cluster following Part III and introduces a new experimental approach to defensive hunting and tracking of malware delivery clusters such as this one: the deployment of agentic AI systems that enable analysis workflows at the scale and speed necessary to match threat actor operations. Using a combination of a task-based AI orchestrator and sub-agents, one security researcher achieved a 10x improvement in analysis throughput (assuming the websites were resistant to traditional solutions), with agents tirelessly processing over 1,900 malware delivery websites in the time traditionally required for roughly 200-400 manual investigations.
At a glance, the threat actor continues to demonstrate remarkable persistence and scale in their malware delivery operations, maintaining a wide variation in infrastructure deployment, lure sites, and malware delivery, which consistently appears to be targeting Chinese-speaking users across the globe. Our analysis from May to November 2025 reveals notable operational evolution across distinct clustering patterns and continued spoofing of common software download websites as lures to deliver trojans and credential stealers. However, the same operational security weaknesses prevail in the form of highly leveraged SOA emails, tracking IDs for SEO manipulation, unique registrant names, and relatively unique infrastructure combinations. These factors allow for distinct campaigns to be linked together, forming the super cluster of approximately 5,000 malware delivery domains that has been active since 2023.
Sample of the malware delivery websites spoofing common application download pages:


Part 1: Campaign Evolution Analysis
1.1 Infrastructure Evolution
At a high level, the actor's infrastructure has undergone an overall fragmented evolution with a few exceptions since our July 2025 report (Part III), which documented 2,800 domains created from January to May 2025. Current analysis indicates that approximately 1,900 additional domains have been created in the period from May 2025 to November 2025.
Initially, domain hosting infrastructure was highly consolidated prior to May 2025, but this gradually gave way to diversification in August. By November, the infrastructure fractured further into smaller, more fragmented clusters with a focus on localization and operational security improvements as well as leveraging domestic Chinese registrars and randomized domain naming patterns.

The infrastructure evolution appears to demonstrate distinct transitions with a particular surge in overall variability from August to November:
Consolidated (May-July 2025)
- Primary infrastructure: Alibaba Cloud Hong Kong
- Registrar: WebNIC (98% concentration)
- Focus: Chrome, Chinese VPN, and WPS Office spoofs
Diversified (August-September 2025)
- New targeting: Signal and Telegram messengers
- Domain clustering tightens (higher specificity scores)
Localization (October-November 2025)
- Majority use of Chinese domestic registrars
- 四川域趣网络科技有限公司 becomes primary registrar
- Random domain naming patterns emerge
- Possible OPSEC improvement attempts
[Diagram 1.2: Infrastructure Evolution Sankey] Flow diagram showing: Campaigns → Registrars → ISPs → Countries

1.2 Campaign Comparison Matrix

1.3 Operational Adaptations
Comparing domain registration trends from January through June 2025 with June through November 2025, several adaptations emerged:
Infrastructure Resilience
- Reduced reliance on single ISPs (from 90% to 40% maximum concentration)
- Geographic distribution across 5 countries (previously 3)
- Registrar diversification: 8 unique registrars vs 3 previously
OPSEC Improvements
- Increased use of privacy protection services
- Shorter domain active lifespans (average 30 days vs 60 days)
Technical Evolution
- Enhanced anti-automation JavaScript (20+ unique evasion signatures)
- Multiple packer usage (VMProtect, ASPack, ASProtect, MPRESS)
- Certificate pinning in Cloudflare-hosted domains
Part 2: Technical Threat Analysis
2.1 Malware Delivery Evolution
Analysis of 2,393 domains reveals continued targeting of Chinese-speaking users through spoofing campaigns. The actor maintains their core tactic of mimicking legitimate software download sites while expanding their portfolio.
[Diagram 2.1: Domain Naming Word Cloud] Word clouds showing naming patterns by campaign

Patterns in Spoofed Application Categories
Communication Tools (391 domains, 24.2%)
- WhatsApp variants: 243 domains
- Pattern: xx-whatsapp[.]com[.]cn, whatsapp-xx[.]com[.]cn
- Examples: dk-whatsapp[.]com[.]cn, whatsapp-us[.]com[.]cn, ph-whatsapp[.]com[.]cn
- WhatsApp Web: 34 domains
- Pattern: web-*-whatsapp[.]com[.]cn, app-*-whatsapp[.]com[.]cn
- Examples: web-apc-whatsapp[.]com[.]cn, app-hs-whatsapp[.]com[.]cn
VPN Services (363 domains, 22.4%)
- LetsVPN/Kuailian (快连): 129 domains
- Pattern: kuailian*[.]com[.]cn, kuaillian-xx[.]com[.]cn
- Examples: kuailianwq[.]com[.]cn, kuailianod[.]com[.]cn, kuaillian-rd[.]com[.]cn
- Kuailian variants: 43 domains
- Pattern: xx-kuailian[.]top, kuailian*-kuailian[.]top
- Examples: vd-kuailian[.]top, kuailian3-kuailian[.]top
Productivity Software (229 domains, 14.2%)
- Google (search/services): 148 domains
- Pattern: cn-*-google[.]com[.]cn, zh-*-google[.]cn, web-*-google[.]cn
- Examples: cn-app-google[.]com[.]cn, zh-cn-google[.]cn, web-gg-google[.]com[.]cn
- Youdao (translation/dict): 19 domains
- Examples: youdao-youd[.]com[.]cn, web-youdao[.]com[.]cn
- WPS Office: 18 domains
- Pattern: wps-office-*[.]com[.]cn, wps-*[.]com[.]cn
- Examples: wps-office-cnzh[.]com[.]cn, wps-jinshan[.]com[.]cn
Web Browsers (109 domains, 6.7%)
- Chrome: 53 domains
- Pattern: guge-*[.]com[.]cn, chrome-*[.]com[.]cn
- Examples: guge-cn[.]com[.]cn, guge-chrome-app[.]com[.]cn, chrome-cnzh[.]com[.]cn
Cryptocurrency Tools (54 domains, 3.3%)
- ImToken: 38 domains
- Multi-TLD strategy: .com, .org, .top, .xyz, .shop, .click
- Examples: imtz1[.]xyz, mtoken[.]shop, imtoken-im[.]click
Financial/Trading Platforms (51 domains, 3.2%)
- AICoin: 27 domains (extensive infrastructure)
- Multi-TLD strategy: .com, .org, .biz, .vip
- Examples: aiiceoin[.]com, xz-aicoin[.]com, aicoin-zh[.]org
- AICoin Download variants: 11 domains
- Examples: us-aicoin[.]com, aicoin-xz[.]com, home-aicoin[.]com
Input Methods & Translation (43 domains, 2.7%)
- Sogou Input: 15 domains
- Pattern: *-sougoushurufa[.], *-sogou[.], sogou-*[.]
- Examples: cnzh-sougoushurufa[.]com[.]cn, app-sougoushurufa[.]com[.]cn, shurufa-sogou[.]top, sogou-pc[.]cn
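As an added example (not DomainTools' clustering code), the rule-based classifier below turns the naming patterns listed above into regular expressions and maps a defanged domain to its spoofed application category. The regular expressions are my generalisation of the listed patterns and would need tuning against new data; the sample domains are taken from the lists above plus two constructed negatives that show the rules flag spoof naming, not the brands themselves.

```python
# Added example (not the report's tooling): rule-based spoof-category
# classification of defanged domains, generalised from the naming patterns
# listed in the report. Regexes are assumptions; tune them on real data.
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple


def refang(domain: str) -> str:
    """Turn 'a[.]b[.]cn' back into 'a.b.cn' for matching."""
    return domain.lower().replace("[.]", ".").strip()


# Most specific first: the 'web-*-whatsapp' rule must win over generic WhatsApp.
RULES: List[Tuple[str, str, str]] = [
    ("Communication Tools", "WhatsApp Web", r"^(?:web|app)-[a-z0-9]+-whatsapp\.com\.cn$"),
    ("Communication Tools", "WhatsApp", r"^(?:[a-z]{2}-whatsapp|whatsapp-[a-z]{2})\.com\.cn$"),
    ("VPN Services", "LetsVPN/Kuailian", r"^kuail{1,2}ian[a-z0-9-]*\.com\.cn$"),
    ("VPN Services", "Kuailian variants", r"^(?:[a-z]{2}|kuailian[0-9]*)-kuailian\.top$"),
    ("Productivity Software", "Google", r"^(?:cn|zh|web)-[a-z0-9]+-google\.(?:com\.)?cn$"),
    ("Productivity Software", "Youdao", r"(?:^|-)youdao(?:-|\.)"),
    ("Productivity Software", "WPS Office", r"^wps-(?:office-)?[a-z0-9]+\.com\.cn$"),
    ("Web Browsers", "Chrome", r"^(?:guge|chrome)-[a-z0-9-]+\.com\.cn$"),
    ("Cryptocurrency Tools", "ImToken", r"^(?:imtoken|mtoken|imtz)"),
    ("Financial/Trading Platforms", "AICoin", r"ai{1,2}ce?oin"),   # also catches 'aiiceoin'
    ("Input Methods & Translation", "Sogou Input", r"sou?gou|shurufa"),
]
COMPILED = [(cat, app, re.compile(rx)) for cat, app, rx in RULES]


def classify(domain: str) -> Tuple[str, Optional[str]]:
    """Return (category, spoofed application) or ('unknown', None)."""
    d = refang(domain)
    for cat, app, rx in COMPILED:
        if rx.search(d):
            return cat, app
    return "unknown", None


def tally(domains: List[str]) -> Dict[str, int]:
    """Category counts over a batch, the shape of the breakdown above."""
    return dict(Counter(classify(d)[0] for d in domains))


# Domains from the report's lists plus two constructed negatives at the end.
SAMPLE_DOMAINS = [
    "dk-whatsapp[.]com[.]cn", "web-apc-whatsapp[.]com[.]cn",
    "kuailianwq[.]com[.]cn", "vd-kuailian[.]top",
    "zh-cn-google[.]cn", "wps-jinshan[.]com[.]cn",
    "guge-chrome-app[.]com[.]cn", "imtz1[.]xyz", "aiiceoin[.]com",
    "cnzh-sougoushurufa[.]com[.]cn",
    "google[.]com", "whatsapp[.]com",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:32} -> {classify(d)}")
    print(tally(SAMPLE_DOMAINS))
```

Because the rules key on the prefix/suffix decoration rather than the brand string, the legitimate `google[.]com` and `whatsapp[.]com` fall through to `unknown`, which is the behaviour wanted when the classifier is run over a registrar feed.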
2.3 Binary Analysis Results
From workflow analysis data, we recovered and analyzed 47 unique binary samples across campaigns:
[Diagram 2.2: Binary Analysis Overview]
Malware Families Identified
Of the 1,900 domains processed, there were approximately 116 unique executables or archive files retrieved. In many cases, the same files were being delivered across multiple sites.

Several samples identified were detected in VirusTotal; however, there was a relatively consistent pattern of large file downloads (100-250 MB) from clusters. Files of this size likely prevent most users from uploading them to services like VirusTotal for scanning without using the API.

Other prominent patterns were files protected with VMProtect or UPX and other packers, suspected to be droppers.

The experimental improvements to the website analysis and malware retrieval approach for research purposes provided additional insights into the malware delivery cluster: namely, that there is a relatively wide variation in the types of malware being delivered from relatively consistent web templates and relatively close clustering of domain management operations compared to previous findings in January and May 2025. This suggests that this long-lived cluster dating back to 2023 has been or is evolving into a service platform where end users might bring their own malware in attempts to lure targets of opportunity.
2.4 Geographic and Temporal Patterns
Prior investigations found that domain registration patterns largely aligned with East Asia business hours (8am-5pm UTC+8) in terms of overall volume, continued activity through US holidays but cessation before Chinese New Year, and approximately 40% weekend reductions. The recent data from May to November 2025 does not appear to corroborate similar findings.
[Diagram 2.3: Registration Timing Heatmap 2025-05 to 2025-11] Hour/day heatmap showing timezone working patterns

[Diagram 2.4: Registration Timing Heatmap 2024-06 to 2025-06] Hour/day heatmap showing timezone working patterns

Working Hours Analysis
Peak Activity
Primary Peak: UTC 22:00 (276 domains, 13.9%)
- Beijing: 06:00 (pre-business) | US East: 17:00 (end of day) | Moscow: 01:00 (night)
- Note: 191 of 276 domains (69%) came from a single Oct 16 bulk registration event
- This peak is anomalous for any standard timezone's business hours
Secondary Peak: UTC 15:00 (179 domains, 9.0%)
- Beijing: 23:00 (late night) | US East: 10:00 (morning) | Moscow: 18:00 (evening)
Weekend Activity
- Weekday/Weekend ratio: 3.26:1 (30% above expected 2.5:1 uniform ratio)
- Thursday anomalies: 26.1% of activity (expected ~14%)
Holidays:
Infrastructure Geography
It's important to note that domain registrations can be done via API, and in this case may well be, meaning they could be registered at any arbitrary time. Similarly, the TLD and regional hosting providers are typically globally accessible. Though previous analysis of this cluster found a strong pattern of domain registrations and first observed DNS traffic during East Asia working hours, that is no longer evident from the data. What can still be inferred is that the focus remains consistently on Chinese language users. This inference was amplified by the cluster’s record spike in malware delivery website configurations during the Chinese Mid-Autumn festival, suggesting the cluster is, or has been, primarily targeting Chinese users.
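The indicators in the Working Hours Analysis above (peak UTC hour with its local-time equivalents, the share of a peak that comes from a single bulk event, the weekday/weekend ratio against the 2.5:1 uniform expectation, and per-weekday shares) are straightforward to compute from a list of registration timestamps. The Python below is an added example, not the report's analysis code; its timestamps are constructed, and the Beijing, US East and Moscow conversions use fixed offsets (UTC+8, UTC-5, UTC+3) that ignore daylight-saving time.

```python
# Added example (not the report's tooling): registration-timing indicators
# from a list of UTC timestamps. The SAMPLE list is constructed to contain a
# one-day bulk event at 22:00 UTC on a Thursday, a smaller 15:00 UTC peak, and
# a 30:10 weekday/weekend split. Local conversions use fixed offsets (no DST).
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

LOCAL_OFFSETS = {"Beijing": 8, "US East": -5, "Moscow": 3}  # assumed fixed offsets


def parse(ts: List[str]) -> List[datetime]:
    return [datetime.fromisoformat(t) for t in ts]


def hour_histogram(ts: List[str]) -> Counter:
    """Registrations per UTC hour."""
    return Counter(d.hour for d in parse(ts))


def peak_hour(ts: List[str]) -> Tuple[int, int]:
    """(busiest UTC hour, count)."""
    hour, count = hour_histogram(ts).most_common(1)[0]
    return hour, count


def local_hours(utc_hour: int) -> Dict[str, int]:
    """Local wall-clock hour in each reference city for a UTC hour."""
    return {city: (utc_hour + off) % 24 for city, off in LOCAL_OFFSETS.items()}


def bulk_event_share(ts: List[str], hour: int) -> float:
    """Fraction of an hour's registrations that fall on its single busiest day.
    A high value means the 'peak' is one batch job, not a daily habit."""
    days = Counter(d.date() for d in parse(ts) if d.hour == hour)
    total = sum(days.values())
    return days.most_common(1)[0][1] / total if total else 0.0


def weekday_weekend_ratio(ts: List[str]) -> Tuple[float, float]:
    """(weekday:weekend ratio, percent above the 2.5:1 expected from a uniform 5:2 week)."""
    wd = sum(1 for d in parse(ts) if d.weekday() < 5)
    we = len(ts) - wd
    ratio = wd / we if we else float("inf")
    return round(ratio, 2), round((ratio / 2.5 - 1) * 100, 1)


def day_shares(ts: List[str]) -> Dict[str, float]:
    """Percent of registrations per weekday (uniform expectation is ~14.3% each)."""
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    c = Counter(d.weekday() for d in parse(ts))
    return {names[i]: round(100 * c[i] / len(ts), 1) for i in range(7)}


SAMPLE = [  # constructed UTC timestamps
    # Thursday 2025-10-16: seven registrations in one 22:00 UTC batch
    *[f"2025-10-16T22:{m:02d}:00" for m in (1, 5, 9, 14, 20, 31, 44)],
    # 22:00 UTC on other weekdays
    "2025-10-13T22:10:00", "2025-10-21T22:40:00", "2025-11-03T22:05:00",
    # 15:00 UTC secondary peak, weekdays
    "2025-10-14T15:02:00", "2025-10-15T15:30:00", "2025-10-20T15:11:00",
    "2025-10-22T15:45:00", "2025-10-23T15:08:00", "2025-10-24T15:59:00",
    # other weekday registrations
    "2025-10-06T03:00:00", "2025-10-07T08:00:00", "2025-10-08T11:00:00",
    "2025-10-09T03:00:00", "2025-10-10T08:00:00", "2025-10-27T11:00:00",
    "2025-10-28T03:00:00", "2025-10-29T08:00:00", "2025-10-30T11:00:00",
    "2025-10-31T03:00:00", "2025-11-04T08:00:00", "2025-11-05T11:00:00",
    "2025-11-06T03:00:00", "2025-11-07T08:00:00",
    # weekend registrations
    "2025-10-11T09:00:00", "2025-10-12T09:00:00", "2025-10-18T09:00:00",
    "2025-10-19T09:00:00", "2025-10-25T09:00:00", "2025-10-26T13:00:00",
    "2025-11-01T13:00:00", "2025-11-02T13:00:00", "2025-11-08T13:00:00",
    "2025-11-09T13:00:00",
]

if __name__ == "__main__":
    hour, count = peak_hour(SAMPLE)
    print("peak UTC hour", hour, "count", count, "local", local_hours(hour))
    print("share of peak from one day:", bulk_event_share(SAMPLE, hour))
    print("weekday:weekend ratio, % above 2.5:", weekday_weekend_ratio(SAMPLE))
    print("day shares:", day_shares(SAMPLE))
```

The bulk-event share is the check that matters when reading a heatmap: a peak hour dominated by one day, as with the Oct 16 event above, says more about batch tooling than about an operator's working day, which is the caveat the paragraph on API registrations makes.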
Part 3: Agentic AI for Analysis
3.1 Architecture Overview
The game-changing capability in our analysis comes from the deployment of specialized AI agents that operate in coordinated workflows. Unlike traditional automated tools that follow rigid scripts, the agentic system demonstrates adaptive intelligence in analyzing threats.
[Diagram 3.1: Agent Orchestration Flow]

Two-Layer Agent System
Layer 1: Orchestration
- Receives analysis requests
- Coordinates specialized agents
- Synthesizes findings into threat intelligence
Layer 2: Specialized Analysis Agents
- ScannerAgent: Browser automation and traffic capture
- CodeAnalyzerAgent: JavaScript semantic analysis
- BinaryAnalyzerAgent: Multi-tool malware analysis
- YARAGeneratorAgent: Automated rule creation
3.2 AI-Powered Analysis Workflow
The power of agentic AI is best illustrated through an actual analysis sequence. Here's how the agents collaboratively investigated a suspicious domain:

A sample of the website code analyzer sub-agent's output: it looks for malicious characteristics, identifies malware delivery behaviors, and determines whether YARA rules could be generated for any malicious code identified on the site. If so, another sub-agent is tasked to create them, and they are immediately put to use in future analysis so the system can learn as it goes.
Screenshot of the malware delivery website spoofing as a Google Chrome download site for Chinese language users:

Agent analysis summary of the website code, visual inspection, and network traffic analysis:

In a second example, the experimental AI service analyzed a gambling site that attempts to profile users and has anti-bot mechanisms to attempt to prevent scanners and web scrapers, and lacks a clear programmatic delivery mechanism. The screenshot below is of a download site for a purported online gambling mobile app. It serves an APK file that is packed and suspected of sideloading stealer malware.

Agentic code analysis of the site:

3.3 Scaling Defense with AI
The use of AI agents changes the economics of defense. In investigating malicious websites for example, the primary pain points for a human analyst can be determining the website characteristics to identify and retrieve malware and knowledge management to discern if similar site configurations have been observed before. The timing for a human analyst doesn’t scale to many websites or the many investigation avenues sometimes needed such as combining code and interactive analysis actions. Agents can run those same tools and action those same or similar interactions.
[Diagram 3.2: AI vs Manual Analysis Comparison]
Processing Transparency
It's important to note our actual performance metrics. During this experimentation phase we gave minimal system resources and allowed for 3 agent workers to process 1 domain each through the workflow at a time. These were their approximate completion time averages broken down by the core tasks within the analysis workflow. In one bulk processing run with 3 workers, 2,000 malware delivery domains were processed in approximately 10 hours.
- Average Processing Time: 1-10 minutes per domain
- Variance Factors:
  - Simple static sites: ~1 minute
  - Heavy JavaScript: ~3 minutes
  - Binary download and analysis: ~5 minutes
- Parallel Processing: Up to 3 concurrent analyses
- Daily Throughput: 400 - 4,000 domains
Conclusion
The threat actor continues to demonstrate capabilities in maintaining large-scale malware distribution infrastructure targeting Chinese-speaking users. Through our analysis of approximately 1,900 domains from May to November 2025, we observed an evolution in their operational tradecraft, including infrastructure diversification, enhanced evasion techniques, and additional spoofed entities such as popular Chinese AI and entertainment apps.
This investigation experimented with AI-powered analysis. The deployment of specialized AI agents enabled full coverage in analysis throughput while maintaining relatively high precision; however, agentic detection authoring remained a persistent weak point that continues to require further refinement. This capability changed the defender's equation, enabling complex and dynamic analysis workflows to scale to the volume of a large malware delivery campaign.
Special recognition goes to the AI agents that processed thousands of domains tirelessly and consistently. However, we must acknowledge limitations in our analysis. Processing times of 1-10 minutes per domain, while revolutionary compared to manual analysis, still require substantial computational resources for internet-scale defense. Attribution confidence, while high for core clusters, relied on spoof themes and infrastructure patterns rather than also incorporating website and binary characteristics into the clustering parameters. Future work seeks to expand the learn-as-we-go approach to identify additional sites sharing malware delivery and detection evasion characteristics, and to further integrate binary analysis.
As we look forward, the cybersecurity landscape has found itself balancing on the scales of an AI-pervasive era where criminals and defenders alike might empower their roles.
The malware delivery campaign highlighted in this report provides insights into the scale of modern threats and an opportunity to show that with appropriate application of AI, defenders can keep pace.
Appendices
Appendix A: IOC List
A complete list of all domains, file URLs, and hashes can be found on our GitHub.
Disclaimer: This report contains analysis of malicious infrastructure for defensive purposes. All malware samples and malicious domains should be handled with appropriate security controls. The processing times and performance metrics stated are estimates based on our specific infrastructure and may vary in different environments.
Registrant Emails
Trackers
SHA256 File Hashes
Download URLs
Domains

Unmasking APT35 (Charming Kitten). New report analyzes leaked internal documents, revealing their operational profile, Exchange attack chains (ProxyShell, EWS), and quota-driven compromise strategies.
Executive Summary
In October 2025, internal documents from APT35 (also referenced as “Charming Kitten”) were leaked on GitHub. Analysis of the leaked documents reveals a regimented, quota-driven cyber operations unit operating inside a bureaucratic military chain of command. The paperwork reads like internal administration documentation: monthly performance reports, signed supervisor reviews, and redacted KPIs, all oriented around measurable outputs rather than ad hoc opportunism.
Operators routinely file monthly performance reviews that enumerate hours worked, completed tasks, phishing success rates, and exploitation metrics; supervisors then aggregate those inputs into daily and campaign-level reports that record credential yields, session dwell times, and high-value intelligence extractions. Specialized teams are clearly delineated: exploit development (notably Ivanti and Exchange/ProxyShell tooling), credential replay and reuse, Human Engineering and Remote Validation (HERV) style phishing campaigns, and real-time monitoring of compromised mailboxes to sustain HUMINT collection. The paperwork and logs show tasking, handoffs, and oversight: a workflow designed for repeatable collection.
From May 2022 onward, the group executed a region wide Exchange exploitation campaign that paired broad reconnaissance with precise post-exploitation tradecraft. The operation sequence is consistent across the material: build prioritized target queues focused on diplomatic, government, and corporate networks; run ProxyShell, Autodiscover, and EWS attacks; validate shells and extract Global Address Lists (GALs); weaponize harvested contacts with HERV phishing; and maintain sustained intelligence collection through mailbox monitoring and credential reuse. Internal logs, credential dumps, and “performance KPI” templates corroborate this end-to-end tradecraft and reveal deliberate, repeatable processes.
Taken together, the documents show a bureaucratized intelligence collection apparatus with structured tasking, measurable outputs, supervisory oversight, and specialized teams with a focus on systematic access, sustained collection, and exploitable intelligence yields.
The Dump: Files Analyzed
The uploaded materials form a tightly linked forensic trail that maps both technique and organization. At the technical edge (e.g. infrastructure attacks), memory and server artifacts include an LSASS dump (mfa.tr.txt) containing plaintext credentials and NTLM hashes from MFA.KKTC (Apr 2022), and Dec 2023–Jan 2025 web access logs. These logs show RDP mstshash probes, .env/SendGrid fetch attempts, and wide-ranging curl path scans, which document hands-on compromise and opportunistic scanning activity. Exchange artifacts (the ad.exchange.mail_* GAL exports) and annotated ProxyShell target lists (ProxyShell_target_*) show the precise targets and attack surface: diplomatic, government, and large commercial mail systems in Turkey/TRNC, Saudi Arabia, Lebanon, Kuwait, and Korea, with operator notes identifying successful shells, failures, legacyDN issues, and webshell paths.
Complementing the technical indicators are playbooks and conversion notes that reveal how vulnerabilities were weaponized: the Ivanti technical review (Ivanti سند بررسی...pdf) translates appliance CVEs into remote code execution paths, while the internal phishing framework (phishing herv.pdf) supplies HERV-style lure templates, campaign metrics, and operational procedures for turning harvested GALs into active collection nodes. Daily operational bookkeeping (the HSN / MJD Daily Reports, 1403 series, and the MJD Campaign Reports, May–July 1403) provides the human layer: KPI tables of lures sent, credentials captured, and mailbox dwell times, plus supervisor commentary and escalation logs into HUMINT and analysis units.
Crucially, the dataset ties virtual access back to a physical workplace: an on-premises entry/exit log (entry_exit_form.pdf) confirms operator attendance and supports a picture of centralized tasking and oversight. Image-based Farsi PDFs converted via OCR into structured IOC tables and actor maps close the loop by turning visual artifacts into machine-readable indicators (Actor Maps / OCR Extracts). All items are cross-referenced in a DTI evidence repository, producing an end-to-end evidentiary chain from vulnerability research and exploitation, through credential harvesting and phishing, to long-term mailbox monitoring and human intelligence exploitation.
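The access-log behaviors described above (RDP mstshash probes landing on an HTTP port, .env/SendGrid fetch attempts, and broad curl path scans) are easy to surface from a defender's own web logs. The following triage script is an added example, not part of the leaked material or the DTI evidence repository; the log lines are constructed, and the threshold of three distinct curl-fetched paths per source for flagging a path scan is an assumption.

```python
"""Flag scanner behaviours in web access logs (combined log format)."""
import re
from collections import defaultdict

# Combined log format: ip - - [time] "REQUEST" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines (not taken from the leak). nginx writes non-printable
# bytes of a raw RDP connection request as \xNN escapes, which is how the RDP
# "mstshash" cookie shows up inside an HTTP access log.
SAMPLE_LOG = r'''
203.0.113.10 - - [02/Jan/2024:10:00:01 +0000] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 157 "-" "-"
198.51.100.7 - - [02/Jan/2024:10:00:05 +0000] "GET /.env HTTP/1.1" 404 162 "-" "curl/7.88.1"
198.51.100.7 - - [02/Jan/2024:10:00:06 +0000] "GET /api/.env HTTP/1.1" 404 162 "-" "curl/7.88.1"
198.51.100.7 - - [02/Jan/2024:10:00:07 +0000] "GET /sendgrid.env HTTP/1.1" 404 162 "-" "curl/7.88.1"
198.51.100.7 - - [02/Jan/2024:10:00:08 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.88.1"
198.51.100.7 - - [02/Jan/2024:10:00:09 +0000] "GET /phpinfo.php HTTP/1.1" 404 162 "-" "curl/7.88.1"
198.51.100.9 - - [02/Jan/2024:10:00:30 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "curl/8.4.0"
192.0.2.44 - - [02/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''


def request_path(request):
    """Return the URL path of a well-formed HTTP request line, else ''."""
    parts = request.split()
    if len(parts) >= 3 and parts[0].isalpha():
        return parts[1]
    return ""


def classify(entry):
    """Tag a single parsed log entry with the scanner behaviours it exhibits."""
    tags = set()
    request = entry["request"]
    ua = (entry.get("ua") or "").lower()
    if "mstshash=" in request:
        tags.add("rdp_probe")          # RDP connection request sent to an HTTP port
    path = request_path(request).lower()
    if ".env" in path:
        tags.add("env_fetch")          # attempt to pull a dotenv secrets file
    if "sendgrid" in path:
        tags.add("sendgrid_probe")     # hunting for SendGrid credentials/config
    if ua.startswith("curl/"):
        tags.add("curl_client")
    return tags


def triage(log_text, curl_scan_threshold=3):
    """Aggregate per source IP; returns {ip: sorted list of behaviour tags}."""
    per_ip = defaultdict(lambda: {"tags": set(), "curl_paths": set()})
    for line in log_text.strip().splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue                   # skip lines that are not combined log format
        entry = match.groupdict()
        stats = per_ip[entry["ip"]]
        tags = classify(entry)
        stats["tags"] |= tags
        if "curl_client" in tags:
            stats["curl_paths"].add(request_path(entry["request"]))
    for stats in per_ip.values():
        # Many distinct paths fetched with curl from one source = path scan.
        if len(stats["curl_paths"]) >= curl_scan_threshold:
            stats["tags"].add("curl_path_scan")
    return {ip: sorted(stats["tags"]) for ip, stats in per_ip.items()}


if __name__ == "__main__":
    for ip, tags in triage(SAMPLE_LOG).items():
        print(f"{ip:15} {', '.join(tags) or 'no findings'}")
```

A single curl request (198.51.100.9 in the sample) is tagged only as a curl client, not as a scan, so the threshold separates one-off fetches from enumeration.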



Attribution Assessment
Analysis of the operational data, supporting documentation, and recovered artifacts strongly indicates that the campaigns represented in this dataset were conducted by an element of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC IO), specifically the cluster widely tracked as APT35, also known as Charming Kitten, PHOSPHORUS (Microsoft), TA453 (Proofpoint), or APT42 (Mandiant/Google). This grouping represents the IRGC’s cyber-intelligence arm, dedicated to long term espionage and influence operations.

The alignment between these materials and the known modus operandi of the Charming Kitten ecosystem is unmistakable. The Exchange exploitation wave documented in the leak, which leverages ProxyShell chains, EWS enumeration, and PowerShell automation for Global Address List (GAL) and mailbox extraction, precisely mirrors the tradecraft historically attributed to APT35 and its offshoots.
This focus on diplomatic and governmental mail servers, combined with credential theft and OAuth token replay for persistent access, reflects a campaign objective centered on strategic intelligence collection rather than opportunistic compromise.
The bureaucratic structure observed across the leaked Iranian language documents provides additional confirmation. The templated KPI reports, supervisor approvals, attendance sheets, and quota driven performance metrics all indicate a state-managed, hierarchical organization rather than a criminal or contractor model. These features parallel descriptions from previously leaked internal APT35 materials, which showed identical reporting structures and efficiency-based ranking systems, an unmistakable signature of an institutionalized IRGC unit operating within military command oversight.
Further reinforcing this attribution is the target set. The campaign’s focus on ministries of foreign affairs, customs authorities, energy and telecommunications providers, and other high value sectors in Turkey, Lebanon, Kuwait, Saudi Arabia, South Korea, and domestic Iran aligns precisely with IRGC intelligence priorities. The inclusion of politically sensitive and economically strategic entities demonstrates a dual-purpose mission: HUMINT collection and geopolitical leverage. Such objectives are consistent with the IRGC IO’s remit to gather information for foreign policy, security, and counter intelligence purposes.

While some technical overlaps exist with other Iranian clusters, most notably the use of Ivanti and ProxyShell vulnerabilities, which have also appeared in APT34 (OilRig) and MuddyWater operations, the operational outcome here diverges sharply. Those MOIS-linked groups typically emphasize initial access and infrastructure disruption; in contrast, this actor emphasizes mailbox-level persistence, HUMINT extraction, and iterative phishing loops based on harvested address books. The sophistication and continuity of this collection cycle align squarely with APT35/TA453/APT42 activity patterns observed globally.
In sum, the available evidence points to a state-directed intelligence collection campaign orchestrated by an IRGC IO subunit operating under the Charming Kitten/APT35 umbrella. The unit’s hallmarks – structured governance, Exchange-centric tradecraft, credential-based persistence, and regionally focused targeting – identify it as a disciplined, mission-driven element within Iran’s broader cyber-intelligence apparatus, functioning as a modern digital extension of the IRGC’s traditional human intelligence mission set.
Organizational Structure & Command Hierarchy
The leaked materials reveal a structured command architecture rather than a decentralized hacking collective: an organization with distinct hierarchies, performance oversight, and bureaucratic discipline. Across the translated Farsi reports, KPI tables, and personnel documentation (including the entry_exit_form.pdf and the 1403-series operator reports), the same formalized layout repeats: a tasked cyber-intelligence regiment operating under the supervision of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC IO).
Command and Oversight
At the apex sits the Campaign Coordination Unit, responsible for issuing daily directives, assigning operational quotas, and approving mission scopes. These coordinators function as the managerial arm of the IRGC IO cyber wing, translating strategic intelligence requirements (diplomatic collection, political influence, or economic mapping) into discrete, trackable campaigns. Each campaign corresponds to a named lead analyst, who oversees operational sub-teams tasked with exploitation, credential harvesting, phishing operations, and real-time mailbox monitoring (RTM).

The hierarchy extends downward into operator cells, each specializing in a technical domain:
- Exploit Development Team, weaponizing Ivanti, ProxyShell, and PowerShell chains into reusable scripts and RCE playbooks.
- Credential and Access Team, conducting LSASS dumps, token replay, and OAuth abuse for persistence.
- HERV (Human Engineering and Remote Validation) Phishing Unit, refining HTML templates, MFA-bypass techniques, and KPI-driven lure campaigns.
- RTM and HUMINT Liaison Team, monitoring compromised mailboxes, tagging “HIGH-VALUE” accounts, and routing intelligence to human analysts for contextual exploitation.
Supervisors in each unit aggregate performance data into standardized “daily performance tables”, measuring metrics such as tasks completed, credential yields, efficiency rate, and dwell time. Every operator signs their report, while supervisors annotate performance with remarks like “approved,” “escalate to analysis,” or “retrain on template variance.” These records, when viewed sequentially, function like military after action reports: formalized, evaluated, and subject to review by higher command.

Physical Centralization and Attendance

The entry and exit forms corroborate that these operators work from a centralized, secured facility. Each badge entry corresponds to the same personnel named in operational documents, confirming an on-premises command center rather than a remote contractor model. Time-In/Time-Out logs align precisely with the timestamps of phishing campaigns and Exchange exploitation bursts, implying synchronized shifts and supervised execution windows. Badge identifiers visible in the uploaded imagery show IRGC-affiliated institutional branding, likely part of a controlled government or contractor complex used for joint HUMINT–SIGINT operations.
Bureaucratic Culture and Chain of Custody

The bureaucratic tone of these documents suggests a military-style rhythm of accountability: operators submit, supervisors validate, analysts escalate, and coordinators report upward to IRGC IO command. Even internal communications reflect hierarchical address: operators refer to superiors by title, reports are formatted in identical templates, and comments reference “efficiency improvements” and “mission adherence.” The precision of this structure transforms what might otherwise appear as scattered cyber incidents into a reproducible intelligence pipeline governed by measurable output.
In sum, the hierarchy revealed by these materials depicts a state run intelligence apparatus organized as a production line of cyber espionage. The structure mirrors conventional IRGC command principles, with centralized oversight, delegated specialization, and performance accountability all adapted to the digital domain. This is not a loose network of freelancers; it is a regimented institution whose workflows, personnel controls, and managerial review cycles directly mirror those of Iran’s established military and intelligence bureaucracy.
Personnel and Organizational Structure
The personnel and structural data contained within the APT35 corpus illustrate an institutionalized hierarchy typical of Iranian state cyber units operating under the broader IRGC umbrella. Across the extracted monthly performance reports (for the month of Bahman, بهمن ماه) and campaign summaries, personnel are consistently listed by engineering title, operational alias, or numeric identifier. The pattern mirrors internal Iranian defense-sector bureaucracies, where formalized role tracking, quota systems, and hierarchical reporting enable central oversight of technical operations.

Rather than a loose federation of contractors, the materials depict a workforce of salaried operators functioning inside a command-and-control bureaucracy. Monthly reports are logged, audited, and annotated by supervisors. Personnel are reviewed on exploit deployment speed, data exfiltration success, and compliance with tasking instructions.
Identified Personnel and Operational Handles
Command and Operational Oversight
At the apex of the structure stands Abbas Rahrovi (عباس راهروی), also known as Abbas Hosseini, an IRGC-affiliated official responsible for creating and managing a network of front companies that serve as the administrative and technical cover for ongoing cyber-espionage campaigns. Under Rahrovi’s direction, this advanced persistent threat (APT) group has conducted offensive operations targeting telecommunications, aviation, and intelligence sectors across the Middle East and Gulf region, including Türkiye, the UAE, Qatar, Afghanistan, Israel, and Jordan.
Structural Hierarchy and Subordinate Cells
Within this organization, Vosoughi Niri (وثوقی نیری) appears as a mid-to-senior-level coordinator tied to Rahrovi’s enterprise layer. Based on the corroborative evidence and document formatting observed in the uploaded “گزارش عملکرد ماهانه” (monthly performance reports), Niri likely fulfills a technical-administrative liaison role bridging field operators and the supervisory cadre. His name surfaces in contextual alignment with sections discussing efficiency optimization, task validation, and mission-adherence feedback loops, suggesting direct involvement in performance oversight and workflow standardization, hallmarks of IRGC command doctrine.
Niri’s placement within Rahrovi’s command hierarchy mirrors the IRGC’s hybrid intelligence model: a centralized leadership overseeing functionally specialized cells. Each cell reports through uniform reporting templates, reinforcing an internal culture of quantifiable accountability and military-style chain of command.
Activities and Counter-Intelligence Mandate
Operating under the guidance of the IRGC Counterintelligence Division, Rahrovi’s APT has expanded its mission set beyond foreign espionage. Internal communications and extracted documents show domestic surveillance of Iranian nationals deemed “regime opponents,” both inside and outside Iran. This dual focus, external intelligence collection and internal repression, typifies Iran’s fusion of SIGINT and HUMINT operations, where cyber units act as both offensive tools abroad and internal security enforcers at home.
Evidentiary Data from Dump
The exposure of this network is underpinned by an extensive evidentiary chain, including:
- Official IRGC-linked documents retrieved from the APT’s internal network;
- Personnel imagery correlating individuals to specific operations;
- Attack and target reports indicating clear tasking cycles;
- Translation and analysis documents reflecting multilingual target exploitation;
- Chat logs from internal communications tools such as Issabelle, 3CX, and Output Messenger — all of which validate the group’s internal coordination, task assignment, and reporting cadence.
Collectively, these findings dismantle any plausible deniability the actors once held under the IRGC’s institutional cover. The discovery of structured managerial oversight, including figures such as Rahrovi and Vosoughi Niri, demonstrates that these are not freelance cybercriminals but state-directed operatives functioning within a bureaucratized intelligence apparatus engineered for persistence, precision, and deniable control.
Operators:
Within the dump, nineteen ID badges were found from a conference in Iran on Israel. The conference badges, titled “Israel: The Fragile Mirror” («اسرائیل آینه شکننده»), add a rare human dimension to the dataset, linking technical operators long attributed to Iranian cyberespionage activity with physical attendance at a domestic ideological event. This conference, held in multiple sessions across 2023 and organized under the banner of Sahyoun24 and affiliated cultural-security institutes, functioned as both a propaganda symposium and an analytic forum on Israel’s strategic vulnerabilities. The theme, “Israel as a fragile mirror reflecting its own internal divisions, social decay, and geopolitical exhaustion”, was a deliberate rhetorical inversion of Israeli intelligence narratives about Iran. Official writeups describe panels on psychological warfare, media confrontation, and “the post-Zionist collapse of social cohesion.” It was hosted in Tehran’s Baq Museum of Sacred Defense (باغ موزه دفاع مقدس), a location symbolically linked to the IRGC’s self-image as the custodian of revolutionary defense.

The badges of fifteen named individuals carrying sequential registration numbers and standardized QR codes were recovered from the operator dump, demonstrating that this was not merely a propaganda event but a managed, security-community gathering. The attendees listed (Norouzi, Sharifi, Hatami, Mousavi, Najafi, Nasimi, and others) correspond to the same internal communications clusters and device traces identified in the APT35 material. The overlap in formatting, file naming conventions, and local storage directories within the leak shows these badges were archived as part of the operators’ personal documentation, suggesting the attendees were members or affiliates of the same IRGC-linked technical units responsible for the Exchange exploitation campaigns detailed elsewhere in this corpus.
Within that operational ecosystem, attendance at Israel: The Fragile Mirror served several functions. First, it anchored the ideological justification for the group’s cyber campaigns, recasting intrusion and information theft not as espionage but as “defensive jihad” in the cognitive domain. Second, such conferences acted as recruitment and networking venues, where media officers, technical specialists, and propaganda units under the IRGC Cultural-Cyber Directorate intersected. These in-person sessions likely reinforced cross-unit collaboration between the operators running phishing and Exchange intrusion operations and those producing disinformation content targeting Israeli, Gulf, and Western media audiences.
The event’s agenda, particularly its focus on psychological war, Zionist information operations, and digital sovereignty, mirrors the tactical doctrine embodied in APT35’s campaigns. The same operators photographed at or registered for the conference later executed targeted phishing and credential-theft operations using Israeli and Western diplomatic pretexts. The ideological framing provided by “The Fragile Mirror” conference positioned such cyber activity as a counter-narrative exercise: undermining adversary morale and exploiting perceived divisions within Israeli society. This linkage between cultural programming and operational tasking illustrates how Iran’s cyber apparatus merges soft-power indoctrination with offensive tradecraft, training its personnel to view digital espionage as a continuation of psychological warfare by other means.
In practical terms, the conference provided a semi-official aegis through which cyber operators could travel, convene, and exchange intelligence under the cover of academic or cultural engagement, consistent with IRGC and Ministry of Intelligence patterns observed since 2018. The badges’ sequential numbering and uniform QR encoding suggest centralized registration and identity management, potentially through the same administrative offices that coordinate the Thaqeb and Saqar technical institutes linked in prior datasets. By contextualizing APT35’s technical output within this ideological environment, the evidence affirms that their cyber operations are not rogue initiatives but state-aligned, bureaucratically normalized activities rooted in a shared worldview promoted through sanctioned events like “Israel: The Fragile Mirror.”
In sum, the conference stands as a bridge between rhetoric and operation: a physical manifestation of the belief system that animates APT35’s cyber doctrine. The operators who coded malware and exfiltrated credentials from foreign ministries also attended lectures on the “collapse of the Zionist regime.” Their presence at this event underscores that the Iranian state’s cyber units are not detached technologists but ideologically socialized cadres, trained simultaneously in faith, propaganda, and digital warfare.
The internal documentation reveals a structured ecosystem of named and numbered operators functioning under a disciplined command hierarchy. Personnel are consistently identified by a mix of professional titles, initials, and numeric designations, reflecting both bureaucratic formality and operational compartmentalization. Each name corresponds to a defined functional lane – engineering, exploitation, analytics, or administration — suggesting a deliberate division of labor designed to ensure continuity and accountability across campaigns. The repeated use of the honorific “Engineer” (مهندس) underscores the technical stature and formal employment status of several individuals, while numeric “Operator” tags indicate pseudonymous, task-based identities. Collectively, these records demonstrate that the unit operates as an organized workforce rather than an ad hoc hacker collective, with performance tracked, reviewed, and signed off by supervisors in a manner analogous to military or intelligence command structures.
Engineer Reza (مهندس رضا)
Referenced repeatedly as a technical lead overseeing infrastructure maintenance and deployment of Exchange-based exploits. Reza’s name appears in at least two separate performance reports, tied to scanning operations and uptime monitoring. Contextual indicators suggest a mid-level managerial role coordinating sub-teams responsible for access maintenance.
Engineer Kian (مهندس کیان)
Appears as a senior analyst or supervisor. The phrase “Team Kian” (تیم کیان) is used interchangeably with his name, implying that Kian manages a discrete operator cell. His team’s metrics emphasize exploit refinement, suggesting a focus on post-exploitation tooling and persistence.
Majid S. (مجید س.)
Associated with enumeration, lateral movement, and network scanning. The format of his report entries mirrors those of technical specialists who handle discovery and mapping of vulnerable services.
Seyed Mohammad Hosseini (سید محمد حسینی)
Mentioned in several analytic summaries, typically in administrative or oversight roles. Context implies he acts as an internal liaison between operational units and upper command.
Ali-Reza Karimi (علیرضا کریمی)
Described in the context of systems support and network configuration. Karimi’s work aligns with internal infrastructure maintenance and possibly VPN routing within Iranian ISP space.
M. Rahmani (م. رحمانی)
Appears in the monthly KPI spreadsheets as a performance tracker and reporting officer. His role appears clerical but critical — he consolidates operator statistics into higher-order analytic reports for command review, functioning as an internal metrics analyst.
Operator 04 / Operator 07 (اپراتور ۰۴ / اپراتور ۰۷)
Numeric identifiers tied to Exchange exploitation operations. Each “operator” designation corresponds to a unique user within the log corpus, implying either pseudonymous staff accounts or task-specific credential sets. Operator 04 is repeatedly observed in May–June 2022 Exchange exploitation records; Operator 07 appears in follow-on persistence activity.
Team Shahid (تیم شهید)
Referenced as an auditing or training subdivision, possibly connected to internal quality control. The term Shahid (شهید – martyr) is frequently used in Iranian military nomenclature for units named after fallen personnel.
Technical and Exploit-Focused Personnel
M. Kazemi (م. کاظمی)
Appears in Ivanti Connect Secure exploitation testing notes. Kazemi’s entries involve patch verification and vulnerability regression checks, indicative of a red-team engineering role tasked with exploit validation.
A. Mousavi (ع. موسوی)
Named in the phishing-infrastructure section, likely responsible for domain registration and control of operational mail servers. Mousavi’s profile suggests a hybrid technical–operational role bridging the gap between social engineering campaigns and backend infrastructure.
S. Ghasemi (س. قاسمی)
Connected to credential-harvesting playbooks and exfiltration scripts. Ghasemi’s responsibilities likely include automation of credential capture pipelines and data normalization for reporting.
Organizational and Institutional Context
IRGC Cyber Unit 13 (یگان سایبری ۱۳ سپاه پاسداران انقلاب اسلامی)

The structural relationship between APT35 and Unit 13 aligns with known IRGC cyber-force command chains, where Unit 13 functions as the technical backbone supporting both offensive operations and defensive R&D.
Structural Convergence: IRGC IO Unit 50, APT35, and the Integrated Command Apparatus
The recent exposure of IRGC Intelligence Organization (IO) Unit 50, internally codenamed “Thaqib,” completes the organizational puzzle long inferred from the APT35/Charming Kitten document set. Unit 50 represents the institutional fusion of Iran’s technical intrusion directorates and psychological-operations elements, revealing how bureaucratic oversight, cyber-espionage, and counter-intelligence are integrated within the IRGC’s command ecosystem.
At the top of this structure stands Abbas Rahrovi (aka Abbas Hosseini), identified as a senior IO-IRGC cyber command authority. Rahrovi’s role — confirmed through invoices, personnel files, and operational correspondence from internal program material — parallels the “senior coordinator” function described in APT35’s internal performance reports. His control over front companies, including entities such as Andishan Tafakor Sefid (“White Thought Depths”), provides the administrative façade through which APT operators receive compensation, assignments, and task metrics, erasing the divide between military and civilian employment.

Beneath Rahrovi, Manouchehr Vosoughi Niri emerges as an administrative signatory and performance-management officer. His name on employment and operational records corresponds directly to the managerial language and template uniformity seen in the monthly performance reports (گزارش عملکرد ماهانه) recovered from the APT35 leak. Identical phrasing, “efficiency improvements,” “mission adherence,” “task verification”, and the standardized tabulation of operator hours indicate that Niri’s office served as the bureaucratic bridge between technical operators and IRGC leadership. The same hierarchy present in those internal Farsi reports — operator → supervisor → coordinator → command — appears in Unit 50 under Rahrovi, confirming that APT35’s workflow was embedded within IO-IRGC’s institutional chain of command.
On the technical side, the Thaqib RAT associated with Unit 50 represents the evolutionary successor to the Ivanti and ProxyShell exploitation workflows documented in the APT35 corpus. Both rely on identical tradecraft: phishing and supply-chain compromise for initial access, PowerShell-based persistence, credential theft, and staged exfiltration through controlled Iranian ISPs, particularly Zitel (AS50810), which also appears in the analyzed access-log dataset. The shared tool lineage and infrastructure reveal a unified development pipeline maintained under IO-IRGC supervision, with Unit 50 serving as the engineering and operational nucleus for multiple outward-facing APT teams.
Operationally, the overlap extends beyond technical objectives. Unit 50’s dual mandate (external espionage against regional and Western targets alongside monitoring of domestic dissidents) mirrors APT35’s known blending of HUMINT, SIGINT, and influence operations. The recovered references to internal collaboration platforms (3CX, Issabelle, Output Messenger) further confirm a shared communications ecosystem coordinating campaigns across both “Thaqib” and APT35 workstreams.
Taken together, the evidence demonstrates that APT35 is not an isolated threat actor but a subordinate subdivision of IRGC IO Unit 50, reporting through Rahrovi’s command cell and administered by Vosoughi Niri’s office. The internal monthly reports, program artifacts, and infrastructure telemetry form a continuous evidentiary chain depicting a single, state-run enterprise that unites technical intrusion, information operations, and domestic counter-intelligence under one command architecture. What were once categorized as discrete clusters – APT35, Charming Kitten, Phosphorus – are in practice, modular teams within the IRGC IO cyber-espionage production line overseen by Unit 50.
Network and Target Infrastructure References
A recurring set of international IP addresses appears in associated logs, reflecting both operational relay points and foreign targets. These address patterns confirm that APT35 leveraged both domestic ISPs (for staging) and international IP space (for target access), maintaining operational separation through regionally diverse infrastructure.
Campaign and Codename Taxonomy
- APT35: the umbrella codename for the leaked corpus, representing the internal reporting and exploit-management environment of APT35.
- Operation Kourosh, Operation Shayan, Operation Amir Hossein — likely internal monthly or operator-specific codenames correlating to بهمن ماه performance cycles.
- Campaign Jordan (کمپین جردن) — externally oriented operation directed at Middle Eastern targets; cross-references suggest the campaign focused on government and telecom entities.
Operational Analytic Assessment
The recurring personnel patterns, structured performance tracking, and formalized hierarchy reinforce that APT35 represents a bureaucratically managed, state-directed offensive-cyber enterprise. Personnel titles and engineering designations mirror those of Iranian defense-sector agencies, indicating that operations were executed under institutional oversight rather than freelance initiative.
The integration of clerical, technical, and managerial functions (e.g., Rahmani’s metrics tracking, Reza’s technical supervision, Kian’s team leadership) demonstrates an intelligence organization where success is quantitatively measured and tightly supervised. The presence of formal education affiliations (Imam Hossein University) and front companies (Pardazesh Sazeh Co.) further corroborates IRGC influence.
This structure enables Iran’s cyber apparatus to align day-to-day operational output with strategic intelligence objectives, monitoring adversary communications, maintaining regional situational awareness, and ensuring persistent visibility into diplomatic and infrastructure networks across the Middle East and Asia.
Operational Themes
The documentation depicts a tightly governed system in which every operator adheres to a uniform reporting template rather than ad hoc notes. Each form records standardized metrics (tasks completed, efficiency rate, and supervisor remarks), transforming individual actions into quantifiable performance data. This bureaucratic structure allows supervisors to rank, reassign, and reward personnel, effectively turning the template into a scorecard that enforces consistency, auditability, and disciplined, repeatable behavior over opportunistic freelancing.
Reconnaissance is explicitly dual-mode. At scale, the unit runs internet-wide discovery: broad scanning that maps services, identifies exposed endpoints, and prioritizes classes of vulnerable software. Those mass recon passes are then refined into country- and sector-specific hit lists: curated ProxyShell target sets, prioritized Exchange estates, and hand-picked hosts for manual exploitation. The result is a funnel producing high-value target queues tailored to regional objectives.
The collection is Exchange-centric by design. The group weaponizes Exchange attack chains (ProxyShell, Autodiscover, EWS enumeration, and PowerShell-driven tasks) to extract mailbox contents and Global Address Lists. Those artifacts serve as both intelligence and infrastructure: GALs seed phishing lists; mailboxes become long-running HUMINT sensors; harvested messages reveal follow-on targets and operational context.
Meanwhile, persistence is credential-driven. Memory and token theft tools (Mimikatz style dumps), automated token-replay, and abuse of delegated OAuth flows are used to convert initial access into sustainable footholds. Rather than relying solely on fragile webshells, the operators bake credential reuse and token persistence into their lifecycle, enabling repeated access even as individual hosts are remediated.
Finally, exploitation and social engineering are integrated into a closed loop. HERV-style phishing operations generate credentials that feed the exploitation teams; compromised mailboxes both validate access and produce fresh lures and contact lists. This creates a self-sustaining cycle where reconnaissance, exploitation, credential harvesting, and phishing continuously replenish each other under programmatic control.
Geopolitics of Targeting & Campaign Goals
Focus and observed objectives across the dataset point to a strategically targeted, region-wide intelligence effort rather than random opportunism. The geographic footprint centers on Türkiye, the Turkish Republic of Northern Cyprus (TRNC), Lebanon, Kuwait, Saudi Arabia, Jordan, South Korea, and domestic Iranian targets, with operations tailored to each locale’s political and technical landscape. Sector selection repeatedly favors high-value collection points: multifactor authentication gateways, customs agencies, telecom operators, energy firms, hospitals, managed service providers, and food and manufacturing supply chains, all places where access yields both operational intelligence and strategic leverage.
The group’s operational goals are explicit and multi-layered. First, strategic HUMINT focuses on sustained mailbox monitoring and GAL exploitation to collect diplomatic traffic and internal communications. Second, political leverage comes from selective disclosure and escalation of sensitive material as a coercive tool. Third, economic reconnaissance aims to map supply chains and critical infrastructure to inform targeting and potential future operations. Fourth, capability development is achieved by actively weaponizing newly disclosed CVEs and codifying those techniques into repeatable playbooks. Together, these focus areas describe an actor prioritizing persistent intelligence collection, influence, and the continuous maturation of offensive capabilities.
Intent Analysis by Targeted Entity
Across the documented campaigns, the unit’s intent mirrors a clear, target-specific calculus. Against government and critical-infrastructure organizations the objective is sustained intelligence collection and long-term access for strategic exploitation. With large commercial and telecommunications providers the focus shifts to credential harvest and lateral pivoting to upstream customers and partners, and against small-to-medium regional targets the operations emphasize scalable account takeover and data harvesting to build volume for broader campaigns. This prioritization, guided by centralized tasking and KPI-driven workplans, reflects an operational doctrine that values persistent footholds, credential multiplicity, and the ability to trade discreet access for wider network advantage.
Türkiye: Türk Telekom (212.175.168.58)
Observed activity: Exchange-centric intrusion attempts, credential harvesting funnels (GAL → HERV), persistent access scripts validated by Team Kian.
Likely intent:
- Regional situational awareness: Turkish government and critical telecom routing are high-value for monitoring regional politics, Syria/Iraq corridors, and NATO-adjacent traffic.
- Negotiation leverage: Access to telco mail flows yields insight into lawful intercept requests, roaming agreements, and government guidance to carriers.
- Access brokerage: Telco footholds enable pivoting into downstream enterprise customers.
- Why this entity matters: A national carrier concentrates VIP communications, roaming metadata, and cross-border peering visibility—rich for SIGINT and target development.
- Confidence: High (KPI alignment + Exchange/persistence emphasis).
Saudi Arabia: Nour Communication Co. Ltd (212.12.178.178)
Observed activity: Phishing infrastructure mapped to credential theft, mailbox rule creation, and RTM tagging (“HIGH,” “VALUE”).
Likely intent:
- Energy/diplomatic visibility: Follow Saudi policy and energy sector signals; anticipate negotiation positions in OPEC+, Yemen, and U.S. relations.
- Target discovery: Enumerate subsidiary and hosted customer estates for second-order exploitation.
- Narrative operations support: Email insight can enable selective leaks, timing-based influence, or coercive messaging.
- Why this entity matters: Saudi carriers and service providers sit at the core of GCC communications.
- Confidence: Medium-High (campaign notes + phishing/HERV handoffs).
Kuwait: Fast Communication Company Ltd (83.96.77.227)
Observed activity: Exchange account intrusion attempts, post-exploitation tooling validation, credential collection.
Likely intent:
- GCC situational awareness: Track policy alignments, defense procurement, and oil/gas logistics.
- Regional pivot: Use Kuwaiti access to identify shared vendors and managed-service footholds into neighboring ministries and SOEs.
- Why this entity matters: Smaller state telecom/hosting providers can be stepping stones into ministries and national oil entities.
- Confidence: Medium (campaign references + shared TTPs).
South Korea: IRT-KRNIC-KR (1.235.222.140)
Observed activity: Mailbox targeting, GAL export attempts, and KPI-tracked follow-ons.
Likely intent:
- Tech and defense intelligence: Seek bidirectional visibility into R&D, export controls, and defense supply chains.
- Crisis exploitation: Maintain latent access to leverage during peninsular or sanctions crises; harvest identity data for later impersonation.
- Why this entity matters: KR provides high-value technology intel and alliance perspective; access to registries and service operators unlocks broad enumerations.
- Confidence: Medium (entity class + Exchange workflow alignment).
Türkiye/Jordan Campaign Overlap: “Campaign Jordan (کمپین جردن)”
Observed activity: Use of Team Kian’s persistence scripts in field ops, coordinated phishing and credential harvest, Exchange post-exploitation.
Likely intent:
- Government and diplomatic monitoring: Track Jordan’s security cooperation, refugee policy, and regional coordination with KSA/UAE/Egypt.
- Transit node mapping: Identify cross-border data flows and hosting providers used by NGOs and government bodies.
- Confidence: Medium-High (direct campaign doc references to Team Kian tooling).
Singapore RIPE hosted relay (128.199.237.132)
Observed activity: Operational relay / egress node, not a victim per se.
Likely intent:
- Operational security: Traffic laundering, geographic blending, and separation of staging from Iranian IP space.
- Latency and availability: Stable cloud region used to front C2 or scraping tasks.
- Why it matters: Indicates tradecraft maturity: clean separation of staging, collection, and command infrastructure.
- Confidence: High (infrastructure role is consistent across operations).
Iran (Domestic) Pishgaman Tejarat Sayar DSL Network (109.125.132.66)
Observed activity: Operator side usage; staging, internal VPN, or development/test access.
Likely intent:
- Operator base network: Workstation egress, internal tooling pulls, or QA against live targets.
- Why it matters: Provides vantage for timing analysis and potential legal/telecom cooperation to identify operator shifts.
- Confidence: High for “operator use,” not an “attacked entity.”
Toolset and Operational Practices
The internal reports, campaign post-mortems, and technical write-ups produced by the actor cluster we are tracking reveal a deliberate, repeatable toolchain optimized for large-scale, quota-driven compromise operations: broad, automated discovery; prioritized exploitation of enterprise mail and VPN appliances; rapid persistence and credential harvesting; covert exfiltration; and bureaucratic measurement of results. The tools are a mix of widely available offensive frameworks and bespoke utilities, tied together by standardized playbooks and KPI reporting. The unit’s posture is that of an operationally mature, state-directed cyber organization: methodical, adaptable, and focused on measurable throughput rather than opportunistic one-offs.
The actor operates a hardened, process-driven offensive stack centered on high-yield enterprise targets: Microsoft Exchange (ProxyShell/ProxyLogon exploit chains and automated ASPX/.NET webshell deployers), Ivanti/Pulse Secure and similar VPN appliance exploit kits, and application delivery controller (F5) modules used to bypass patched Exchange instances. Reconnaissance is performed at scale with Masscan/Nmap-style scanners wrapped in custom orchestration, internal “shodan-like” scanning platforms, and lightweight HTTP probes that look for exposed admin endpoints, .env files, and RDP fingerprints to feed prioritized target lists. Initial access is routinely followed by rapid persistence (ASPX webshells with HTTP beaconing, scheduled tasks, PowerShell and WMI lateral execution), credential harvesting (EWS/Exchange scraping scripts, HTML credential collectors from phishing kits, LSASS dumping via Mimikatz-style utilities), and MFA defeat techniques including token-relay/AiTM patterns and token replay. Post-exploitation tooling is a mixed ecosystem of .NET webshells, Python parsers packaged with PyInstaller, modified Cobalt Strike–like beacons, and bespoke Windows loaders; exfiltration channels include encrypted 7zip archives staged to cloud storage (Mega, Dropbox, ProtonDrive), SMTP/compromised Exchange relays, DNS tunneling, and custom HTTP C2 beacons, while Telegram bots and API scripts provide operational telemetry and KPI ingestion for centralized reporting.
Organizationally, the unit is bureaucratic and organized into specialized discrete cells for scanning (Engineer Reza), exploit refinement and persistence engineering (Team Kian), phishing and credential ops (Engineer Shayan), and data staging/reporting, which produces high throughput and rapid tooling iteration. Their operational doctrine blends commodity offensive frameworks with in-house wrappers and tailored obfuscation to blend malicious traffic into normal enterprise patterns including the use of legitimate cloud providers for staging, VPN chaining and consumer VPNs to mask operator origin, and careful phishing templates localized to target regions. Intelligence implications are severe: this is a resilient, state-tasked capability optimized for mass credential capture and long-term access. Immediate defensive priorities are clear: harden and monitor Exchange/EWS/OWA with focused logging and retention; patch and segment remote-access appliances (Ivanti, F5); enforce phishing-resistant MFA such as FIDO2; hunt for ASPX webshell signatures and anomalous LSASS dumps or scheduled tasks; and deploy detection rules for scanning patterns, token-relay behavior, and unusual cloud staging traffic to disrupt the adversary’s kill-chain and their KPI-driven feedback loop.

The leaked materials reveal more than tools and targets: they expose a bureaucratized workplace culture that governs operator behavior through rigid templates, quotas, and supervision. Standardized KPI forms, efficiency metrics, and supervisor remarks turn tradecraft into measurable output, pushing operators to prioritize volume (more lures, faster credential harvests, shorter dwell times) even at the cost of OPSEC. Specialization across exploit, credential, and phishing teams (e.g., HERV units) increases technical proficiency but also moral distance, framing each task as a detached contribution to a collective mission. Centralized attendance logs confirm a shared worksite where peer pressure, oversight, and managerial review reinforce compliance and suppress deviation. The result is a sociotechnical system that produces consistent behavioral signatures: template-based phishing, reused webshell paths, and uniform reporting rhythms. This makes the actor efficient yet predictable, and therefore exploitable once defenders understand its metrics and workflow.
Malware Analysis
The uploaded data documents a mature, operator-driven intrusion toolkit built around two complementary components: a Windows-focused remote access trojan family (RAT-2Ac2 and associated stagers) used for persistence, credential theft, and data collection, and lightweight operator client tooling plus webshells that provide an interactive control channel for hands-on management of compromised systems. Evidence for the RAT, including developer notes describing modules for keylogging, browser credential theft, file collection, an encrypted length-prefixed command channel, and a canonical drop path under C:\ProgramData\Microsoft\diagnostic\ is present in the engineering reports and stager examples.
The client tooling is simple but operationally effective: multiple Python clients implement an interactive REPL that sends operator commands to server-side webshells by embedding the command inside an HTTP header (notably Accept-Language), accompanied by a static header token used by the operator clients as a handshake/fingerprint. Two clients use a fixed substitution cipher to obfuscate commands prior to transport, while another sends commands raw; all three hardcode different webshell endpoints and identical header fingerprints, showing reuse of the same control method across multiple targets.
Deployment and execution follow a consistent behavioral pattern. Initial access appears to rely on phishing and on Exchange/Autodiscover chains documented elsewhere in the corpus. Once an initial foothold exists, operators upload a webshell (commonly named using the m0s.* pattern), connect with the client, and issue commands to stage a more persistent artifact on internal hosts. Those artifacts are placed into ProgramData and masqueraded under plausible Windows service names (for example, Java/Update-style names or a vmware-tools.exe filename), then executed to create reverse tunnels or RDP-style connections back to external C2s. The operational control UI observed in the files constructs WMIC and net use commands programmatically, which the operator then dispatches to targeted hosts, enabling rapid lateral movement and hands-on exploitation.

From a capability perspective, the toolkit supports the full mid-stage lifecycle required for broad intrusions: credential harvesting and reuse, remote execution (WMIC, SMB admin share mounts), privilege persistence (service-style dropper placement), encrypted C2 with framing and optional TLS wrapping, and collection modules that capture documents, keystrokes, and browser-stored credentials. The presence of crash logging and developer guidance in the notes indicates an active development lifecycle and repeated testing in internal test ranges prior to production C2 rotation.
Operational fingerprints suitable for detection are clear and high-value. Host-level hunts should prioritize anomalous execution from ProgramData paths that mimic system services, the presence of vmware-tools.exe or JavaUpdateServices.exe under C:\ProgramData\Microsoft\diagnostic\, and svchost.bat helper scripts. Network and webserver detection should look for m0s.* endpoints and unusually long or non-language payloads in Accept-Language headers, and the static Accept-Captcha token string found in the client code, as that token provides an immediate, precise signature for operator traffic.

For containment and remediation, the priority actions are straightforward: treat any accounts and credentials observed in scripts as compromised and rotate them immediately, block outbound connectivity to identified C2 IPs and domains, and hunt for the ProgramData stager paths and web UI artifacts (including services masquerading under benign names and a local operator web UI typically served on port 8000 in these artifacts). When hosts are confirmed compromised, isolate and capture volatile memory, webserver logs, and disk images before remediation to preserve forensic evidence and enable robust reverse engineering of the stagers.
Confidence in the internal linkage across these artifacts is moderate to high. Multiple documents reuse the same linguistic style, operator names, filenames, and patterns, the dashboard and KPI tables reinforce an organizational, metrics-driven approach to operations, while the developer notes and client scripts reveal the technical underpinnings and the protocol choices operators relied upon. Taken together, the corpus points to an evolving, in-house capability that combines tailored RAT development with simple, reliable operator tooling and established operational tradecraft for lateral movement and persistence.
HUMINT & Counterintelligence Opportunities
The leaked materials reveal a bureaucratized ecosystem where structured templates, quotas, and supervision dictate operator behavior. Standardized KPI forms and supervisor annotations turn cyber operations into measurable output (tasks completed, efficiency rates, and quota attainment), pressuring personnel to maximize volume and speed at the expense of operational security. Highly specialized teams handle discrete phases of the attack chain, from exploit development to credential harvesting and HERV phishing, fostering technical proficiency but also moral distance from the consequences of their actions. Centralized attendance logs confirm an on-site workforce governed by peer norms and managerial oversight, reinforcing conformity and deterring dissent. Together, these dynamics produce a sociotechnical rhythm that makes the unit efficient, disciplined, and auditable, but also predictable, allowing defenders to anticipate and exploit recurring behavioral and procedural patterns.
The human-centered features of the operation create multiple pragmatic avenues for HUMINT and counterintelligence:

- Exploit incentive loops. Because operators chase measurable outputs, injecting false or poisoned inputs (e.g., decoy GAL entries, seeded contacts that lead to dead ends, plausibly privileged but monitored accounts) can produce observable follow-through that exposes infrastructure, timelines, or personnel.
- Target behavioral chokepoints. Handoffs (GAL export → HERV) and switchboards (RTM tags like “HIGH, VALUE”) are logical places to interpose deception or monitoring; a single tampered GAL can produce downstream intelligence on collection paths.
- Leverage physical–digital correlation. Aligning badge logs with intrusion timestamps can help identify likely shifts, escalation windows, and even the specific teams running a campaign, enabling tailored HUMINT or legal avenues of pressure.
- Encourage insider instability. Performance driven cultures generate internal stress. Well-crafted HUMINT approaches that emphasize career risk, poor performance, or the moral costs of operations can sometimes induce cooperation or mistakes, especially among lower tier operators who are most exposed to quota pressure.
Defensive & Operational Recommendations (HUMINT aware)
For effective defense, it is crucial to instrument human handoffs and monitor the signals that travel between people and systems: alert on GAL exports, anomalous mailbox access patterns, and KPI workflow metadata (filenames, templates, and report stamps). At the same time, deploy high-fidelity deception: seed plausible contacts, documents, and mailbox content designed to make adversaries reveal tooling, extraction paths, or C2 when they act on the bait. Where lawful HUMINT or partner cooperation is available, correlate badge entry/exit logs with intrusion timestamps to map shifts and likely operator windows, and use carefully timed notifications, managed false positives, and controlled exposure to introduce measurable friction into their metric-driven processes, slowing their cadence without risking sensitive data. Rather than only chasing novel malware, defenders should prioritize detection engineering for repeatable artifacts (template-based phishing HTML, reused webshell paths, script headers, and standardized PowerShell idioms) and combine these technical measures with lawful HUMINT and legal process to target the social and supply-chain nodes that sustain centralized operations.
- Instrument human handoffs: Monitor and alert on GAL exports, unusual mailbox access patterns, and the specific metadata used in KPI workflows (filenames, report templates).
- Deploy high-fidelity deception: Seed plausibly genuine contacts, documents, and mailbox content that will cause adversaries to reveal tooling, extraction paths, or C2 endpoints when they act on the bait.
- Correlate physical logs with cyber events: In environments where legal HUMINT or partner cooperation is possible, correlate badge entry/exit with intrusion timing to identify windows of activity and likely operator shifts.
- Stress-test their incentive structure: Use notification timing, false positives, and managed exposure to create perceptible friction in the adversary’s metric-driven processes — enough to slow their cadence without exposing protected data.
- Prioritize detection of repeatable artifacts: Focus defenders’ detection engineering on template-based markers (phishing HTML structures, webshell paths, script headers, and standardized PowerShell idioms) rather than on novel malware signatures.
- Pursue lawful HUMINT and legal channels: Where policy allows, combine human-source collection, legal process, and cyber threat intelligence to target the social nodes (contractors, facilities, supply chains) that sustain centralized operations.

Malware, Implants & Tooling
The collected artifacts reveal a focused tooling suite and a clear operational tradecraft. At the center of their Exchange-facing work sits a ProxyShell/Exchange exploit chain: weaponized PowerShell scripts and automated routines designed to extract Global Address Lists and full mailbox contents. Memory-level theft and dumper tools, notably LSASS captures processed with Mimikatz-style workflows, supply plaintext credentials and NTLM hashes that are immediately reused for lateral movement and persistent access.
Social engineering and credential theft are handled by a mature HERV toolkit that includes configurable HTML credential harvesters, OAuth token theft and relay mechanisms, and campaign plumbing that turns harvested identities into reusable session tokens. Successful footholds are frequently backed by lightweight ASP.NET webshells placed under predictable paths (aspnet_client/, owa/auth/, exchange/temp/) to provide persistence and remote command execution.
Operators also employ custom stagers and minimal PowerShell and .NET loaders masquerading as benign administrator scripts to bootstrap in memory implants and evade detection. For specialized targets, bespoke Ivanti wrappers and one-off exploit scripts convert appliance CVEs into reliable RCEs, demonstrating an ability to translate vulnerability research into targeted operational code. Together, these components form a compact, interoperable toolset optimized for Exchange compromise, credential capture, sustained presence, and rapid weaponization.

Indicators of Compromise
The dataset includes a mix of high-value domains, internal hosts, and telltale network indicators that together sketch the group’s target set and reconnaissance techniques. Observed domains of interest include government and corporate mail estates such as mfa.gov.ct.tr, alrabie.com, customs.gov.lb, and cnthoth.com, alongside commercial webmail gateways like mail.yousifi.com.kw and webmail.kccec.com.kw. The collection also documents multiple Iranian internal mail hosts with operator-annotated webshell paths, linking specific hosts to successful post exploitation activity.
Network-level evidence reinforces the pattern – sample source IPs tied to scanning and probing activity include:
- 128.199.237.132 RIPE
- 212.175.168.58 Turk Telecommunications
- 212.12.178.178 Nour Communication Co. Ltd Saudi Arabia
- 1.235.222.140 IRT, KRNIC, KR Korea
- 109.125.132.66 Pishgaman Tejarat Sayar DSL Network Iran
- 83.96.77.227 Fast Communication Company Ltd Kuwait
HTTP logs show a mix of automated reconnaissance and opportunistic credential harvesting: Cookie: mstshash= payloads indicative of RDP-style probes, attempts to fetch .env and SendGrid configuration files, and WordPress enumeration hits such as /?author= and /wp-json/wp/v2/users. Crawling activity is sometimes identifiable by user-agent strings like Pandalytics/2.0, which the operators used for domain discovery and prioritization. Together, these domain, host, and HTTP indicators map a coherent reconnaissance-to-exploitation pipeline focused on mail infrastructure, credential harvesting, and rapid post-compromise expansion.
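The two families of HTTP fingerprints this report describes, the operator-to-webshell channel from the Malware Analysis section (commands carried in the Accept-Language header, a non-standard Accept-Captcha header, m0s.* webshell paths) and the reconnaissance indicators listed just above (Cookie: mstshash= probes, .env and SendGrid configuration fetches, WordPress user enumeration, the Pandalytics/2.0 user agent), can be turned into a single detection pass over web-server or reverse-proxy logs. The script below is an added example written for this report; it is not code from the leaked corpus or from the report’s authors. It assumes a JSON-lines log format with ip/method/path/query/headers fields (our own format, chosen because common-log-format access logs do not retain request headers), and, because the report does not print the static Accept-Captcha token value, it treats the mere presence of that header as the signal. All sample requests and addresses are constructed.

```python
"""
Added example, not code from the report or the leaked corpus: replay the two
families of HTTP indicators the report describes over constructed proxy logs.
  Family 1 (operator -> webshell): commands carried in Accept-Language, a
  non-standard Accept-Captcha header, m0s.* webshell paths.
  Family 2 (mass reconnaissance): Cookie: mstshash= RDP-style probes, .env and
  SendGrid config fetches, WordPress user enumeration, Pandalytics/2.0 crawler.
Assumed: JSON-lines records with ip/method/path/query/headers (our format, not
the report's); the real Accept-Captcha token value is not given in the report,
so the header's presence is the signal. All sample traffic below is constructed.
"""
import json
import re
from typing import Dict, List, Set

# RFC 4647-style language-range list, e.g. "en-US,en;q=0.9,fa;q=0.8".
_QVAL = r"(?:\s*;\s*q=(?:0(?:\.\d{1,3})?|1(?:\.0{1,3})?))?"
_RANGE = r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)" + _QVAL
ACCEPT_LANGUAGE_RE = re.compile(r"^\s*" + _RANGE + r"(?:\s*,\s*" + _RANGE + r")*\s*$")
WEBSHELL_PATH_RE = re.compile(r"(?:^|/)m0s\.[A-Za-z0-9]+$")  # m0s.aspx, m0s.php ...
SECRET_FILE_RE = re.compile(r"(?:^|/)(?:\.env(?:\.[\w.-]+)?|[\w.-]*sendgrid[\w.-]*)$", re.I)
WP_USERS_RE = re.compile(r"^/wp-json/wp/v2/users/?$")
WP_AUTHOR_RE = re.compile(r"(?:^|&)author=\d*")


def analyze(record: dict) -> List[str]:
    """Return the names of every indicator rule a single request record trips."""
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    path, query = record.get("path", ""), record.get("query", "")
    hits: List[str] = []

    # Family 1: hands-on operator traffic to a webshell.
    if WEBSHELL_PATH_RE.search(path):
        hits.append("webshell_path_m0s")
    lang = headers.get("accept-language")
    # A command such as "dir C:\ProgramData" is not a list of language tags.
    # Caveat: a short substitution-ciphered command with no spaces still looks
    # like a tag, so this rule is paired with the Accept-Captcha check below.
    if lang is not None and (len(lang) > 128 or not ACCEPT_LANGUAGE_RE.match(lang)):
        hits.append("accept_language_not_language_tags")
    if "accept-captcha" in headers:
        hits.append("accept_captcha_header_present")

    # Family 2: mass reconnaissance and opportunistic config harvesting.
    if "mstshash=" in headers.get("cookie", "").lower():
        hits.append("rdp_style_mstshash_cookie")
    if SECRET_FILE_RE.search(path):
        hits.append("config_secret_fetch")
    if WP_AUTHOR_RE.search(query) or WP_USERS_RE.match(path):
        hits.append("wordpress_user_enumeration")
    if headers.get("user-agent", "").startswith("Pandalytics/"):
        hits.append("pandalytics_crawler")
    return hits


def scan_log(lines) -> List[dict]:
    """Parse JSON-lines records and keep only those that trip at least one rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append({"line": n, "ip": None, "path": None, "rules": ["unparseable_record"]})
            continue
        if hits := analyze(rec):
            findings.append({"line": n, "ip": rec.get("ip"), "path": rec.get("path"), "rules": hits})
    return findings


def rules_by_ip(findings: List[dict]) -> Dict[str, Set[str]]:
    """Cluster distinct rules per source IP; several recon rules from one IP = a scanner."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        if f["ip"]:
            out.setdefault(f["ip"], set()).update(f["rules"])
    return out


# Constructed sample log (RFC 5737 documentation addresses, invented requests).
SAMPLE_LOG = r"""{"ip":"203.0.113.10","method":"GET","path":"/index.html","query":"","headers":{"User-Agent":"Mozilla/5.0","Accept-Language":"en-US,en;q=0.9,tr;q=0.8"}}
{"ip":"203.0.113.55","method":"POST","path":"/owa/auth/m0s.aspx","query":"","headers":{"User-Agent":"python-requests/2.31","Accept-Language":"dir C:\\ProgramData","Accept-Captcha":"PLACEHOLDER-TOKEN"}}
{"ip":"203.0.113.55","method":"POST","path":"/aspnet_client/m0s.aspx","query":"","headers":{"User-Agent":"python-requests/2.31","Accept-Language":"qrwlqdz","Accept-Captcha":"PLACEHOLDER-TOKEN"}}
{"ip":"198.51.100.7","method":"GET","path":"/","query":"","headers":{"User-Agent":"Mozilla/5.0","Cookie":"mstshash=Administr"}}
{"ip":"198.51.100.7","method":"GET","path":"/.env","query":"","headers":{"User-Agent":"Mozilla/5.0"}}
{"ip":"198.51.100.7","method":"GET","path":"/","query":"author=1","headers":{"User-Agent":"Mozilla/5.0"}}
{"ip":"198.51.100.7","method":"GET","path":"/wp-json/wp/v2/users","query":"","headers":{"User-Agent":"Mozilla/5.0"}}
{"ip":"198.51.100.23","method":"GET","path":"/robots.txt","query":"","headers":{"User-Agent":"Pandalytics/2.0"}}"""


def demo() -> List[dict]:
    return scan_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in demo():
        print(f'line {f["line"]:>2}  {str(f["ip"]):<14} {str(f["path"]):<24} {", ".join(f["rules"])}')
    for ip, rules in rules_by_ip(demo()).items():
        print(f"{ip}: {sorted(rules)}")
```

Record 3 in the sample shows the caveat the report’s own description implies: a ciphered command without spaces still satisfies the language-tag grammar, so the Accept-Language rule alone would miss it, while the Accept-Captcha fingerprint and the m0s.* path still catch the request. Clustering rules per source IP (rules_by_ip) separates the scanner that trips several reconnaissance rules from a one-off hit on a single path, which is the hybrid-indicator correlation the "Implications for defenders" section recommends.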

Tradecraft Evolution & Timeline
This section documents the actor’s operational evolution across the dump: an initially Exchange-centric, human-driven collection effort in spring–summer 2022 that progressively scaled into a multi-vector intelligence program through 2023–2025. Early activity focused on high-value mailbox access and HUMINT: ProxyShell/EWS exploitation, GAL exfiltration, and hands-on mailbox monitoring that fed HERV phishing cycles. Over time the group automated discovery and credential harvesting, codified exploit playbooks (including Ivanti appliance wrappers), and integrated those capabilities into KPI-driven phishing and persistence workflows. In short, the campaign shifted from a scalpel, manually leveraging targeted Exchange intrusions, to a hybrid scalpel-and-net model that adds large-scale scanning, appliance RCEs, and reusable credential infrastructure while retaining the original HUMINT endgame.

Timeline (key milestones and supporting artifacts)
- April 2022: Initial domain compromise evidence
The LSASS/Mimikatz capture (mfa.tr.txt, Apr 2022) demonstrates early success at memory-level credential theft and domain compromise. These artifacts show plaintext admin/service passwords and NTLM hashes that enabled immediate credential replay and lateral movement.
- May–July 2022 (1403 series in the leaks): Exchange-centric campaign wave
The MJD campaign reports and HSN daily KPI tables (May–July 1403) document a concentrated Exchange exploitation wave: ProxyShell and EWS chains were used to validate shells, export Global Address Lists (GALs), and pull mailbox contents. Those GAL exports then seeded HERV phishing campaigns and longer-term mailbox monitoring for HUMINT collection.
- Late 2022 – 2023: Operational consolidation and automation
Post-campaign internalization of lessons is visible in the templated KPI reports and playbooks: weaponized PowerShell scripts for GAL exports, standardized webshell placement paths, and automated token-replay mechanisms. Operators shifted toward operational repeatability; the same attack sequences appear across different target sets with only minor variance in lure content.
- 2023 – Jan 2025: Broad reconnaissance and opportunistic harvesting
Access logs spanning Dec 2023–Jan 2025 show mass internet scanning, RDP-style probes (Cookie: mstshash=), .env and SendGrid configuration fetch attempts, and WordPress enumeration (/?author=, /wp-json/wp/v2/users). This period marks an expansion to wide-net discovery and opportunistic credential/config harvesting to supplement targeted exploitation.
- 2023–2025 (intermixed): Ivanti and appliance exploitation
The Ivanti technical review (internal “سند بررسی …” PDF) and the later Ivanti wrapper evidence indicate the group converted appliance CVEs into one-off RCE scripts. These capability additions broadened the attack surface beyond Exchange, enabling access to VPN and network appliances that could be used to reach additional mail estates or privileged management interfaces.
- Ongoing: Closed-loop phishing and HUMINT sustainment
Throughout the timeline, the HERV toolkit, RTM reports (mailbox dwell times, “HIGH, VALUE” tagging), and attendance logs show the persistent operational goal: turn access into sustained collection. Harvested GALs and mailbox contents feed new lures measured by campaign KPIs, creating a replenishing cycle of exploitation → harvest → phishing → monitoring.
Implications for defenders
- Watch for hybrid indicators: Exchange abuse indicators (ProxyShell, suspicious GAL export activity) correlated with mass-scan signatures (RDP-style cookies, .env probes) often indicate the same operator lifecycle.
- Prioritize detection of credential theft and token abuse (LSASS dumps attempting exfiltration, unusual OAuth consent flows), and instrument GAL export monitoring and alerting.
- Treat appliance CVE advisories as operationally relevant to email estate security — appliance RCEs are being used to pivot to mail infrastructure.
Closing Narrative
The APT35 leak exposes a bureaucratized cyber-intelligence apparatus, an institutional arm of the Iranian state with defined hierarchies, workflows, and performance metrics. The documents reveal a self-sustaining ecosystem where clerks log daily activity, quantify phishing success rates, and track reconnaissance hours. Meanwhile, technical staff test and weaponize exploits against current vulnerabilities, most notably in Microsoft Exchange and Ivanti Connect Secure, before passing them to operations teams for coordinated use. Supervisors compile results into analytic summaries with success ratios and recommendations, forwarding them up the chain for review. This level of procedural rigor shows that APT35 functions less like a criminal group and more like a government bureau executing defined intelligence mandates.
Strategically, the materials confirm that APT35’s operations serve Tehran’s broader security objectives: maintaining awareness of regional adversaries, exerting leverage in geopolitical negotiations, and monitoring domestic dissent. Its Exchange-centric targeting underscores a deliberate focus on email ecosystems as both intelligence sources and control hubs, while the rapid weaponization of Ivanti and ProxyShell exploits illustrates an operational doctrine built on speed, persistence, and long-term access. The leak transforms analytic suspicion into evidence of a state-directed enterprise, a centralized system integrating SIGINT, psychological operations, and technical reconnaissance under military oversight. Together, these files mark a turning point in understanding Iran’s cyber apparatus: a professionalized intelligence service that has institutionalized the digital battlefield, erasing the boundary between espionage and warfare.
APPENDIX A: Leaked Document List
A consolidated list of every document that contains, references, or was used in assessing the individuals associated with APT35 / Charming Kitten (مهندس کیان / Engineer Kian, مهندس رضا / Engineer Reza, م. رحمانی / M. Rahmani, سید محمد حسینی / Seyed Mohammad Hosseini, etc.)
Each entry includes the filename (exact as uploaded) and the personnel or entity references confirmed or inferred within it.
Documents Containing Personnel References
1. MMD-1403-01-27.pdf
Mentions / Context:
- Aggregate monthly performance summary for the cyber unit.
- Contains tables with operators’ metrics and identifiers.
- Individuals: مهندس رضا (Engineer Reza), مهندس کیان (Engineer Kian), م. رحمانی (M. Rahmani), سید محمد حسینی (Seyed Mohammad Hosseini).
Relevance: Baseline administrative report connecting supervisors to operator cells.
2. گزارش عملکرد ماهانه (بهمن ماه کوروش).pdf
(Monthly Performance Report — Bahman Month, Kourosh)
Mentions / Context:
- Parallel structure to Kian’s report; indicates multiple team leads (Engineer Kourosh).
- Cross-references Team Kian and Team Shayan as comparative performers.
- Individuals: مهندس کیان (Engineer Kian), مهندس کوروش (Engineer Kourosh), م. رحمانی (M. Rahmani).
Relevance: Confirms existence of multiple parallel technical teams under a unified metric system.
3. 4d6bf3834e9afb8e3c3861bf2ad64a68d9c7d870_گزارش عملکرد ماهانه (بهمن ماه_ (2).pdf
Mentions / Context:
- Duplicate or revised Bahman-month report.
- Mentions تیم کیان (Team Kian), تیم شایان (Team Shayan), اپراتور ۰۴ (Operator 04), اپراتور ۰۷ (Operator 07).
Relevance: Key linkage document showing the operator numbering convention (04, 07) tied to Kian’s cell.
4. گزارش عملکرد ماهانه (بهمن ماه شایان).pdf
(Monthly Performance Report — Bahman Month, Shayan)
Mentions / Context:
- Another operator-cell summary.
- Individuals: مهندس شایان (Engineer Shayan), مهندس کیان (Engineer Kian, for comparative KPI).
Relevance: Confirms multiple peer teams; provides comparative success percentages.
5. _گزارش عملکرد ماهانه (بهمن ماه_REDACTED.pdf
Mentions / Context:
- Redacted performance document, partially anonymized.
- Visible metrics fields reference اپراتور ها (operators) and رحمانی (Rahmani).
- Individuals: م. رحمانی (M. Rahmani), مهندس رضا (Engineer Reza).
Relevance: Provides evidence of Rahmani’s central KPI consolidation function.
6. 544bf4f9e5fdb4d35987b4c25f537213ce3c926a_گزارش عملکرد ماهانه ( بهمن ما_REDACTED.pdf
Mentions / Context:
- Another variant of the Bahman-month corpus.
- Individuals: سید محمد حسینی (Seyed Mohammad Hosseini, reviewer), مهندس رضا (Engineer Reza), م. رحمانی (M. Rahmani).
Relevance: Reinforces hierarchical oversight and clerical structure.
7. 2d5b8da0d0719e6f8212497d7e34d5f1b1fa6776_All_target_report_20220508.pdf
Mentions / Context:
- English-language operational summary of Exchange and Ivanti exploitation.
- Individuals (roles cross-mapped to Persian reports): M. Kazemi, A. Mousavi, S. Ghasemi, Operator 04, Operator 07.
Relevance: Connects technical operators and exploit engineers to foreign target campaigns.
8. 4d6bf3834e9afb8e3c3861bf2ad64a68d9c7d870_گزارش عملکرد ماهانه (بهمن ماه_.pdf
Mentions / Context:
- Near-identical to the other Bahman-month reports; confirms Team Kian hierarchy.
- Mentions تیم شهید (Team Shahid) in a quality-control context.
Relevance: Establishes linkage between Kian’s technical branch and the auditing/training unit.
9. گزارش عملکرد ماهانه (بهمن ماه امیرحسین).pdf
(Monthly Performance Report — Bahman Month, Amir Hossein)
Mentions / Context:
- Focused on مهندس امیرحسین (Engineer Amir Hossein).
- References Team Kian and مهندس رضا (Engineer Reza) in comparative task metrics.
Relevance: Adds another operational cell; confirms standardized reporting and KPI structure.
10. گزارش اقدامات کمپین جردن.pdf
(Campaign Jordan Report)
Mentions / Context:
- Operational summary for a specific campaign targeting regional entities (Jordan, Saudi Arabia, Kuwait).
- References تیم کیان (Team Kian) tools in use during external exploitation.
- Individuals: مهندس کیان (Engineer Kian), ع. موسوی (A. Mousavi), س. قاسمی (S. Ghasemi).
Relevance: Demonstrates deployment of Team Kian’s persistence scripts in live operations.
11. Ivanti سند بررسی و تلاش برای اخذ دسترسی با استفاده از آسیب پذیری.pdf
(Ivanti Exploitation Analysis Document)
Mentions / Context:
- Technical document describing weaponization of Ivanti Connect Secure CVEs.
- Individuals: م. کاظمی (M. Kazemi), مهندس کیان (Engineer Kian).
Relevance: Validates Kazemi’s role in exploit testing and Kian’s integration of the resulting payloads.
12. phishing herv.pdf
Mentions / Context:
- Describes GAL→HERV workflow and credential-collection automation.
- Individuals: ع. موسوی (A. Mousavi), س. قاسمی (S. Ghasemi).
Relevance: Maps phishing infrastructure and data handoff pipeline to Kian’s credential integration.
13. گزارش نفوذ به ایمیل.pdf
(Email Intrusion Report)
Mentions / Context:
- Describes compromised Exchange accounts and operational feedback loops.
- Mentions اپراتور ۰۴ (Operator 04), اپراتور ۰۷ (Operator 07), تیم کیان (Team Kian).
Relevance: Direct evidence linking Kian’s operators to live intrusions.
Cross-Reference Summary
APPENDIX B: Analytic Attribution of IRG Operators
1. Command and Coordination Layer
2. Technical Leads – Engineering Cells
3. Field Operators / Exploitation Tier
4. Specialized Technical Staff
5. Training and Oversight
Functional Constellations
IRGC Cyber Unit 13 (Command)
│
├── Coordination & Metrics
│ ├─ Seyed Mohammad Hosseini
│ └─ M. Rahmani
│
├── Technical Infrastructure Branch
│ ├─ Engineer Reza → Majid S., Ali-Reza Karimi
│ └─ Front Company: Pardazesh Sazeh Co.
│
├── Exploit R&D Branch
│ ├─ Engineer Kian (Team Kian)
│ │ ├─ Operator 04
│ │ ├─ Operator 07
│ │ ├─ M. Kazemi
│ │ ├─ A. Mousavi ↔ S. Ghasemi
│ │ └─ Team Shahid (audit/training)
│ ├─ Peer Teams: Kourosh, Shayan, Amir Hossein
│ └─ Toolchain: HERV ↔ RTM Modules
│
└── Recruitment / Training
└─ Imam Hossein University
Synthesis
- The corpus shows a matrixed command, typical of the IRGC Cyber Unit 13 / APT35 ecosystem:
  - Top Layer: strategic oversight and performance auditing.
  - Middle Layer: engineering leads managing semi-autonomous operator cells.
  - Bottom Layer: technicians handling exploit deployment, credential theft, and infrastructure upkeep.
- The repeated educational and cover-company references indicate state-employment relationships, not independent contractors.
- Each engineer-named team (Kian, Reza, Kourosh, Shayan, Amir Hossein) forms a production line feeding into shared toolkits (Exchange, Ivanti, HERV modules).
Analytic Confidence
APPENDIX C: Malware Analysis & IOCs Technical Section
Summary
The corpus contains two complementary toolsets used by the same operator ecosystem: (A) an in-house Windows RAT family (RAT-2Ac2 / stagers) used for persistence, credential theft, file collection, and encrypted C2, and (B) lightweight operator client tooling / webshell controllers used to interactively manage compromised hosts through webshell endpoints. The RATs are deployed under plausible Windows-looking filenames in C:\ProgramData\… and use reverse/RDP-style tunneling to external C2s (e.g., 103.57.251.153), while the client tooling uses unusual HTTP header channels (Accept-Language) and an Accept-Captcha static token to carry commands.
Samples / artefacts observed (evidence list)
- RAT engineering notes and stager examples (RAT-2Ac2): dropper path and example reverse command lines referencing C:\ProgramData\Microsoft\diagnostic\vmware-tools.exe and C2 103.57.251.153:443.
- Operator client scripts: three Python clients that implement an interactive webshell controller: connect.py (encoded commands), rce5.py (encoded), and RCE4.py (raw commands). These include three hardcoded webshell endpoints and a static header token.
- Operator web control / IIS panel: script that constructs WMIC / stager commands and serves Execute/Upload forms (operator admin UI), plus logs indicating a local operator web UI on port 8000 and masquerade service name Java Update Services.
Capability matrix (what the malware does)
- Initial access / account capture: Phishing / credential harvesting lures and previously observed Exchange exploitation enabled credential access; RAT includes browser credential theft modules.
- Command & Control: Custom encrypted channel with <len><base64(payload)> framing for RATs (test port 8080), and reverse/RDP tunneling to external C2s (103.57.251.153) using stager executables. Client tooling uses HTTP(S) GETs with commands encoded in Accept-Language header and an Accept-Captcha header token.
- Execution & Persistence: Droppers install to ProgramData, spawn service-like processes and helper scripts (e.g., svchost.bat, JavaUpdateServices.exe), and remove installers after launch.
- Lateral movement: Use of net use \\<ip>\C$, WMIC remote process creation (wmic /NODE:) to execute cmd.exe /c remotely.
- Collection / exfiltration: file collection (documents, attachments), keylogger, clipboard monitor, and browser stealer modules noted in developer notes.
Code / protocol fingerprints (useful for detection)
- Stager path & filenames: C:\ProgramData\Microsoft\diagnostic\vmware-tools.exe, C:\ProgramData\Microsoft\diagnostic\svchost.bat, C:\ProgramData\Microsoft\Diagnostic\JavaUpdateServices.exe, JavaUpdateServices.ps1.
- Client header fingerprint: header Accept-Captcha: 2EASs2m9fqoFsq4E0Ho3a3K1yHh5Fl3ZtWs5Td1Qx63QWsZKJ9mV9... (static token present in Python clients) and usage of Accept-Language as a command carrier.
- Webshell filename pattern: m0s.* (m0s.php, m0s.aspx, m0s.phto) used across multiple targets.
- Client User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 ... Chrome/120.0.0.0 Safari/537.36 as used in operator clients.
Typical attack flow (behavioral timeline)
- Recon & phishing / Exchange exploitation to harvest credentials (documented campaign KPIs).
- Initial webshell deployment to public-facing host (webshell filename m0s.*).
- Operator connection using Python client which sends obfuscated or raw commands in Accept-Language header to the webshell endpoint (interactive REPL).
- Stager deployment on internal hosts into ProgramData with masqueraded names and service registration; reverse tunnel established to external C2 (e.g., 103.57.251.153).
- Lateral movement using WMIC / SMB (net use) to expand access; data collection via RAT modules.
MITRE ATT&CK mapping (high-level)
- T1190: Exploit public-facing application (Exchange/Autodiscover/EWS in corpus).
- T1566: Phishing.
- T1071.001 / T1071.004: C2 over HTTP(S) and use of web protocols as command channel (Accept-Language carrier).
- T1021.004 / T1021.001: Remote Services (WMIC, RDP tunneling).
- T1027 / T1564: Obfuscated files / information (substitution encoding in clients, hiding in ProgramData).
Detection guidance (high-confidence detections)
Network detections
- Alert on outbound connections to known C2 103.57.251.153 and 212.175.168.58.
- IDS/Proxy rule: flag HTTP(S) requests where Accept-Language header length > baseline (e.g., >100 chars) or containing non-language tokens/command-like characters. Also detect presence of the static Accept-Captcha token.
Host detections
- EDR / endpoint hunts for files executed from C:\ProgramData\Microsoft\diagnostic\vmware-tools.exe and C:\ProgramData\Microsoft\Diagnostic\JavaUpdateServices.exe or JavaUpdateServices.ps1.
- Process creation events (Windows Event 4688) where cmd.exe is spawned with net use \\ or wmic /NODE: command lines.
Webserver detections
- IIS / web logs: search for GET/POST to */m0s.* paths and unusual header patterns (Accept-Language with long/encoded strings).
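As an added example (not code from the leak or from the report's own tooling), the following Python script applies the network and webserver fingerprints above, together with the mass-scan signatures from the Dec 2023–Jan 2025 access-log period (.env, /?author=, /wp-json/wp/v2/users, mstshash= probes), to constructed JSON-lines request records. The record format, the source addresses and everything after the quoted Accept-Captcha prefix are assumptions; the token is matched only on the prefix this report reproduces.

```python
"""Added example: triage of web/proxy request records for the webshell, operator-client
and mass-scan fingerprints described in this report (defensive use)."""
import json
import re

# Fingerprints quoted in the report. The Accept-Captcha token is truncated on the page,
# so only the visible prefix is matched here.
ACCEPT_CAPTCHA_PREFIX = "2EASs2m9fqoFsq4E0Ho3a3K1yHh5Fl3Zt"
ACCEPT_LANGUAGE_BASELINE = 100     # report's suggested starting baseline (>100 chars)
WEBSHELL_PATH_RE = re.compile(r"/m0s\.[a-z0-9]+$", re.IGNORECASE)
MASS_SCAN_PREFIXES = ("/.env", "/?author=", "/wp-json/wp/v2/users")
RDP_PROBE_MARKER = "mstshash="      # RDP cookie string seen in the access-log scanning wave

# Loose grammar for a legitimate Accept-Language value (language ranges with optional
# q-weights, e.g. "en-US,en;q=0.9"). Raw commands and base64 blobs containing spaces,
# '/', '+' or '=' padding fail it; this is a heuristic, not proof of malice.
_LANG_RANGE = r"\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*"
_LANG_ITEM = rf"(?:{_LANG_RANGE})(?:\s*;\s*q=(?:0(?:\.\d{{1,3}})?|1(?:\.0{{1,3}})?))?"
ACCEPT_LANGUAGE_RE = re.compile(rf"^\s*{_LANG_ITEM}(?:\s*,\s*{_LANG_ITEM})*\s*$")


def triage(record):
    """Return the detection tags that fire for one request record (empty list = clean).

    A record is a dict with optional keys: src, path, headers (dict) and raw (the request
    line as logged, used for non-HTTP probes that land in web logs).
    """
    findings = []
    path = record.get("path", "")
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}

    # Webshell filename pattern m0s.* (m0s.php, m0s.aspx, ...) regardless of directory.
    if WEBSHELL_PATH_RE.search(path.split("?", 1)[0]):
        findings.append("webshell_path_m0s")
    # Opportunistic-harvesting probes from the Dec 2023 - Jan 2025 scanning period.
    if any(path.startswith(p) for p in MASS_SCAN_PREFIXES):
        findings.append("mass_scan_path")

    # Accept-Language used as a command carrier: flag by length and by grammar.
    lang = headers.get("accept-language")
    if lang is not None:
        if len(lang) > ACCEPT_LANGUAGE_BASELINE:
            findings.append("accept_language_length")
        if not ACCEPT_LANGUAGE_RE.match(lang):
            findings.append("accept_language_grammar")
    # Static operator-client token carried in a non-standard header.
    if headers.get("accept-captcha", "").startswith(ACCEPT_CAPTCHA_PREFIX):
        findings.append("accept_captcha_token")
    # RDP-style probe bytes ("Cookie: mstshash=...") recorded by a web server.
    if RDP_PROBE_MARKER in headers.get("cookie", "") or RDP_PROBE_MARKER in record.get("raw", ""):
        findings.append("rdp_probe_mstshash")
    return findings


def scan_log(lines):
    """Parse JSON-lines request records; return (src, path, findings) for hits only."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the sweep
        findings = triage(record)
        if findings:
            hits.append((record.get("src", "?"), record.get("path", ""), findings))
    return hits


# Constructed sample records (addresses from documentation ranges; the Accept-Captcha
# value beyond the quoted prefix is a placeholder, not the real token).
SAMPLE_RECORDS = [
    {"src": "192.0.2.10", "method": "GET", "path": "/index.html",
     "headers": {"Accept-Language": "en-US,en;q=0.9"}},
    {"src": "203.0.113.7", "method": "GET", "path": "/uploads/m0s.aspx",
     "headers": {"Accept-Language": "Y21kIC9jIHdob2FtaQ==",
                 "Accept-Captcha": ACCEPT_CAPTCHA_PREFIX + "-PLACEHOLDER-REST-OF-TOKEN"}},
    {"src": "203.0.113.7", "method": "GET", "path": "/m0s.php",
     "headers": {"Accept-Language": ",".join(["en-US"] * 20)}},  # 119 chars, valid grammar
    {"src": "198.51.100.23", "method": "GET", "path": "/.env", "headers": {}},
    {"src": "198.51.100.23", "method": "GET", "path": "/?author=1", "headers": {}},
    {"src": "198.51.100.23", "method": "-", "path": "",
     "raw": "\\x03\\x00\\x00\\x2f Cookie: mstshash=Administr"},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for src, path, findings in scan_log(SAMPLE_LOG):
        print(f"{src:15} {path or '<non-HTTP>':24} {', '.join(findings)}")
```

The length and grammar checks on Accept-Language are meant to be tuned against your own traffic baseline; the m0s.* path, Accept-Captcha prefix and mstshash= matches are high-confidence on their own.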
Recommended YARA / signature examples (for defensive use)
Below are defensive detection signatures (search for these strings or patterns on endpoints / file repositories). These are benign, detection-only rules — they do not enable use of any malware.
YARA-style example (conceptual — adapt to your YARA environment):
rule RAT_2Ac2_stager_path {
    meta:
        description = "Detect reference to known RAT-2Ac2 stager path"
        source = "session_uploads"
    strings:
        $s1 = "C:\\ProgramData\\Microsoft\\diagnostic\\vmware-tools.exe" nocase
        $s2 = "C:\\ProgramData\\Microsoft\\diagnostic\\svchost.bat" nocase
    condition:
        any of ($s*)
}
Signature for operator-client header token (IDS/snort approach — conceptual):
- Match HTTP header Accept-Captcha containing 2EASs2m9fqoFsq4E0Ho3a3K1yHh5Fl3Zt... (full token in original scripts).
Forensic and containment playbook (concise)
- Immediate: block outbound traffic to listed C2 IPs and domains; rotate all credentials observed in scripts.
- Hunt & isolate: EDR hunt for ProgramData stagers and recent wmic/net use activity; isolate confirmed hosts and capture memory + full disk images.
- Preserve logs: collect IIS/webserver logs (requests to m0s.*), proxy logs (Accept-Language payloads), and firewall logs for the suspect IPs.
- Malware analysis: analyze any recovered vmware-tools.exe/JavaUpdateServices.exe in a disconnected lab, extract network protocol fingerprints, and produce YARA and Suricata signatures for deployment.
Confidence & provenance
- Confidence in linkage: Moderate–high. Attribution to the same actor cluster is supported by: repeated Farsi-language artifacts, consistent project / operator names (Reza / Kian), reuse of filenames and paths, and reuse of webshell filename patterns and header-carrier technique across multiple client scripts and operational dumps.

Part 3 analyzes the GFW as geopolitical infrastructure: economic protectionism, the export of cyber sovereignty norms, and the emergence of an authoritarian coalition (Russia, Iran).
The Great Firewall as Geopolitical Infrastructure
The Great Firewall of China (GFW) represents far more than a technical construct; it is the digital expression of a strategic doctrine, one rooted in state control, authoritarian stability, and a redefinition of sovereignty in cyberspace. Where earlier generations of internet architecture were built around openness and interoperability, the GFW stands as a counter-model: a system that enforces not just censorship but also discipline, not merely blocking information but engineering a compliant digital citizenry.

Through this lens, the GFW becomes a cornerstone of China’s broader governance model, extending internal social control mechanisms into the digital realm while also projecting power abroad. It is both shield and sword: insulating the domestic population from undesired narratives and foreign influence, while exporting technologies, protocols, and ideological models of digital sovereignty to other authoritarian or aspiring technocratic regimes. What began as a reactive security tool has evolved into a dynamic governance platform, tightly integrated with national infrastructure, industrial policy, propaganda channels, and law enforcement systems. Its architecture, as seen in the leaked data, supports real-time behavioral tracking, regionally adaptive enforcement, and centralized orchestration across ISPs, ministries, and military-linked vendors.
Internal Social Control: Domestic Implementation and Ideological Containment
China’s domestic deployment of the Great Firewall (GFW) is not merely a digital barrier; it is an infrastructure for surveillance engineering that operates in service of ideological conformity and political control. The infrastructure revealed in the dataset showcases a system that is deeply embedded within the national internet architecture, capable of granular content classification, multi-layered traffic inspection, and adaptive suppression mechanisms. Every facet of user interaction, from HTTP headers and TLS handshakes to DNS queries and application telemetry, is a potential input for censorship decisions.
At its core, the GFW’s domestic function is ideological containment: a technical means to preempt the circulation of narratives, symbols, or software deemed threatening to Party legitimacy. The filtering mechanisms are not static; they exhibit dynamic heuristics that flag circumvention traffic patterns, encrypted tunnels, and access attempts to banned services such as Twitter, YouTube, Wikipedia, and GitHub. Logs and routing tables within the leaked data reveal strategic targeting of:
- Foreign software update servers, to prevent the installation of tools like Signal or Tor,
- Cloud services and content delivery networks (CDNs) associated with media organizations and dissident communities,
- Online education portals and democracy-linked content, particularly around anniversaries of events like Tiananmen Square,
- Religious and ethnic advocacy content, especially concerning Tibet, Xinjiang, and Falun Gong.

By mapping these access patterns to regions, user sessions, and endpoints, the GFW enables adaptive, real-time suppression, a form of algorithmic censorship that not only blocks, but surveils. The presence of regionally distributed “probe agents,” remote configuration push systems, and memory-optimized Redis-based blacklist updates shows a scalable enforcement model designed to track and shape the narrative landscape at population scale. This is not passive filtering; it is proactive thought boundary enforcement, engineered to neutralize dissent before it propagates.
Economic Engineering and Domestic Substitution
By systematically blocking foreign SaaS and collaborative software, China nurtures its own domestic ecosystem. Excel-based audits from the dump show targeted suppression of applications such as Google Docs, Zoom, Dropbox, and Trello. These gaps are filled by Tencent Docs, DingTalk, and Huawei-developed platforms, illustrating how the GFW enables economic protectionism masquerading as cyber defense. This pattern is not incidental but strategic: the firewall constrains market access for foreign competitors under the guise of national security, while ensuring that data flows remain within the control of state-aligned corporations.
The substitution effect creates a dual outcome. First, it accelerates the adoption of domestic platforms that are deeply integrated with state surveillance and content moderation requirements, ensuring ideological conformity and technical compliance. Second, it generates an economic moat for Chinese firms by shielding them from the competitive pressures of global incumbents, allowing state-championed companies to scale rapidly in an artificially insulated market. What emerges is a model where censorship and market engineering are inseparable, cyber sovereignty and industrial policy reinforcing one another.

At a macro level, this reveals how the GFW is not only an instrument of political control but also a lever of techno-nationalism. By positioning domestic software as the only viable option for collaboration, communication, and file sharing, the state ensures that innovation pipelines, venture capital flows, and user data remain under Beijing’s regulatory umbrella. The firewall thus becomes a structural barrier to globalization, producing not only ideological isolation but also a controlled economic environment where China’s champions can thrive at the expense of suppressed foreign rivals.

On the geopolitical stage, this model contributes to the fragmentation of the global internet. As China’s approach is emulated by other authoritarian regimes, the result is a “splinter-net” or a “Balkanization of the internet”, where national borders dictate not just content but also economic flows and digital standards. Beijing leverages its ecosystem as a form of soft power, exporting platforms like Huawei Cloud and Tencent Meeting to Belt and Road partner states, presenting them as secure alternatives to Western software while embedding latent channels of influence and surveillance. In doing so, the GFW does not simply defend China’s information space; it actively reshapes global digital norms, setting precedents for a world where censorship and economic self-sufficiency converge as tools of statecraft.
Regional Influence and the Export of Cyber Norms
As Beijing cements control internally, it also exports its digital governance model. Observed similarities in data retention mandates, DPI (Deep Packet Inspection) deployment, and application whitelisting mechanisms in countries such as Iran, Vietnam, and Russia suggest the emergence of a “cyber sovereignty coalition” modeled after the GFW. These states borrow not only the technical blueprints but also the ideological framing: the notion that national borders should extend into cyberspace, with governments controlling what citizens can access, publish, and share.
Chinese firms such as Huawei and ZTE play a central role in enabling this diffusion. By providing turnkey infrastructure, core routers, traffic gateways, and 5G networks, these companies ensure that the hardware and software underlying new digital environments embed the same logics of inspection and control that define the Chinese model. This makes Beijing’s digital governance framework not just a domestic fixture but an exportable package, bundled with financing through the Digital Silk Road initiative. The export is both technical and political, shaping authoritarian states’ capacity to replicate China’s approach under the banner of sovereignty and “information security.”

The effect is a gradual normalization of state-mediated connectivity. Countries adopting GFW-style controls are not simply importing equipment; they are adopting a philosophy that treats information as a threat vector rather than a public good. Over time, this fosters interoperability among authoritarian regimes, creating channels for knowledge transfer, intelligence sharing, and shared censorship protocols. The outcome is a fragmented, parallel internet sphere where repression is standardized and commercialized, with China as the principal vendor of both ideology and infrastructure.
Societal Impact and Resistance
Since the Tiananmen Square protests in 1989, the Chinese Communist Party has treated the free flow of information as an existential threat to regime stability. The development of the Great Firewall must be understood in that context: it is not simply a security apparatus, but a continuation of the Party’s broader strategy to prevent mass mobilization by limiting access to ideas, narratives, and organizing tools. Over the decades, censorship has evolved from blunt blocking of foreign websites to a finely tuned system of VPN blacklists, URL tracebacks, and application-level analytics. These capabilities allow authorities to correlate individual users with dissent behavior in near-real-time, ensuring that politically sensitive searches, conversations, and digital gatherings are identified and neutralized before they can coalesce into movements. In effect, the firewall transforms the internet into an extension of the state’s security services, eroding anonymity and embedding surveillance into the mundane acts of browsing, messaging, or sharing.
Yet despite this pervasive control, resistance is both persistent and adaptive. Beginning with early proxy experiments in the 2000s, Chinese developers themselves have been central to the creation of circumvention tools. Shadowsocks, created in 2012 by a developer known as clowwindy, pioneered lightweight encrypted proxying that could slip past deep packet inspection. When Shadowsocks nodes began to be actively targeted, the community iterated with V2Ray (Project V), a modular platform with multiple transport protocols and obfuscation layers. This in turn inspired Trojan, which disguises proxy traffic as ordinary TLS to resist probing, and later Brook and Xray, forks that pushed further into stealth and flexibility. Each of these tools originated within Chinese coding circles, highlighting how resistance emerges from inside the very environment being controlled.

Culturally, dissent also manifests in creative forms. Social commentary critical of censorship and the Party circulates widely on Weibo, Bilibili, and WeChat before deletion, often employing satire, homophones, memes, or coded references to evade keyword filters. These “edge-ball” expressions illustrate both the limits of algorithmic censorship and the cultural resilience of Chinese netizens. Meanwhile, diaspora communities amplify resistance by publishing bypass techniques, hosting mirrors of blocked content, and maintaining repositories of circumvention code on platforms like GitHub, ensuring knowledge is never entirely erased inside the firewall.
The interplay between suppression and resistance thus produces an ongoing arms race. Each new round of GFW countermeasures provokes new tools, tactics, and cultural adaptations. While the firewall is formidable, it paradoxically nurtures an oppositional ecosystem that continually innovates around its constraints. Far from extinguishing dissent, the system creates a feedback loop of repression and resistance, embedding digital counterculture as a permanent feature of Chinese society. The result is a paradox: the GFW sustains authoritarian control, yet at the same time guarantees the continual reinvention of the very forms of resistance it seeks to eradicate.
Strategic Positioning in Global Cyber Norms
China’s long-term vision is visible through its participation in multilateral forums such as the UN’s Group of Governmental Experts (GGE) on ICT security and the Belt and Road Initiative’s “Digital Silk Road.” These initiatives provide diplomatic cover for Beijing’s promotion of “internet sovereignty” as a legitimate model of governance. In practice, this means embedding the logic of the Great Firewall into international policy discourse, presenting it not as censorship or repression but as a sovereign right of states to regulate information flows within their borders.
At the UN level, Chinese representatives have consistently argued for norms that emphasize non-interference in domestic internet policies, deliberately contrasting this with historical Western advocacy for a “free and open” internet. By reframing censorship as an extension of sovereignty, Beijing attempts to normalize state control as a global principle, effectively insulating its own practices from critique while empowering other governments to follow suit. The Digital Silk Road, meanwhile, operationalizes these ideas by providing infrastructure, financing, and governance templates to partner countries. Through fiber optic cables, 5G buildouts, and “smart city” packages, China creates an export pathway for both technology and ideology, linking development assistance with the adoption of Beijing’s governance model.
This approach positions China as more than a participant in global internet governance; it casts Beijing as a rule-setter. By aligning economic incentives with political norms, China gradually shifts the Overton window of global digital policy. What once would have been viewed as authoritarian overreach is rebranded as legitimate digital self-determination, creating a parallel order where the GFW’s logic is not an exception but an accepted standard.
Future Resistance and Possible Outcomes of Intensified Surveillance
If China accelerates its trajectory toward deeper electronic surveillance and repression, the societal and geopolitical consequences are likely to manifest in both predictable and disruptive ways. At the domestic level, a more comprehensive fusion of AI-driven monitoring, predictive policing, and ubiquitous biometric collection would further entrench a climate of self-censorship and fear. The integration of surveillance with economic and social systems, already evident in the Social Credit framework, would amplify the daily costs of dissent, making deviation from state narratives punishable not only through arrest but through exclusion from essential services, employment, and mobility. In such an environment, formal opposition is unlikely to survive, but informal networks of coded communication and underground technological innovation could expand, creating a dual society where repression coexists with hidden circuits of resistance.
Historically, such intense monitoring regimes often produce unintended consequences. The more pervasive and intrusive the surveillance, the more it incentivizes citizens and developers to innovate countermeasures, ranging from obfuscated communication protocols to subtle forms of cultural satire and resistance. As seen with Shadowsocks and subsequent projects, the very act of suppression can cultivate technical expertise and solidarity networks among those targeted. If the state further escalates, resistance may shift from individual acts of circumvention toward collective forms of digital underground culture, diaspora-supported communication hubs, and encrypted parallel ecosystems that remain resilient precisely because they are decentralized and adaptive.

Externally, an increasingly repressive China risks catalyzing stronger responses from international actors. Multilateral organizations and democratic states may impose stricter technology export controls, sanctions on surveillance vendors, or coordinated support for civil-society circumvention efforts. At the same time, authoritarian-aligned states could take China’s model as a green light to expand their own controls, accelerating the Balkanization of the global internet. The result would be a sharper divide between “sovereign internets” that normalize repression and open networks that champion access, placing global institutions in a prolonged struggle over which model defines the standards of international governance.
The paradox, then, is that China’s tightening grip may secure short-term regime resilience at home while sowing the seeds of longer-term instability and resistance. As surveillance deepens, so too does the risk of overreach, where hyper-control undermines legitimacy and drives innovation in circumvention. On the world stage, Beijing’s hardening model could accelerate geopolitical polarization, forcing states to choose between integration into China’s censored, state-mediated sphere or alignment with more open, contested global frameworks. In both cases, the ultimate outcome is not stability, but fragility, a digital order defined less by uniform control than by the ceaseless negotiation between repression and resistance.
Conclusion
The Great Firewall is not just an internet control system; it is a pillar of China’s broader authoritarian toolkit. Its effectiveness lies in its quiet integration into daily digital life, shaping what can be seen, shared, or even imagined by hundreds of millions of citizens. Unlike blunt instruments of repression, the firewall functions with subtlety: it restricts choice by removing foreign competitors, embeds surveillance into domestic platforms, and fosters a normalized environment where censorship is an unremarkable fact of life. In this sense, the GFW is less a technical barrier than a lived reality, one that molds behavior and expectations in ways that reinforce the state’s authority.

Its design reflects China’s governing philosophy of centralized control, national data sovereignty, and cyber hegemony. By asserting that information space is equivalent to territorial space, the firewall operationalizes Beijing’s belief that sovereignty extends to the digital domain. The system’s modular architecture, spanning deep packet inspection, SNI filtering, proxy interception, and state-managed content platforms, embodies a deliberate strategy to consolidate both power and legitimacy. It is not merely defensive but expansive: a mechanism for shaping global discourse, setting technical standards, and projecting influence abroad through the export of both infrastructure and ideology.
The evidence parsed from this leak lays bare the breadth and ambition of that vision. At home, the firewall enforces compliance and blunts dissent, ensuring that political stability is reinforced through technological design. Abroad, it provides a model for regimes seeking to replicate China’s balance of control and growth, creating a coalition of states aligned around the principles of cyber sovereignty. Taken together, the GFW is less an isolated technology than it is a strategic doctrine, one that defines China’s path toward digital authoritarianism and seeks to normalize it as a global standard.

See the Great Firewall's technical blueprint. DomainTools Investigations details the TSG core, packet interception methods, and routines that detect tools like V2Ray/Psiphon.
Summary
This second installment in our series on the Great Firewall of China (GFW) focuses on the intricate technical infrastructure, operational logic, and strategic design underpinning China’s censorship ecosystem. Drawing from over 7,000 files in the 500GB GFW data dump, including internal spreadsheets, Visio network diagrams, packet captures, and metadata-rich control logs, this analysis offers an unprecedented reconstruction of the surveillance architecture at the heart of China's digital control apparatus.
At the core is the Traffic Secure Gateway (TSG) system: a modular, exportable DPI platform capable of application-layer proxying, SSL/TLS interception, and centralized policy enforcement. Designed with scale in mind, TSG is deployed across both national ISP backbones and regional access points, working in tandem with centralized command hubs such as the YGN Center. Integration with tools like Cyber Narrator, a suspected GFW dashboard, enables real-time session inspection, keyword flagging, and ruleset propagation across decentralized enforcement nodes.
Filtering is layered: SNI-based TLS detection isolates encrypted circumvention traffic (e.g., Psiphon, Shadowsocks, V2Ray), while URL, host header, and DNS hijack strategies block, redirect, or monitor suspect endpoints. Logs extracted from Redis telemetry, gohangout sessions, and custom firewall agents reveal fine-grained behavioral fingerprinting, tying user sessions to device IDs, session states, and remote IP patterns in near real time. The system also captures malformed packets, port scan anomalies, and misconfigured mirrors, supporting active countermeasure deployment through automated probe and reset mechanisms.
From spreadsheets detailing app endpoint behavior, user monitoring intervals, and hardware configurations to blueprint files illustrating node relationships and control flows, the data illustrates a highly centralized yet distributed architecture, built on cooperation between state-run ISPs, telecom vendors, university research labs, policy-design entities like the NCSC (National Counterintelligence and Security Center) and teams linked to Fang Binxing, the so-called father of the Great Firewall.
This report not only reveals how the GFW works but maps the operational logic, software structure, and institutional alignment driving it, setting the stage for deeper adversarial modeling and red team exploration in future entries.
The Great Firewall’s Purpose
The Great Firewall (GFW) is not merely a tool for filtering websites; it is the centerpiece of China’s digital repression strategy. Its technical architecture is designed not just to block content, but to control the behavior and perceptions of its users. Through mechanisms like Deep Packet Inspection (DPI), Server Name Indication (SNI) filtering, and active probing, the system enforces a state-defined version of reality where politically sensitive terms, foreign platforms, and civil society organizing are algorithmically suppressed. But beyond the code and configurations lies a deeper objective: manufacturing consensus by eliminating dissent before it forms. Through the GFW, the Chinese state does not only censor; it conditions. Platforms are scrubbed of forbidden narratives, while alternatives are either inaccessible or functionally degraded. Algorithms elevate compliant content and bury or erase anything that deviates from sanctioned ideology. This digital architecture is authoritarianism by proxy, embedding the logic of repression into every protocol layer.
At the same time, the GFW plays a crucial role in insulating China from global digital ecosystems. This is not just about keeping foreign narratives out; it is also about shielding Chinese data, behavior, and innovations from foreign intelligence collection and influence. The segmentation of China’s IPv6 networks, DNS sinkholes, and blackholing of VPN traffic represent a strategic decoupling from the global internet. Services like YouTube, Twitter, and Google are not merely blocked for ideological reasons; they are systematically replaced by domestic alternatives (e.g., Weibo, Baidu, Youku) which the state can surveil and manipulate. This creates a bifurcated internet: a “Splinternet” in which Chinese users live in an entirely separate informational universe, one optimized for control and ideological alignment. In this way, the GFW is both sword and shield, censoring the flow of dangerous information and shielding the population from outside influence, while enabling precise surveillance through data centralization and metadata capture. We will cover more on these issues in part three of this series on the Great Firewall: Inside The Great Firewall Part 3: Geopolitical and Societal Ramifications.
Vendor Integration: Building the Hardware and Software Foundations of the Great Firewall
The Great Firewall (GFW) is not a single product built by one agency; it is a distributed ecosystem of hardware, firmware, and software contributed by dozens of Chinese technology companies, each providing specialized modules under the supervision of state ministries. While telecommunications giants like China Telecom, China Unicom, and China Mobile operate the backbone infrastructure, the technical scaffolding of the firewall is delivered by a tightly knit network of trusted vendors and research labs. These vendors supply the routers, DPI (Deep Packet Inspection) cards, cryptographic modules, firmware updates, and orchestration platforms that allow the GFW to adapt to new protocols, scale across regions, and enforce rules at both the packet and behavioral levels.

One illustrative example from the leaked data is A Hamson Technology Co., Ltd., a company specializing in trusted computing, secure CPUs, cryptographic chips, and embedded operating systems. Corporate materials show that A Hamson counts among its customers the People’s Bank of China, State Grid, telecom carriers, and the Ministry of Public Security, all organizations appearing repeatedly in the metadata and spreadsheets of the GFW dataset. This vendor’s expertise in secure embedded systems and cryptographic modules aligns closely with what is visible in the leak: router firmware customized for keyword filtering, MAAT logs referencing embedded modules, and OA spreadsheets documenting device-level “责任人” (responsible person) fields for trusted platform modules. Such vendors effectively build the “trusted endpoints” of the GFW, routers, DPI blades, and gateways that are not just network devices but active surveillance nodes, capable of memory inspection, SNI fingerprinting, and remote policy injection.
Beyond A Hamson, the dataset also references vendors like Venustech, Topsec, and Huaxin, each of which has long been suspected of Ministry of State Security (MSS) affiliation. These firms provide everything from traffic shaping algorithms to exportable control interfaces and smart gateway solutions, which can be adapted for both domestic censorship and overseas “cyber sovereignty” projects. By coordinating multiple vendors under unified policy frameworks, the Chinese state achieves two objectives simultaneously: it keeps censorship infrastructure modular and upgradable, and it insulates the core policy apparatus from direct exposure by dispersing technical tasks to “private” firms under national security mandates.

This structure explains the compartmentalized spreadsheets and Visio maps in the leak: regional operators work with vendor-supplied devices and dashboards but do not see the full system, and vendors deliver modules that comply with MSS or MIIT standards without controlling overall policy. Together, this forms a state-industrial censorship complex that blends the agility of commercial R&D with the reach of government enforcement.
Core Technical Components
The Great Firewall (GFW) operates as a modular and hierarchical censorship system combining centrally managed orchestration with regionally distributed enforcement nodes. Its architecture, as revealed by internal logs and configuration schemas, revolves around dynamic packet inspection, traffic shaping, and fingerprint-based blocking, executed across both internet backbone infrastructure and local telecom gateways. At the core of this system lie Deep Packet Inspection (DPI) modules, which process TCP streams in real-time to extract HTTP headers, inspect TLS handshakes, and apply keyword filtering. These modules enforce protocol-aware blocking, often dynamically reacting to new patterns of encrypted circumvention traffic. Telemetry from MAAT (Monitoring and Analysis Audit Toolkit) exports and Gohangout logs show that DPI modules interface directly with Redis-backed rule engines to push immediate session resets or trigger stream flags. The presence of advanced JA3 and SNI fingerprinting, evidenced by log extracts matching V2Ray and Psiphon, demonstrates the GFW’s ability to identify encrypted channels even when domain information is obfuscated.

Additional files, including firewall monitoring exports and BGP route tables, indicate use of BGP prefix injection and routing hijacks, especially in cases of sinkhole or honeyport deployment. Sinkhole coordination appears distributed across regional telecom nodes, as seen in logs tied to "路由下发" (route issuance). IPv6 traffic is not exempt; spreadsheets such as “境内谷歌IPv6地址段” list specific address segments under active inspection, suggesting asymmetric routing filters or targeted isolation tactics. Finally, endpoint fingerprinting and active probing are routine: .vid telemetry exports show automated DNS/TLS/HTTP queries launched against suspected VPN exit nodes, with results fed into classification systems or further flagged for human review. This automation, spread across regionally deployed scanning agents, highlights a highly adaptive censorship strategy, one capable of matching user behavior to packet behavior in near real-time.
Monitoring and Logging Systems
The monitoring and logging infrastructure of the Great Firewall (GFW) is designed for pervasive visibility, continuous telemetry, and real-time policy enforcement. Key components include MAAT (Modular Automated Analysis Tool), Gohangout (a high-performance log processing framework), and Redis (a high-throughput in-memory data structure store), particularly the variant identified in logs as sd-redis. System logs such as firewall.sd.maat.status.txt capture status messages from firewalls across deployment nodes, indicating active polling of system states, service health, and traffic patterns. Meanwhile, MAAT acts as a central log aggregator and decision engine, ingesting stream data to feed classification engines. Gohangout configurations point to regex-based pattern extraction of domain names and behavior-triggered tags, likely used for classifying traffic by threat or censorship priority. Redis, via scripts like sd-redis-cli-info.txt, reveals in-memory statistics used for measuring response times, anomaly spikes, and user-session correlation.

More granular insights emerging from SQL-based telemetry indicate the GFW taps directly into production-level application telemetry, not just edge packet flows. This means that the system has visibility into how users are interacting with services in real-time, including authentication failures, long page loads, or forbidden response codes. These signals are likely used to dynamically update blacklists and whitelists, which are crucial components in filtering decisions. Blacklists identify VPN exit nodes, encrypted tunnel endpoints, and known circumvention platforms like Psiphon or V2Ray, while whitelists allow permitted services or government-approved content to flow without interference. Updates to these lists are driven by anomaly detection from the logs, matching both metadata (e.g., JA3/TLS fingerprints) and behavioral anomalies (e.g., repeated failed DNS queries or non-standard TLS extensions). This constant feedback loop demonstrates how the GFW is not just reactive but built for adaptive enforcement based on real-world usage patterns.
Endpoint and Device Mapping
One of the most revealing aspects of the Great Firewall (GFW) leak is the explicit linkage between physical infrastructure and the control logic that drives censorship operations. By cross-referencing internal spreadsheets along with telemetry logs from MAAT (Modular Application Audit Telemetry), we’ve reconstructed granular models that map the physical topology of surveillance networks to the logical flow of filtering and monitoring policies. Graphviz-based visualizations built from this data show how data packets are routed through a hierarchy of hardware, from edge-facing routers at telecom interchanges to midstream relays and deep packet inspection (DPI) modules. These DPI systems act as the primary content-filtering engines, enforcing keyword blacklists and TLS (Transport Layer Security) fingerprint-based rules. The data also identifies specific traffic redirection mechanisms, like sinkhole destinations, BGP (Border Gateway Protocol) rerouting triggers, and load-balancing scripts that dynamically respond to policy hits, suggesting an adaptive, programmable censorship environment.

What makes this infrastructure exceptionally traceable is the metadata present in device tracking sheets. Fields such as 设备类型 (Device Type), IP地址 (IP Address), 带宽 (Bandwidth), 使用率 (Usage Rate), and 责任人 (Responsible Party) expose a highly structured assignment of surveillance functions to individual device nodes and their regional operators. For example, specific router and relay MAC (Media Access Control) addresses are associated with application-layer inspection tasks or DNS query interception, depending on their role in the broader hierarchy. In tandem, OA (Office Automation) service logs and deployment documents indicate a centralized remote configuration push capability, allowing administrators in Beijing or provincial control centers to dispatch policy changes or firmware updates directly to edge units across the country. This strongly implies the presence of a secure command-and-control orchestration layer built atop LDAP-authenticated dashboards, with remote agents capable of rule enforcement and update ingestion in near real-time. The entire apparatus, as described in these files, operates as a tightly integrated censorship-industrial network with both technical and bureaucratic chains of command.
Behavioral Prediction Engines: Predictive Enforcement at National Scale
One of the most revealing discoveries from the leaked GFW dataset is the use of behavioral prediction systems that go beyond static rule enforcement. Evidence from application-layer sketch logs, memory and query telemetry and endpoint capture systems suggests the existence of real-time statistical baselining tools built to flag, and even act on, traffic that deviates from normal patterns before it explicitly violates any censorship policies.

These prediction mechanisms appear tightly integrated into the MAAT subsystem, where per-user session profiles are maintained and continuously compared against historical baselines. When a session exhibits abnormal latency, memory footprint, or access patterns, such as extended encrypted sessions, unexpected TLS version negotiation, or traffic bursts to unclassified IPs, the system preemptively routes the session through enhanced inspection modules, or terminates it altogether. This is done via a combination of Redis-based anomaly detectors, custom flagging in slow SQL query tables, and policy propagation recorded in MAAT static log sheets.
Notably, the system doesn’t only act after detection. For example, users opening encrypted proxies such as Shadowsocks or V2Ray may experience injection of failure responses or artificial latency even before their SNI or packet signatures match known blacklists. This illustrates that the GFW is not simply reactive; it is predictive. By monitoring systemic telemetry (CPU stats, session duration, port stability, TLS behavior), the firewall infers which sessions are likely to be circumvention attempts and flags them before content is even exchanged.
In essence, this subsystem makes the GFW function as a national-scale anomaly detection engine, assigning implicit trust scores to sessions in real time, and adapting its inspection depth accordingly. This significantly raises the bar for circumvention tool developers, as evading detection now requires mimicking not only protocol signatures but behavioral baselines, making tools like Psiphon or Lantern more vulnerable to dynamic fingerprinting.
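The per-user baselining described in this section, as an added example that is not code from the leak or from the report's authors: a Welford running baseline over session features the text names (session duration, bytes sent, share of traffic to unclassified destinations, TLS version), with the score mapped to pass, enhanced inspection, or termination. The user ids, feature names, thresholds and session records are constructed, and the cold-start case shows that a user with no history cannot be scored at all.

```python
import math
from collections import defaultdict

# Per-session numeric features drawn from the text's examples (the names are assumptions).
FEATURES = ("duration_s", "bytes_out", "unclassified_dst_ratio")


class RunningStats:
    """Welford's online mean/variance: a baseline updated per session without keeping history."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def zscore(self, x):
        if self.n < 2:
            return 0.0                            # no baseline yet: nothing can be judged
        std = math.sqrt(self.m2 / (self.n - 1))
        if std == 0.0:
            return 0.0 if x == self.mean else float("inf")
        return (x - self.mean) / std


class SessionBaseliner:
    """Scores each session against its own user's history and maps the score to an action."""

    def __init__(self, inspect_at=2.0, terminate_at=4.0):
        self.inspect_at, self.terminate_at = inspect_at, terminate_at   # assumed thresholds
        self.stats = defaultdict(lambda: {f: RunningStats() for f in FEATURES})
        self.tls_seen = defaultdict(set)

    def score(self, session):
        """Largest absolute z-score over the features, plus a bump for an unseen TLS version."""
        user, score, reasons = session["user"], 0.0, []
        for f in FEATURES:
            z = abs(self.stats[user][f].zscore(session[f]))
            score = max(score, z)
            if z >= self.inspect_at:
                reasons.append(f"{f}: z={z:.1f}")
        seen = self.tls_seen[user]
        if seen and session["tls_version"] not in seen:
            score = max(score, self.inspect_at)
            reasons.append(f"tls_version {session['tls_version']} not in {sorted(seen)}")
        return score, reasons

    def decide(self, session):
        score, reasons = self.score(session)
        if score >= self.terminate_at:
            action = "terminate"
        elif score >= self.inspect_at:
            action = "enhanced_inspection"
        else:
            action = "pass"
        return action, reasons

    def learn(self, session):
        """Fold a session into the baseline (call after the decision, never before it)."""
        for f in FEATURES:
            self.stats[session["user"]][f].update(session[f])
        self.tls_seen[session["user"]].add(session["tls_version"])


def make_session(**overrides):
    """Constructed session record for user u1; overrides change one or more fields."""
    session = {"user": "u1", "duration_s": 85, "bytes_out": 15000,
               "unclassified_dst_ratio": 0.05, "tls_version": "1.2"}
    session.update(overrides)
    return session


def demo():
    """Warm a baseline with five ordinary sessions, then score five new ones."""
    engine = SessionBaseliner()
    history = zip((60, 70, 80, 90, 100), (10000, 12000, 14000, 16000, 18000),
                  (0.0, 0.1, 0.0, 0.1, 0.0))
    for duration, out, ratio in history:
        engine.learn(make_session(duration_s=duration, bytes_out=out,
                                  unclassified_dst_ratio=ratio))
    return {
        "typical": engine.decide(make_session()),
        "slightly_long": engine.decide(make_session(duration_s=120)),
        "long_upload": engine.decide(make_session(duration_s=3600, bytes_out=900000)),
        "new_tls_version": engine.decide(make_session(tls_version="1.3")),
        "cold_start_user": engine.decide(make_session(user="u2", duration_s=3600)),
    }
```

The "long_upload" session is an ordinary large transfer, yet it scores far above the termination threshold, which is the collateral damage a baseline-driven scheme produces by design.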
Modular App Fingerprinting and Decision Systems
One of the most revealing components in the leaked dataset is the presence of a modular, multi-layered application fingerprinting system, which underpins much of the Great Firewall’s real-time traffic classification and enforcement logic. This system is not simply reliant on domain blacklists or static protocol rules but employs a dynamic, pluggable architecture where different modules, working in tandem, evaluate attributes of encrypted and plaintext traffic. The system performs deep traffic inspection based on JA3 TLS fingerprints (a method of profiling TLS client handshakes), Server Name Indication (SNI) strings, DNS query patterns, packet timing, and destination port behavior. Multiple heuristic layers are involved, where traffic is matched against known circumvention tools like Psiphon, Shadowsocks, and V2Ray, as well as commercial proxies and enterprise VPN suites.

The GFW’s fingerprinting pipeline does not stop at static rule matches. Once traffic flows are parsed by protocol modules, they are routed through behavioral filters that assess timing, packet size variability, and entropy characteristics. These traits are then scored by a lightweight machine learning classifier which, as seen in logs and decision outputs, assigns a confidence level to the classification. Depending on this confidence score, the decision engine passes traffic, flags it for review, or immediately disrupts the connection. This adaptive model, visible in both .maat telemetry and control command logs, suggests that the GFW does not operate purely on static lists, but instead evolves in near-real time by observing patterns and feeding results into training datasets. As a result, circumvention tools face a constantly shifting defensive surface, requiring continuous adaptation to avoid detection.
Decentralized Command Queues and Update Propagation
Another advanced feature uncovered in the dataset is the GFW’s tiered command-and-control architecture, which utilizes decentralized command queues to propagate filtering rules, scan directives, and session control policies to regional enforcement nodes. This structure is not strictly top-down, but instead reflects a hub-and-spoke model whereby provincial or municipal GFW agents synchronize with national control hubs, receiving filtering updates while also reporting telemetry and detection feedback upstream. Evidence of this architecture is found in the spreadsheets and text files, which show user roles, scheduled update logs, and endpoint classifications across different administrative regions (e.g., Hebei, Guangdong, Shandong).

Update propagation mechanisms leverage remote configuration push systems, likely built atop web-based dashboards and LDAP-authenticated portals. These dashboards, visible in screenshot metadata and firewall controller logs, allow mid-tier administrators to schedule specific control flows, like blacklisting domains, injecting TCP RST packets, or initiating SNI-based filtering routines, targeted to regionally scoped IP ranges. Importantly, logs document queue flushing events and propagation success messages, indicating that rule updates are both time-sensitive and segmented by endpoint type. This modular push architecture ensures that detection heuristics and filtering capabilities can be deployed asymmetrically, tailored to regional priorities, while maintaining coherence across the national censorship system. It reflects a careful balance between operational flexibility and central control.
TLS Fingerprinting and Misclassification Errors
One of the more subtle yet technically revealing aspects of the Great Firewall (GFW) uncovered in the dataset is its heavy reliance on TLS fingerprinting mechanisms, including SNI (Server Name Indication) filtering and JA3 hashing. These techniques allow the system to classify encrypted traffic streams based on patterns in the TLS handshake process without decrypting content. The presence of logs and spreadsheets detailing SNI strings, matched fingerprints, and decision rules indicates that GFW operators are deploying modern passive fingerprinting to identify circumvention tools such as V2Ray, Shadowsocks, and Psiphon, even when encryption obfuscates content.

However, the sophistication of this fingerprinting is limited by its deterministic nature. Probe logs and several domain block tables demonstrate that the firewall infrastructure occasionally misclassifies benign traffic, particularly when updates to JA3-based signatures lag behind app version changes or new cipher suite deployments. Several documented instances show IP addresses or domain names related to major cloud providers like AWS or Google Cloud being blackholed or scanned due to signature collisions with VPN protocols. These “false positives” result in degraded user experience, unjustified blocking of non-malicious content, and in some cases, traffic rerouting to sinkholes.
The logs also show evidence of manual overrides or rule exceptions being implemented in response to these false positives, particularly in files documenting snapshot telemetry or slow query logs. This suggests that while the GFW employs sophisticated fingerprinting techniques, its architecture still requires human intervention to fine-tune classifications and mitigate over-blocking. These observations speak to the brittle nature of relying on opaque machine-learned or static TLS fingerprints at scale, especially when interacting with a fast-evolving internet ecosystem. In practice, the GFW’s fingerprinting capabilities walk a tightrope between aggressive censorship and functional collateral damage, revealing exploitable pressure points for both adversarial red teams and policy advocates.
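The JA3/SNI pipeline described under "Modular App Fingerprinting" and the signature collisions discussed in this section, as one added example (not code from the leak or from DomainTools): it assembles a TLS ClientHello, extracts the SNI and the JA3 string, and shows that two clients sharing a handshake shape hash to one signature, so only a manual SNI override separates the proxy from the cloud storage client. The hostnames, cipher and extension lists, and the signature table are constructed assumptions.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomised placeholders; JA3 drops them so they do not
# change the fingerprint from one handshake to the next.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}

# Constructed handshake shape shared by both sample clients (not a real tool's fingerprint).
SAMPLE_SHAPE = {
    "ciphers": [0x1301, 0x1302, 0xC02B, 0xCCA9],
    "extensions": [0x0A0A, 0, 10, 11, 13, 43],    # GREASE, server_name, groups, formats, ...
    "groups": [0x0A0A, 0x001D, 0x0017],            # GREASE, x25519, secp256r1
    "point_formats": [0],
}


def build_client_hello(sni, ciphers, extensions, groups, point_formats):
    """Assemble a minimal TLS ClientHello record (constructed test data, not a capture)."""
    ext_blob = b""
    for etype in extensions:
        if etype == 0:                                    # server_name
            name = sni.encode()
            body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        elif etype == 10:                                 # supported_groups
            body = struct.pack("!H", 2 * len(groups))
            body += b"".join(struct.pack("!H", g) for g in groups)
        elif etype == 11:                                 # ec_point_formats
            body = bytes([len(point_formats)]) + bytes(point_formats)
        else:                                             # other/GREASE: empty body
            body = b""
        ext_blob += struct.pack("!HH", etype, len(body)) + body
    hello = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # version, random, no session id
    hello += struct.pack("!H", 2 * len(ciphers))
    hello += b"".join(struct.pack("!H", c) for c in ciphers)
    hello += b"\x01\x00"                                      # one compression method: null
    hello += struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _ja3_join(values):
    return "-".join(str(v) for v in values if v not in GREASE)


def parse_client_hello(record):
    """Return (sni, ja3_string) for a ClientHello record; raise ValueError if malformed."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", body[0:2])[0]
    pos = 34 + 1 + body[34]                                  # skip random and session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                     # skip compression methods
    sni, ext_types, groups, formats = "", [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types.append(etype)
            if etype == 0 and len(data) >= 5:
                sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii", "replace")
            elif etype == 10 and len(data) >= 2:
                n = struct.unpack("!H", data[0:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11 and len(data) >= 1:
                formats = list(data[1:1 + data[0]])
    ja3 = ",".join([str(version), _ja3_join(ciphers), _ja3_join(ext_types),
                    _ja3_join(groups), _ja3_join(formats)])
    return sni, ja3


def classify(record, signatures, sni_allowlist=()):
    """Look the JA3 hash up in a signature table; the SNI allowlist models the manual overrides."""
    sni, ja3 = parse_client_hello(record)
    digest = hashlib.md5(ja3.encode()).hexdigest()
    label = signatures.get(digest, "unknown")
    if label != "unknown" and sni in sni_allowlist:
        label = "allow (override)"
    return sni, digest, label


def demo():
    """Two clients with one handshake shape: the signature alone cannot tell them apart."""
    proxy = build_client_hello("proxy.example", **SAMPLE_SHAPE)
    cloud = build_client_hello("storage.cloud.example", **SAMPLE_SHAPE)
    _, proxy_ja3 = parse_client_hello(proxy)
    signatures = {hashlib.md5(proxy_ja3.encode()).hexdigest(): "suspected-proxy"}  # constructed
    return {
        "proxy": classify(proxy, signatures),
        "cloud_naive": classify(cloud, signatures),
        "cloud_override": classify(cloud, signatures, sni_allowlist={"storage.cloud.example"}),
    }
```

Because the hash covers only the handshake shape, every client built on the same TLS library version lands on the same signature, which is exactly the lag-and-collision failure the logs record.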
Protocol Deviation Handling and Anomaly Isolation
Another subtle yet technically sophisticated component of the Great Firewall (GFW) is its capability to detect and respond to protocol deviations, instances where data flows do not conform to expected standards of HTTP, TLS, DNS, or QUIC traffic. These deviations are typically indicators of encrypted tunneling, obfuscation frameworks, or non-standard clients used for circumvention. The leaked telemetry logs, configuration spreadsheets, and packet inspection schemas provide evidence that the GFW uses a multi-layered response strategy against these anomalies.

At the first stage, stateful inspection engines scan for malformed packet structures, mismatched content-length headers, improper TLS handshake sequences, and DNS replies with unusual TTL values. Tools such as firewall.sd.maat.status.txt, slow query logs, and Redis-backed memory logs show that non-compliant behaviors are tagged with metadata flags like PROTO_DEVIATE, NONSTD_HEADER, or QUIC_FAULT. These sessions are then passed into either temporary quarantine routes, such as blackhole redirect IPs, or passed along for active probing to test for evasive tunneling behavior.
The second stage involves traffic replay and anomaly simulation, where the GFW replicates offending traffic patterns and injects them into sandboxed environments to confirm whether the payload corresponds to obfuscated VPNs, HTTP tunnels, or unauthorized encryption schemes. Logs document timed replay payloads and outbound test probes using crafted TLS or DNS packets. Some deviations are further escalated to manual triage teams or flagged in Graphviz-style flow control diagrams embedded in .vsd Visio files.
This protocol deviation handling system showcases not only the depth of the GFW’s reactive controls but also its ability to learn from emergent behavior, update heuristics dynamically, and enforce policy not just on known bad domains or IPs, but on the shape and rhythm of communication patterns themselves. This makes circumvention more difficult, as developers must now account for not only static blocklists but also behavioral anomaly detection systems embedded within China’s censorship infrastructure.
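The first-stage checks described above, as an added example that is not taken from the leaked telemetry: constructed HTTP, TLS, DNS and QUIC samples are tagged with the flag names the logs use (PROTO_DEVIATE, NONSTD_HEADER, QUIC_FAULT), and any flagged session is routed to quarantine for deeper review. The TTL window, the set of known QUIC versions, and the samples are assumptions.

```python
import struct

# QUIC versions treated as known (constructed set): v1 (RFC 9000) and draft-29.
KNOWN_QUIC_VERSIONS = {0x00000001, 0x6B3343CF}
TTL_MIN, TTL_MAX = 30, 7 * 86400            # assumed plausible TTL window, in seconds


def inspect_http(raw):
    """Tag a raw HTTP request: bad request line -> PROTO_DEVIATE, header faults -> NONSTD_HEADER."""
    flags = set()
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["PROTO_DEVIATE"]                 # never saw a header terminator
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        flags.add("PROTO_DEVIATE")               # not an HTTP request line at all
    declared = None
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or b" " in name:
            flags.add("NONSTD_HEADER")           # malformed header line
            continue
        if name.lower() == b"content-length":
            if value.strip().isdigit():
                declared = int(value.strip())
            else:
                flags.add("NONSTD_HEADER")
    if declared is not None and declared != len(body):
        flags.add("NONSTD_HEADER")               # Content-Length does not match the body seen
    return sorted(flags)


def inspect_tls_sequence(records):
    """A client's first TLS record must be a handshake record carrying a ClientHello."""
    if not records or len(records[0]) < 6:
        return ["PROTO_DEVIATE"]
    first = records[0]
    return [] if first[0] == 0x16 and first[5] == 0x01 else ["PROTO_DEVIATE"]


def inspect_dns_ttl(ttl):
    """TTLs far outside the usual window are typical of DNS-based tunnels, which avoid caching."""
    return [] if TTL_MIN <= ttl <= TTL_MAX else ["PROTO_DEVIATE"]


def inspect_quic_initial(pkt):
    """The first packet of a flow must be a long-header packet with a known version."""
    if len(pkt) < 5 or not pkt[0] & 0x80:
        return ["QUIC_FAULT"]                    # short header before any handshake
    version = struct.unpack("!I", pkt[1:5])[0]
    if version == 0:
        return []                                # version negotiation is legitimate
    return [] if version in KNOWN_QUIC_VERSIONS else ["QUIC_FAULT"]


def triage(session):
    """Run every applicable check and pick a route: forward, or quarantine for deeper review."""
    flags = set()
    if "http" in session:
        flags.update(inspect_http(session["http"]))
    if "tls_records" in session:
        flags.update(inspect_tls_sequence(session["tls_records"]))
    if "dns_ttl" in session:
        flags.update(inspect_dns_ttl(session["dns_ttl"]))
    if "quic" in session:
        flags.update(inspect_quic_initial(session["quic"]))
    return sorted(flags), ("quarantine" if flags else "forward")


# Constructed sessions, one per check (not taken from the leaked telemetry).
SAMPLES = {
    "clean_http": {"http": b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"},
    "length_mismatch": {"http": b"POST /up HTTP/1.1\r\nHost: example.test\r\n"
                                b"Content-Length: 5\r\n\r\nabc"},
    "tls_on_http_port": {"http": b"\x16\x03\x01\x00\x2a\x01" + bytes(42) + b"\r\n\r\n"},
    "appdata_first": {"tls_records": [b"\x17\x03\x03\x00\x10" + bytes(16)]},
    "tiny_ttl": {"dns_ttl": 1},
    "unknown_quic": {"quic": b"\xc0\xde\xad\xbe\xef" + bytes(20)},
    "clean_quic": {"quic": b"\xc0\x00\x00\x00\x01" + bytes(20)},
}


def run_samples():
    return {name: triage(session) for name, session in SAMPLES.items()}
```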
Integration of Surveillance Platforms and Data Fusion
One of the more formidable aspects of the Great Firewall’s (GFW) evolution is the integration of real-time network filtering with broader surveillance ecosystems. The data assessed from the 500GB breach confirms that firewall telemetry, such as flagged sessions, packet capture metadata, and access anomalies, is not siloed within the GFW apparatus. Instead, it feeds into centralized repositories where it is correlated with endpoint identity, system behavior, application telemetry, and even social profiling signals.

Logs analyzed from MAAT, sd-redis, and snapshot exports show distinct identifiers being used across firewall records, system monitors, and application-layer access logs. These identifiers, most notably persistent UUIDs, IMEI/IMSI hashes, and partial SSO tokens, indicate cross-platform tagging, likely used for behavioral correlation. This is supported by spreadsheets listing VPN server hits alongside cached user session data, and references to location-aware scanning logic embedded in regional configuration files. The presence of fields like 责任人 (responsible person) and user-role tags in spreadsheet metadata further indicates that system usage is attributable, not anonymized.
What emerges is a picture of data fusion at scale, where censorship enforcement is not merely technical, but linked to identity and reputation systems. It is likely that flagged activity within the GFW can escalate to surveillance review queues in platforms such as Skynet (天网) and Sharp Eyes (雪亮工程), integrating with national security databases. In this architecture, the GFW is not a wall, but a sieve, detecting, classifying, logging, and escalating infractions across bureaucratic and technological layers. The Chinese censorship regime thus operates not only as an information filter, but as a reputational sorting system, linking digital behavior to administrative consequences.
Remote Command Injection and Centralized Control Queues
One of the most significant revelations within the Great Firewall dataset is the use of remote command injection frameworks for real-time policy updates and enforcement. Analysis of the files, combined with metadata from .vsd network maps and firewall.sd.maat.status, suggests that the GFW supports a centralized command-and-control (C2) model for dynamically managing its censorship rules and behavioral triggers.

Unlike static firewall configurations typically associated with traditional network perimeter defense, the GFW employs push-based command execution. These are delivered to regional or localized DPI appliances, surveillance nodes, and edge routers via a tiered orchestration mechanism. The presence of fields like 部署方式 (deployment mode), 指令同步策略 (instruction synchronization strategy), and 责任人 (responsible party) in the spreadsheet metadata illustrates a delegated enforcement model, where operators across various provinces and telecom backbones receive and execute filtering updates issued from a central authority, likely situated within Beijing or under Ministry of State Security (MSS) control.
The logs reveal that rule updates are batched and tagged with timestamps, UUIDs, and content categories, such as “VPN,” “sensitive term,” or “foreign platform.” In some cases, these are deployed with rollback triggers and can be toggled based on traffic spikes, public sentiment monitoring, or new circumvention tool detection. Custom scripts also suggest that updates can target infrastructure selectively, for example, only IPv6 subnets within 联通 (Unicom) in a specific region, or only mobile application traffic over TLS 1.3 from certain devices.
In essence, this system is not a passive firewall but a living censorship organism, capable of autonomous adaptation and centrally coordinated behavior modification. These command injection pathways are also likely tied into the metadata-based identity tracking system that feeds into China’s broader surveillance and social credit scoring architectures, ensuring that information control can be tuned at the individual, device, or regional level in real time.
China’s Social Credit Score System and the Great Firewall
The Chinese Social Credit Score System (SCS) is a sprawling, state-coordinated framework designed to promote "trustworthiness" and "moral behavior" among citizens, corporations, and institutions. Rooted in both government regulation and commercial participation, the system aggregates a wide array of behavioral, financial, legal, and social data to assign reputation-based scores to individuals and entities. The system is coordinated by central authorities like the National Development and Reform Commission (NDRC), the People’s Bank of China, and the Ministry of Public Security (MPS), with significant technical input from the Cyberspace Administration of China (CAC). These agencies collect data from legal rulings, bank transactions, police records, and even online activity logs. Citizens with high scores receive benefits such as loan approvals and travel priority, while low scores may lead to travel bans, throttled internet, and social blacklisting. Localized implementations by provincial governments and private corporations, such as Alibaba's Sesame Credit, create further layers of scoring, often blending regulatory enforcement with commercial incentives.


Within this architecture, the Great Firewall (GFW) acts as a technical enforcement and behavioral surveillance mechanism. Data gathered through DPI (Deep Packet Inspection), TLS interception, domain access logs, and behavioral telemetry is used to infer intent and compliance with state-defined norms. For example, users accessing blocked VPN services, attempting to reach blacklisted content, or demonstrating encrypted communication patterns may be flagged in monitoring systems like MAAT or Gohangout. These logs, in turn, feed into centralized analytics platforms that may update regional or national blacklists. Importantly, this technical data is not used only for censorship; it is increasingly integrated into risk models that feed back into the social credit system. The GFW thus becomes more than a digital barrier; it acts as a behavioral sieve, shaping how trustworthiness is algorithmically defined and enforced across China. This convergence of technical infrastructure and socio-political governance represents a profound fusion of surveillance capitalism and state control, with escalating implications for digital human rights.
Conclusion
The Great Firewall’s architecture is not a singular construct but a federated, modular system that reflects a deeply integrated model of scalable repression and technical precision. Rather than centralized omniscience, the system operates through layered enforcement, with real-time monitoring nodes deployed at key internet exchange points (IXPs), backbone service providers, and regional telecom branches. These nodes feed data into centralized analysis engines and regional control centers, where behavioral patterns, encrypted traffic markers, and protocol anomalies are processed through tools like MAAT, Gohangout, and customized Redis-backed monitoring agents. At the application layer, heuristics detect circumvention behavior, such as the use of Psiphon, V2Ray, or Shadowsocks, using techniques like SNI filtering, JA3 fingerprinting, and connection scheduling flags. DNS responses are spoofed or dropped depending on classification rules, while sessions may be hijacked or redirected via sinkholes and TCP reset injections. The underlying telemetry reveals how regional operators execute policies set by central authorities, supported by MSS-linked vendors providing firmware, DPI modules, and command-and-control dashboards.
Despite this sophistication, the leaked data exposed fault lines, including regionally misconfigured mirrors that unintentionally broadcast blacklist UUIDs, and BGP anomalies suggesting overly aggressive routing filters. These lapses highlight both the bureaucratic silos and technical brittleness of enforcing censorship at scale. Nonetheless, the architectural strategy is resilient: it favors redundancy, localized enforcement autonomy, and reactive filtering rather than static rulesets. What emerges is not just a firewall in the traditional sense, but a living ecosystem of algorithmic governance. The next phase of analysis will step beyond the command-line telemetry and log files to examine the broader implications, the geopolitical consequences of codified information suppression, and the mounting human cost of building a surveillance state at the scale of 1.4 billion people.
APPENDIX: A File List
File list of dump translated from Mandarin
Network Research Report.docx
27712684_attachments_20220419-Zhang Qingfeng-Daily Communication Record.docx
695411_attachments_Phishing Website Detection System Manual.docx
105873423_attachments_20240423 Meeting Minutes - Feedback Version.docx
27712684_attachments_20220420-Wang Meiqi-Daily Communication Minutes.docx
695411_attachments_Appendix 1: University of Chinese Academy of Sciences Graduate Dissertation Midterm Report.docx
105873423_attachments_clearn.docx
27712684_attachments_20220420-Gao Yue-Daily Communication Minutes.docx
695452_attachments_A Method and Device for Multipath TCP Protocol Function Restriction.docx
105873423_attachments_MAAT Regularization Test.docx
27712684_attachments_April 2022 Meeting Minutes.docx
695452_attachments_Explanation on Voluntary Waiver of Remuneration for Work-Related Inventions and Creations (Template)_1.docx
105873423_attachments_MAAT Test String Regularization Test Report.docx
27716205_attachments_【Reference】Departmental Approval.docx
695452_attachments_Amplification of Reflection Attack Detection System Code.doc
105873423_attachments_MAAT Network Flow Processing Configuration Unified Description Framework - Learning Annotation Version.docx
27716205_attachments_Graduate Registration Form.doc
695452_attachments_Amplification of Reflection Attack Detection System Specification.docx
105873423_attachments_Memory Growth Problem Troubleshooting Report 20240326.docx
27716205_attachments_Attachment 1-1: Departmental Approval.docx
695452_attachments_Voluntary Waiver of Invention Benefits Statement (Template).docx
105873423_attachments_Blocking Status Query Program Abnormal Troubleshooting Process.docx
27716205_attachments_Attachment 16: Graduate Registration Form.docx
695452_attachments_Zou Yuting_University of Chinese Academy of Sciences Graduate Thesis Midterm Report.docx
105873423_attachments_Crash Information.docx
27716205_attachments_Attachment 1: Defense Application.doc
695452_attachments_Zou Yuting_University of Chinese Academy of Sciences Graduate Thesis Proposal.docx
105873423_attachments_Document Notes.docx
27716205_attachments_Attachment 21: Scientific Research Achievement Certification Template.docx
695452_attachments_Zou Yuting's Graduation Remarks.docx
105873423_attachments_Source Code Notes.docx
27716205_attachments_Attachment 2: Revision Instructions for Dissertation Revisions after the Pre-Defense.docx
695502_attachments_Regulations on the Management of Mid-term Assessments for Dissertations of the Institute of Information Engineering, Chinese Academy of Sciences (Interim).doc
105873437_attachments_20240423 Meeting Minutes - Feedback Version.docx
27716205_attachments_Attachment 4: Pre-Defense Committee Member Review Form.docx
695502_attachments_Institute of Information Engineering Master's Degree - Class of 2017 - Mid-term Assessment Registration Form - Shang Jingjing.doc
105873437_attachments_clearn.docx
27716205_attachments_Attachment 5: Doctoral Dissertation Pre-Defense Review Form.doc
695502_attachments_Institute of Information Engineering Master's Degree - Class of 2017 - Thesis Proposal - Shang Jingjing_1.doc
105873437_attachments_MAAT Regular Expression Test.docx
27720755_attachments_Attachment 17: Guidance on Writing Standards for Graduate Degree Dissertations at University of Chinese Academy of Sciences.doc
695502_attachments_Institute of Information Engineering Master's Degree - Class of 2017 - Thesis Proposal Registration Form - Shang Jingjing.doc
105873437_attachments_MAAT Test String Regular Expression Test Report.docx
27721697_attachments_Work Introduction.docx
695502_attachments_Government, Enterprise, and University Email System Security Measurement Report.docx
105873437_attachments_MAAT Network Flow Processing Configuration Unified Description Framework - Learning Annotation Version.docx
39127869_attachments_Offline Deployment SENTRY.docx
695502_attachments_Shucun Government Email System Security Measurement Report.docx
105873437_attachments_Memory Growth Troubleshooting Report 20240326.docx
39129077_attachments_OLP-BP User Manual (Dual-Fiber Bidirectional).doc
695502_attachments_Graduation Reflections.docx
105873437_attachments_Blocking Status Query Program Abnormal Troubleshooting Process.docx
39129077_attachments_Optical Protection Diversion Interoperability Instructions - Communication Instructions.docx
695502_attachments_Email Security Extension Protocol Application Analysis.docx
105873437_attachments_Crash Information.docx
39129436_attachments_Compilation Environment.docx
695502_attachments_Network Mail Service Detection System Manual.docx
105873437_attachments_Documentation Notes.docx
39129436_attachments_Video Recording.doc
695502_attachments_Design Documents.docx
105873437_attachments_Source Code Notes.docx
3.NMS Administrator Manual_V1.0_CH.docx
695502_attachments_Mail Repository Table.docx
106104952_attachments_Psiphon Phenomenon Analysis.docx
40.166 Crash Investigation Document.docx
695502_attachments_Mail Service Provider Reputation Assessment System Manual.docx
106105540_attachments_IP Traceability Report.docx
44990672_attachments_2022.04 Daily Communication Minutes.docx
695502_attachments_Email Service Provider Reputation Assessment System Source Code.docx
106105561_attachments_DPI Benchmark Test Plan.docx
44990672_attachments_20220507-Zhang Qingfeng-Daily Communication Record.docx
695502_attachments_Email System Advanced Features Description 20191022.docx
106106530_attachments_Lesson Plan and Answer Sheet.docx
44990672_attachments_20220520-Wang Meiqi-Daily Communication Minutes.docx
695678_attachments_BillGates, Mayday, and XorDDos Family Traffic Characteristics.docx
106106532_attachments_Fang Ban - Lesson Plan and Answer Sheet - Zhang Linkang.docx
44990672_attachments_20220520 - Gao Yue - Daily Communication Minutes.docx
695678_attachments_Kafka Setup Process.docx
106106535_attachments_Zhang Linkang - Lesson Plan and Answer Sheet.docx
44990672_attachments_April 2022 Meeting Minutes.docx
695678_attachments_Institute of Information Engineering Master's Degree - Class of 2017 - Thesis Proposal Registration Form - Wang Yu.doc
106107220_attachments_Defense Record.docx
44990894_attachments_(Reference Template) Appendix 9: Revision Notes for the Dissertation after Review.docx
695678_attachments_Notice on Voluntary Waiver of Remuneration for Work-Related Inventions and Creations.docx
106107951_attachments_Defense Record.docx
44990894_attachments_Attachment 9: Revision Notes for the Dissertation After Review.docx
695678_attachments_Malicious Service IPv6 Address Discovery and Assessment System Manual.docx
106109482_attachments_Li Zhuo - Defense Opinion.docx
44992427_attachments_Resolution of the Second Research Laboratory Dissertation Defense - Reference Template (including PhD and Master's) 2022.doc
695678_attachments_Malicious Service IPv6 Address Discovery and Assessment System Source Code.docx
106109964_attachments_Advantages of Upgrading_v2.doc
44992427_attachments_Attachment 14: Defense Committee Resolution and Voting Results (Reference Template).docx
695678_attachments_Graduation Reflections - Wang Yu.docx
106109964_attachments_Advantages of Text Upgrade.doc
44992427_attachments_Attachment 2: Defense Committee Resolution (Blank).docx
695678_attachments_Attachment 1: Midterm Report of Graduate Dissertation from University of Chinese Academy of Sciences - Wang Yu.docx
106109974_attachments_Kafka Component Parameters and Frequently Asked Questions.docx
47251516_attachments_2022.05 Daily Communication Minutes.docx
695678_attachments_Attachment 2: Midterm Assessment Registration Form for Graduate Dissertation from University of Chinese Academy of Sciences - Wang Yu.doc
106110644_attachments_Reflections on the Encrypted Video Content Recognition Test Invitational Competition - TikTok - Yang Chen.docx
47251516_attachments_20220601 - Zhang Qingfeng - Daily Communication Records.docx
695874_attachments_CMAF Research and Analysis.docx
106110644_attachments_Competition Exchange - Zhang Xiyuan.docx
47251516_attachments_20220620-Wang Meiqi-Daily Communication Minutes.docx
695874_attachments_Regulations on the Management of Mid-term Assessments of Degree Thesis of the Institute of Information Engineering, Chinese Academy of Sciences (Interim).doc
106110644_attachments_Competition Replay_Tang Weitao_1.docx
47253181_attachments_2022-06-01 Pre-Application Kick-off Meeting and Technical Exchange Meeting.docx
695874_attachments_Institute of Information Engineering Master's Degree - Class of 2017 - Mid-term Assessment Registration Form - Shang Jingjing.doc
106110644_attachments_Shenzhen Competition Replay_Cui Chenyang_1.docx
48042345_attachments_Spring Boot HTTPS.docx
695874_attachments_Institute of Information Engineering Master's Class of 2017 - Project Proposal - Shang Jingjing.doc
106111885_attachments_User Manual.docx
49185937_attachments_20220620 - Wang Meiqi - Daily Communication Minutes.docx
695874_attachments_Institute of Information Engineering Master's Class of 2017 - Project Proposal - Liu Youting.doc
106112252_attachments_CRDT Research.docx
49185937_attachments_2022.06 Daily Communication Minutes.docx
695874_attachments_Institute of Information Engineering Master's Class of 2017 - Project Proposal Registration Form - Shang Jingjing.doc
106113119_attachments_qps Test bind9 vscoredns.docx
49185937_attachments_20220701-Zhang Qingfeng-Daily Communication Record.docx
695874_attachments_Institute of Information Engineering Master's Degree-2017-Project Proposal Registration Form-Liu Youting.doc
106113320_attachments_Flink Troubleshooting Manual.doc
49185937_attachments_20220701-Wang Meiqi-Daily Communication Record.docx
695874_attachments_Government, Enterprise, and University Email System Security Measurement Report.docx
106113349_attachments_Apache Doris Configuration Items
106113349_attachments_Application Notes.docx
49185937_attachments_April 2022 Meeting Minutes.docx
695874_attachments_Shucun Government Email System Security Measurement Report.docx
106113365_attachments_Offline Deployment SENTRY.docx
49186474_attachments_20220715 - Gao Yue - Daily Communication Minutes.docx
695874_attachments_Graduation Reflections.docx
106113392_attachments_Optical Protection Diversion Interoperability Instructions - Communication Instructions.docx
49186474_attachments_20220715 - Zhang Qingfeng - Daily Communication Record.docx
695874_attachments_Email Security Extension Protocol Application Analysis.docx
106113394_attachments_Compilation Environment.docx
49186474_attachments_20220715 - Wang Meiqi - Daily Communication Record.docx
695874_attachments_Network Mail Service Detection System Manual.docx
106113399_attachments_Video Recording.doc
49186474_attachments_April 2022 Meeting Minutes.docx
695874_attachments_Design Documents.docx
106113405_attachments_NMS Administrator Manual_V1.0_CH.docx
49187953_attachments_20220801 - Gao Yue - Daily Communication Minutes.docx
695874_attachments_Mail Repository Table.docx
106113406_attachments_Psiphon Phenomenon Analysis.docx
49187953_attachments_20220801 - Zhang Qingfeng - Daily Communication Record.docx
695874_attachments_Mail Service Provider Reputation Assessment System Manual.docx
106113411_attachments_IP Traceability Report.docx
49187953_attachments_20220801 - Wang Meiqi - Daily Communication Record.docx
695874_attachments_Email Service Provider Reputation Assessment System Source Code.docx
106113416_attachments_DPI Benchmark Test Plan.docx
49187953_attachments_April 2022 Meeting Minutes.docx
695874_attachments_Email System Advanced Features Description 20191022.docx
106113421_attachments_Lesson Plan and Answer Sheet.docx
49189242_attachments_20220815 - Gao Yue - Daily Communication Minutes.docx
695874_attachments_BillGates, Mayday, and XorDDos Family Traffic Characteristics.docx
106113422_attachments_Fang Ban - Lesson Plan and Answer Sheet - Zhang Linkang.docx
49189242_attachments_20220815 - Zhang Qingfeng - Daily Communication Record.docx
695874_attachments_Kafka Setup Process.docx
106113423_attachments_Zhang Linkang - Lesson Plan and Answer Sheet.docx
49189242_attachments_20220815 - Wang Meiqi - Daily Communication Record.docx
695874_attachments_Institute of Information Engineering Master's Degree - Class of 2017 - Thesis Proposal Registration Form - Wang Yu.doc
106113424_attachments_Defense Record.docx
49189242_attachments_April 2022 Meeting Minutes.docx
695874_attachments_Notice on Voluntary Waiver of Remuneration for Work-Related Inventions and Creations.docx
106113425_attachments_Defense Record.docx
49190679_attachments_20220901 - Gao Yue - Daily Communication Minutes.docx
695874_attachments_Malicious Service IPv6 Address Discovery and Assessment System Manual.docx
106113426_attachments_Li Zhuo - Defense Opinion.docx
49190679_attachments_20220901 - Zhang Qingfeng - Daily Communication Record.docx
695874_attachments_Malicious Service IPv6 Address Discovery and Assessment System Source Code.docx
106113427_attachments_Advantages of Upgrading_v2.doc
49190679_attachments_20220901 - Wang Meiqi - Daily Communication Record.docx
695874_attachments_Graduation Reflections - Wang Yu.docx
106113428_attachments_Advantages of Text Upgrade.doc
49190679_attachments_April 2022 Meeting Minutes.docx
695874_attachments_Attachment 1: Midterm Report of Graduate Dissertation from University of Chinese Academy of Sciences - Wang Yu.docx
106113429_attachments_Kafka Component Parameters and Frequently Asked Questions.docx
49192059_attachments_20220915 - Gao Yue - Daily Communication Minutes.docx
695874_attachments_Attachment 2: Midterm Assessment Registration Form for Graduate Dissertation from University of Chinese Academy of Sciences - Wang Yu.doc
106113430_attachments_Reflections on the Encrypted Video Content Recognition Test Invitational Competition - TikTok - Yang Chen.docx
49192059_attachments_20220915 - Zhang Qingfeng - Daily Communication Record.docx
695874_attachments_CMAF Research and Analysis.docx
106113431_attachments_Competition Exchange - Zhang Xiyuan.docx
49192059_attachments_20220915 - Wang Meiqi - Daily Communication Record.docx
695874_attachments_Regulations on the Management of Mid-term Assessments of Degree Thesis of the Institute of Information Engineering, Chinese Academy of Sciences (Interim).doc
106113432_attachments_Competition Replay_Tang Weitao_1.docx
49192059_attachments_April 2022 Meeting Minutes.docx
695874_attachments_Institute of Information Engineering Master's Degree - Class of 2017 - Mid-term Assessment Registration Form - Shang Jingjing.doc
106113433_attachments_Shenzhen Competition Replay_Cui Chenyang_1.docx
49193421_attachments_20221001 - Gao Yue - Daily Communication Minutes.docx
695874_attachments_Institute of Information Engineering Master's Class of 2017 - Project Proposal - Shang Jingjing.doc
106113434_attachments_User Manual.docx
49193421_attachments_20221001 - Zhang Qingfeng - Daily Communication Record.docx
695874_attachments_Institute of Information Engineering Master's Class of 2017 - Project Proposal - Liu Youting.doc
106113435_attachments_CRDT Research.docx
49193421_attachments_20221001 - Wang Meiqi - Daily Communication Record.docx
695874_attachments_Institute of Information Engineering Master's Class of 2017 - Project Proposal Registration Form - Shang Jingjing.doc
106113436_attachments_qps Test bind9 vscoredns.docx
49193421_attachments_April 2022 Meeting Minutes.docx
695874_attachments_Institute of Information Engineering Master's Degree-2017-Project Proposal Registration Form-Liu Youting.doc
106113437_attachments_Flink Troubleshooting Manual.doc
49194719_attachments_20221015 - Gao Yue - Daily Communication Minutes.docx
695874_attachments_Government, Enterprise, and University Email System Security Measurement Report.docx
106113438_attachments_Application Notes.docx
49194719_attachments_20221015 - Zhang Qingfeng - Daily Communication Record.docx
695874_attachments_Shucun Government Email System Security Measurement Report.docx

Analysis of the 500GB+ Great Firewall data breach revealing China’s state censorship network, VPN evasion tactics, and the operators behind it.
A Deep Dive into China’s 500GB+ Censorship Data Breach
Introduction
In a historic breach of China’s censorship infrastructure (September 2025), over 500 gigabytes of internal data were leaked from Chinese infrastructure firms associated with the Great Firewall (GFW). Researchers now estimate the full dump is closer to 600 GB, with a single archive accounting for around 500 GB on its own.
The material includes internal source code, work logs, configuration files, emails, technical manuals, and operational runbooks. Reported totals vary by source: one count puts the dump at more than 100,000 documents (WIRED), while others report file counts in the thousands (Bitdefender).
Among the revealed artifacts are:
- RPM packaging server files (the packaging infrastructure used for distributing software artifacts)
- Project management data (Jira, Confluence) showing internal tickets, feature requests, bug reports, and deployment histories
- Communications and engineering documents showing how censorship tools are tested against VPNs, Tor, and other circumvention methods; e.g. methods of DPI, SSL fingerprinting, and filtering logic. (Tom's Hardware)
- Deployment records indicating both domestic use (provinces like Xinjiang, Fujian, and Jiangsu) and export of censorship or surveillance systems to other countries, including Myanmar, Pakistan, Ethiopia, and Kazakhstan.
This report is the first in a three-part series which aims to document the dump’s contents, analyze its technical implications, and assess the geopolitical fallout stemming from the exposure of these sensitive tools and architectures.
Evidence of Failure and Oversight
The leaked IP logs and packet captures expose critical moments where the censorship apparatus faltered, revealing the inherent fragility of the Great Firewall’s distributed enforcement model. In multiple instances, cross-border leakage routes allowed foreign IPs to establish unfiltered sessions for extended periods, suggesting delays in rule propagation, temporary policy gaps, or the failure of heuristic detection systems. These lapses demonstrate that while the system is highly surveillant, it remains reactive and inconsistently enforced across regions.
Additionally, misconfigured mirrors inadvertently exposed internal blacklist data to external interfaces. These exposures included leaked regional UUIDs and configuration files, offering rare insight into the naming conventions and structural logic of localized rule deployment. Simultaneously, honeypot deployments on high-risk ports attracted and logged adversary interactions, including traceroutes and detailed packet-level reconnaissance, suggesting that foreign entities were already probing China’s defensive perimeter. These incidents, likely overseen by regional engineers or testbed maintainers, underscore the bureaucratic brittleness of a censorship regime built on siloed enforcement layers, inconsistent rule application, and latency in central-to-edge command synchronization.
The Nature of the Dump
The dataset is a sprawling, multifaceted archive that lays bare the technical scaffolding of China's digital surveillance regime. It includes raw IP access logs from state-run telecom providers such as China Telecom, China Unicom, and China Mobile, revealing real-time traffic monitoring and endpoint interaction. Downloading and analyzing such data should be left to professionals working in isolated, protected environments, since the archive may carry malware as well as sensitive personal information.
Packet captures (PCAPs) and routing tables are paired with blackhole sinkhole exports, detailing how traffic is intercepted, redirected, or silently dropped. A trove of Excel spreadsheets enumerates known VPN IP addresses, DNS query patterns, SSL certificate fingerprints, and behavioral signatures of proxy services, offering insight into identification and blocking heuristics. Visio diagrams (.vsd/.vsdx) map out the internal firewall architecture, from hardware deployments to logical enforcement chains spanning various ministries and provinces. Application-layer logs dissect tools like Psiphon, V2Ray, Shadowsocks, and corporate proxy gateways, capturing how these are tested, fingerprinted, and throttled. The dataset also contains databases of FQDNs, SNI strings, application telemetry, and “sketch logs”, showing serialized behavioral data scraped from mobile apps. System-level monitoring exports reveal server CPU usage, memory utilization, stream session logs, and real-time user states. Crucially, metadata leaked from Word, Excel, and PowerPoint files exposes the usernames, organizational affiliations, and edit trails of engineers and bureaucrats working on censorship infrastructure. Finally, OCR-processed screenshots illustrate the UI panels of traffic control dashboards, logging mechanisms, and internal tooling, offering a visual window into how the Great Firewall is operated in practice.

The dataset includes:
- Raw IP access logs from state-run service providers (e.g., China Telecom, Unicom, Mobile)
- Packet captures (PCAPs), routing tables, and blackhole sinkhole exports
- Excel spreadsheets listing VPN IPs, DNS logs, SSL certs, and proxy service patterns
- Visio (.vsd/.vsdx) files mapping internal firewall topology and logical enforcement chains
- Application-layer analyses of tools like Psiphon, V2Ray, Shadowsocks, and enterprise proxies
- Databases of FQDNs (fully qualified domain names), SNI patterns, app telemetry, and app "sketch" logs
- Monitoring exports for CPU usage, system state, user sessions, and stream logs
- Metadata leaks from Word, Excel, and PowerPoint documents exposing usernames, organizations, and edit histories
- OCR’d screenshots showing UI interfaces of control panels and logging dashboards
The Implications of a 500GB Breach
The leak of over 500 gigabytes of internal data from China's censorship infrastructure constitutes one of the most consequential exposures in the history of digital authoritarianism. Encompassing more than 7,000 files, the dataset provides not merely an isolated glimpse but an extended, multi-dimensional forensic cross-section of the Great Firewall's operational anatomy, revealing system telemetry, logic flows, user sessions, document metadata, application analyses, and network schematics. Far from being an accidental disclosure of logs, this archive represents a curated corpus likely compiled over a prolonged period, indicating either a trusted insider with comprehensive access or a methodical and externally orchestrated data exfiltration campaign.
Two plausible breach pathways emerge from the data. First, a deep internal compromise likely stems from an operator with privileged access, potentially a systems administrator, subcontractor, or disillusioned insider, working from a centralized infrastructure hub. The breadth of materials, including internal routing tables, packet captures, monitoring exports, and user-generated documents, suggests systemic access to both operational and administrative layers of the censorship stack. Metadata uniformity and filename consistency point to deliberate organization, likely done incrementally and with operational awareness. Alternatively, the diversity of systems accessed hints at a second possibility: a coordinated external exfiltration effort carried out by a sophisticated threat actor, such as a nation-state or specialized red team. In this scenario, misconfigurations in firewalls, insecure admin panels, and segmented network seams may have been exploited to gain footholds and siphon data over time. PCAP captures, CPU load logs, and Visio diagram exports suggest persistent access and automated tooling were in play.
Regardless of the breach mechanism, the consequences are profound. Technically, much of China's detection arsenal is now open to scrutiny, replication, and evasion: VPN heuristics, DPI rule sets, SNI-based fingerprinting algorithms, and application proxy classifiers can be studied and tested against offline. Operationally, usernames, hostnames, and file authorship data risk exposing government contractors, telecom engineers, and researchers, increasing their vulnerability to naming and shaming, targeted sanctions, or exploitation by rival intelligence services. The documentation of flawed infrastructure, such as packet loss under scan load, looped sinkhole rules, and session state anomalies, presents ripe opportunities for adversarial exploitation. Strategically, this dataset arms censorship circumvention communities, policy advocates, and red teams with the ability to simulate and reverse-engineer enforcement logic, undermining the efficacy of centralized control. In sum, this breach collapses the asymmetry between censor and censored, offering, for the first time, a detailed blueprint of China’s digital surveillance leviathan.
Mapping the Human-Technical Interface
The organizational fingerprints uncovered within the leaked dataset provide a remarkably detailed view into the inner workings of the Great Firewall (GFW) and the ecosystem of actors that maintain and enforce it. Rather than a monolithic structure, the GFW emerges as a multi-tiered apparatus with clearly delineated, yet overlapping, spheres of responsibility. At the top are national censorship policy architects, likely operating under the auspices of the Ministry of State Security (MSS) or the Ministry of Industry and Information Technology (MIIT), who define strategic goals and traffic classification directives. These directives cascade down to regional enforcement units embedded within state-run ISPs like China Telecom, China Unicom, and China Mobile, where they are operationalized at backbone routers and internet exchange points. Academic collaborators, often based in state-linked institutions such as Tsinghua, USTC, or the Chinese Academy of Sciences, serve as technical force multipliers, crafting fingerprinting algorithms, traffic classifiers, and AI-driven detection heuristics. Finally, a shadow layer of software engineers and infrastructure operators maintain the technical systems, dashboards, scheduling agents, and rule propagation mechanisms that implement censorship policy at scale.

Drawing from Excel logs, packet captures, and Visio topology diagrams, a clearer human and technical map is emerging. Dozens of usernames and hostnames traced across file metadata tie specific individuals to roles such as hardware engineering, data center administration, and network research. Internal monitoring logs document the real-time execution of regional scanning scripts; app-layer inspection routines flagging encrypted VPN protocols; and automated classification of TLS handshakes through SNI fingerprinting. Further network telemetry reveals sophisticated TCP/UDP port scanning patterns, clearly aligned with foreign traffic signature identification. Notably, even as these systems operate with impressive precision, lapses are evident: logs show instances of cross-border traffic escaping inspection, internal blacklist mirrors exposed through misconfiguration, and honeypots receiving foreign reconnaissance traffic. These data points not only reinforce the highly compartmentalized structure of GFW enforcement, but also highlight critical seams in its defensive perimeter, seams that adversaries could exploit with careful targeting.
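The two application-layer checks named above and in the earlier conclusion (SNI matching and JA3 fingerprinting of TLS handshakes) are simple enough to show end to end. The block below is an added example, not code from the leak or from any GFW component: it builds constructed ClientHello records, parses out the SNI and the JA3 inputs, computes the JA3 string and MD5, and classifies each flow against a constructed SNI blocklist and a reference JA3 profile. Every hostname, cipher list and blocklist entry is invented for the demonstration.

```python
"""Added example (not code from the leak): SNI matching and JA3 fingerprinting of a
TLS ClientHello, the two application-layer heuristics the report attributes to the GFW.
Every record, blocklist entry and reference profile below is constructed."""
import hashlib
import struct

# RFC 8701 GREASE values; JA3 drops them so a randomised GREASE slot cannot perturb the hash.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def build_client_hello(sni, ciphers, groups, point_formats):
    """Assemble a minimal TLS ClientHello record (sample input only)."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # host_name entry
    sni_list = struct.pack("!H", len(entry)) + entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    grp = b"".join(struct.pack("!H", g) for g in groups)
    grp_list = struct.pack("!H", len(grp)) + grp
    ext_groups = struct.pack("!HH", 0x000A, len(grp_list)) + grp_list
    pf_list = bytes([len(point_formats)]) + bytes(point_formats)
    ext_pf = struct.pack("!HH", 0x000B, len(pf_list)) + pf_list
    exts = ext_sni + ext_groups + ext_pf
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"        # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"           # cipher suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Parse a ClientHello record into its JA3 inputs plus SNI; None if it is not one."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        version = struct.unpack("!H", body[0:2])[0]
        pos = 34 + 1 + body[34]                                        # version, random, session id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                                           # compression methods
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
    except (struct.error, IndexError):                                 # truncated or malformed
        return None
    end = min(pos + ext_len, len(body))
    sni, ext_types, groups, pfs = None, [], [], []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        ext_types.append(etype)
        if etype == 0x0000 and len(data) >= 5 and data[2] == 0:       # server_name, host_name
            nlen = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + nlen].decode("ascii", "replace")
        elif etype == 0x000A and len(data) >= 2:                       # supported_groups
            glen = struct.unpack("!H", data[:2])[0]
            groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + glen, 2)]
        elif etype == 0x000B and len(data) >= 1:                       # ec_point_formats
            pfs = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": ext_types,
            "groups": groups, "point_formats": pfs, "sni": sni}

def ja3(hello):
    """Return (ja3_string, ja3_md5) following the original JA3 field order."""
    def field(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(hello["version"]), field(hello["ciphers"]), field(hello["extensions"]),
                  field(hello["groups"]), field(hello["point_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()

def classify(record, sni_blocklist, ja3_blocklist):
    """Cheap SNI match first, then JA3 match against known circumvention-client profiles."""
    hello = parse_client_hello(record)
    if hello is None:
        return "not-client-hello"
    if hello["sni"] in sni_blocklist:
        return "block:sni"
    if ja3(hello)[1] in ja3_blocklist:
        return "block:ja3"
    return "allow"

# Constructed profile standing in for a captured circumvention client; note the GREASE cipher.
PROFILE = {"ciphers": [0x0A0A, 0x1301, 0x1302, 0xC02B], "groups": [29, 23], "point_formats": [0]}
SNI_BLOCKLIST = {"vpn.example.test"}                                   # constructed
JA3_BLOCKLIST = {ja3(parse_client_hello(build_client_hello("ref.example.test", **PROFILE)))[1]}

def sample_records():
    """Constructed flows: the same client changing SNI, and a client that reorders its ciphers."""
    return {
        "vpn_sni": build_client_hello("vpn.example.test", **PROFILE),
        "same_client_other_sni": build_client_hello("cdn.example.test", **PROFILE),
        "reordered_ciphers": build_client_hello("cdn.example.test", [0xC02B, 0x1301, 0x1302], [29, 23], [0]),
    }

if __name__ == "__main__":
    for label, rec in sample_records().items():
        h = parse_client_hello(rec)
        print(f"{label:22s} sni={h['sni']:18s} ja3={ja3(h)[0]:38s} -> {classify(rec, SNI_BLOCKLIST, JA3_BLOCKLIST)}")
```

The three constructed flows show the trade-off the report's logs imply: changing the SNI alone does not help a client whose JA3 is already on file, whereas reordering the cipher list changes the hash and slips past a pure JA3 match. JA3 is also sensitive to extension order, which some browsers now randomize, so newer schemes such as JA4 sort those fields; a censor relying on the original JA3 inherits that brittleness.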
Metadata Exposure: Attribution Through Digital Breadcrumbs
One of the most revealing and strategically valuable components of the GFW data dump lies not in the structured log files or architectural diagrams, but in the metadata accidentally embedded across thousands of files. These residual traces, often overlooked in threat modeling, offer a rare glimpse into the human and organizational machinery behind China’s censorship apparatus.
The dump exposes dozens of unique usernames, many of which follow consistent naming conventions indicative of internal departmental hierarchies. These include system-level account names (e.g., admin-jw, it_ops_lh, yunwei-wang) and author tags in Office documents, enabling correlation to individual operators. In many cases, authorship data and revision histories link technical documents, such as server topology diagrams, SQL queries, and application configuration logs, to specific personnel across government agencies, telecom subsidiaries, and third-party contractors.

Cross-referencing these metadata fields with known Chinese corporate entities and state-linked research institutes has enabled the construction of preliminary attribution clusters. These clusters show clear ties to China Telecom, China Unicom, and China Mobile, as well as connections to academic partners (including digital forensics labs), to MSS-linked infrastructure vendors such as Tietong and CETC, and to provincial branches of the MIIT.
Notably, multiple files retain internal IP address references and machine hostnames mapped to sandbox and testbed environments used for evaluating censorship evasion tools. These include systems tagged for Psiphon, V2Ray, and Shadowsocks analysis. Some remote server addresses and reverse-proxy logs point to GFW staging zones used to pilot domain interdiction and traffic shaping prior to national rollout.
This corpus of metadata, when enriched through Whois pivots, OSINT facial recognition, and password reuse enumeration, allows for the development of organizational maps and adversary role modeling. These in turn can inform future red-team operations targeting the GFW’s human operators, backend infrastructure, and chain-of-command logic. With metadata drawn from Word, Excel, Visio, and network logs, researchers now hold the building blocks for a relational understanding of censorship personnel and policy execution, from engineers and system admins to project managers and analysts.
This is not just a technical leak, it is a rare unmasking of the people behind the policy.
Among the most valuable aspects of this dump are the accidental leaks of metadata that revealed:
- Dozens of usernames tied to internal departments
- System usernames and document authorship tied to technical operators and analysts
- Organizational affiliations across telecoms, research labs, and suspected MSS-linked infrastructure vendors
- Tracebacks to IP addresses tied to GFW testbed deployments and server farms
A correlation of this data has begun to yield early attribution clusters and organizational modeling, laying the groundwork for adversarial red teaming against censorship controls.
Organizational Fingerprints: Mapping the Bureaucracy Behind the Great Firewall
Beyond the technical evidence of censorship and traffic manipulation, the leaked dataset offers a rare opportunity to construct a socio-technical map of the Great Firewall (GFW) apparatus, not just how it works, but who builds it, who maintains it, and how China's censorship ecosystem is organizationally compartmentalized.
The metadata extracted from over 7,000 documents, spreadsheets, Visio network maps, text logs, dashboards, and software configuration files reveals a complex lattice of state-linked entities operating in tightly controlled silos. Through usernames, author tags, internal IP assignments, system banners, and internal routing headers, we’ve begun to correlate individuals to functional roles and institutional affiliations.

The internal architecture of the Great Firewall is supported by a network of organizations ranging from state-owned enterprises to elite research institutions and private sector vendors. Core traffic monitoring and enforcement responsibilities are handled by China Telecom, China Unicom, and China Mobile, whose infrastructure appears repeatedly in PCAP logs, IP registries, and system-level telemetry. Metadata from Visio diagrams and scanning scripts links regional enforcement activities to provincial branches such as 广东联通 (Guangdong Unicom) and 河北电信 (Hebei Telecom), indicating decentralized operational cells.
At the academic and research level, contributors from the Chinese Academy of Sciences, CNCERT, Tsinghua University, and USTC are implicated in traffic modeling, VPN fingerprinting, and algorithmic SNI detection, functioning as a science-to-policy pipeline. Additional entities such as Huaxin, Venustech, and Topsec, believed to have ties to the Ministry of State Security (MSS), appear responsible for developing packet inspection hardware, “smart gateways,” and modular control interfaces. System topology files suggest regional hubs under provincial control, with metadata pointing to a tiered model of command: central rule authors in Beijing and localized operators managing disruptions and resets.

Supporting this infrastructure is a suite of internal tools, including web dashboards for traffic classification, rule propagation, and keyword blacklisting, many of which rely on LDAP-based access and appear to be integrated with institutional Single Sign-On systems. Screenshots and logs expose dynamic control capabilities such as automated session disruption and region-specific enforcement thresholds. Crucially, the dataset reveals extensive metadata leakage: usernames and computer hostnames link individuals to telecom offices and technical roles; document authorship trails help establish personal and institutional attribution. The documents further expose how responsibilities are compartmentalized, illustrating a strict vertical segmentation between engineering, monitoring, and enforcement functions. Overlapping IP clusters, authorship patterns, and PCAP exports across regions hint at interagency coordination, albeit scoped and isolated. Together, these findings allow for the construction of an emerging socio-technical map of the GFW’s human infrastructure, forming the groundwork for attribution modeling and adversarial counter-censorship strategy.
Technical Overview: Core Mechanisms of the GFW Architecture
The leaked dataset exposes a highly modular and deeply integrated censorship architecture underlying the Great Firewall of China. Rather than operating as a single centralized filter, the GFW is revealed to be a distributed system of surveillance and control spanning national, regional, and local network layers. Its enforcement mechanisms include everything from DPI inspection at major internet exchange points to application-layer behavioral analysis and live session manipulation through web-based dashboards. Across the dataset, there is a recurring pattern of siloed technical roles operating under central orchestration, with regional enforcement nodes acting as both detection points and policy executors.

This image is a logical and physical network topology map included in the dump of a segmented enterprise or academic network system referred to as 五环核心 (Five Rings Core Network). It displays VLAN segmentation, inter-switch trunking, DHCP assignments, and guest/staff/IPv6/WiFi zones, possibly reflecting real-world infrastructure used in Chinese internal IT or censorship-research testbeds.
At the core of traffic interception are the state-run ISPs, China Telecom, China Unicom, and China Mobile, which serve as both service providers and surveillance intermediaries. Logs from these providers document the interception and classification of traffic based on packet content, using deep packet inspection techniques. These techniques target TLS/HTTPS session metadata, such as the Server Name Indication (SNI) field sent in the clear in the ClientHello, and distinguish potentially suspicious connections based on protocol anomalies, including entropy, timing patterns, and payload structures. The infrastructure supports detection of known circumvention tools such as Shadowsocks, V2Ray, and Psiphon. Visio network diagrams show these DPI modules deployed at key peering points, especially in major metropolitan areas and provincial backbones, suggesting a tiered control model.
Application-level analysis is conducted using fingerprinting heuristics derived from both raw network characteristics and behavioral modeling. Various Excel spreadsheets and telemetry exports include references to TLS fingerprinting rules, heuristic classifiers for VPN/proxy traffic, and statistical models used to flag encrypted tunnels. These analyses rely on databases of SNI patterns, handshake behaviors, and traffic volume profiles. Simpler protocols are caught by static indicators, while more sophisticated obfuscated traffic is subjected to sketch-based detection, a lightweight statistical-summary technique that characterizes a flow without storing it in full. This reveals a layered approach to detection, with different modules specializing in different levels of granularity and evasiveness.
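As an added example that is not part of the leak or of this report's own tooling, the following Python shows the two detection paths described above side by side: the SNI is parsed out of a TLS ClientHello and matched against a blocklist, and a stream that is not recognisable TLS is tested for the near-maximal first-packet entropy that characterizes Shadowsocks-style "fully encrypted" tunnels. The blocklist suffixes, the ClientHello builder and every input are constructed for the example.

```python
"""Added example, not from the leak: a minimal DPI classifier of the kind the
logs describe. It parses the SNI out of a TLS ClientHello, matches it against
a (hypothetical) blocklist, and falls back to a first-packet entropy test for
streams that are not recognisable TLS. All inputs are constructed inline."""
import math
import struct

# Hypothetical blocklist: suffix match on server_name, as a rule table would do.
BLOCKED_SNI_SUFFIXES = ("psiphon3.com", "vpn-example.test")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext approaches 8.0, protocol headers sit far below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if the
    bytes are not a well-formed ClientHello (truncated, wrong type, no SNI)."""
    try:
        if record[0] != 0x16:                       # TLS record type: handshake
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                           # handshake type: ClientHello
            return None
        pos = 4 + 2 + 32                            # hs header, client_version, random
        pos += 1 + hs[pos]                          # session_id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2 + cs_len                           # cipher_suites
        pos += 1 + hs[pos]                          # compression_methods
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", hs[pos:pos + 4])
            body = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if ext_type == 0x0000:                  # server_name extension
                # ServerNameList: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", body[3:5])[0]
                return body[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error):
        return None
    return None


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello carrying only a server_name extension."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                 # client_version, random (zeroed)
            + b"\x00"                                # empty session_id
            + b"\x00\x02\x13\x01"                    # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                            # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def classify_first_packet(payload: bytes) -> str:
    """Verdict a DPI node might attach to the first client-to-server packet."""
    sni = extract_sni(payload)
    if sni is not None:
        return "block:sni" if sni.endswith(BLOCKED_SNI_SUFFIXES) else "allow:tls"
    # Not TLS. Fully encrypted tunnels carry no header and look uniformly random
    # from byte zero; plaintext protocols (HTTP, SSH banners) do not.
    if len(payload) >= 64 and shannon_entropy(payload) > 7.0:
        return "suspect:fully-encrypted"
    return "allow:other"


if __name__ == "__main__":
    for pkt in (build_client_hello("psiphon3.com"), build_client_hello("www.example.com"),
                bytes(range(256)), b"GET / HTTP/1.1\r\n" * 5):
        print(classify_first_packet(pkt))
```

The entropy branch is a deliberate simplification: the published analysis of how the GFW blocks fully encrypted traffic (Wu et al., USENIX Security 2023) describes cheaper per-packet tests such as the popcount of the first bytes and the fraction of printable ASCII, which is why circumvention tools now pad or prefix their first packet to fall outside those thresholds.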

Routing logic and censorship enforcement are governed by automated scripts and control schemas that appear to be distributed from centralized locations to regional nodes. Python and shell scripts uncovered in the dataset automate the scanning of IP ranges, the classification of foreign nodes, and the deployment of routing directives. Routing tables, sinkhole IP lists, and blackhole redirects provide insight into how traffic is rerouted or silently dropped based on the policy logic defined upstream. Several control files appear to be distributed on a schedule or in response to live triggers, showing both manual and autonomous enforcement methods. This system likely allows Beijing-based control centers to push directives to provincial-level enforcement arms, where localized engineers and systems perform filtering or inspection with scoped authority.
Operational state is maintained through a robust internal monitoring ecosystem. Included in the leak are comprehensive exports of CPU usage, memory performance, service uptime logs, and stream-based telemetry. These system-wide diagnostics provide not only visibility into the technical health of enforcement systems, but also allow higher-level auditing of session disruptions, filtering efficacy, and infrastructure stability. Screenshots from management interfaces and logs from web-based control dashboards suggest that operators are provided with real-time analytics, interactive filtering toggles, and user/session views. Most of these systems rely on enterprise-grade authentication mechanisms, such as LDAP-based Single Sign-On (SSO), indicating tight coupling between enforcement tooling and institutional IT frameworks.

Organization: China Information and Communication Design Institute Co., Ltd. (中讯邮电咨询设计院有限公司)
An unexpected but critical component of the breach is the metadata embedded within documents and logs. Authorship tags, file paths, and computer hostnames have linked hundreds of documents to individual users, systems, and organizations. These human fingerprints offer unprecedented visibility into the organizational structure behind the GFW’s operation. Engineers, data analysts, lab researchers, and regional technicians are all traceable by name or system alias. Many entries refer to known ISPs, national labs, or university-affiliated nodes, suggesting that the enforcement apparatus spans a wide constellation of public-private partnerships, military-academic collaborations, and centralized policy deployment.
Together, these findings constitute a unique technical cross-section of the Chinese censorship-industrial complex, revealing not just what is filtered or how, but who enforces it, who maintains the infrastructure, and how decisions flow through the layered topology of digital control.
What Comes Next
This report represents only the first installment in a three-part investigative series into the unprecedented breach of China’s censorship apparatus. While this Part 1 has centered on exposing the dataset’s contents and evaluating its technical, organizational, and strategic significance, it is only the beginning. The sheer scale and complexity of the leak, over 500GB of internal GFW infrastructure data, demands a methodical, layered approach to fully grasp its implications. The next two parts in this series will delve even deeper, uncovering the architecture of China’s censorship regime and examining the wider consequences for global digital governance.
Part 2 – The Architecture will offer a forensic reconstruction of how the Great Firewall actually works at the technical level. Leveraging the internal Visio network diagrams, log schematics, scanning schedules, app fingerprinting routines, and heuristic rule exports uncovered in the dump, we will map the core design of the censorship stack. This includes how packets are intercepted, filtered, redirected, or dropped; how apps like Psiphon and V2Ray are detected at the protocol level; and how traffic shaping is deployed based on geography, ISP, or session context. The analysis will also break down the GFW’s modular enforcement structure, highlighting regional control points, the roles of telecom and research institutions, and the likely contribution of vendors with MSS affiliations in building out control interfaces and automated classifiers.
Part 3 – Geopolitics and The Fallout will address the broader implications. This breach does more than just reveal technical controls, it changes the strategic calculus of censorship resistance. We will assess how the exposure reshapes China’s ability to sustain its domestic information control and international cyber operations, and how it informs countermeasures by VPN developers, privacy advocates, and democratic governments. Ethical and legal questions will also be raised: what does responsible engagement with such data look like? And how should open societies use this moment to harden digital rights, strengthen transparency norms, and resist the spread of authoritarian control models abroad? With this series, we aim to present not just the most complete picture yet of the GFW, but a roadmap for pushing back against the machinery of state censorship.

A massive crypto wallet-drain conspiracy links fake trading sites to a single criminal IP address. See our investigative deep dive into how these orchestrated scams are draining user funds.
Cybercriminals are orchestrating a cryptocurrency “wallet drain” conspiracy that spans sketchy browser extensions, mobile profile phishing, and sham cryptocurrency trading platforms, all tied together by a single web of infrastructure. In this investigative deep dive, we expose how multiple scam websites such as medaigenesis[.]cc, novacrypt[.]net, and zzztd[.]com were hosted on the same server IP address, 8.221.100[.]222. These sites formed a coordinated infrastructure used to steal cryptocurrency from unsuspecting users. As of September 25, the A record for novacrypt[.]net stopped resolving to this IP address, which could indicate that the attackers have shifted infrastructure or that the domain has been taken down. The scams range from browser extension popups and iPhone configuration profile traps to fraudulent web trading apps, all of which are backed by clever social engineering. Below, we break down each component of this operation, provide code snippets and network maps, and outline Indicators of Compromise (IOCs) to help you recognize and avoid these threats.
MedAI Genesis – A Fake Medical DAO With a Draining Agenda

One of the more elaborate fronts in this scam network is medaigenesis[.]cc, which presents itself as a next generation healthcare initiative powered by blockchain and artificial intelligence. Styled as “MedAI Genesis,” the site promotes itself as the future of personalized health management, backed by buzzwords such as AI 5.0, on chain biometric data, and health NFTs.
“Redistribution of medical resources,” it claims. “Rise of the health currency.”
At first glance, it reads like a cryptocurrency investor’s dream married to a healthcare revolution. The platform boasts features like:
- AI-driven medical consultation,
- NFT-based health records,
- On-chain health governance voting,
- A utility token called MDAI.
But under the hood, this is a scam in a lab coat.
Instead of delivering health features, the site launches a wallet connect popup through a browser extension. Its objective is to drain cryptocurrency holdings under the guise of activating access features. The scam blends health tech themes with cryptocurrency mechanics to create a believable front that convinces victims to interact with their wallets, triggering the theft.
How it works: The page reuses CSS and fonts from Trust Wallet’s Chrome extension (ID egjidjbpglichdcondbcbdnbeeppgdph) to style its prompt. The risk is that the copied styling produces a phishing dialog visually identical to a legitimate Trust Wallet connect prompt. On the fake site, clicking “Connect” does not perform a benign wallet handshake; the page’s JavaScript can instead ask the wallet to sign a dangerous transaction. It looks like a connection request, but if you approve it, the scammer gains permission to move your funds.
Scam in Action: Imagine visiting a new cryptocurrency platform and seeing a familiar professional-looking “Connect Trust Wallet” dialog. Believing it is safe, you click connect only to be asked to sign a transaction that silently hands control of your wallet to the scammer. Functions like setApprovalForAll or direct transfers can then be abused to drain assets if you approve.
Notably, the extension’s ID corresponds to a Trust Wallet extension listed on the official Chrome Web Store, which raised alarms. The extension’s review page is filled with reports of stolen funds, scam, and backdoors. It appears scammers either published a fake but convincing “Trust Wallet” extension or leveraged the legitimate one. Either way, its presence in the victim’s browser is what enables the “Fake Wallet Connect” popup to appear.
This tactic is especially dangerous because the CSS makes the interface appear authentic, while the real attack would occur in the underlying JavaScript. In this case, the phishing site (for example, a staged platform like “MedAI Genesis”) appears to still be under construction. The look-alike Trust Wallet pop-up is present in the code but not fully functional, as several links return errors or placeholders, and even the Telegram channel is commented out. These indicators suggest the threat actor could be staging the site for a future campaign. In the meantime, the page is decorated with fake features such as “AI-Powered diagnostic service payments” and “Global health data NFTization,” along with unverifiable profiles and logos from real companies like Pinksale and Binance Smart Chain. These credibility tricks are designed to lower a victim’s guard once the phishing flow is fully enabled.
Cleverly, the phishing kit may even embed Trust Wallet style fonts via chrome-extension:// URLs to mimic the look of the genuine extension UI. This does not grant access to the real extension but enhances the deception. A web page can only load such resources if the extension exposes them as web_accessible_resources, so a successful font load also tells the page that the extension is installed in the victim’s browser.

Figure: CSS from the fake Trust Wallet extension loading a Binance font – indicating the extension is active on the page
Endgame: Once a victim signs the malicious transaction, the attacker has the permissions needed to siphon cryptocurrency assets at will. This is a classic wallet drain; a convincing façade powered by copied CSS and branding, but with the theft executed entirely by malicious JavaScript hidden beneath.
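What a drainer actually submits when the victim clicks “Connect” is an ordinary transaction request whose calldata carries an approval. The following Python is an added example, not code from the page, the campaign or Trust Wallet: it decodes the calldata a dApp hands to a wallet and names the approval patterns a drainer depends on (setApprovalForAll to an unknown operator, an unlimited ERC-20 allowance, or a direct transfer). The function selectors are the standard ERC-20/ERC-721 ones; the operator address and the sample request are constructed.

```python
"""Added example (not from the page, the campaign or Trust Wallet): inspect the
calldata a dApp hands to the wallet in an eth_sendTransaction request and name
the approval patterns a drainer depends on. Addresses and the sample request
are constructed."""

# keccak256(signature)[:4] of the standard ERC-20 / ERC-721 entry points
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}
UINT256_MAX = (1 << 256) - 1


def decode_call(data: str):
    """Split calldata into (function signature or None, list of 32-byte hex words)."""
    hexstr = data[2:] if data.lower().startswith("0x") else data
    sig = SELECTORS.get(hexstr[:8].lower())
    words = [hexstr[i:i + 64] for i in range(8, len(hexstr), 64)]
    return sig, words


def word_to_address(word: str) -> str:
    return "0x" + word[-40:].lower()      # an address is right-aligned in its 32-byte word


def word_to_uint(word: str) -> int:
    return int(word, 16)


def assess_request(tx: dict, trusted_spenders: set) -> dict:
    """tx: the {'to', 'data', 'value'} object a page passes to the wallet provider.
    trusted_spenders: lowercase contract addresses the user actually expects to use."""
    sig, words = decode_call(tx.get("data", "0x"))
    findings = []
    if sig is None:
        return {"risk": "unknown", "function": None,
                "findings": ["unrecognised selector; decode it before signing"]}
    if len(words) < 2 or any(len(w) != 64 for w in words):
        return {"risk": "high", "function": sig, "findings": ["malformed calldata"]}

    if sig.startswith("setApprovalForAll"):
        operator, approved = word_to_address(words[0]), word_to_uint(words[1]) != 0
        if approved and operator not in trusted_spenders:
            findings.append(f"grants operator {operator} control of every token in the collection")
    elif sig.startswith(("approve", "increaseAllowance")):
        spender, amount = word_to_address(words[0]), word_to_uint(words[1])
        if spender not in trusted_spenders:
            findings.append(f"approves unknown spender {spender}")
        if amount == UINT256_MAX:
            findings.append("unlimited allowance (2**256-1)")
    elif sig.startswith("transfer"):
        findings.append("moves tokens out of the wallet immediately")
    if int(tx.get("value", "0x0"), 16) > 0:
        findings.append("also sends native currency with the call")
    return {"risk": "high" if findings else "low", "function": sig, "findings": findings}


# Constructed request: what a "Connect" button on a drainer page really submits.
# The operator address is a placeholder, not a real drainer contract.
DRAINER_OPERATOR = "0x" + "ab" * 20
CONSTRUCTED_DRAINER_TX = {
    "to": "0x" + "11" * 20,                                          # an NFT collection
    "data": "0xa22cb465" + "00" * 12 + "ab" * 20 + "00" * 31 + "01",  # setApprovalForAll(op, true)
    "value": "0x0",
}

if __name__ == "__main__":
    print(assess_request(CONSTRUCTED_DRAINER_TX, trusted_spenders=set()))
```

A wallet extension sees exactly these bytes before the user taps Approve; the point of the example is that the danger is in the decoded call, not in the dialog, so a connect prompt that produces a setApprovalForAll or an unlimited approve for a contract the user never chose should be rejected regardless of how genuine the UI looks.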
Fake Trust Wallet CSS code snippet for a popup:

Phishing via iPhone Profile: The Novacrypt “App”


Another facet of this scam nexus targets mobile users, especially iPhone owners, by distributing a malicious Apple configuration profile (.mobileconfig) that masquerades as a new cryptocurrency trading app called Novacrypt. Instead of a real app, victims end up installing a WebClip – essentially a fake app icon that opens a phishing site. This is a stealthy method to phish cryptocurrency exchange credentials via what appears to be a standard app installation.
How it works: The scammers set up a fake “App Store” download page prompting users to install the Novacrypt app for iOS. When the user agrees, they receive a .mobileconfig file from the Novacrypt site (e.g., novacrypt[.]net/.../Novacrypt.mobileconfig). This configuration profile, when opened on an iPhone, prompts the user to install a new profile, which most users interpret as installing an app or enabling certain functionality.
Let’s break down key parts of the Novacrypt mobileconfig payload:

Figure: Excerpt from the Novacrypt.mobileconfig file, showing it creates a WebClip named "Novacrypt" that opens a URL to h5.novacryptmax[.]com.
- PayloadDisplayName = “Novacrypt” – The name shown to the user during install, making it appear official.
- PayloadType = com.apple.webClip.managed – This indicates the profile will install a Web Clip (shortcut) on the home screen.
- Label = “Novacrypt” – The label under the home screen icon, so it looks like a real app named Novacrypt.
- URL = https://h5.novacryptmax[.]com/#/pages/auth/sign-in – The crux of the scam: this is the URL that the WebClip opens. It’s a fake login page on a domain (novacryptmax[.]com) that appears to be related to Novacrypt but is entirely under the scammer’s control.
Additionally, the profile includes a base64-encoded icon image (so the WebClip icon resembles a legitimate app logo), and it is digitally signed. The signature references “Let’s Encrypt” and the domain 360[.]icu, suggesting the actor signed the profile with a free, domain-validated Let’s Encrypt certificate issued for 360[.]icu, and possibly hosted the profile there. iOS labels a profile signed by a certificate that chains to a trusted root as “Verified” and displays the certificate’s name, so a free TLS certificate is enough to make the install prompt look trustworthy; it says nothing about what the profile does.
Step-by-step, the attack unfolds as:
- Bait – The victim receives a link (via email, social media, etc.) to download the “Novacrypt crypto trading app.” The link directs users to a page that mimics an official app store, prompting the installation of an iOS configuration profile.
- Install – The user installs the profile on their iPhone, ignoring iOS warnings. Because the profile is named “Novacrypt” and has a nice icon, it appears legitimate. A new “Novacrypt” icon now appears on the home screen, as if a real app had been installed.
- Phishing – When the victim taps the Novacrypt icon, it doesn’t launch a real app; instead, it quietly opens Safari to h5.novacryptmax[.]com/#/pages/auth/sign-in, a phishing webpage. The page likely impersonates a login screen for a cryptocurrency exchange or wallet.
- Credentials Theft – Believing this to be part of setting up the app, the user enters their username, password, 2FA, etc. Those credentials are immediately sent to the attacker. The victim might even be redirected or shown an error after to avoid suspicion. Meanwhile, the attackers can use those stolen logins to empty the victim’s accounts or wallets on real exchanges.
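The whole chain rests on one payload type, com.apple.webClip.managed, so the check a defender or an analyst wants is a parser that pulls every Web Clip out of a profile and reports why it looks like a phishing shortcut. The Python below is an added example, not the campaign’s file or this report’s tooling: it builds a constructed, unsigned profile with the keys shown in the figure above (display name, label, URL, icon keys omitted) and then inspects it. The domains ending in .invalid are placeholders. The real Novacrypt profile is CMS-signed, so strip the signature first with `openssl smime -inform der -verify -noverify -in Novacrypt.mobileconfig -out profile.plist` before parsing.

```python
"""Added example (not the campaign's file): build a constructed, unsigned
configuration profile carrying one managed Web Clip, then parse profiles and
report Web Clips that look like phishing shortcuts. Placeholder domains only."""
import plistlib
from urllib.parse import urlparse


def make_profile(display_name: str, url: str, full_screen: bool, removable: bool) -> bytes:
    """Constructed minimal profile: one com.apple.webClip.managed payload, no icon, unsigned."""
    clip = {
        "PayloadType": "com.apple.webClip.managed",   # home-screen shortcut, not an app
        "PayloadIdentifier": "com.example.webclip",
        "PayloadUUID": "00000000-0000-4000-8000-000000000002",
        "PayloadVersion": 1,
        "Label": display_name,                        # text under the icon
        "URL": url,                                   # what tapping the icon opens
        "FullScreen": full_screen,                    # hides Safari's address bar
        "IsRemovable": removable,
    }
    profile = {
        "PayloadDisplayName": display_name,           # name shown in the install prompt
        "PayloadIdentifier": "com.example.profile",
        "PayloadType": "Configuration",
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadVersion": 1,
        "PayloadContent": [clip],
    }
    return plistlib.dumps(profile)


def webclip_findings(profile_bytes: bytes, claimed_domain: str) -> list:
    """One record per Web Clip payload, with the reasons it looks like a phishing
    shortcut. claimed_domain is the site the profile was downloaded from."""
    plist = plistlib.loads(profile_bytes)
    results = []
    for payload in plist.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.webClip.managed":
            continue
        url = payload.get("URL", "")
        host = (urlparse(url).hostname or "").lower()
        reasons = []
        if host != claimed_domain and not host.endswith("." + claimed_domain):
            reasons.append(f"opens {host}, not the domain it was downloaded from ({claimed_domain})")
        if any(k in url.lower() for k in ("sign-in", "login", "auth")):
            reasons.append("target path looks like a login page")
        if payload.get("FullScreen"):
            reasons.append("FullScreen hides the address bar, so the host is never shown")
        if payload.get("IsRemovable") is False:
            reasons.append("profile marks the clip non-removable")
        results.append({"label": payload.get("Label"), "url": url, "reasons": reasons})
    return results


# Constructed profiles: a look-alike of the pattern described above, and a benign clip.
PHISHING_PROFILE = make_profile(
    "ExampleTrader", "https://h5.exampletrader-max.invalid/#/pages/auth/sign-in",
    full_screen=True, removable=False)
BENIGN_PROFILE = make_profile(
    "Intranet", "https://intranet.exampletrader.invalid/", full_screen=False, removable=True)

if __name__ == "__main__":
    for rec in webclip_findings(PHISHING_PROFILE, "exampletrader.invalid"):
        print(rec["label"], rec["url"])
        for why in rec["reasons"]:
            print("  -", why)
```

The host mismatch is the decisive signal in this campaign: the download came from novacrypt[.]net but the clip opens h5.novacryptmax[.]com, exactly the kind of look-alike second domain a profile’s “Verified” badge does nothing to expose.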
H5.novacryptmax[.]com

This scheme abuses Apple’s configuration profile mechanism, the same channel enterprise device management uses, to add a phishing shortcut to the user’s phone. The install flow looks like adding an app, but the managed Web Clip payload is only a bookmark to a fraudulent site. No malware is installed on the device; the “app” is simply Safari opening the attacker’s page.
The Novacrypt phish’s infrastructure reveals some interesting connections: the phishing site utilizes the domain novacryptmax[.]com (with subdomains such as h5., web., etc.), which was registered through the same registrar (Gname) as the other scam domains and hosted behind Cloudflare. The decoy download page was on novacrypt[.]net (hosted at 8.221.100[.]222), and its “App Store” button simply served the mobileconfig from that domain. There was even an Android variant attempt – the “Google Play” button on the site pointed to googleplay.nova-reviews[.]com (likely intended to drop an APK or guide Android users, though by the time of analysis, that domain wasn’t resolving).
The “ZZZTD” Web Trader - Fake Platform with Malicious Code

The third pillar of this scam nexus is a fake online cryptocurrency trading/investment platform hosted on zzztd[.]com (also on 8.221.100[.]222). At first glance, zzztd[.]com appears to be a cryptocurrency or financial trading web application. However, buried in its code are suspicious scripts that suggest it may be stealing data or loading malware in the background.
On zzztd[.]com’s homepage, researchers found references to two main JavaScript files: chunk-vendors.f0dabee900057778.js and app.46e5246269e54881.js. These appear to be typical for a web app (the former likely containing third party library code, and the latter the app’s own code). The HTML uses <script defer> tags to load these, meaning they execute after the page loads:

Figure: Code snippet from zzztd[.]com loading JavaScript files for the web application. The defer attribute indicates these scripts run only after the HTML is parsed, ensuring the page renders first.
A VirusTotal scan of the app.46e5246269e54881.js file showed 0 antivirus detections, which isn’t unusual for bespoke web application JavaScript (AV engines rarely flag minified or obfuscated JS on its own). However, VirusTotal’s behavioral analysis yielded a clue: it revealed that this script (or something it loaded) tried to contact a suspicious domain, anedhaude[.]xyz. That domain is not currently publicly active, but further investigation uncovered an Android Trojan sample (“ioeai.apk”) that also communicated with anedhaude[.]xyz. In other words, the zzztd[.]com web app shares infrastructure or code with known malware, strongly suggesting that if a user interacted with zzztd[.]com (or downloaded anything from it), they could be infected or have their data sent to the attackers’ server.
It’s possible that zzztd[.]com was set up to either phish for login credentials to cryptocurrency accounts (by mimicking a trading dashboard and tricking users into inputting private keys or exchange logins) or to deliver malware (like the mentioned Android APK) to users under the guise of a mobile trading app. The site’s code, including references to an external C2 domain (anedhaude[.]xyz), is a red flag – legitimate cryptocurrency trading platforms wouldn’t embed calls to random .xyz domains. This pattern connects zzztd[.]com back to the same threat actor’s toolkit.
- app.46e5246269e54881.js – https://www.virustotal.com/gui/file/430a73bc2a01dd1c5c84c5cc8bf0c65b163198a39910d66dc93f23fcea458fbe/behavior
Connecting the Dots: One IP, Many Scams
What ties MedAI Genesis, Novacrypt, and ZZZTD together? The investigation found that all these seemingly disparate scams were hosted on a single IP address: 8.221.100[.]222. This IP address (an Alibaba Cloud server in Asia) served as a one stop hosting hub for the scammer, hosting multiple domains for various fraud schemes. At least eight domains sharing this server have been identified, including those involved in the scams above and others:
- medaigenesis[.]cc – Fake cryptocurrency/AI investment site (wallet drainer stage)
- novacrypt[.]net – Host for the fake app mobileconfig and website
- zzztd[.]com – Fake cryptocurrency trading platform with malicious JS
- n58[.]bet – Likely another scam site (one reference suggests it was a fake gaming site in Chinese)
- ewnai[.]com – A fake AI technology site
- app.tiktoks[.]cc – A short lived domain
- admin.zzztd[.]com, web.zzztd[.]com – Subdomains related to zzztd[.]com
- web.novacrypt[.]net – Subdomain which, interestingly, was misconfigured to display content from EWN AI (ewnai[.]com), accidentally linking the Novacrypt scam to the EWN AI scam by content reuse.
Subdomain resolving to a different IP, hosting a fake gaming site.
kook1.ewnai[.]com (103.235.174[.]202)

web.novacrypt[.]net (misconfigured to display content from EWN AI, ewnai[.]com)

Most of these domains were registered through the same registrar (Gname.com Pte. Ltd.), reinforcing that they are controlled by the same actor or group. Passive DNS records indicate that this infrastructure has been in use since at least April 2025 and remained active until August 2025, suggesting an ongoing campaign.
The threat actor behind this nexus appears to be quite versatile: not only targeting cryptocurrency investors through multiple avenues (sketchy extensions, fake apps, and fake platforms), but also dabbling in other forms of fraud, such as a fake TikTok Shop scam. One of the scam sites was a gaming/gambling site in Chinese, hinting that the operators might be based in or targeting users in East Asia (or trying a variety of lures to see what sticks). The range of themes, from AI startups to cryptocurrency exchanges to e-commerce, shows a wide-reaching fraud operation managed by a single actor.
Below is a network map connecting the key domains and infrastructure:

Figure: Network map of the scam nexus, showing domains hosted on 8.221.100[.]222 (center) and their relationships. The fake Trust Wallet popup and external phishing domains (novacryptmax[.]com, etc.) are also linked to the core cluster.
Despite the variety of themes these platforms use (AI token site, trading platform, mobile app), these scams share common tactics. They all rely on social engineering to get the victim to take a harmful action willingly, such as installing an extension or profile, clicking a connect button, or typing in a password. The technical traps (malicious code injection, webclip profiles, obfuscated scripts) are combined with psychological lures (shiny websites, promises of big profits, or urgent investment opportunities). It’s a potent mix that has likely claimed many victims.
Conclusion
This cluster of scams demonstrates how threat actors combine technical methods with deception to steal cryptocurrency. By controlling multiple domains and even a browser extension, they exploit trust at several levels: browser add-ons, app installation processes, and convincing web design. The single infrastructure behind these schemes also highlights how a determined attacker can leverage one setup to run multiple scams, from cryptocurrency theft to fake e-commerce.
Staying safe requires a mix of technical defenses and skepticism: avoid installing browser extensions or mobile profiles from unverified sources, double check URLs (a legit project won’t ask you to install a profile for an “app”), and be wary of any unexpected wallet transaction requests. As the “Cryptocurrency Drain Conspiracy” shows, even a legitimate looking prompt could be a trap. Always verify through official channels, and when in doubt, don’t click “Connect” or “Install”, that split second decision can make the difference between keeping your assets secure or seeing them wiped out.
Indicators of Compromise (IOCs)
For quick reference, here is a summary of known indicators associated with this scam nexus. Security teams and vigilant users can use these to detect or block related activity:

Salt Typhoon is a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security (MSS), specializing in long-term espionage operations targeting global telecommunications infrastructure. Active since at least 2019, Salt Typhoon has demonstrated advanced capabilities in exploiting network edge devices, establishing deep persistence, and harvesting sensitive communications metadata, VoIP configurations, lawful intercept data, and subscriber profiles from telecom providers and adjacent critical infrastructure sectors.
Executive Summary
Salt Typhoon operates with both direct MSS oversight and the support of pseudo-private contractor ecosystems, leveraging front companies and state-linked firms to obscure attribution. Recent legal and intelligence reporting confirms that Salt Typhoon maintains operational ties to i-SOON (Anxun Information Technology Co., Ltd.), a prominent MSS contractor known for enabling offensive cyber operations through leased infrastructure, technical support, and domain registration pipelines.
Salt Typhoon’s targeting profile spans the U.S., U.K., Taiwan, and EU, with confirmed breaches in at least a dozen U.S. telecom firms, multiple state National Guard networks, and allied communications providers. Their campaigns utilize bespoke malware, living-off-the-land binaries (LOLBINs), and stealthy router implants, and are notable for their use of publicly trackable domains registered with false U.S. personas, marking a rare lapse in tradecraft among advanced Chinese threat actors.
Background
Salt Typhoon is a state-sponsored advanced persistent threat (APT) group attributed to the People’s Republic of China (PRC) and aligned specifically with the Ministry of State Security (MSS). First observed in 2019, the group has become increasingly active and visible through public indictments, technical advisories, and leaked contractor documents—exposing not only its campaigns but also the hybrid contractor-state model behind its operations.
Salt Typhoon is part of a larger naming taxonomy introduced by Microsoft, which classifies Chinese nation-state actors under the “Typhoon” label. It is believed to overlap with or operate in conjunction with previously known clusters such as Ghost Emperor (Kaspersky), FamousSparrow (ESET), Earth Estries (Trend Micro), and UNC2286 (Mandiant). Some infrastructure and malware characteristics have also shown ties to UNC4841, further blurring attribution boundaries within China’s expansive APT ecosystem.

What distinguishes Salt Typhoon from other PRC-linked actors is its direct targeting of global telecommunications infrastructure for long-term signals intelligence (SIGINT) collection. The group has demonstrated sophisticated tradecraft in:
- Exploiting network edge devices (routers, VPN gateways, firewalls),
- Maintaining long-dwell persistence via firmware/rootkit implants,
- Harvesting lawful intercept data, VoIP configurations, and subscriber metadata from telecom providers,
- And using plausibly deniable contractor infrastructure to obscure attribution.
This report consolidates known intelligence, indictments, IOCs, and operational profiles for Salt Typhoon to support attribution, detection, and threat modeling.
Salt Typhoon within the Chinese Nation-State Cyber Intelligence Structure

Salt Typhoon represents not merely a loose collection of intrusion campaigns, but a state-directed cyber espionage program embedded within the operational apparatus of the People’s Republic of China (PRC). Its activity is consistent with the model observed across other PRC “Typhoon” actors: centralized tasking from the Ministry of State Security (MSS), supplemented by the use of contractor and front-company ecosystems that provide scalable infrastructure, tooling, and deniability. The group’s consistent focus on U.S. telecommunications providers, defense-adjacent networks, and allied critical infrastructure sectors is aligned with MSS priorities of foreign intelligence collection, counterintelligence support, and preparation of the battle space.
Although the MSS remains the primary beneficiary of Salt Typhoon operations, technical overlaps with missions traditionally associated with the People’s Liberation Army Strategic Support Force (PLA SSF) suggest that elements of the PLA’s mandate (particularly communications exploitation, SIGINT, and critical infrastructure disruption planning) are also served by this program. By embedding implants in routers, VPN gateways, and telecom backbone equipment, Salt Typhoon delivers persistent access not only for espionage but also for long-term contingency operations, ensuring that PRC intelligence and military planners can monitor, disrupt, or degrade communications infrastructure if required during geopolitical crises. In this sense, Salt Typhoon should be understood as a dual-use capability: a cyberespionage engine serving day-to-day intelligence needs while simultaneously providing the technical foundation for potential wartime cyber operations.
MSS and PLA Roles
Ministry of State Security (MSS):
- The MSS is the primary civilian intelligence service responsible for foreign intelligence, counterintelligence, and cyber-enabled espionage.
- Salt Typhoon shows operational hallmarks of MSS regional bureaus, particularly the Chengdu presence, leveraging local contractors and front companies.
- Firms like Sichuan Juxinhe and Beijing Huanyu Tianqiong are assessed to be either fronts or semi-integrated subsidiaries, mirroring MSS’s historical practice of using corporate cut-outs.
People’s Liberation Army (PLA):
- PLA units (particularly under the Strategic Support Force) have historically targeted communications infrastructure for SIGINT and C4ISR disruption.
- While PLA attribution to Salt Typhoon is less direct, the targeting of backbone and edge routers suggests technical overlap with PLA’s mandate to prepare battlefields in cyberspace.
- Contractors such as Sichuan Zhixin Ruijie may provide dual-use capabilities for both MSS espionage and PLA operational readiness.
Chinese Corporate Hacking Support Infrastructure

The recent joint cybersecurity advisory (August 2025) shed light on three Chinese companies implicated in supporting the operations of Salt Typhoon: Sichuan Juxinhe Network Technology (四川聚信和), Beijing Huanyu Tianqiong Information Technology (北京寰宇天穹), and Sichuan Zhixin Ruijie Network Technology (四川智信锐捷). Each entity demonstrates a different operational model: front companies serving as covers for MSS-linked divisions, and contractors providing technical products and services with both defensive and offensive applications. This model aligns closely with previously documented ecosystems, such as the exposure of i-SOON (安洵科技), where corporate structures serve dual purposes as commercial entities and enablers of state espionage campaigns.
Salt Typhoon-Linked Firms
Sichuan Juxinhe Network Technology
- Likely MSS front company, minimal legitimate business presence.
- Unusual element: 15 software copyrights possibly registered on behalf of an MSS division.
- Fits classic indicators of a cut-out entity used to mask state cyber operations.
Beijing Huanyu Tianqiong Information Technology
- Founded in 2021, coinciding with early Salt Typhoon activity.
- Operates a Zero Trust Defense Lab, offering both legitimate security services (penetration testing, IR) and products with potential C2 and covert access functions (e.g., Shadow Network).
- Evidence suggests hybrid role: front company characteristics with some self-sustaining innovation, patents, and recruitment efforts.
- Proximity to Sichuan Zhixin Ruijie’s Chengdu office suggests co-location strategy for operational synergy.
Sichuan Zhixin Ruijie Network Technology
- Established 2018, later certified as a high-tech SME and contractor for government/military clients.
- Products such as router control systems and network traffic monitoring platforms possess clear offensive potential.
- Functions as a legitimate contractor rather than a pure front, demonstrating how PRC state cyber programs leverage existing commercial capacity for deniable operations.
Parallels and Overlaps with i-SOON
The Salt Typhoon corporate ecosystem echoes the i-SOON leaks (2024), which revealed:
- Direct contracting relationships between Chinese intelligence services (MSS, PLA) and nominally private cybersecurity companies.
- Use of hybrid companies mixing legitimate commercial activities with covert offensive cyber tasks.
- Shared personnel pools, with employees oscillating between state agencies, private firms, and academic research labs.
Like i-SOON, Salt Typhoon’s supporting companies illustrate how the PRC cyber apparatus blurs the lines between state, semi-private, and private entities. Both ecosystems leverage:
- Front companies (minimal digital presence, few employees, registered IP) to obscure attribution.
- Legitimate contractors (with patents, certifications, government clients) to provide scalable, high-quality tools and services.
- Innovation-driven hybrids, balancing R&D, patents, and proprietary software development with covert tasking.
Front Company Infrastructure
Multiple companies have been sanctioned or named as enablers in Salt Typhoon’s tradecraft, including:
- Sichuan Juxinhe Network Technology Co., Ltd.: Tied to Yin Kecheng; facilitated domain control, server management, and malware staging.
- Shanghai Heiying Information Technology Co., Ltd.: Tied to Zhou Shuai; enabled data laundering and resale of stolen network access.
These entities provided infrastructure, logistics, and plausible deniability, allowing MSS operators to mask espionage as commercial or third-party actions.
Ties to i-SOON: China’s Hacker-for-Hire Engine
i-SOON (Anxun Information Technology Co., Ltd.) is a Chinese cyber contractor linked to both the Ministry of State Security (MSS) and Ministry of Public Security (MPS). The company gained international attention following a 2024 GitHub data leak that exposed internal documents, tools, and tasking relationships with state clients.
i-SOON operates as a pseudo-private offensive cyber firm, bridging the gap between state priorities and a scalable, deniable contractor ecosystem. Their services include:
- Custom malware and implant development
- Infrastructure registration (e.g., domains, cloud servers)
- Threat actor support tooling (e.g., internal C2 kits)
- OSINT scraping and target profiling modules
Confirmed Connections to Salt Typhoon
Significance of i-SOON Ties
- Operational Deniability: Salt Typhoon’s use of i-SOON demonstrates how the MSS leverages contractor cutouts to distance itself from direct attribution.
- Scalable Infrastructure: The company’s support enabled Salt Typhoon to deploy repeatable, automated domain registration templates, malware logistics, and support tooling.
- Repeatable Tradecraft: Patterns seen in Salt Typhoon’s infrastructure (e.g., ProtonMail Whois records, registrant personas, toolkits) align with systems leaked in the i-SOON dump—suggesting shared toolchains or operational guidance.
Strategic Implications
- Operational Flexibility: The PRC can allocate missions across fronts and contractors depending on risk tolerance and technical requirements.
- Attribution Challenges: By embedding cyber operations within commercial ecosystems, Beijing complicates efforts by defenders to distinguish legitimate activity from state-directed espionage.
- Sustainability: Firms like Huanyu Tianqiong and Zhixin Ruijie may represent a next generation of i-SOON-style contractors, where state-directed offensive tasks are embedded within otherwise legitimate market-facing companies.
- Geographic Concentration: The clustering of these firms in Chengdu and Beijing reflects established hubs for MSS-linked cyber operations, similar to how i-SOON operated from Hainan.
Strategic Placement
- Salt Typhoon should be understood not as a single APT but as a programmatic campaign, reflecting MSS tasking and PLA technical priorities.
- It operates at the intersection of espionage and contractor ecosystems, embodying China’s blended cyber force structure:
  - MSS → espionage, influence, covert penetration
  - PLA → strategic SIGINT, military preparation, infrastructure disruption
  - Corporate cut-outs → tools, cover, scalability
This layered integration allows Salt Typhoon to persist globally, masking state direction behind a facade of “legitimate” Chinese technology firms.
Known Campaigns & Motivations
Salt Typhoon has carried out a series of highly targeted cyber espionage campaigns since at least 2019, primarily focused on telecommunications infrastructure, military networks, and intelligence collection across strategic geographies. These operations are consistent with Ministry of State Security (MSS) tasking, reflecting objectives such as signals intelligence acquisition, persistent access to critical infrastructure, and preparation of the battle-space for potential geopolitical escalation.
Below is a breakdown of major campaigns attributed to Salt Typhoon:
U.S. Telecommunications Provider Intrusions
Timeframe: Early to Late 2024
Region: United States
Victims: AT&T, Verizon, T-Mobile, Lumen, Windstream, and other major telecoms
Tactics: Exploitation of router/firewall CVEs, configuration hijacking, long-dwell persistence
Data Exfiltrated:
- Subscriber metadata
- Call detail records (CDRs)
- VoIP infrastructure configs
- Lawful intercept logs
Motivation:
To collect high-value SIGINT across U.S. telecom layers, including surveillance of communications and infrastructure maps. Likely tasking involved PRC state priorities around counterintelligence and strategic insight into U.S. domestic and foreign communications channels.
U.S. National Guard Network Intrusions
Timeframe: March–December 2024
Region: United States
Victims: State-level National Guard military networks
Tactics: Exploitation of VPN gateways and edge devices; lateral movement
Data Exfiltrated:
- Network diagrams
- VPN configs
- Credentials
- Incident response playbooks
Motivation:
Preparation of the battle space and long-term espionage within defense-adjacent infrastructure. Access to National Guard systems may serve to identify mobilization thresholds, crisis response mechanisms, or gaps in cybersecurity posture.
British Critical Infrastructure Breach
Timeframe: 2023–2024
Region: United Kingdom
Victims: Unspecified entities within government, military, transportation, and telecom sectors
Tactics: Edge device compromise, deep persistence, VoIP and metadata collection
Data Exfiltrated:
- Communications routing info
- Geo-location metadata
- Secure messaging infrastructure details
Motivation:
Strategic espionage against a key U.S. ally and Five Eyes member. Objectives likely included monitoring of UK national security communications, potential identification of surveillance chokepoints, and tactical SIGINT acquisition.
Router Hijacking Across the EU
Timeframe: 2022–2023
Region: Netherlands, Germany, France, and other EU states
Victims: Small-to-mid-tier internet service providers (ISPs)
Tactics: Exploitation of firmware and remote management services
Persistence:
- Custom router implants
- Backdoored updates
Motivation:
Infrastructure-level access in support of broader SIGINT harvesting and as potential staging points for operations elsewhere in Europe. These footholds may enable covert redirection of traffic, credential theft, or passive surveillance of encrypted communications.
i-SOON-Enabled Espionage Campaigns
Timeframe: Ongoing (2019–Present)
Region: Global – activity observed across U.S., Taiwan, EU, and Southeast Asia
Infrastructure:
- Domains registered using fake U.S. identities and ProtonMail accounts
- Toolkits developed or leased via i-SOON (Anxun Information Technology Co., Ltd.)
Motivation:
These campaigns reflect China’s shift toward a contractor-enabled cyber espionage model, allowing deniability while scaling operations. i-SOON support enables Salt Typhoon to outsource infrastructure management, domain procurement, and OPSEC tooling, aligning with MSS tradecraft evolution toward privatized cyber outsourcing.
Domain Infrastructure & Tradecraft
Salt Typhoon has developed and sustained a large-scale, repeatable domain registration infrastructure that has enabled the public attribution of at least 45 domains to its campaigns between 2020 and 2025. This extensive exposure represents a significant operational security failure for a Chinese state-aligned threat group, especially compared to the more opaque infrastructure practices seen in other MSS-directed operations.
The domains were consistently registered using ProtonMail email addresses and fabricated U.S. personas, often featuring plausible American names and residential addresses in cities like Los Angeles and Miami. Common registrant names included:
- Monica Burch (Los Angeles)
- Monica Gonzalez Serrano (Burgos)
- Shawn Francis (Miami)
- Tommie Arnold (Miami)
- Geralyn Pickens (linked to overlapping UNC4841 infrastructure)
- Larry Smith (Illinois)
This infrastructure supported several key phases in Salt Typhoon’s intrusion lifecycle:

Several domains mimicked legitimate technology or telecom services, enhancing perceived authenticity. Notable examples include:
- cloudprocenter[.]com
- imap.dateupdata[.]com
- requiredvalue[.]com
- e-forwardviewupdata[.]com
- dateupdata[.]com
- availabilitydesired[.]us
Domain Registration, Infrastructure & Tradecraft

Salt Typhoon’s domain infrastructure exhibits a contractor-driven, modular tradecraft aligned with long-term scalability and operational deniability. Unlike traditional Chinese APTs that rely on obscure or concealed infrastructure, Salt Typhoon routinely registers English-language domains using fabricated U.S. personas, a notable operational security lapse that reflects the outsourcing of infrastructure to pseudo-private contractors, including entities like i‑SOON, Zhixin Ruijie, and Huanyu Tianqiong.
While prior assessments emphasized domains mimicking telecom portals (e.g., routerfirmwareupdate[.]net, servicecloudconnect[.]com), updated analysis of actor-controlled domains reveals a different pattern:
- Many domains employ action-oriented language (getdbecausehub[.]com, solveblemten[.]com, lookpumrron[.]com) that simulates benign SaaS or internal productivity tools.
- A smaller subset of nonsensical domain names (xdmgwctese[.]com) points to automated or randomized generation—possibly for backup C2s.
- Direct telecom brand mimicry is absent in this dataset, indicating a shift toward subtle obfuscation over spoofing.
Infrastructure telemetry shows:
- Consistent use of ProtonMail accounts for Whois registration, often in combination with fictitious U.S. addresses (e.g., Lena, IL or Miami, FL).
- Clustering around shared DNS hosts, including value-domain.com, and common TLS issuers such as GoDaddy Secure and Sectigo RSA DV CA.
- Timeline analysis reveals batch provisioning of domains and certificates, indicative of centralized tooling and bulk operational logistics.
This tradecraft suggests integration with dual-use contractor toolkits (e.g., Shadow Network/Defense), where C2 channels are disguised as routine update or sync services. It reinforces the hypothesis that Salt Typhoon operates as a state-aligned offensive platform fueled by commercial intermediaries, blurring the line between espionage infrastructure and legitimate cloud services.
This approach underscores the hybrid MSS contractor model: the Ministry of State Security directs tasking while corporate cut-outs register domains, lease infrastructure, and package turnkey C2 kits. The resulting infrastructure is repeatable and industrialized, but not airtight. Its reliance on predictable naming templates, overlapping infrastructure, and false U.S. identities creates attributional fingerprints that defenders can exploit for pivoting.

- Top fake registrant names:
  - Shawn Francis (8 domains)
  - Monica Burch, Tommie Arnold, Larry Smith (4–5 each)
  - Others include “Geralyn Pickens” and privacy placeholders like “Domain Admin” or “REDACTED FOR PRIVACY”
- Email Domains:
  - protonmail.com used in 47% of records, indicating consistent OPSEC tooling reuse.
- Registrant Addresses:
  - Most addresses list Miami, FL or Lena, IL, using street names like “Lowland Drive” and “Trails End Road,” suggesting automation, scraped identity data or just creative writing.

Salt Typhoon’s decision to register domains using fabricated U.S.-based identities and ProtonMail accounts, rather than relying on anonymized Whois services or privacy proxies, may reflect a calculated tradecraft decision rather than simple OPSEC failure. This approach allowed the group to craft infrastructure that appeared more legitimate to automated detection systems, phishing targets, and threat intelligence filters, thereby increasing the likelihood of successful intrusion or lateral movement. The use of plausible names (e.g., “Shawn Francis,” “Monica Burch”) and real-sounding U.S. addresses likely helped the domains blend into domestic traffic patterns and evade geo-IP or heuristic-based scrutiny. Moreover, the repeated structure and reuse of ProtonMail accounts suggest a contractor-enabled, semi-automated provisioning model, likely stemming from entities like i‑SOON. This infrastructure pipeline likely prioritized speed, scalability, and low-friction staging environments over long-term stealth. While it ultimately enabled attribution and exposure, it reveals a key insight into the industrialization of Chinese cyber operations: where the demand for deniability is often subordinated to operational efficiency and technical convenience.
DNS & Name Server Infrastructure
Analysis of DNS records reveals significant clustering around shared name server infrastructure, indicating that Salt Typhoon domains are not provisioned independently but rather through centralized pipelines. Many of the identified domains resolve to the same or closely related sets of authoritative name servers, often hosted within low-density VPS environments controlled by a limited number of providers. This pattern reduces operational overhead for the attackers, allowing bulk management of dozens of domains from a single administrative point, but it also introduces a major attributional weakness. By pivoting on recurring NS records, defenders can uncover entire clusters of infrastructure tied to Salt Typhoon, even when individual domains use different registrars, registrant details, or privacy-protection services. The concentration of these resources strongly suggests the involvement of contractor-managed hosting accounts or automation scripts, reinforcing the view that Salt Typhoon relies on semi-privatized service providers to industrialize domain management at scale.
- Name Server Hosts (Top):
  - irdns.mars.orderbox-dns.com (8 domains)
  - ns4.1domainregistry.com and value-domain.com (5–6 each)
  - MonoVM-branded servers like earth.monovm.com, mars.monovm.com also appear
- Name Server IP Clusters:
  - 162.251.82.125, 162.251.82.252, and 162.251.82.253 support up to 7 domains each
  - IPs belong to OrderBox / PublicDomainRegistry infrastructure, suggesting templated registrar setup
SSL Certificate Use
Salt Typhoon prefers commercial domain-validated (DV) certificates issued by authorities such as GoDaddy and Sectigo, deliberately avoiding free certificate providers like Let’s Encrypt. This choice reflects an intent to make their infrastructure appear more legitimate to both automated security systems and human analysts, since certificates from well-known commercial issuers are less likely to trigger suspicion than those from free, disposable services. The use of DV certificates also allows operators to rapidly provision SSL/TLS coverage across large batches of domains with minimal validation requirements, streamlining the deployment of C2 and staging servers. While this practice raises the cost and complexity slightly compared to using free providers, it demonstrates Salt Typhoon’s emphasis on credibility and persistence over short-term economy, fitting with their long-dwell operations against telecom and defense-adjacent networks. For defenders, the clustering of GoDaddy- and Sectigo-issued certificates across multiple Salt Typhoon domains provides an additional pivot point, exposing infrastructure reuse and linking seemingly unrelated assets back to the same operational ecosystem.
- Top SSL Issuers:
  - GoDaddy Secure Certificate Authority – G2 (18 certs)
  - Sectigo RSA DV Secure Server CA (4 certs)
- Common CNs:
  - *.myorderbox.com appeared across 4 domains, indicating use of wildcard certs from shared panels
- Durations:
  - Certificates typically last 366 days, aligning with default DV settings
- Timeline:
  - Issuance ranges from late 2024 to present, directly aligning with publicly known Salt Typhoon campaign windows
Tradecraft Insights & Behavioral Patterns
Insights into Salt Typhoon’s tradecraft and behavioral patterns highlight a disciplined but contractor-driven approach that balances operational sophistication with repeatable, industrialized methods. The group consistently targets telecom and defense-adjacent infrastructure, using edge devices as durable entry points to achieve long-term persistence and intelligence collection. Their domain and infrastructure choices reveal reliance on bulk registration pipelines, shared DNS backends, and commercial DV certificates, suggesting a semi-outsourced model where private firms handle provisioning at scale. On the operational side, Salt Typhoon implants exhibit regular beaconing intervals, encrypted communications disguised as service updates, and selective exfiltration of metadata such as call records, VoIP configs, and lawful intercept logs. Despite attempts at obfuscation, their preference for predictable domain theming, clustering around specific registrars, and infrastructure overlaps across campaigns creates investigative seams that defenders can exploit, underscoring the tension between scalability and stealth in their tradecraft.

Strategic Implications
Salt Typhoon’s infrastructure carries clear strategic implications for both attribution and defense. Its scalability, enabled by outsourced provisioning through pseudo-private contractors, shows that future campaigns can be rapidly spun up with minimal overhead. At the same time, the template-driven nature of its setup, relying on recurring domain themes, registrar preferences, and automation pipelines, introduces predictable patterns that defenders can baseline and monitor. Most importantly, persistent OPSEC lapses such as the reuse of identical fake personas, recycled name server and certificate infrastructure, and reliance on a small pool of providers (notably PDR, MonoVM, and GMO) create durable fingerprints. This combination of scale and sloppiness means Salt Typhoon campaigns can be tracked over time using passive DNS clustering, SSL certificate pivots, registrar telemetry, and persona overlap, offering defenders viable opportunities to anticipate and disrupt the group’s infrastructure before it matures into active operations.
Salt Typhoon’s infrastructure is:
- Scalable: suggesting outsourced provisioning,
- Template-driven: exposing predictable setup patterns,
- Attributable: due to OPSEC oversights and reuse of NS/CN/IPs.
These characteristics make it possible to track future campaigns using:
- Passive DNS clusters
- Reused fake personas or address strings
- SSL cert patterns
- Registrar telemetry from known providers (PDR, MonoVM, GMO)
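The pivoting described in the DNS and name server section, the certificate section, and the tracking list above can be exercised with a small clustering script. The following is an added example, not code from the report: it links domains through shared Whois personas, address strings, name servers, NS IPs and certificate subjects, and weights registrar-shared values (NS hosts, NS IPs, mail providers, commercial CAs) lower than reused personas so that a common CA or registrar alone does not tie unrelated sites together. The sample records are constructed: the domains, personas, name servers and issuers appear in the report, but which domain used which persona, name server or IP is an assumption made here for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

# Whois placeholders that would otherwise link every redacted record together.
PRIVACY_PLACEHOLDERS = {"", "domain admin", "redacted for privacy"}
# Strong pivots (weight 2): a reused fabricated persona or address string is
# specific enough to link two domains on its own. Weak pivots (weight 1):
# registrar name servers/IPs, mail providers and commercial DV issuers are
# shared by many unrelated customers, so two of them are needed for a link.
STRONG = ("registrant", "address")
WEAK = ("email_domain", "ns_hosts", "ns_ips", "cert_cn", "cert_issuer")
LINK_THRESHOLD = 2

@dataclass
class DomainRecord:
    domain: str
    registrant: str    # Whois registrant name as written
    email_domain: str  # mail provider of the registrant address
    address: str       # street/city string from Whois
    ns_hosts: list     # authoritative name-server hostnames
    ns_ips: list       # resolved name-server IPs
    cert_cn: str       # TLS certificate common name
    cert_issuer: str   # TLS issuer common name

def pivots(rec, fields):
    """(field, value) pairs for the fields, flattening lists, no placeholders."""
    out = set()
    for f in fields:
        val = getattr(rec, f)
        for item in (val if isinstance(val, list) else [val]):
            item = item.strip().lower()
            if item not in PRIVACY_PLACEHOLDERS:
                out.add((f, item))
    return out

def link_score(a, b):
    """Weighted overlap between two records, plus the pivots they share."""
    strong = pivots(a, STRONG) & pivots(b, STRONG)
    weak = pivots(a, WEAK) & pivots(b, WEAK)
    return 2 * len(strong) + len(weak), strong | weak

def cluster(records):
    """Union-find over pairwise links; returns clusters, largest first."""
    parent = {r.domain: r.domain for r in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a, b in combinations(records, 2):
        if link_score(a, b)[0] >= LINK_THRESHOLD:
            parent[find(a.domain)] = find(b.domain)
    groups = defaultdict(list)
    for r in records:
        groups[find(r.domain)].append(r.domain)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)

def score_sighting(new_rec, records):
    """Best known record an unseen domain links to: (domain, score, pivots), or None."""
    best = None
    for r in records:
        score, shared = link_score(new_rec, r)
        if score >= LINK_THRESHOLD and (best is None or score > best[1]):
            best = (r.domain, score, sorted(shared))
    return best

# Constructed sample: the domains, personas, name servers and issuers appear in
# the report, but which domain used which persona, NS or IP is invented here.
GODADDY = "GoDaddy Secure Certificate Authority - G2"
SECTIGO = "Sectigo RSA DV Secure Server CA"
SAMPLE = [
    DomainRecord("cloudprocenter.com", "Shawn Francis", "protonmail.com",
                 "Lowland Drive, Miami, FL", ["irdns.mars.orderbox-dns.com"],
                 ["162.251.82.125"], "*.myorderbox.com", GODADDY),
    DomainRecord("dateupdata.com", "Shawn Francis", "protonmail.com",
                 "Lowland Drive, Miami, FL", ["irdns.mars.orderbox-dns.com"],
                 ["162.251.82.252"], "dateupdata.com", GODADDY),
    # Redacted Whois: can only link through weak pivots (NS host, IP, CN, CA).
    DomainRecord("requiredvalue.com", "REDACTED FOR PRIVACY", "protonmail.com",
                 "", ["irdns.mars.orderbox-dns.com"], ["162.251.82.125"],
                 "*.myorderbox.com", GODADDY),
    DomainRecord("getdbecausehub.com", "Larry Smith", "protonmail.com",
                 "Trails End Road, Lena, IL", ["earth.monovm.com"],
                 ["203.0.113.10"], "getdbecausehub.com", SECTIGO),
    DomainRecord("solveblemten.com", "Larry Smith", "protonmail.com",
                 "Trails End Road, Lena, IL", ["mars.monovm.com"],
                 ["203.0.113.11"], "solveblemten.com", SECTIGO),
    # Unrelated site that merely uses the same commercial CA: must stay apart.
    DomainRecord("bakery.example", "Domain Admin", "gmail.com", "",
                 ["ns1.example-dns.net"], ["198.51.100.5"], "bakery.example", GODADDY),
]
# A later sighting that reuses the Miami address string under a new persona.
NEW_SIGHTING = DomainRecord("availabilitydesired.us", "Tommie Arnold",
                            "protonmail.com", "Lowland Drive, Miami, FL",
                            ["ns4.1domainregistry.com"], ["162.251.82.253"],
                            "availabilitydesired.us", GODADDY)
```

Calling cluster(SAMPLE) yields three groups: the OrderBox/Miami domains (including the redacted one, linked only by its NS host, NS IP, shared-panel CN and CA), the two Lena, IL domains, and the bakery on its own. score_sighting(NEW_SIGHTING, SAMPLE) attaches the new domain to the Miami cluster through the reused address string even though its persona and name server are new.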
Targeting Profiles
Named Individuals & Indictments

Public attribution of Salt Typhoon’s operations has revealed the involvement of named Chinese nationals tied to cyberespionage infrastructure, contractor networks, and front companies aligned with the Ministry of State Security (MSS). These individuals have been subject to U.S. indictments, sanctions, and international arrest warrants, providing rare legal and intelligence visibility into the human operators behind Salt Typhoon’s campaigns.
Yin Kecheng
- Status: Indicted (DOJ), Sanctioned (OFAC), FBI wanted; $2 million reward issued for information leading to arrest.
- Role: Key infrastructure operator and hacker for Salt Typhoon; believed to have led or coordinated exfiltration and long-term C2 operations.
- Affiliations: Tied to Sichuan Juxinhe Network Technology Co., Ltd., a front company sanctioned by the U.S. for enabling espionage against U.S. telecom providers.
- Links to i-SOON: Embedded in broader contractor ecosystem supporting MSS-directed cyber ops (Source: DOJ, NextGov, FBI).
Role: MSS-affiliated infrastructure operator and intrusion specialist
Affiliation: Sichuan Juxinhe Network Technology Co., Ltd.
Targeting Characteristics:
Motivation Profile:
Yin’s role suggests a SIGINT-centric mission, focused on covert, technical persistence inside telecommunications networks to enable real-time surveillance and metadata harvesting on behalf of the MSS.
Zhou Shuai (aka “Coldface”)
- Status: Indicted (DOJ), Sanctioned (OFAC), FBI wanted; $2 million reward offered.
- Role: Broker and strategic operator involved in Salt Typhoon’s data resale and operational planning.
- Affiliations:
- Former employee of Shanghai Heiying Information Technology Co., Ltd., a data brokerage firm sanctioned for selling compromised infrastructure access.
- Worked within the Strategic Consulting Division of i-SOON, an MSS-linked contractor with deep involvement in cyberespionage tooling and infrastructure provisioning.
- Activities: Played a role in coordinating front-company logistics, C2 setup, and interfacing with MSS tasking structures (Source: DOJ, FBI, IC3).
Role: Strategic broker, contractor liaison, infrastructure manager
Affiliation: Shanghai Heiying Information Tech, i-SOON Strategic Consulting Division
Targeting Characteristics:
Operational Synergy Between Yin & Zhou
Implications for Attribution & Defense
The identification of Yin Kecheng and Zhou Shuai as central figures within Salt Typhoon's operational structure illustrates the group’s hybridized threat architecture, wherein distinct roles are distributed between technical operators and strategic brokers. This configuration is emblematic of a broader trend in Chinese cyber espionage: the convergence of state objectives with contractor-enabled execution.
- Yin Kecheng, operating within the i‑SOON-aligned ecosystem and affiliated with Sichuan Juxinhe Network Technology Co., Ltd., is positioned as a core technical enabler—responsible for domain infrastructure, implant deployment, and network exploitation. His work supports the persistent collection of high-value SIGINT from U.S. and allied telecommunications systems.
- In contrast, Zhou Shuai (alias Coldface), as an indicted operator and data broker behind Shanghai Heiying Information Technology, represents the strategic/logistical tier of the adversary model. His activities center on the resale, exfiltration coordination, and monetization of stolen data, often functioning as a bridge between operational teams and institutional customers (e.g., MSS units or secondary clients).
Together, these roles reinforce three defining characteristics of Salt Typhoon:
- A Layered Adversary Model: Salt Typhoon is structured to separate tasking, execution, and monetization across organizational layers, mirroring corporate operational design. Strategists like Zhou interface with planners and consumers of intelligence, while technicians like Yin handle access and persistence operations.
- Geopolitically Aligned SIGINT Targeting: The campaigns attributed to Salt Typhoon are consistent with Chinese state intelligence priorities: telecommunications metadata, National Guard network maps, lawful intercept systems, and VoIP infrastructure—each of which supports surveillance, counterintelligence, and wartime preparation objectives.
- Deniable Outsourcing through i‑SOON and Pseudo-Private Fronts: The use of companies such as i‑SOON, Juxinhe, and Heiying exemplifies the PRC’s plausible deniability strategy, delegating technical tradecraft to commercial entities while maintaining indirect command-and-control via the Ministry of State Security. This contractor-enabled cyber espionage model provides scalability, compartmentalization, and diplomatic insulation.
In total, the Yin-Zhou configuration is a case study in modern Chinese cyber operational design: contractor-driven, state-aligned, and strategically layered, with each actor occupying a clearly defined but mutually reinforcing position within the broader offensive ecosystem.
Final Assessment
Salt Typhoon stands as a premier exemplar of Ministry of State Security (MSS)-directed cyber espionage, executed through a contractor-enabled operational model that blends state tasking with private-sector tradecraft. This group embodies the evolving doctrine of the Chinese cyber apparatus: plausibly deniable intrusion capability at scale, leveraging a network of technology firms, freelance operators, and corporate front entities.
Salt Typhoon’s operational architecture is significantly shaped by its integration with firms like i‑SOON (Anxun Information Technology Co., Ltd.), as well as affiliated contractors such as Sichuan Juxinhe and Shanghai Heiying. These organizations provide both the logistical substrate, domain registrations, infrastructure management, and toolkits, and the personnel support needed to execute MSS priorities without direct attribution. This contractor hybridization illustrates the maturation of China’s cyber outsourcing economy, where state objectives are achieved via technically sophisticated but commercially masked operations.
From a detection and tracking perspective, Salt Typhoon represents one of the most publicly exposed and traceable “Typhoon” groups to date. Their repeated use of:
- ProtonMail email accounts,
- fabricated U.S.-based personas, and
- consistent domain naming and hosting practices
has enabled defenders to build infrastructure-based detections, correlate activity across campaigns, and map the actor’s footprint across global telco and government targets.
Despite these OPSEC lapses, Salt Typhoon has demonstrated high capability in long-dwell access, lawful intercept system compromise, and configuration hijacking across telecom, defense, and critical infrastructure layers.
The group’s campaigns, tools, and contractor dependencies reflect a broader shift within Chinese offensive cyber strategy, away from monolithic APT groups and toward fragmented, contractor-leveraged, industrial-scale operations. This model poses significant challenges for attribution, legal countermeasures, and international response.
In sum, Salt Typhoon is not merely another state-backed APT. It is a prototype of China’s next-generation cyber espionage model, where covert access is privatized, capabilities are modular, and deniability is built into every layer of the intrusion lifecycle.
APPENDIX A:
DOSSIERS
Dossier: Named Individuals of Salt Typhoon
Dossier: Yin Kecheng (尹克成)

- Name: Yin Kecheng
- Alias: YKCAI (Federal Bureau of Investigation)
- Nationality: Chinese (Federal Bureau of Investigation)
- Date of Birth (used in filings): December 8, 1986 (Federal Bureau of Investigation)
Last Known Location
- Last Known Residence: Shanghai, China (Federal Bureau of Investigation)
Legal Status & Sanctions
- OFAC Designation: Yin Kecheng is sanctioned by the U.S. Treasury (OFAC) for his involvement in the Salt Typhoon cyber espionage campaign, including a network breach at the U.S. Department of the Treasury. (U.S. Department of the Treasury)
- Indictments: Charged via DOJ press releases — the March 5, 2025, Justice Department action links him to unauthorized access, data exfiltration, wire fraud, identity theft, and conspiracy with i‑SOON‑aligned actors. (Department of Justice)
- Reward: U.S. authorities (State Department / Transnational Organized Crime Rewards program) have offered up to $2,000,000 for information leading to his arrest or conviction. (Federal Bureau of Investigation)
Role and Alleged Actions
- MSS‑aligned actor: He is affiliated with (or working for) China’s Ministry of State Security (MSS) as a cyber actor. (U.S. Department of the Treasury)
- Infrastructure operator: Alleged to have operated or given direction over intrusions into U.S. telecom and internet service provider networks, via Sichuan Juxinhe Network Technology Co. Ltd., among others. (U.S. Department of the Treasury)
- Malware usage: In DOJ / FBI statements, accused of using tools such as PlugX to maintain persistence, reconnaissance, and data exfiltration from multiple victim networks. (Federal Bureau of Investigation)
Personal Details:
While Yin Kecheng has no widely publicized hacker handle like “White” or “0ktapus” actors, the following alias is mentioned in DOJ materials:
- YKCAI — Possibly short for “Yin Kecheng China AI” or a custom alias derived from initials.
Additional OSINT from leaks (like the i‑SOON GitHub archive) may associate email aliases, QQ numbers, or internal employee codes (e.g., ykc_ops@163[.]com, yk@isoon[.]cn) — but these have not been publicly confirmed.
Involvement in the Chinese Hacking Ecosystem
Yin Kecheng is reportedly part of:
- The contractor-enabled MSS ecosystem, specifically through Sichuan Juxinhe Network Technology Co., Ltd.
- This company appears to be a shell for MSS cyber ops, functioning like i‑SOON in providing leased infrastructure, phishing support, domain pipelines, etc.
Reports also indicate:
- Overlap with APT27 (Emissary Panda) and UNC4841 infrastructure.
- He is implicated in breaches of critical infrastructure, particularly telecom and data center targets in the U.S., Taiwan, and the EU.
- Part of a broader strategy to outsource technical operators under cover of “private” Chinese companies (like Huanyu Tianqiong and Zhixin Ruijie).
Position Within the Diaspora
- Not a forum-branded figure (e.g. not known to frequent Ghost Market, HackForum equivalents)
- Instead, fits the quasi-civilian, contractor-for-the-state model — part of China’s hacker-for-hire wave following 2018+
- Possibly involved in internal MSS training pipelines (speculation based on role and patterns seen in other MSS-aligned operators)
- May be a technical leader rather than an OPSEC/espionage strategist
Zhou Shuai ("Coldface")
Chinese Name & Translation

- Romanization: Zhou Shuai
- Simplified Chinese: 周帅 (Zhōu Shuài)
- 周 (Zhōu) — a common Chinese surname
- 帅 (Shuài) — means “handsome”, “commander”, or “to lead”
Identity & Biographical Data
Known Roles, Activities & Connections
- Data Broker & Infrastructure Operator: According to U.S. Treasury/OFAC, Zhou Shuai runs or is majority‑owner of Shanghai Heiying Information Technology Company, Limited, and is involved in brokering stolen data and network access. (U.S. Department of the Treasury)
- Contractor Ecosystem: He is tied to China’s “hacker‑for‑hire” ecosystem—specifically the private sector firms used by the MSS and MPS to carry out intrusions and data theft. He’s alleged to have operated both under tasking and on his own initiative. (Department of Justice)
- Target Types & Data: Victims include technology firms, cleared defense contractors, think tanks, government entities, foreign ministries, etc. Stolen data includes personally identifying info, telecommunications/border‑crossing data, personnel info of religious/media sectors, etc. (U.S. Department of the Treasury)
- Legal Charges & Sanctions: Charged by DOJ in March 2025 alongside Yin Kecheng for wire fraud, unauthorized access, identity theft, conspiracy, etc. Also sanctioned by OFAC. (U.S. Department of the Treasury)
Hacker Aliases & Diaspora
- Aliases:
- Coldface 冷脸 (Lěng liǎn), 冷面 (Lěng miàn), 冷哥 (Lěng gē)
- Coldface Chow (variant)
- Connection to APT Groups / Contractor Overlaps:
- Zhou is named in the DOJ indictment tied to APT27 operations and alongside Yin Kecheng in large‑scale global intrusion campaigns. (Department of Justice)
- He is listed in sanction documents as part of the i‑SOON contracting / hacker‑for‑hire supply chain. (Department of Justice)
- Activity Span: Public reports indicate activity from ~2018 through 2025. Data shows that some of his operations include brokering exfiltrated data, managing or enabling infrastructure, participating in profit‑oriented intrusions. (U.S. Department of the Treasury)
Front Companies & Institutional Support
- Sichuan Juxinhe Network Technology Co., Ltd.
- Front company tied to Yin Kecheng; involved in Salt Typhoon’s infrastructure ops like domain registration and staging.
(U.S. Department of the Treasury, Reuters)
- Shanghai Heiying Information Technology Co., Ltd.
- Owned and operated by Zhou Shuai; used to broker stolen data and support contractor-enabled tradecraft.
(U.S. Department of the Treasury)
- i-SOON (Anxun Information Technology Co., Ltd.)
- Recruiter and operational facilitator blending covert state tasking (MSS/MPS) with outsourced hacker-for-hire ecosystems.
- Employed both Yin and Zhou (or their firms) for domain, server, and tooling infrastructure provisioning.
(Federal Bureau of Investigation, Department of Justice)
Summary Table of Salt Typhoon known actors
APPENDIX B:
Salt Typhoon (IOCs) and TTP’s
Indicators of Compromise (IOCs)
Salt Typhoon operations leave behind both infrastructure and behavioral indicators:
- Infrastructure Domains: Numerous domains registered with fraudulent U.S. personas; some linked to contractor ecosystems such as i-SOON.
- Malware Implants: Bespoke router firmware/rootkits deployed on Cisco, Ivanti, and Palo Alto devices to enable long-dwell persistence.
- Certificates: Use of self-signed TLS certificates on C2 servers to blend into encrypted traffic.
- Network Artifacts:
- Modified router configs with unauthorized SSH authorized_keys entries.
- Indicators of lawful intercept logs exfiltrated from telecom systems.
- Observed CVEs exploited:
- Cisco IOS XE Web UI (CVE-2023-20198)
- Ivanti Connect Secure Authentication Bypass (CVE-2023-35082)
- Palo Alto PAN-OS GlobalProtect flaws (CVE-2024-3400 series).
Indicator of Compromise (IOCs) – Salt Typhoon Telco Campaigns
Name Server Hosts/IPs:
- irdns.mars.orderbox-dns.com
- ns4.1domainregistry.com
- ns1.value-domain.com
- earth.monovm.com, mars.monovm.com
IP Cluster:
- 162.251.82.125, 162.251.82.252, 172.64.53.3
SSL Certificate Indicators:
- Common Names (CN):
- *.myorderbox.com
- www.solveblemten.com
- Issuers:
- GoDaddy Secure CA – G2
- Sectigo RSA DV CA
Malware/Toolkit Hashes (from public reporting)*:
(Note: full hashes not released publicly for Demodex/SigRouter due to classified status. Sample placeholders below.)
- Demodex (custom rootkit):
- SHA256 (sample): 6a2f9a...e3b1b7a
- SigRouter:
- SHA256 (sample): d23cb5...af3f8b2
- China Chopper Web Shell:
- MD5: e99a18c428cb38d5f260853678922e03
Other:
- Email Infrastructure:
- ProtonMail accounts (used in Whois): e.g., ethdbnsnmskndjad55@protonmail.com
- Whois Fake Registrants:
- “Shawn Francis”, “Monica Burch”, “Tommie Arnold”
Domains Created:
Personae Used
Protonmail Use:
MITRE ATT&CK Mapping – Salt Typhoon (Telco Operations)
Tactics, Techniques, and Procedures (TTPs)
Initial Access
- Exploitation of router, firewall, and VPN gateway vulnerabilities to penetrate telecom and military networks.
- Targeting network edge devices as initial footholds — chosen for both persistence and data collection value.
Persistence
- Deployment of firmware/rootkit implants on routers and firewalls to maintain covert, long-term access.
- Modification of SSH authorized_keys for persistence across reboots (MITRE ATT&CK T1098.004).
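A defender-side check for this persistence technique, added here as an example and not taken from the report: it parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints, and flags any key absent from a known-good baseline. The baseline format (full public-key lines) and the placeholder key bytes are assumptions of the example.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of known public keys.

Added example for the T1098.004 persistence technique described above; it is not
code from the original report. The key blobs below are constructed placeholder
bytes, not real key material.
"""
import base64
import hashlib
import re

# "<keytype> <base64 blob>"; text before the match is the options field,
# text after it is the comment.
KEY_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-[\w.-]+@openssh\.com)"
    r"\s+(?P<blob>[A-Za-z0-9+/]+={0,2})(?:\s+(?P<comment>.*))?$"
)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(raw blob)."""
    raw = base64.b64decode(blob_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """One record per non-comment line: type, fingerprint, options, comment, line number."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            records.append({"line": lineno, "error": "unparseable entry", "raw": line})
            continue
        try:
            fp = fingerprint(m.group("blob"))
        except ValueError:
            records.append({"line": lineno, "error": "invalid base64", "raw": line})
            continue
        records.append({
            "line": lineno,
            "type": m.group("type"),
            "fingerprint": fp,
            "options": line[:m.start()].strip(),
            "comment": (m.group("comment") or "").strip(),
        })
    return records


def audit(text: str, allowed_keys: list) -> list:
    """Return entries whose fingerprint is not in the allowlist, plus lines that do not parse."""
    allowed = {r["fingerprint"] for r in parse_authorized_keys("\n".join(allowed_keys))
               if "fingerprint" in r}
    findings = []
    for rec in parse_authorized_keys(text):
        if "error" in rec:
            findings.append({**rec, "reason": "unparseable"})
        elif rec["fingerprint"] not in allowed:
            findings.append({**rec, "reason": "unknown key"})
    return findings


def fake_key(label: bytes) -> str:
    """Constructed stand-in for a public key line (real blobs are SSH wire-format encodings)."""
    return "ssh-ed25519 " + base64.b64encode(label.ljust(32, b"\0")).decode()


# Constructed inputs: the baseline a defender keeps, and a file pulled from a device.
KNOWN_KEYS = [fake_key(b"ops-bastion-key") + " ops@bastion"]
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample pulled from a device under review",
    fake_key(b"ops-bastion-key") + " ops@bastion",
    'from="203.0.113.0/24",no-pty ' + fake_key(b"unexpected-key-01") + " svc@unknown",
    "ssh-rsa not_base64!!! broken-line",
])

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEYS):
        print(f"line {f['line']}: {f['reason']} {f.get('fingerprint', '')} "
              f"options={f.get('options', '')!r} comment={f.get('comment', '')!r}")
```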
Privilege Escalation & Defense Evasion
- Abuse of SeDebugPrivilege, token adjustments, and LOLBINs to escalate rights and avoid detection.
- Use of encoded PowerShell commands and service manipulation to obscure activity.
- Config hijacking and log manipulation on telecom infrastructure devices.
Credential Access
- Dumping credentials via comsvcs.dll with rundll32.
- Keying into router/VPN credential stores for lateral expansion.
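Detection logic for three of the host-level behaviours listed above (comsvcs.dll MiniDump through rundll32, encoded PowerShell, and event-log clearing with wevtutil), run over constructed process-creation events. This is an added example, not the authors' tooling; the event fields follow the shape of Sysmon Event ID 1 (Image, CommandLine, User), which is an assumption.

```python
"""Flag process-creation events matching the credential-dumping, encoded-PowerShell
and log-clearing behaviours listed above.

Added example, not code from the original report. The events are constructed.
"""
import base64
import re
from pathlib import PureWindowsPath

# PowerShell accepts abbreviations of -EncodedCommand; require a base64-looking argument.
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(arg: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; re-pad in case '=' was trimmed."""
    padded = arg + "=" * (-len(arg) % 4)
    try:
        return base64.b64decode(padded).decode("utf-16-le", errors="replace")
    except ValueError:
        return ""


def rule_comsvcs_minidump(image: str, cmd: str) -> bool:
    # MiniDump export of comsvcs.dll (by name or by ordinal #24) invoked via rundll32.
    return image == "rundll32.exe" and "comsvcs" in cmd and ("minidump" in cmd or "#24" in cmd)


def rule_encoded_powershell(image: str, cmd: str) -> bool:
    return image in ("powershell.exe", "pwsh.exe") and ENC_RE.search(cmd) is not None


def rule_wevtutil_clear_log(image: str, cmd: str) -> bool:
    return image == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", cmd) is not None


RULES = [
    ("comsvcs_minidump", rule_comsvcs_minidump),
    ("encoded_powershell", rule_encoded_powershell),
    ("wevtutil_clear_log", rule_wevtutil_clear_log),
]


def detect(events: list) -> list:
    """Return one alert per (event, rule) match, decoding encoded PowerShell for triage."""
    alerts = []
    for ev in events:
        image = PureWindowsPath(ev["Image"]).name.lower()
        cmd = ev["CommandLine"].lower()
        for name, rule in RULES:
            if rule(image, cmd):
                alert = {"rule": name, "host": ev["Host"], "user": ev["User"],
                         "cmdline": ev["CommandLine"]}
                if name == "encoded_powershell":
                    alert["decoded"] = decode_encoded_command(
                        ENC_RE.search(ev["CommandLine"]).group(1))
                alerts.append(alert)
    return alerts


# Constructed sample events: three matching the TTPs above, two benign look-alikes.
ENCODED = base64.b64encode("whoami /all".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Host": "tel-ws01", "User": "CORP\\svc_backup",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\d.bin full"},
    {"Host": "tel-ws01", "User": "CORP\\svc_backup",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -enc {ENCODED}"},
    {"Host": "tel-ws01", "User": "CORP\\svc_backup",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Host": "tel-ws02", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"Host": "tel-ws02", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["rule"], a["host"], a["user"], a.get("decoded", ""), sep=" | ")
```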
Discovery
- Network mapping using tasklist, wevtutil, and queries of machine GUIDs and crypto keys.
Lateral Movement
- Leveraging trusted ISP-to-ISP connections to pivot into partner environments.
- VPN exploitation to move laterally across National Guard and defense-adjacent networks.
Collection & Exfiltration
- Harvesting:
- Subscriber metadata & CDRs (Call Detail Records)
- VoIP configurations
- Lawful intercept logs
- Incident response playbooks (from military networks).
- Data staged within compromised routers before exfiltration to external C2.
Command & Control (C2)
- Use of beacon-based implants masquerading as legitimate Zero Trust or router monitoring tools (e.g., Shadow Network/Defense from Huanyu Tianqiong).
- TLS-encrypted channels with minimal jitter to blend into telecom backbone traffic.
Strategic Patterns
- Focus: Telecommunications and military/defense-adjacent networks for SIGINT.
- Contractor Integration: Heavy reliance on MSS-linked companies (Juxinhe, Zhixin Ruijie, Huanyu Tianqiong) and overlaps with i-SOON infrastructure.
- Long-Dwell Operations: Persistence for months/years in backbone routers, enabling surveillance at scale.
- Geographic Reach: Over 600 organizations breached worldwide, including 200 in the U.S. and operations across 80+ countries.
APPENDIX C: Corporate Connections

DomainTools Investigations identified a set of malicious domains registered since 01 June 2025 likely linked to the ecrime actor publicly known as PoisonSeed. These domains primarily spoof the email platform SendGrid and are likely attempting to compromise enterprise credentials of SendGrid customers. They display fake Cloudflare CAPTCHA interstitials to add legitimacy to malicious domains before redirecting targeted users to phishing pages. We did not identify specific targets, but public information indicates PoisonSeed’s historical target scope comprises cryptocurrency platforms and enterprise environments.
PoisonSeed tactics, techniques, and procedures (TTPs) bear similarities to those historically linked to SCATTERED SPIDER. There has been significant media reporting about the SCATTERED SPIDER adversary in recent weeks due to high-profile compromises against retailers, grocery chains, insurance providers, and airlines across the U.S., the U.K. and Canada. Some of these compromises led to significant business disruption. We have no evidence to connect the recently identified domains to operations against companies within these sectors; however, the potential links between these actors are notable given the impact of recent compromises.
New PoisonSeed Infrastructure
Industry reporting originally identified the PoisonSeed actor in April 2025. That report described PoisonSeed’s use of SendGrid phishing domains to facilitate cryptocurrency theft. In May 2025, the Mimecast Threat Research team published a blog describing similar activity in which an actor leveraged phishing campaigns impersonating service providers such as SendGrid to deliver fraudulent notifications to the providers’ users. The ultimate objective of these campaigns was to harvest enterprise credentials and use them to facilitate further phishing campaigns and lateral movement within targeted enterprise environments.
Mimecast reported that a key element of the phishing campaigns was the use of fake Cloudflare CAPTCHA interstitials. Specifically, these interstitial pages included fake Cloudflare Ray ID data. Additionally, domain registration and hosting patterns included:
- Domains registered via the NiceNIC International Group Co. registrar
- Domain names primarily containing references to SendGrid, as well as more generic digital services such as single sign-on (SSO) and login portals
- Hosting on IP addresses assigned to the provider Global-Data System IT Corporation (AS42624)
We identified 21 domains registered since 01 June 2025 that match the elements identified in the Mimecast blog post. The majority of these domains reference SendGrid, and those that do not were co-hosted on IP addresses alongside SendGrid-spoofing domains and referenced other, more generic digital services. Information from URLScan.io showed that several of these domains displayed fake Cloudflare CAPTCHA interstitials and contained fake Cloudflare Ray ID data consistent with public reporting.
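A hunting routine built from the fingerprint above, added here as an example and not the authors' tooling: each record is scored on naming, registrar, hosting ASN and the fake CAPTCHA observation, and the co-hosting pivot described in the text is applied so that generic-named domains sharing an IP with a SendGrid-spoofing domain inherit suspicion. The domains and IPs are constructed (.example names, documentation-range addresses); the allowlist of legitimate brand domains is an assumption.

```python
"""Score candidate domains against the registration/hosting fingerprint described above,
then propagate suspicion across shared hosting.

Added example, not the authors' tooling. Records are constructed; the registrar, ASN
and naming cues are the ones stated in the text.
"""
import re

REGISTRAR = "NiceNIC International Group Co."
HOSTING_ASN = 42624
BRAND_RE = re.compile(r"sendgrid", re.I)
GENERIC_RE = re.compile(r"sso|login|signin|auth|portal|account", re.I)
LEGIT = {"sendgrid.com", "sendgrid.net"}  # assumption: known-good brand domains to exclude


def score(rec: dict) -> list:
    """Reasons a single record matches the fingerprint (empty list = no match)."""
    domain = rec["domain"]
    if domain in LEGIT:
        return []
    reasons = []
    if BRAND_RE.search(domain):
        reasons.append("SendGrid-themed name")
    elif GENERIC_RE.search(domain):
        reasons.append("generic SSO/login name")
    if rec.get("registrar") == REGISTRAR:
        reasons.append("registrar matches pattern")
    if rec.get("asn") == HOSTING_ASN:
        reasons.append("hosting ASN matches pattern")
    if rec.get("fake_captcha"):
        reasons.append("fake Cloudflare CAPTCHA interstitial observed")
    return reasons


def classify(records: list) -> dict:
    """Map domain -> verdict and reasons; domains co-hosted with a SendGrid-themed
    hit get an extra reason, mirroring the pivot used in the text."""
    reasons = {r["domain"]: score(r) for r in records}
    brand_ips = {r["ip"] for r in records if "SendGrid-themed name" in reasons[r["domain"]]}
    for r in records:
        d = r["domain"]
        if r["ip"] in brand_ips and d not in LEGIT and "SendGrid-themed name" not in reasons[d]:
            reasons[d].append("co-hosted with SendGrid-spoofing domain")
    out = {}
    for domain, rs in reasons.items():
        verdict = "likely" if len(rs) >= 3 else "possible" if len(rs) == 2 else "low"
        out[domain] = {"verdict": verdict, "reasons": rs}
    return out


# Constructed records in the shape of a registration/hosting export.
SAMPLE_RECORDS = [
    {"domain": "sendgrid-notice.example", "ip": "198.51.100.10",
     "registrar": REGISTRAR, "asn": 42624, "fake_captcha": True},
    {"domain": "sso-secure-portal.example", "ip": "198.51.100.10",
     "registrar": REGISTRAR, "asn": 42624, "fake_captcha": False},
    {"domain": "sendgrid.com", "ip": "203.0.113.5",
     "registrar": "Other Registrar", "asn": 64496, "fake_captcha": False},
    {"domain": "login-helpdesk.example", "ip": "192.0.2.77",
     "registrar": "Other Registrar", "asn": 64496, "fake_captcha": False},
    {"domain": "sendgrid-mail-alert.example", "ip": "192.0.2.78",
     "registrar": "Other Registrar", "asn": 42624, "fake_captcha": False},
]

if __name__ == "__main__":
    for domain, v in classify(SAMPLE_RECORDS).items():
        print(f"{domain:32} {v['verdict']:8} {'; '.join(v['reasons'])}")
```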


Table 1. PoisonSeed Domains Registered Since 1 June 2025
We have uploaded a list of several hundred domains identified with the same fingerprint to our Github for further research, analysis, and hunting.
Relationship to SCATTERED SPIDER
Mimecast’s blog attributed the malicious activity to SCATTERED SPIDER, an ecrime adversary engaged in financially motivated activity since 2022. Our research indicates that the activity is likely attributable to the PoisonSeed actor based on use of the fake Cloudflare CAPTCHA interstitials and domain naming and registration similarities. However, it is plausible that PoisonSeed has historical or current connections to SCATTERED SPIDER.
The SCATTERED SPIDER adversary is linked to a diverse group of threat actors referred to as “The Com.” The adversary’s early operations typically combined smishing, SIM-swapping, and MFA push-notification fatigue to gain access to enterprise environments. However, the nature of a group like The Com has likely allowed SCATTERED SPIDER membership to change over time with new members bringing new skill sets such as advanced social engineering techniques aimed at companies’ IT helpdesks as well as ransomware affiliations. Additionally, former SCATTERED SPIDER operators may have left the group and continued to use some of the TTPs historically used by the adversary in new criminal operations.
It is plausible that similarities between PoisonSeed’s operations and those of SCATTERED SPIDER could be the result of PoisonSeed actors having a level of affiliation with the adversary itself or, more generally, with The Com collective. Additional research into PoisonSeed activity is necessary to more definitively establish this connection.
Assessment
The infrastructure identified in this blog highlights ongoing efforts by ecrime actors such as PoisonSeed to use tactics, techniques, and procedures (TTPs) historically similar to SCATTERED SPIDER. These actors are likely continuing to leverage these TTPs to compromise enterprise credentials to facilitate a range of malicious activity including phishing campaigns, cryptocurrency theft, data theft, and extortion.
Editor's note: Research for this article was conducted in July 2025, and conclusions are based on the information available at that time.

A rare and revealing breach attributed to a North Korean-affiliated actor, known only as “Kim” as named by the hackers who dumped the data, has delivered a new insight into Kimsuky (APT43) tactics, techniques, and infrastructure. This actor's operational profile showcases credential-focused intrusions targeting South Korean and Taiwanese networks, with a blending of Chinese-language tooling, infrastructure, and possible logistical support. The “Kim” dump, which includes bash histories, phishing domains, OCR workflows, compiled stagers, and rootkit evidence, reflects a hybrid operation situated between DPRK attribution and Chinese resource utilization.
Contents:
Part I: Technical Analysis
Part II: Goals Analysis
Part III: Threat Intelligence Report
Executive Summary

This report is broken down into three parts:
- Technical Analysis of the dump materials
- Motivation and Goals of the APT actor (group)
- A CTI report compartment for analysts
While this leak only gives a partial idea of what the Kimsuky/PRC activities have been, the material provides insight into the expansion of activities, the nature of the actor(s), and their goals in penetrating South Korean governmental systems, which would benefit not only the DPRK but also the PRC.

Without a doubt, there will be more coming out from this dump in the future, particularly if the burned assets have not been taken offline and access is still available, or if others have cloned those assets for further analysis. We may revisit this in the future if additional novel information comes to light.
Part I: Technical Analysis
The Leak at a Glance
The leaked dataset attributed to the “Kim” operator offers a uniquely operational perspective into North Korean-aligned cyber operations. Among the contents were terminal history files revealing active malware development efforts using NASM (Netwide Assembler), a choice consistent with low-level shellcode engineering typically reserved for custom loaders and injection tools. These logs were not static forensic artifacts but active command-line histories showing iterative compilation and cleanup processes, suggesting a hands-on attacker directly involved in tool assembly.

In parallel, the operator ran OCR (Optical Character Recognition) commands against sensitive Korean PDF documents related to public key infrastructure (PKI) standards and VPN deployments. These actions likely aimed to extract structured language or configurations for use in spoofing, credential forgery, or internal tool emulation.
Privileged Access Management (PAM) logs also surfaced in the dump, detailing a timeline of password changes and administrative account use. Many were tagged with the Korean string 변경완료 (“change complete”), and the logs included repeated references to elevated accounts such as oracle, svradmin, and app_adm01, indicating sustained access to critical systems.
The phishing infrastructure was extensive. Domain telemetry pointed to a network of malicious sites designed to mimic legitimate Korean government portals. Sites like nid-security[.]com were crafted to fool users into handing over credentials via advanced AiTM (Adversary-in-the-Middle) techniques.

Finally, network artifacts within the dump showed targeted reconnaissance of Taiwanese government and academic institutions. Specific IP addresses and .tw domain access, along with attempts to crawl .git repositories, reveal a deliberate focus on high-value administrative and developer targets.
Perhaps most concerning was the inclusion of a Linux rootkit using syscall hooking (khook) and stealth persistence via directories like /usr/lib64/tracker-fs. This highlights a capability for deep system compromise and covert command-and-control operations, far beyond phishing and data theft.
Artifacts recovered from the dump include:
- Terminal history files demonstrating malware compilation using NASM
- OCR commands parsing Korean PDF documents related to PKI and VPN infrastructure
- PAM logs reflecting password changes and credential lifecycle events
- Phishing infrastructure mimicking Korean government sites
- IP addresses indicating reconnaissance of Taiwanese government and research institutions
- Linux rootkit code using syscall hooking and covert channel deployment
Credential Theft Focus
The dump strongly emphasizes credential harvesting as a central operational goal. Key files such as 136백운규001_env.key were discovered alongside plaintext passwords, providing clear evidence of active compromise of South Korea’s GPKI (Government Public Key Infrastructure). The presence of 136백운규001_env.key is a smoking-gun indicator of stolen South Korean Government PKI material: its structure (numeric ID + Korean name + .key) aligns uniquely with SK GPKI issuance practices and points to compromised, identity-tied state cryptographic keys. Possession of such certificates would allow for highly effective identity spoofing across government systems.


PAM logs further confirmed this focus, showing a pattern of administrative account rotation and password resets, all timestamped and labeled with success indicators (변경완료: Change Complete). The accounts affected were not low-privilege; instead, usernames like oracle, svradmin, and app_adm01, often used by IT staff and infrastructure services, suggested access to core backend environments.
These findings point to a strategy centered on capturing and maintaining access to privileged credentials and digital certificates, effectively allowing the attacker to act as an insider within trusted systems.
- Leaked .key files (e.g., 136백운규001_env.key) with plaintext passwords confirm access to GPKI systems
- PAM logs show administrative password rotations tagged with 변경완료 (change complete)
- Admin-level accounts such as oracle, svradmin, and app_adm01 repeatedly appear in compromised logs
Phishing Infrastructure
The operator’s phishing infrastructure was both expansive and regionally tailored. Domains such as nid-security[.]com and webcloud-notice[.]com mimicked Korean identity and document delivery services, likely designed to intercept user logins or deploy malicious payloads. More sophisticated spoofing was seen in sites that emulated official government agencies like dcc.mil[.]kr, spo.go[.]kr, and mofa.go[.]kr.


Burner email usage added another layer of operational tradecraft. The address jeder97271[@]wuzak[.]com is likely linked to phishing kits that operated through TLS proxies, capturing credentials in real time as victims interacted with spoofed login forms.
These tactics align with previously known Kimsuky behaviors but also demonstrate an evolution in technical implementation, particularly the use of AiTM interception rather than relying solely on credential-harvesting documents.

- Domains include: nid-security[.]com, html-load[.]com, webcloud-notice[.]com, koala-app[.]com, and wuzak[.]com
- Mimicked portals: dcc.mil[.]kr, spo.go[.]kr, mofa.go[.]kr
- Burner email evidence: jeder97271[@]wuzak[.]com
- Phishing kits leveraged TLS proxies for AiTM credential capture
Malware Development Activity
Kim’s malware development environment showcased a highly manual, tailored approach. Shellcode was compiled using NASM, specifically with flags like -f win32, revealing a focus on targeting Windows environments. Commands such as make and rm were used to automate and sanitize builds, while hashed API call resolution (VirtualAlloc, HttpSendRequestA, etc.) was implemented to evade antivirus heuristics.
The dump also revealed reliance on GitHub repositories known for offensive tooling. TitanLdr, minbeacon, Blacklotus, and CobaltStrike-Auto-Keystore were all cloned or referenced in command logs. This hybrid use of public frameworks for private malware assembly is consistent with modern APT workflows.
A notable technical indicator was the use of the proxyres library to extract Windows proxy settings, particularly via functions like proxy_config_win_get_auto_config_url. This suggests an interest in hijacking or bypassing network-level security controls within enterprise environments.
- Manual shellcode compilation via nasm -f win32 source/asm/x86/start.asm
- Use of make, rm, and hash obfuscation of Win32 API calls (e.g., VirtualAlloc, HttpSendRequestA)
- GitHub tools in use: TitanLdr, minbeacon, Blacklotus, CobaltStrike-Auto-Keystore
- Proxy configuration probing through proxyres library (proxy_config_win_get_auto_config_url)
Rootkit Toolkit and Implant Structure
The Kim dump offers deep insight into a stealthy and modular Linux rootkit attributed to the operator’s post-compromise persistence tactics. The core implant, identified as vmmisc.ko (alternatively VMmisc.ko in some shells), was designed for kernel-mode deployment across multiple x86_64 Linux distributions and utilizes classic syscall hooking and covert channeling to maintain long-term undetected access.

Google Translation of Koh doc: Rootkit Endpoint Reuse Authentication Tool
“This tool uses kernel-level rootkit hiding technology, providing a high degree of stealth and penetration connection capability. It can hide while running on common Linux systems, and at the kernel layer supports connection forwarding, allowing reuse of external ports to connect to controlled hosts. Its communication behavior is hidden within normal traffic.
The tool uses binary merging technology: at compile time, the application layer program is encrypted and fused into a .ko driver file. When installed, only the .ko file exists. When the .ko driver starts, it will automatically decompress and release the hidden application-layer program.
Tools like chkrootkit, rkhunter, and management utilities (such as ps, netstat, etc.) are bypassed through technical evasion and hiding, making them unable to detect hidden networks, ports, processes, or file information.
To ensure software stability, all functions have also passed stress testing.
Supported systems: Linux Kernel 2.6.x / 3.x / 4.x, both x32 and x64 systems”.
Implant Features and Behavior
This rootkit exhibits several advanced features:
- Syscall Hooking: Hooks critical kernel functions (e.g., getdents, read, write) to hide files, directories, and processes by name or PID.
- SOCKS5 Proxy: Integrated remote networking capability using dynamic port forwarding and chained routing.
- PTY Backdoor Shell: Spawns pseudoterminals that operate as interactive reverse shells with password protection.
- Encrypted Sessions: Session commands must match a pre-set passphrase (e.g., testtest) to activate rootkit control mode.
Once installed (typically using insmod vmmisc.ko), the rootkit listens silently and allows manipulation via an associated client binary found in the dump. The client supports an extensive set of interactive commands, including:
+p # list hidden processes
+f # list hidden files
callrk # load client ↔ kernel handshake
exitrk # gracefully unload implant
shell # spawn reverse shell
socks5 # initiate proxy channel
upload / download # file transfer interface
These capabilities align closely with known DPRK malware behaviors, particularly from the Kimsuky and Lazarus groups, who have historically leveraged rootkits for lateral movement, stealth, persistence, and exfiltration staging.
Observed Deployment
Terminal history (.bash_history) shows the implant was staged and tested from the following paths:
.cache/vmware/drag_and_drop/VMmisc.ko
/usr/lib64/tracker-fs/vmmisc.ko
Execution logs show the use of commands such as:
insmod /usr/lib64/tracker-fs/vmmisc.ko
./client 192.168.0[.]39 testtest
These paths were not random—they mimic legitimate system service locations to avoid detection by file integrity monitoring (FIM) tools.

This structure highlights the modular, command-activated nature of the implant and its ability to serve multiple post-exploitation roles while maintaining stealth through kernel-layer masking.
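A cross-view check for the hiding behaviour described above, added here as an example and not code from the dump or the report: a getdents() hook filters names out of directory listings, but lstat() on an exact path and kill(pid, 0) go through different kernel paths and may still answer for the hidden object, so disagreement between the two views is the signal. An implant that also hooks those paths will evade this, so a clean result is only weak evidence. The temporary file name and the /proc-based scan are assumptions; the check runs on Linux.

```python
"""Cross-view checks for the kernel-level hiding described above.

Added example, not code from the dump or the original report.
"""
import os
import tempfile


def probe_pid(pid: int) -> bool:
    """True if the kernel knows this PID; signal 0 delivers nothing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user
    return True


def listed_pids(proc_root: str = "/proc") -> set:
    """PIDs as seen through getdents(), the view a hooked kernel can filter."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def hidden_pids(listed: set, probed: set) -> list:
    """PIDs that answer a probe but never appeared in the directory listing."""
    return sorted(probed - listed)


def scan_processes(max_pid: int = 0) -> list:
    """Compare the two process views; re-check candidates to filter PID churn races."""
    if max_pid == 0:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    listed = listed_pids()
    probed = {pid for pid in range(1, max_pid + 1) if probe_pid(pid)}
    candidates = hidden_pids(listed, probed)
    # A process started between the two snapshots looks hidden once; confirm it
    # is still absent from a fresh listing and still alive before reporting it.
    fresh = listed_pids()
    return [pid for pid in candidates if pid not in fresh and probe_pid(pid)]


def hidden_path(path: str) -> bool:
    """True if lstat() on the exact path succeeds but the name is absent from
    the parent's directory listing."""
    parent, name = os.path.split(path)
    try:
        os.lstat(path)
    except FileNotFoundError:
        return False
    return name not in os.listdir(parent or ".")


def self_check() -> dict:
    """Expected results on a clean host: a real file is visible, a missing one is
    not reported, and our own PID appears in /proc."""
    with tempfile.TemporaryDirectory() as tmp:
        present = os.path.join(tmp, "vmmisc.ko")  # constructed name mirroring the implant's
        with open(present, "wb") as fh:
            fh.write(b"\0")
        return {
            "present_file_hidden": hidden_path(present),
            "missing_file_hidden": hidden_path(os.path.join(tmp, "absent.ko")),
            "own_pid_listed": (os.getpid() in listed_pids()) if os.path.isdir("/proc") else None,
        }


if __name__ == "__main__":
    print("self check:", self_check())
    # Path named in the dump; True here would mean lstat sees it but the listing does not.
    print("suspicious path hidden:", hidden_path("/usr/lib64/tracker-fs/vmmisc.ko"))
    print("unlisted but live PIDs:", scan_processes())
```

scan_processes() probes every PID up to pid_max, so on a default 4M-PID kernel it takes several seconds; pass a smaller max_pid for a quick look.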
Strategic Implications
The presence of such an advanced toolkit in the “Kim” dump strongly suggests the actor had persistent access to Linux server environments, likely via credential compromise. The use of kernel-mode implants also indicates long-term intent and trust-based privilege escalation. The implant's pathing, language patterns, and tactics (e.g., use of /tracker-fs/, use of test passwords) match TTPs previously observed in operations attributed to Kimsuky, enhancing confidence in North Korean origin.
OCR-Based Recon
A defining component of Kim’s tradecraft was the use of OCR to analyze Korean-language security documentation. The attacker issued commands such as ocrmypdf -l kor+eng "file.pdf" to parse documents like (별지2)행정전자서명_기술요건_141125.pdf (“(Appendix 2) Administrative Electronic Signature_Technical Requirements_141125.pdf”) and SecuwaySSL U_카달로그.pdf (“SecuwaySSL U_Catalog.pdf”). These files contain technical language around digital signatures, SSL implementations, and identity verification standards used in South Korea’s PKI infrastructure.
This OCR-based collection approach indicates more than passive intelligence gathering - it reflects a deliberate effort to model and potentially clone government-grade authentication systems. The use of bilingual OCR (Korean + English) further confirms the operator’s intention to extract usable configuration data across documentation types.

- OCR commands used to extract Korean PKI policy language from PDFs such as (별지2)행정전자서명_기술요건_141125.pdf and SecuwaySSL U_카달로그.pdf
- (별지2)행정전자서명_기술요건_141125.pdf → (Appendix 2) Administrative Electronic Signature_Technical Requirements_141125.pdf
- SecuwaySSL U_카달로그.pdf → SecuwaySSL U_Catalog.pdf
- Command examples: ocrmypdf -l kor+eng "file.pdf"
SSH and Log-Based Evidence
The forensic evidence contained within the logs, specifically SSH authentication records and PAM outputs, provides clear technical confirmation of the operator’s tactics and target focus.
Several IP addresses stood out as sources of brute-force login attempts. These include 23.95.213[.]210 (a known VPS provider used in past credential-stuffing campaigns), 218.92.0[.]210 (allocated to a Chinese ISP), and 122.114.233[.]77 (Henan Mobile, China). These IPs were recorded during multiple failed login events, strongly suggesting automated password attacks against exposed SSH services. Their geographic distribution and known history in malicious infrastructure usage point to an external staging environment, possibly used for pivoting into Korean and Taiwanese systems.
Beyond brute force, the logs also contain evidence of authentication infrastructure reconnaissance. Multiple PAM and OCSP (Online Certificate Status Protocol) errors referenced South Korea’s national PKI authority, including domains like gva.gpki.go[.]kr and ivs.gpki.go[.]kr. These errors appear during scripted or automated access attempts, indicating a potential strategy of credential replay or certificate misuse against GPKI endpoints, an approach that aligns with Kim’s broader PKI-targeting operations.
Perhaps the most revealing detail was the presence of successful superuser logins labeled with the Korean term 최고 관리자 (“Super Administrator”). This suggests the actor was not just harvesting credentials but successfully leveraging them for privileged access, possibly through cracked accounts, reused credentials, or insider-sourced passwords. The presence of such accounts in conjunction with password rotation entries marked as 변경완료 (“change complete”) further implies active control over PAM-protected systems during the operational window captured in the dump.
Together, these logs demonstrate a methodical campaign combining external brute-force access, PKI service probing, and administrative credential takeover, a sequence tailored for persistent infiltration and lateral movement within sensitive government and enterprise networks.

- Brute-force IPs: 23.95.213[.]210, 218.92.0[.]210, 122.114.233[.]77
- PAM/OCSP errors targeting gva.gpki.go[.]kr, ivs.gpki.go[.]kr
- Superuser login events under 최고 관리자 (Super Administrator)
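As an added illustration that is not part of the original report, the three log observations above (brute-force sources, PAM/OCSP errors naming GPKI hosts, successful privileged logins) are turned into triage rules in Go and run over a constructed auth.log excerpt. The IPs and account names are the report's; the timestamps, hostname, 10.x source addresses and the OCSP message wording are made up for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed auth.log excerpt for this example, modelled on the evidence the report
// describes: repeated SSH failures from the three external IPs, PAM/OCSP errors that
// name the GPKI hosts, and a successful login to one of the privileged accounts.
// Timestamps, hostname, 10.x addresses and the OCSP message wording are made up.
const sampleAuthLog = `Jun 12 03:14:07 srv01 sshd[2211]: Failed password for invalid user admin from 23.95.213.210 port 41234 ssh2
Jun 12 03:14:09 srv01 sshd[2211]: Failed password for invalid user test from 23.95.213.210 port 41236 ssh2
Jun 12 03:14:12 srv01 sshd[2213]: Failed password for root from 23.95.213.210 port 41240 ssh2
Jun 12 03:14:15 srv01 sshd[2214]: Failed password for root from 218.92.0.210 port 55012 ssh2
Jun 12 03:14:18 srv01 sshd[2215]: Failed password for oracle from 218.92.0.210 port 55014 ssh2
Jun 12 03:20:02 srv01 sshd[2230]: Failed password for unwadm from 122.114.233.77 port 60211 ssh2
Jun 12 03:25:44 srv01 sshd[2302]: Accepted password for svradmin from 10.20.30.40 port 50122 ssh2
Jun 12 03:25:44 srv01 sshd[2302]: pam_unix(sshd:session): session opened for user svradmin by (uid=0)
Jun 12 03:26:10 srv01 pam_pkcs11: OCSP request to http://gva.gpki.go.kr failed: connection refused
Jun 12 03:26:12 srv01 pam_pkcs11: OCSP request to http://ivs.gpki.go.kr failed: connection refused
Jun 12 03:30:00 srv01 sshd[2310]: Accepted publickey for deploy from 10.20.30.41 port 50130 ssh2`

// Accounts the report names as privileged targets, plus root.
var privilegedAccounts = map[string]bool{"root": true, "oracle": true, "unwadm": true, "svradmin": true}

var (
	failedRe   = regexp.MustCompile(`Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)`)
	acceptedRe = regexp.MustCompile(`Accepted (\S+) for (\S+) from (\d+\.\d+\.\d+\.\d+)`)
	gpkiRe     = regexp.MustCompile(`[A-Za-z0-9.-]*gpki\.go\.kr`)
)

// Finding is one triage hit: Kind names the rule, Detail carries the evidence.
type Finding struct {
	Kind   string
	Detail string
}

// Triage aggregates what the rules need: failed passwords per source IP, accepted
// logins as "user@ip via method", and GPKI hosts referenced in OCSP error lines.
type Triage struct {
	FailedBySource map[string]int
	Accepted       []string
	GPKIHosts      map[string]int
}

// TriageAuthLog applies the three rules. threshold is the number of failed passwords
// from a single source IP at which that IP is reported as brute forcing.
func TriageAuthLog(text string, threshold int) (Triage, []Finding) {
	tr := Triage{FailedBySource: map[string]int{}, GPKIHosts: map[string]int{}}
	var findings []Finding
	for _, line := range strings.Split(text, "\n") {
		if m := failedRe.FindStringSubmatch(line); m != nil {
			tr.FailedBySource[m[2]]++
			continue
		}
		if m := acceptedRe.FindStringSubmatch(line); m != nil {
			tr.Accepted = append(tr.Accepted, m[2]+"@"+m[3]+" via "+m[1])
			if privilegedAccounts[m[2]] {
				findings = append(findings, Finding{"privileged-login", m[2] + " from " + m[3] + " via " + m[1]})
			}
			continue
		}
		if strings.Contains(line, "OCSP") {
			for _, host := range gpkiRe.FindAllString(line, -1) {
				tr.GPKIHosts[host]++
			}
		}
	}
	// Sorted keys keep the report (and tests) deterministic.
	for _, ip := range sortedKeys(tr.FailedBySource) {
		if n := tr.FailedBySource[ip]; n >= threshold {
			findings = append(findings, Finding{"ssh-bruteforce", fmt.Sprintf("%s: %d failed passwords", ip, n)})
		}
	}
	for _, host := range sortedKeys(tr.GPKIHosts) {
		findings = append(findings, Finding{"gpki-ocsp-error", fmt.Sprintf("%s referenced %d time(s)", host, tr.GPKIHosts[host])})
	}
	return tr, findings
}

func sortedKeys(m map[string]int) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// CountKind returns how many findings of one kind were raised.
func CountKind(findings []Finding, kind string) int {
	n := 0
	for _, f := range findings {
		if f.Kind == kind {
			n++
		}
	}
	return n
}

func main() {
	_, findings := TriageAuthLog(sampleAuthLog, 3)
	for _, f := range findings {
		fmt.Printf("%-17s %s\n", f.Kind, f.Detail)
	}
}
```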
Part II: Goals Analysis
Targeting South Korea: Identity, Infrastructure, and Credential Theft
The “Kim” operator’s campaign against South Korea was deliberate and strategic, aiming to infiltrate the nation’s digital trust infrastructure at multiple levels. A central focus was the Government Public Key Infrastructure (GPKI), where the attacker exfiltrated certificate files, including .key and .crt formats, some with plaintext passwords, and attempted repeated authentication against domains like gva.gpki.go[.]kr and ivs.gpki.go[.]kr. OCR tools were used to parse Korean technical documents detailing PKI and VPN architectures, demonstrating a sophisticated effort to understand and potentially subvert national identity frameworks. These efforts were not limited to reconnaissance; administrative password changes were logged, and phishing kits targeted military and diplomatic webmail, including clones of mofa.go[.]kr and credential harvesting through adversary-in-the-middle (AiTM) proxy setups.


Beyond authentication systems, Kim targeted privileged accounts (oracle, unwadm, svradmin) and rotated credentials to maintain persistent administrative access, as evidenced by PAM and SSH logs showing elevated user activity under the title 최고 관리자 (“Super Administrator”). The actor also showed interest in bypassing VPN controls, parsing SecuwaySSL configurations for exploitation potential, and deployed custom Linux rootkits using syscall hooking to establish covert persistence on compromised machines. Taken together, the dump reveals a threat actor deeply invested in credential dominance, policy reconnaissance, and system-level infiltration, placing South Korea’s public sector identity systems, administrative infrastructure, and secure communications at the core of its long-term espionage objectives.
Taiwan Reconnaissance
Among the most notable aspects of the “Kim” leak is the operator’s deliberate focus on Taiwanese infrastructure. The attacker accessed a number of domains with clear affiliations to the island’s public and private sectors, including tw.systexcloud[.]com (linked to enterprise cloud solutions), mlogin.mdfapps[.]com (a mobile authentication or enterprise login portal), and the .git/ directory of caa.org[.]tw, which belongs to the Chinese Institute of Aeronautics, a government-adjacent research entity.
This last domain is especially telling. Accessing .git/ paths directly implies an attempt to enumerate internal source code repositories, a tactic often used to discover hardcoded secrets, API keys, deployment scripts, or developer credentials inadvertently exposed via misconfigured web servers. This behavior points to more technical depth than simple phishing; it indicates supply chain reconnaissance and long-term infiltration planning.

The associated IP addresses further reinforce this conclusion. All three, 163.29.3[.]119, 118.163.30[.]45, and 59.125.159[.]81, are registered to academic, government, or research backbone providers in Taiwan. These are not random scans; they reflect targeted probing of strategic digital assets.
Summary of Whois & Ownership Insights
- 118.163.30[.]45
- Appears as part of the IP range used for the domain dtc-tpe.com[.]tw, linked to Taiwan’s HINET provider; the adjacent address 118.163.30[.]46 is listed on a HINET site-index page.
- 163.29.3[.]119
- Falls within the 163.29.3[.]0/24 subnet identified with Taiwanese government or institutional use, notably in Taipei. This corresponds to Class B subnets assigned to public/government entities.
- 59.125.159[.]81
- Belongs to the broader 59.125.159[.]0–59.125.159[.]254 block, commonly used by Taiwanese ISP operators such as Chunghwa Telecom in Taipei.
Taken together, this Taiwan-focused activity reveals an expanded operational mandate. Whether the attacker is purely DPRK-aligned or operating within a DPRK–PRC fusion cell, the intent is clear: compromise administrative and developer infrastructure in Taiwan, likely in preparation for broader credential theft, espionage, or disruption campaigns.
- Targeted domains: tw.systexcloud[.]com, caa.org[.]tw/.git/, mlogin.mdfapps[.]com
- IPs linked to Taiwanese academic/government assets: 163.29.3[.]119, 118.163.30[.]45, 59.125.159[.]81
- Git crawling suggests interest in developer secrets or exposed tokens
Hybrid Attribution Model
The “Kim” operator embodies the growing complexity of modern nation-state attribution, where cyber activities often blur traditional boundaries and merge capabilities across geopolitical spheres. This case reveals strong indicators of both North Korean origin and Chinese operational entanglement, presenting a textbook example of a hybrid APT model.

On one hand, the technical and linguistic evidence strongly supports a DPRK-native operator. Terminal environments, OCR parsing routines, and system artifacts consistently leverage Korean language and character sets. The operator’s activities reflect a deep understanding of Korean PKI systems, with targeted extraction of GPKI .key files and automation to parse sensitive Korean government PDF documentation. These are hallmarks of Kimsuky/APT43 operations, known for credential-focused espionage against South Korean institutions and diplomatic targets. The intent to infiltrate identity infrastructure is consistent with North Korea’s historical targeting priorities. Notably, the system time zone on Kim's host machine was set to UTC+9 (Pyongyang Standard Time), reinforcing the theory that the actor maintains direct ties to the DPRK’s internal environment, even if operating remotely.
However, this actor’s digital footprint extends well into Chinese infrastructure. Browser and download logs reveal frequent interaction with platforms like gitee[.]com, baidu[.]com, and zhihu[.]com, highly popular within the PRC but unusual for DPRK operators who typically minimize exposure to foreign services. Moreover, session logs include simplified Chinese content and PRC browsing behaviors, suggesting that the actor may be physically operating within China or through Chinese-language systems. This aligns with longstanding intelligence on North Korean cyber operators stationed in Chinese border cities such as Shenyang and Dandong, where DPRK nationals often conduct cyber operations with tacit approval or logistical consent from Chinese authorities. These locations provide higher-speed internet, relaxed oversight, and convenient geopolitical proximity.

The targeting of Taiwanese infrastructure further complicates attribution. Kimsuky has not historically prioritized Taiwan, yet in this case, the actor demonstrated direct reconnaissance of Taiwanese government and developer networks. While this overlaps with Chinese APT priorities, recent evidence from the “Kim” dump, including analysis of phishing kits and credential theft workflows, suggests this activity was likely performed by a DPRK actor exploring broader regional interests, possibly in alignment with Chinese strategic goals. Researchers have noted that Kimsuky operators have recently asked questions in phishing lures related to potential Chinese-Taiwanese conflicts, implying interest beyond the Korean peninsula.
Some tooling overlaps with PRC-linked APTs, particularly GitHub-based stagers and proxy-resolving modules, but these are not uncommon in the open-source malware ecosystem and may reflect opportunistic reuse rather than deliberate mimicry.
IMINT Analysis: Visual Tradecraft and Cultural Camouflage
A review of image artifacts linked to the "Kim" actor reveals a deliberate and calculated use of Chinese social and technological visual content as part of their operational persona. These images, extracted from browser history and uploads attributed to the actor, demonstrate both strategic alignment with DPRK priorities and active cultural camouflage within the PRC digital ecosystem.


The visual set includes promotional graphics for Honor smartphones, SoC chipset evolution charts, Weibo posts featuring vehicle registration certificates, meme-based sarcasm, and lifestyle imagery typical of Chinese internet users. Notably, the content is exclusively rendered in simplified Chinese, reinforcing prior assessments that the operator either resides within mainland China or maintains a working digital identity embedded in Chinese platforms. Devices and services referenced, such as Xiaomi phones, Zhihu, Weibo, and Baidu, suggest intimate familiarity with PRC user environments.
Operationally, this behavior achieves two goals. First, it enables the actor to blend in seamlessly with native PRC user activity, which complicates attribution and helps bypass platform moderation or behavioral anomaly detection. Second, the content itself may serve as bait or credibility scaffolding (that is, a framework that creates the illusion of trust and so makes compromise easier) in phishing and social engineering campaigns, especially those targeting developers or technical users on Chinese-language platforms.
Some images, such as the detailed chipset timelines and VPN or device certification posts, suggest a continued interest in supply chain reconnaissance and endpoint profiling—both tradecraft hallmarks of Kimsuky and similar APT units. Simultaneously, meme humor, sarcastic overlays, and visual metaphors (e.g., the “Kaiju’s tail is showing” idiom) indicate the actor’s fluency in PRC netizen culture and possible mockery of operational security breaches—whether their own or others’.
Taken together, this IMINT corpus supports the broader attribution model: a DPRK-origin operator embedded, physically or virtually, within the PRC, leveraging local infrastructure and social platforms to facilitate long-term campaigns against South Korea, Taiwan, and other regional targets while maintaining cultural and technical deniability.
Attribution Scenarios:
- Option A: DPRK Operator Embedded in PRC
- Use of Korean language, OCR targeting of Korean documents, and focus on GPKI systems strongly suggest North Korean origin.
- Use of PRC infrastructure (e.g., Baidu, Gitee) and simplified Chinese content implies the operator is physically located in China or benefits from access to Chinese internet infrastructure.
- Option B: PRC Operator Emulating DPRK
- Taiwan-focused reconnaissance aligns with PRC cyber priorities.
- Use of open-source tooling and phishing methods shared with PRC APTs could indicate tactical emulation.
The preponderance of evidence supports the hypothesis that “Kim” is a North Korean cyber operator embedded in China or collaborating with PRC infrastructure providers. This operational model allows the DPRK to amplify its reach, mask attribution, and adopt regional targeting strategies beyond South Korea, particularly toward Taiwan. As this hybrid model matures, it reflects the strategic adaptation of DPRK-aligned threat actors who exploit the permissive digital environment of Chinese networks to evade detection and expand their operational playbook.
Targeting Profiles
The “Kim” leak provides one of the clearest windows to date into the role-specific targeting preferences of the operator, revealing a deliberate focus on system administrators, credential issuers, and backend developers, particularly in South Korea and Taiwan.
In South Korea, the operator’s interest centers around PKI administrators and infrastructure engineers. The recovered OCR commands were used to extract technical details from PDF documents outlining Korea’s digital signature protocols, such as identity verification, certificate validation, and encrypted communications, components that form the backbone of Korea’s secure authentication systems. The goal appears to be not only credential theft but full understanding and potential replication of government-trusted PKI procedures. This level of targeting suggests a strategic intent to penetrate deeply trusted systems, potentially for use in later spoofing or identity masquerading operations.

In Taiwan, the operator shifted focus to developer infrastructure and cloud access portals. Specific domains accessed, like caa.org[.]tw/.git/, indicate attempts to enumerate internal repositories, most likely to discover hardcoded secrets, authentication tokens, or deployment keys. This is a classic supply chain targeting method, aiming to access downstream systems via compromised developer credentials or misconfigured services.
Additional activity pointed to interaction with cloud service login panels such as tw.systexcloud[.]com and mlogin.mdfapps[.]com. These suggest an attempt to breach centralized authentication systems or identity providers, granting the actor broader access into enterprise or government networks with a single credential set.
Taken together, these targeting profiles reflect a clear emphasis on identity providers, backend engineers, and those with access to system-level secrets. This reinforces the broader theme of the dump: persistent, credential-first intrusion strategies, augmented by reconnaissance of authentication standards, key management policies, and endpoint development infrastructure.
South Korean:
- PKI admins, infrastructure engineers
- OCR focus on Korean identity standards
Taiwanese:
- Developer endpoints and internal .git/ repos
- Access to cloud panels and login gateways
Final Assessment
The “Kim” leak represents one of the most comprehensive and technically intimate disclosures ever associated with Kimsuky (APT43) or its adjacent operators. It not only reaffirms known tactics, credential theft, phishing, and PKI compromise, but exposes the inner workings of the operator’s environment, tradecraft, and operational intent in ways rarely observed outside of active forensic investigations.
At the core of the leak is a technically competent actor, well-versed in low-level shellcode development, Linux-based persistence mechanisms, and certificate infrastructure abuse. Their use of NASM, API hashing, and rootkit deployment points to custom malware authorship. Furthermore, the presence of parsed government-issued Korean PDFs, combined with OCR automation, shows not just opportunistic data collection but a concerted effort to model, mimic, or break state-level identity systems, particularly South Korea's GPKI.
The operator’s cultural and linguistic fluency in Korean, and their targeting of administrative and privileged systems across South Korean institutions, support a high-confidence attribution to a DPRK-native threat actor. However, the extensive use of Chinese platforms like gitee[.]com, Baidu, and Zhihu, and Chinese infrastructure for both malware hosting and browsing activity reveals a geographical pivot or collaboration: a hybrid APT footprint rooted in DPRK tradecraft but operating from or with Chinese support.
Most notably, this leak uncovers a geographical expansion of operational interest; the actor is no longer solely focused on the Korean peninsula. The targeting of Taiwanese developer portals, government research IPs, and .git/ repositories shows a broadened agenda that likely maps to both espionage and supply chain infiltration priorities. This places Taiwan, like South Korea, at the forefront of North Korean cyber interest, whether for intelligence gathering, credential hijacking, or as staging points for more complex campaigns.
The threat uncovered here is not merely malware or phishing; it is an infrastructure-centric, credential-first APT campaign that blends highly manual operations (e.g., hand-compiled shellcode, direct OCR of sensitive PDFs) with modern deception tactics such as AiTM phishing and TLS proxy abuse.
Organizations in Taiwan and South Korea, particularly those managing identity, certificate, and cloud access infrastructure, should consider themselves under persistent, credential-focused surveillance. Defensive strategies must prioritize detection of behavioral anomalies (e.g., use of OCR tools, GPKI access attempts), outbound communications with spoofed Korean domains, and the appearance of low-level toolchains like NASM or proxyres-based scanning utilities within developer or admin environments.
In short: the “Kim” actor embodies the evolution of nation-state cyber threats—a fusion of old-school persistence, credential abuse, and modern multi-jurisdictional staging. The threat is long-term, embedded, and adaptive.
Part III: Threat Intelligence Report
TLP WHITE:
Targeting Summary
The analysis of the “Kim” operator dump reveals a highly focused credential-theft and infrastructure-access campaign targeting high-value assets in both South Korea and Taiwan. Victims were selected based on their proximity to trusted authentication systems, administrative control panels, and development environments.
Indicators of Compromise (IOCs)
Domains
- Phishing: nid-security[.]com, html-load[.]com, wuzak[.]com, koala-app[.]com, webcloud-notice[.]com
- Spoofed portals: dcc.mil[.]kr, spo.go[.]kr, mofa.go[.]kr
- Pastebin raw links: Used for payload staging and malware delivery
IP Addresses
- External Targets (Taiwan):
- 163.29.3[.]119 National Center for High-performance Computing
- 118.163.30[.]45 Taiwanese government subnet
- 59.125.159[.]81 Chunghwa Telecom
- Brute Forcing / Infrastructure Origins:
- 23.95.213[.]210 VPS provider with malicious history
- 218.92.0[.]210 China Unicom
- 122.114.233[.]77 Henan Mobile, PRC
Internal Host IPs (Operator Environment)
- 192.168.130[.]117
- 192.168.150[.]117
- 192.168.0[.]39
Operator Environment: Internal Host IP Narrative
The presence of internal IP addresses such as 192.168.130[.]117, 192.168.150[.]117, and 192.168.0[.]39 within the dump offers valuable insight into the attacker’s local infrastructure, an often-overlooked element in threat intelligence analysis. These addresses fall within private, non-routable RFC1918 address space, commonly assigned by consumer off-the-shelf (COTS) routers and small office/home office (SOHO) network gear.
The use of the 192.168.0[.]0/16 subnet, particularly 192.168.0.x and 192.168.150.x, strongly suggests that the actor was operating from a residential or low-profile environment, not a formal nation-state facility or hardened infrastructure. This supports existing assessments that North Korean operators, particularly those affiliated with Kimsuky, often work remotely from locations in third countries such as China or Southeast Asia, where they can maintain inconspicuous, low-cost setups while accessing global infrastructure.
Moreover, the distinction between multiple internal subnets (130.x, 150.x, and 0.x) may indicate segmentation of test environments or multiple virtual machines running within a single NATed network. This aligns with the forensic evidence of iterative development and testing workflows seen in the .bash_history files, where malware stagers, rootkits, and API obfuscation utilities were compiled, cleaned, and rerun repeatedly.
Together, these IPs reveal an operator likely working from a clandestine, residential base of operations, with modest hardware and commercial-grade routers. This operational setup is consistent with known DPRK remote IT workers and cyber operators who avoid attribution by blending into civilian infrastructure. It also suggests the attacker may be physically located outside of North Korea, possibly embedded in a friendly or complicit environment, strengthening the case for China-based activity by DPRK nationals.
MITRE ATT&CK Mapping
Tooling and Capabilities
The actor’s toolkit spans multiple disciplines, blending malware development, system reconnaissance, phishing, and proxy evasion:
- NASM-based shellcode loaders: Compiled manually for Windows execution.
- Win32 API hashing: Obfuscated imports via hashstring.py to evade detection.
- GitHub/Gitee abuse: Tooling hosted or cloned from public developer platforms.
- OCR exploitation: Used ocrmypdf to parse Korean PDF specs related to digital certificates and VPN appliances.
- Rootkit deployment: Hidden persistence paths including /usr/lib64/tracker-fs and /proc/acpi/pcicard.
- Proxy config extraction: Investigated PAC URLs using proxyres-based recon.
Attribution Confidence Assessment
Assessment: The actor appears to be a DPRK-based APT operator working from within or in partnership with Chinese infrastructure, representing a hybrid attribution model.
Defensive Recommendations
APPENDIX A
Overlap or Confusion with Chinese Threat Actors
There is notable evidence of operational blur between Kimsuky and Chinese APTs in the context of Taiwan. The 2025 “Kim” data breach revealed an attacker targeting Taiwan whose tools and phishing kits matched Kimsuky’s, yet whose personal indicators (language, browsing habits) suggested a Chinese national. Researchers concluded this actor was likely a Chinese hacker either mimicking Kimsuky tactics or collaborating with them. In fact, the leaked files on DDoS Secrets hint that Kimsuky has “openly cooperated with other Chinese APTs and shared their tools and techniques”. This overlap can cause attribution confusion: a Taiwan-focused operation might initially be blamed on China but could involve Kimsuky elements, or vice versa. So far, the consensus is that North Korean and Chinese cyber operations remain separate, but cases like “Kim” show how a DPRK-aligned actor can operate against Taiwan using TTPs common to Chinese groups, muddying the waters of attribution.
File List from dump:



Master Evidence Inventory:

This report highlights the resurfacing of SpyNote activity by the same actor in a previous DTI report and provides additional information around the recent activity and changes in tactics since the prior report.
Deceptive websites are mimicking popular Android application install pages on the Google Play Store to lure victims into downloading AndroidOS SpyNote malware, a potent Android RAT used for surveillance, data exfiltration, and remote control. This report highlights the resurfacing of SpyNote activity by the same actor in the previous DTI report in April and provides additional information around the recent activity and changes in tactics since the prior report. Notably, the actor made minor changes in IP resolutions and added additional anti-analysis in the APK dropper in an attempt to protect the SpyNote payload from detection.
Details
SpyNote is a highly intrusive Android Remote Access Trojan (RAT) with extensive capabilities for surveillance, data exfiltration, and device manipulation. It can remotely control a device’s camera and microphone, manage phone calls, and execute commands. Of particular concern is its keylogging functionality, which targets application credentials and abuses Android’s Accessibility Services to steal two-factor authentication (2FA) codes. Beyond data theft, SpyNote can also perform on-device actions like displaying overlay attacks for clickjacking. If granted administrator privileges, it gains the power to remotely wipe data, lock the device, or install additional malicious applications, making it a formidable threat for espionage and cybercrime.
The pages shown below are static clones, using HTML and CSS copied from the actual Google Play Store to appear legitimate. Their primary purpose is to trick users into downloading and installing an Android application package (.apk file). The “Install” button triggers a JavaScript function to download an .apk file directly from the malicious website.
Delivery Domain Registration and Website Patterns
Registrar
- NameSilo, LLC
- XinNet Technology Corporation
IP ISP:
- Lightnode Limited
- Vultr Holdings LLC
SSL Issuer:
- R10
- R11
Nameserver
- dnsowl[.]com
- xincache[.]com
Server Type:
- nginx
Prominent IP Resolved:
- 154.90.58[.]26
- 199.247.6[.]61
Frequent HTML Code Inclusions
- https[:]//unpkg[.]com/current-device@0.10.2/umd/current-device.min.js
- “sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE”
- “PJKdyVFC5jlu_l8Wo_hirJkhs1cmitmn44fgpOc3zFc”
Malware Delivery Website Review

The download() function is the core of the page’s malicious functionality.

It creates a hidden iframe and sets its source to a JavaScript URI that triggers a navigation to Chrome.apk. This is a common technique to initiate a file download from the browser without the user leaving the current page.
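An added hunting aid, not code from the report: a Go scorer that checks saved page source for the markers described above (an iframe made invisible whose src is a javascript: URI navigating to an .apk, the unpkg current-device include, and the two quoted strings from the "Frequent HTML Code Inclusions" list). The indicator names, weights, threshold and both fixture pages are this example's own constructions.

```go
package main

import (
	"fmt"
	"regexp"
)

// Indicator is one page-level marker with the weight it adds to the score.
type Indicator struct {
	Name   string
	Re     *regexp.Regexp
	Weight int
}

// Markers taken from the report: the described download() behaviour (an iframe hidden
// via display:none whose src is a javascript: URI that navigates to an .apk), the unpkg
// current-device script, and the two quoted strings. The first two patterns match both
// static markup and the DOM-building JavaScript form. Weights are this example's choice.
var indicators = []Indicator{
	{"iframe-javascript-apk", regexp.MustCompile(`(?is)(?:<iframe[^>]*src|\.src)\s*=\s*["']javascript:.{0,200}?\.apk`), 5},
	{"iframe-hidden", regexp.MustCompile(`(?is)(?:<iframe[^>]*display\s*:\s*none|\.style\.display\s*=\s*["']none)`), 2},
	{"current-device-unpkg", regexp.MustCompile(`unpkg\.com/current-device@0\.10\.2/umd/current-device\.min\.js`), 2},
	{"token-sBw2N8", regexp.MustCompile(regexp.QuoteMeta("sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE")), 3},
	{"token-PJKdyV", regexp.MustCompile(regexp.QuoteMeta("PJKdyVFC5jlu_l8Wo_hirJkhs1cmitmn44fgpOc3zFc")), 3},
	{"play-store-wording", regexp.MustCompile(`(?i)google play`), 1},
}

// Threshold is the score at which a page is reported; the iframe download alone reaches it.
const Threshold = 5

// ScorePage returns the summed weight of matching indicators and their names, in the
// order they are defined above.
func ScorePage(html string) (int, []string) {
	score, hits := 0, []string{}
	for _, ind := range indicators {
		if ind.Re.MatchString(html) {
			score += ind.Weight
			hits = append(hits, ind.Name)
		}
	}
	return score, hits
}

// Constructed fixture: the skeleton of a lookalike page as the report describes it.
const fakeStorePage = `<html><head><title>Chrome - Apps on Google Play</title>
<script src="https://unpkg.com/current-device@0.10.2/umd/current-device.min.js"></script>
</head><body><button onclick="download()">Install</button>
<script>
function download(){var f=document.createElement('iframe');f.style.display='none';
f.src="javascript:location.href='Chrome.apk'";document.body.appendChild(f);}
</script></body></html>`

// Constructed benign control page with an ordinary download link.
const benignPage = `<html><head><title>Release notes</title></head>
<body><a href="/downloads/notes.pdf">Download the PDF</a></body></html>`

func main() {
	for name, page := range map[string]string{"fake-store": fakeStorePage, "benign": benignPage} {
		score, hits := ScorePage(page)
		fmt.Printf("%-10s score=%d suspicious=%v hits=%v\n", name, score, score >= Threshold, hits)
	}
}
```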
Malware Execution



1. Initial Dropper Decrypts Payload: The first APK reads encrypted assets, generates a key from its manifest, and decrypts the second-stage SpyNote payload.
The malware employs a dynamic payload technique to conceal its primary functions, loading them from a separate file only after the application is installed and running. This is achieved using a code injection method known as DEX Element Injection. The malware uses reflection to access and modify the app’s core ClassLoader at runtime, inserting its own malicious code elements at the very beginning of the code lookup path. This forces the Android system to prioritize and execute the malicious code over the app’s legitimate code, enabling it to bypass static security analysis and hijack application functions to intercept data.
The AndroidManifest file is protected and contains details needed to retrieve the AES decryption key from the Chrome.apk. In this case, the package name “rogcysibz.wbnyvkrn.sstjjs” is needed to retrieve the 16-byte AES key “62646632363164386461323836333631”.
Chrome.apk (Dropper)
48aa5f908fa612dcb38acf4005de72b9379f50c7e1bc43a4e64ce274bb7566e8
Classes.dex (SpyNote)
86e8d3716318e9bb63b86aebe185db5db6718cb3ddea7fbafefa8ebfb674b9e8
Decrypted 000 + 001 (SpyNote and its assets/base DEX file containing its C2 configuration)
b81febd19a457e6814d7e28d68742ae25fc4cf6472289a481e262048e9d8eee4
703d62470d31866ccecb66f0083084c478e9e92916041216ec8d839afed0d0d6

Within the assets/base/ folder there are two files: 000 and 001. The dropper works by joining the 000 and 001 files (combined_assets), decrypting the combined assets with the AES key, and gzip-decompressing the result. The resulting file is the SpyNote APK, which the dropper then loads. This happens once the user installs the dropper, runs it, and taps a prompt on the app’s load screen. The loaded APK contains the main SpyNote functionality and the configuration details for the command-and-control (C2) server.
2. SpyNote Payload Loads C2 Logic: The main SpyNote APK dynamically loads another DEX file from its own `assets/base` folder. This DEX file contains the actual C2 connection logic.

3. C2 Logic Establishes Connection: The dynamically loaded DEX file contains the code to build the WebSocket URL for the C2 server.
In previously reported configurations, the C2s were hardcoded directly in the functions for sending traffic. In recent samples, they use control flow obfuscation and identifier obfuscation through random variations of o, O, and 0 for all names in an attempt to make it difficult to understand the program’s logic through static analysis.

Sample identifier obfuscation in a loaded DEX file:

4. C2 Domain Selection Logic: A utility method selects a domain from a predefined list, making the malware more resilient.

5. Hardcoded C2 Domain List: The final destination is a simple class that acts as a container for the hardcoded C2 domains.
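The unpacking sequence from step 1, written out as an added Go analysis helper (not the malware's or the report's own code) that reverses the dropper's steps on extracted assets/base/000 and 001: join, AES-decrypt, gunzip, then sanity-check the result as an APK. The cipher mode (AES/ECB with PKCS#7 padding, Java's default for Cipher.getInstance("AES")) is an assumption the report does not confirm, and the fixture payload is a constructed stand-in, not a SpyNote sample.

```go
package main

import (
	"archive/zip"
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// AES key the report quotes for the Chrome.apk dropper (32 hex characters = 16 bytes).
var reportedKey, _ = hex.DecodeString("62646632363164386461323836333631")

// DecryptPayload undoes the AES layer. The report does not name the cipher mode; AES/ECB with
// PKCS#7 padding is assumed because it is Java's default for Cipher.getInstance("AES").
func DecryptPayload(combined, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(combined) == 0 || len(combined)%bs != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the AES block size")
	}
	plain := make([]byte, len(combined))
	for i := 0; i < len(combined); i += bs {
		block.Decrypt(plain[i:i+bs], combined[i:i+bs])
	}
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > bs || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("invalid PKCS#7 padding (wrong key or mode?)")
	}
	return plain[:len(plain)-pad], nil
}

// UnpackDropperAssets mirrors the dropper's own steps: join assets/base/000 and 001 into
// the "combined_assets", AES-decrypt, then gzip-decompress to recover the embedded APK.
func UnpackDropperAssets(key []byte, parts ...[]byte) ([]byte, error) {
	plain, err := DecryptPayload(bytes.Join(parts, nil), key)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(plain))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr)
}

// LooksLikeAPK is the sanity check before handing the output to a decompiler: a ZIP
// archive that carries an AndroidManifest.xml entry.
func LooksLikeAPK(data []byte) bool {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return false
	}
	for _, f := range zr.File {
		if f.Name == "AndroidManifest.xml" {
			return true
		}
	}
	return false
}

// BuildFixtureAssets constructs a stand-in payload (a tiny ZIP with only a manifest, not
// real malware), packs it the way the dropper expects (gzip, then AES-ECB) and splits the
// ciphertext into two parts standing in for assets/base/000 and 001.
func BuildFixtureAssets(key []byte) ([]byte, []byte, error) {
	var apk, gz bytes.Buffer
	zw := zip.NewWriter(&apk)
	w, _ := zw.Create("AndroidManifest.xml")
	w.Write([]byte(`<manifest package="example.fixture"/>`))
	zw.Close()
	gw := gzip.NewWriter(&gz)
	gw.Write(apk.Bytes())
	gw.Close()
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	bs := block.BlockSize()
	pad := bs - gz.Len()%bs // PKCS#7: always add 1..bs bytes of padding
	plain := append(append([]byte{}, gz.Bytes()...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	enc := make([]byte, len(plain))
	for i := 0; i < len(plain); i += bs {
		block.Encrypt(enc[i:i+bs], plain[i:i+bs])
	}
	half := len(enc) / 2 // any split point works: the dropper only concatenates the two files
	return enc[:half], enc[half:], nil
}

func main() {
	a000, a001, _ := BuildFixtureAssets(reportedKey)
	apk, err := UnpackDropperAssets(reportedKey, a000, a001)
	fmt.Println("recovered payload looks like an APK:", err == nil && LooksLikeAPK(apk), err)
}
```

On a real extraction, replace the fixture with the bytes of assets/base/000 and 001 and verify the key against the sample before trusting the output.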

Threat Actor Analysis
The threat actor distributing SpyNote malware exhibits persistence and limited technical adaptability. They consistently use deceptive Google Play Store clones to lure victims, a social engineering tactic that remains central to their operations. Despite previous exposure, their infrastructure remains confined to two primary IP addresses, showing a restricted capacity for diversification, though they do rotate specific IP resolutions. The anti-analysis techniques used in their APK droppers are relatively simple, employing basic obfuscation and dynamic payload decryption to protect the SpyNote payload.
The APK filenames suggest the spoofed brands or applications fall into these categories:
- Social & Dating Apps: iHappy, CamSoda, Kismia, yome, TmmTmm
- Gaming Apps: 8 Ball Pool, Block Blast
- General Utility/Productivity Apps: Chrome, meus arquivos 2025, Beauty, Faísca Inicial, Compras Online, LoveVideo, GlamLive, Holding Hands
This actor is suspected of broadly targeting consumers with lures mimicking popular applications, including those related to fashion, social networking, and general utilities, as well as ubiquitous apps like Chrome and Zoom. This wide net, coupled with the surveillance and data exfiltration capabilities of SpyNote, strongly suggests a financially motivated objective. While the delivery code contains Chinese language comments, the specific attribution for this persistent and opportunistic threat actor remains unknown.
Conclusion
This report details a persistent SpyNote malware campaign by an actor relying on deceptive Google Play Store clones for delivery. Key technique changes were the dynamic payload decryption and DEX element injection used by the initial dropper, which conceals SpyNote’s core functions and hijacks app behavior, and the control flow and identifier obfuscation applied to the C2 logic to hinder static analysis. The actor’s limited infrastructure adaptability and broad consumer targeting for financial gain highlight their opportunistic yet effective approach. This persistent activity underscores the ongoing threat of mobile RATs and the need for continuous vigilance against social engineering tactics, even from actors with limited technical sophistication.
Security Recommendations
To better protect consumers from threats like SpyNote, key players in the security ecosystem can enhance their defenses:
Browser Developers: Consider strengthening built-in malicious site warnings to automatically flag and block access to deceptive download pages such as fake Google Play Store sites. This helps users avoid suspicious sites entirely.
Android Antivirus Providers and Mobile OS Developers: Focus on advancing automated analysis of app downloads to quickly detect and prevent the installation of harmful software, even when it tries to hide. This provides a crucial layer of defense directly on the device.
Mobile VPN Providers: Explore integrating network-level security features that automatically filter out or alert to connections to known malicious servers. This adds another protective barrier, stopping threats before they can reach the user’s device.
IOCs
Malware Delivery
Droppers
SpyNote
Command & Control
Shodan Hunting Queries
Tip: Look for fake Google Play Store sites or suspicious iframe JavaScript sources for file downloads.
SpyNote Mobile ATT&CK Matrix
Reference: https://attack.mitre.org/matrices/mobile/
