A Deep Dive into China’s 500GB+ Censorship Data Breach

Introduction

In a historic breach of China’s censorship infrastructure (September 2025), over 500 gigabytes of internal data were leaked from Chinese infrastructure firms associated with the Great Firewall (GFW). Researchers now estimate the full dump is closer to ~600 GB, with a single archive comprising around 500 GB alone.

The material includes more than 100,000 documents, internal source code, work logs, configuration files, emails, technical manuals, and operational runbooks. (WIRED) The number of files in the dump is reported to be in the thousands (though exact totals vary by source). (Bitdefender)

Among the revealed artifacts are:

• RPM packaging server files (the packaging infrastructure used for distributing software artifacts)
• Project management data (Jira, Confluence) showing internal tickets, feature requests, bug reports, and deployment histories
• Communications and engineering documents showing how censorship tools are tested against VPNs, Tor, and other circumvention methods; e.g. methods of DPI, SSL fingerprinting, and filtering logic. (Tom's Hardware)
• Deployment records indicating both domestic use (provinces like Xinjiang, Fujian, and Jiangsu) and export of censorship or surveillance systems to other countries, including Myanmar, Pakistan, Ethiopia, and Kazakhstan.

This report is the first in a three-part series which aims to document the dump’s contents, analyze its technical implications, and assess the geopolitical fallout stemming from the exposure of these sensitive tools and architectures.

Evidence of Failure and Oversight

The leaked IP logs and packet captures expose critical moments where the censorship apparatus faltered, revealing the inherent fragility of the Great Firewall’s distributed enforcement model. In multiple instances, cross-border leakage routes allowed foreign IPs to establish unfiltered sessions for extended periods, suggesting delays in rule propagation, temporary policy gaps, or the failure of heuristic detection systems. These lapses demonstrate that while the system is highly surveillant, it remains reactive and inconsistently enforced across regions.

Additionally, misconfigured mirrors inadvertently exposed internal blacklist data to external interfaces. These exposures included leaked regional UUIDs and configuration files, offering rare insight into the naming conventions and structural logic of localized rule deployment. Simultaneously, honeypot deployments on high-risk ports attracted and logged adversary interactions, including traceroutes and detailed packet-level reconnaissance, suggesting that foreign entities were already probing China’s defensive perimeter. These incidents, likely overseen by regional engineers or testbed maintainers, underscore the bureaucratic brittleness of a censorship regime built on siloed enforcement layers, inconsistent rule application, and latency in central-to-edge command synchronization.

The Nature of the Dump.

The dataset is a sprawling, multifaceted archive that lays bare the technical scaffolding of China's digital surveillance regime. It includes raw IP access logs from state-run telecom providers such as China Telecom, China Unicom, and China Mobile, revealing real-time traffic monitoring and endpoint interaction.*downloading and research of such data should be handled by professionals in protected environments due to potential malware and information*  

Packet captures (PCAPs) and routing tables are paired with blackhole sinkhole exports, detailing how traffic is intercepted, redirected, or silently dropped. A trove of Excel spreadsheets enumerates known VPN IP addresses, DNS query patterns, SSL certificate fingerprints, and behavioral signatures of proxy services, offering insight into identification and blocking heuristics. Visio diagrams (.vsd/.vsdx) map out the internal firewall architecture, from hardware deployments to logical enforcement chains spanning various ministries and provinces. Application-layer logs dissect tools like Psiphon, V2Ray, Shadowsocks, and corporate proxy gateways, capturing how these are tested, fingerprinted, and throttled. The dataset also contains databases of FQDNs, SNI strings, application telemetry, and “sketch logs”, showing serialized behavioral data scraped from mobile apps. System-level monitoring exports reveal server CPU usage, memory utilization, stream session logs, and real-time user states. Crucially, metadata leaked from Word, Excel, and PowerPoint files exposes the usernames, organizational affiliations, and edit trails of engineers and bureaucrats working on censorship infrastructure. Finally, OCR-processed screenshots illustrate the UI panels of traffic control dashboards, logging mechanisms, and internal tooling, offering a visual window into how the Great Firewall is operated in practice.

The dataset includes:

• Raw IP access logs from state-run service providers (e.g., China Telecom, Unicom, Mobile)
• Packet captures (PCAPs), routing tables, and blackhole sinkhole exports
• Excel spreadsheets listing VPN IPs, DNS logs, SSL certs, and proxy service patterns
• Visio (.vsd/.vsdx) files mapping internal firewall topology and logical enforcement chains
• Application-layer analyses of tools like Psiphon, V2Ray, Shadowsocks, and enterprise proxies
• Databases of FQDNs (fully qualified domain names), SNI patterns, app telemetry, and app "sketch" logs
• Monitoring exports for CPU usage, system state, user sessions, and stream logs
• Metadata leaks from Word, Excel, and PowerPoint documents exposing usernames, organizations, and edit histories
• OCR’d screenshots showing UI interfaces of control panels and logging dashboards

The Implications of a 500GB Breach

The leak of over 500 gigabytes of internal data from China's censorship infrastructure constitutes one of the most consequential exposures in the history of digital authoritarianism. Encompassing more than 7,000 files, the dataset provides not merely an isolated glimpse but an extended, multi-dimensional forensic cross-section of the Great Firewall's operational anatomy, revealing system telemetry, logic flows, user sessions, document metadata, application analyses, and network schematics. Far from being an accidental disclosure of logs, this archive represents a curated corpus likely compiled over a prolonged period, indicating either a trusted insider with comprehensive access or a methodical and externally orchestrated data exfiltration campaign.

Two plausible breach pathways emerge from the data. First, a deep internal compromise likely stems from an operator with privileged access, potentially a systems administrator, subcontractor, or disillusioned insider, working from a centralized infrastructure hub. The breadth of materials, including internal routing tables, packet captures, monitoring exports, and user-generated documents, suggests systemic access to both operational and administrative layers of the censorship stack. Metadata uniformity and filename consistency point to deliberate organization, likely done incrementally and with operational awareness. Alternatively, the diversity of systems accessed hints at a second possibility: a coordinated external exfiltration effort carried out by a sophisticated threat actor, such as a nation-state or specialized red team. In this scenario, misconfigurations in firewalls, insecure admin panels, and segmented network seams may have been exploited to gain footholds and siphon data over time. PCAP captures, CPU load logs, and Visio diagram exports suggest persistent access and automated tooling were in play.

Regardless of the breach mechanism, the consequences are profound. Technically, the leak has rendered much of China's detection arsenal obsolete: VPN heuristics, DPI rule sets, SNI-based fingerprinting algorithms, and application proxy classifiers are now open to scrutiny, replication, and evasion. Operationally, usernames, hostnames, and file authorship data risk exposing government contractors, telecom engineers, and researchers, increasing their vulnerability to naming and shaming, targeted sanctions, or exploitation by rival intelligence services. The documentation of flawed infrastructure, such as packet loss under scan load, looped sinkhole rules, and session state anomalies, presents ripe opportunities for adversarial exploitation. Strategically, this dataset arms censorship circumvention communities, policy advocates, and red teams with the ability to simulate and reverse-engineer enforcement logic, undermining the efficacy of centralized control. In sum, this breach collapses the asymmetry between censor and censored, offering, for the first time, a detailed blueprint of China’s digital surveillance leviathan.

Mapping the Human-Technical Interface

The organizational fingerprints uncovered within the leaked dataset provide a remarkably detailed view into the inner workings of the Great Firewall (GFW) and the ecosystem of actors that maintain and enforce it. Rather than a monolithic structure, the GFW emerges as a multi-tiered apparatus with clearly delineated, yet overlapping, spheres of responsibility. At the top are national censorship policy architects, likely operating under the auspices of the Ministry of State Security (MSS) or the Ministry of Industry and Information Technology (MIIT), who define strategic goals and traffic classification directives. These directives cascade down to regional enforcement units embedded within state-run ISPs like China Telecom, China Unicom, and China Mobile, where they are operationalized at backbone routers and internet exchange points. Academic collaborators, often based in state-linked institutions such as Tsinghua, USTC, or the Chinese Academy of Sciences, serve as technical force multipliers, crafting fingerprinting algorithms, traffic classifiers, and AI-driven detection heuristics. Finally, a shadow layer of software engineers and infrastructure operators maintain the technical systems, dashboards, scheduling agents, and rule propagation mechanisms that implement censorship policy at scale.

Drawing from Excel logs, packet captures, and Visio topology diagrams, a clearer human and technical map is emerging. Dozens of usernames and hostnames traced across file metadata tie specific individuals to roles such as hardware engineering, data center administration, and network research. Internal monitoring logs document the real-time execution of regional scanning scripts; app-layer inspection routines flagging encrypted VPN protocols; and automated classification of TLS handshakes through SNI fingerprinting. Further network telemetry reveals sophisticated TCP/UDP port scanning patterns, clearly aligned with foreign traffic signature identification. Notably, even as these systems operate with impressive precision, lapses are evident: logs show instances of cross-border traffic escaping inspection, internal blacklist mirrors exposed through misconfiguration, and honeypots receiving foreign reconnaissance traffic. These data points not only reinforce the highly compartmentalized structure of GFW enforcement, but also highlight critical seams in its defensive perimeter, seams that adversaries could exploit with careful targeting.

Metadata Exposure: Attribution Through Digital Breadcrumbs

One of the most revealing and strategically valuable components of the GFW data dump lies not in the structured log files or architectural diagrams, but in the metadata accidentally embedded across thousands of files. These residual traces, often overlooked in threat modeling, offer a rare glimpse into the human and organizational machinery behind China’s censorship apparatus.

The dump exposes dozens of unique usernames, many of which follow consistent naming conventions indicative of internal departmental hierarchies. These include system-level account names (e.g., admin-jw, it_ops_lh, yunwei-wang) and author tags in Office documents, enabling correlation to individual operators. In many cases, authorship data and revision histories link technical documents, such as server topology diagrams, SQL queries, and application configuration logs, to specific personnel across government agencies, telecom subsidiaries, and third-party contractors.

Cross-referencing these metadata fields with known Chinese corporate entities and state-linked research institutes has enabled the construction of preliminary attribution clusters. These clusters show clear ties to China Telecom, China Unicom, and China Mobile, as well as connections to academic partners (including digital forensics labs) and MSS-linked infrastructure vendors such as Tietong, CETC, and provincial branches of the MIIT.

Notably, multiple files retain internal IP address references and machine hostnames mapped to sandbox and testbed environments used for evaluating censorship evasion tools. These include systems tagged for Psiphon, V2Ray, and Shadowsocks analysis. Some remote server addresses and reverse-proxy logs point to GFW staging zones used to pilot domain interdiction and traffic shaping prior to national rollout.

This corpus of metadata, when enriched through Whois pivots, OSINT facial recognition, and password reuse enumeration, allows for the development of organizational maps and adversary role modeling. These in turn can inform future red-team operations targeting the GFW’s human operators, backend infrastructure, and chain-of-command logic. With metadata drawn from Word, Excel, Visio, and network logs, researchers now hold the building blocks for a relational understanding of censorship personnel and policy execution, from engineers and system admins to project managers and analysts.

This is not just a technical leak, it is a rare unmasking of the people behind the policy.

Among the most valuable aspects of this dump are the accidental leaks of metadata that revealed:

• Dozens of usernames tied to internal departments
• System usernames and document authorship tied to technical operators and analysts
• Organizational affiliations across telecoms, research labs, and suspected MSS-linked infrastructure vendors
• Tracebacks to IP addresses tied to GFW testbed deployments and server farms

A correlation of this data has begun to yield early attribution clusters and organizational modeling, laying the groundwork for adversarial red teaming against censorship controls.

Organizational Fingerprints: Mapping the Bureaucracy Behind the Great Firewall

Beyond the technical evidence of censorship and traffic manipulation, the leaked dataset offers a rare opportunity to construct a socio-technical map of the Great Firewall (GFW) apparatus, not just how it works, but who builds it, who maintains it, and how China's censorship ecosystem is organizationally compartmentalized.

The metadata extracted from over 7,000 documents, spreadsheets, Visio network maps, text logs, dashboards, and software configuration files reveals a complex lattice of state-linked entities operating in tightly controlled silos. Through usernames, author tags, internal IP assignments, system banners, and internal routing headers, we’ve begun to correlate individuals to functional roles and institutional affiliations.

The internal architecture of the Great Firewall is supported by a network of organizations ranging from state-owned enterprises to elite research institutions and private sector vendors. Core traffic monitoring and enforcement responsibilities are handled by China Telecom, China Unicom, and China Mobile, whose infrastructure appears repeatedly in PCAP logs, IP registries, and system-level telemetry. Metadata from Visio diagrams and scanning scripts links regional enforcement activities to provincial branches such as 广东联通 and 河北电信, indicating decentralized operational cells. At the academic and research level, contributors from the Chinese Academy of Sciences, CNCERT, Tsinghua University, and USTC are implicated in traffic modeling, VPN fingerprinting, and algorithmic SNI detection, functioning in a science-to-policy pipeline. Additional entities like Huaxin, Venustech, and Topsec, believed to have ties to the Ministry of State Security (MSS), appear responsible for developing packet inspection hardware, “smart gateways,” and modular control interfaces. System topology files suggest regional hubs under provincial control, with metadata pointing to a tiered model of command, central rule authors in Beijing, and localized operators managing disruptions and resets.

Supporting this infrastructure is a suite of internal tools, including web dashboards for traffic classification, rule propagation, and keyword blacklisting, many of which rely on LDAP-based access and appear to be integrated with institutional Single Sign-On systems. Screenshots and logs expose dynamic control capabilities such as automated session disruption and region-specific enforcement thresholds. Crucially, the dataset reveals extensive metadata leakage: usernames and computer hostnames link individuals to telecom offices and technical roles; document authorship trails help establish personal and institutional attribution. The documents further expose how responsibilities are compartmentalized, illustrating a strict vertical segmentation between engineering, monitoring, and enforcement functions. Overlapping IP clusters, authorship patterns, and PCAP exports across regions hint at interagency coordination, albeit scoped and isolated. Together, these findings allow for the construction of an emerging socio-technical map of the GFW’s human infrastructure, forming the groundwork for attribution modeling and adversarial counter-censorship strategy.

Technical Overview: Core Mechanisms of the GFW Architecture

The leaked dataset exposes a highly modular and deeply integrated censorship architecture underlying the Great Firewall of China. Rather than operating as a single centralized filter, the GFW is revealed to be a distributed system of surveillance and control spanning national, regional, and local network layers. Its enforcement mechanisms include everything from DPI inspection at major internet exchange points to application-layer behavioral analysis and live session manipulation through web-based dashboards. Across the dataset, there is a recurring pattern of siloed technical roles operating under central orchestration, with regional enforcement nodes acting as both detection points and policy executors.

At the core of traffic interception are the state-run ISPs, China Telecom, China Unicom, and China Mobile, which serve as both service providers and surveillance intermediaries. Logs from these providers document the interception and classification of traffic based on packet content, with the use of deep packet inspection techniques. These techniques target TLS/HTTPS session metadata, such as (SNI) fields, and distinguish potentially suspicious connections based on protocol anomalies, including entropy, timing patterns, and payload structures. The infrastructure supports detection of known circumvention tools such as Shadowsocks, V2Ray, and Psiphon. Visio network diagrams show these DPI modules deployed at key peering points, especially in major metropolitan areas and provincial backbones, suggesting a tiered control model.

Application-level analysis is conducted using fingerprinting heuristics derived from both raw network characteristics and behavioral modeling. Various Excel spreadsheets and telemetry exports include references to TLS fingerprinting rules, heuristic classifiers for VPN/proxy traffic, and statistical models used to flag encrypted tunnels. These analyses rely on databases of SNI patterns, handshake behaviors, and traffic volume profiles. Simpler applications are captured through static indicators, while more sophisticated obfuscated traffic is subjected to sketch-based detection, a form of lightweight signature modeling. This reveals a layered approach to detection, with different modules specializing in different levels of granularity and evasiveness.

Routing logic and censorship enforcement are governed by automated scripts and control schemas that appear to be distributed from centralized locations to regional nodes. Python and shell scripts uncovered in the dataset automate the scanning of IP ranges, the classification of foreign nodes, and the deployment of routing directives. Routing tables, sinkhole IP lists, and blackhole redirects provide insight into how traffic is rerouted or silently dropped based on the policy logic defined upstream. Several control files appear to be distributed on a schedule or in response to live triggers, showing both manual and autonomous enforcement methods. This system likely allows Beijing-based control centers to push directives to provincial-level enforcement arms, where localized engineers and systems perform filtering or inspection with scoped authority.

Operational state is maintained through a robust internal monitoring ecosystem. Included in the leak are comprehensive exports of CPU usage, memory performance, service uptime logs, and stream-based telemetry. These system-wide diagnostics provide not only visibility into the technical health of enforcement systems, but also allow higher-level auditing of session disruptions, filtering efficacy, and infrastructure stability. Screenshots from management interfaces and logs from web-based control dashboards suggest that operators are provided with real-time analytics, interactive filtering toggles, and user/session views. Most of these systems rely on enterprise-grade authentication mechanisms, such as LDAP-based Single Sign-On (SSO), indicating tight coupling between enforcement tooling and institutional IT frameworks.

An unexpected but critical component of the breach is the metadata embedded within documents and logs. Authorship tags, file paths, and computer hostnames have linked hundreds of documents to individual users, systems, and organizations. These human fingerprints offer unprecedented visibility into the organizational structure behind the GFW’s operation. Engineers, data analysts, lab researchers, and regional technicians are all traceable by name or system alias. Many entries refer to known ISPs, national labs, or university-affiliated nodes, suggesting that the enforcement apparatus spans a wide constellation of public-private partnerships, military-academic collaborations, and centralized policy deployment.

Together, these findings constitute a unique technical cross-section of the Chinese censorship-industrial complex, revealing not just what is filtered or how, but who enforces it, who maintains the infrastructure, and how decisions flow through the layered topology of digital control.

What Comes Next

This report represents only the first installment in a three-part investigative series into the unprecedented breach of China’s censorship apparatus. While this Part 1 has centered on exposing the dataset’s contents and evaluating its technical, organizational, and strategic significance, it is only the beginning. The sheer scale and complexity of the leak, over 500GB of internal GFW infrastructure data, demands a methodical, layered approach to fully grasp its implications. The next two parts in this series will delve even deeper, uncovering the architecture of China’s censorship regime and examining the wider consequences for global digital governance.

Part 2 – The Architecture will offer a forensic reconstruction of how the Great Firewall actually works at the technical level. Leveraging the internal Visio network diagrams, log schematics, scanning schedules, app fingerprinting routines, and heuristic rule exports uncovered in the dump, we will map the core design of the censorship stack. This includes how packets are intercepted, filtered, redirected, or dropped; how apps like Psiphon and V2Ray are detected at the protocol level; and how traffic shaping is deployed based on geography, ISP, or session context. The analysis will also break down the GFW’s modular enforcement structure, highlighting regional control points, the roles of telecom and research institutions, and the likely contribution of vendors with MSS affiliations in building out control interfaces and automated classifiers.

Part 3 – Geopolitics and The Fallout will address the broader implications. This breach does more than just reveal technical controls, it changes the strategic calculus of censorship resistance. We will assess how the exposure reshapes China’s ability to sustain its domestic information control and international cyber operations, and how it informs countermeasures by VPN developers, privacy advocates, and democratic governments. Ethical and legal questions will also be raised: what does responsible engagement with such data look like? And how should open societies use this moment to harden digital rights, strengthen transparency norms, and resist the spread of authoritarian control models abroad? With this series, we aim to present not just the most complete picture yet of the GFW, but a roadmap for pushing back against the machinery of state censorship.

Cybercriminals are orchestrating a cryptocurrency “wallet drain” conspiracy that spans sketchy browser extensions, mobile profile phishing, and sham cryptocurrency trading platforms, all tied together by a single web of infrastructure. In this investigative deep dive, we expose how multiple scam websites such as medaigenesis[.]cc, novacrypt[.]net, and zzztd[.]com were hosted on the same server IP address, 8.221.100[.]222. These sites formed a coordinated infrastructure used to steal cryptocurrency from unsuspecting users. As of September 25, the A record for novacrypt[.]net stopped resolving to this IP address, which could indicate that the attackers have shifted infrastructure or that the domain has been taken down. The scams range from browser extension popups and iPhone configuration profile traps to fraudulent web trading apps, all of which are backed by clever social engineering. Below, we break down each component of this operation, provide code snippets and network maps, and outline Indicators of Compromise (IOCs) to help you recognize and avoid these threats.

MedAI Genesis – A Fake Medical DAO With a Draining Agenda

One of the more elaborate fronts in this scam network is medaigenesis[.]cc, which presents itself as a next generation healthcare initiative powered by blockchain and artificial intelligence. Styled as “MedAI Genesis,” the site promotes itself as the future of personalized health management, backed by buzzwords such as AI 5.0, on chain biometric data, and health NFTs.

“Redistribution of medical resources,” it claims. “Rise of the health currency.”

At first glance, it reads like a cryptocurrency investor’s dream married to a healthcare revolution. The platform boasts features like:

• AI-driven medical consultation,
  
• NFT-based health records,
  
• On-chain health governance voting,
  
• A utility token called MDAI.
  

But under the hood, this is a scam in a lab coat.

Instead of delivering health features, the site launches a wallet connect popup through a  browser extension. Its objective is to drain cryptocurrency holdings under the guise of activating access features. The scam blends health tech themes with cryptocurrency mechanics to create a believable front that convinces victims to interact with their wallets, triggering the theft.

How it works: The CSS from Trust Wallet’s Chrome extension (ID egjidjbpglichdcondbcbdnbeeppgdph) is a key mechanism to provide styling and fonts. The risk arises when scammers replicate this styling to create a phishing site that appears identical to a legitimate Trust Wallet connect prompt. On a fake site, clicking “Connect” does not trigger a secure wallet handshake, instead, the site can hide code that makes your wallet approve a dangerous transaction. It may look like you are just connecting, but if you click approve, the scammer could get permission to take your money.

Scam in Action: Imagine visiting a new cryptocurrency platform and seeing a familiar professional-looking “Connect Trust Wallet” dialog. Believing it is safe, you click connect only to be asked to sign a transaction that silently hands control of your wallet to the scammer. Functions like setApprovalForAll or direct transfers can then be abused to drain assets if you approve.

Notably, the extension’s ID corresponds to a Trust Wallet extension listed on the official Chrome Web Store, which raised alarms. The extension’s review page is filled with reports of stolen funds, scam, and backdoors. It appears scammers either published a fake but convincing “Trust Wallet” extension or leveraged the legitimate one. Either way, its presence in the victim’s browser is what enables the “Fake Wallet Connect” popup to appear.

This tactic is especially dangerous because the CSS makes the interface appear authentic, while the real attack would occur in the underlying JavaScript. In this case, the phishing site (for example, a staged platform like “MedAI Genesis”) appears to still be under construction. The look-alike Trust Wallet pop-up is present in the code but not fully functional, as several links return errors or placeholders, and even the Telegram channel is commented out. These indicators suggest the threat actor could be staging the site for a future campaign. In the meantime, the page is decorated with fake features such as “AI-Powered diagnostic service payments” and “Global health data NFTization,” along with unverifiable profiles and logos from real companies like Pinksale and Binance Smart Chain. These credibility tricks are designed to lower a victim’s guard once the phishing flow is fully enabled.

Cleverly, the phishing kit may even embed Trust Wallet style fonts via chrome extension:// URLs to mimic the look of the genuine extension UI. This does not grant access to the real extension but enhances the deception.

Figure: CSS from the fake Trust Wallet extension loading a Binance font – indicating the extension is active on the page

Endgame: Once a victim signs the malicious transaction, the attacker has the permissions needed to siphon cryptocurrency assets at will. This is a classic wallet drain; a convincing façade powered by copied CSS and branding, but with the theft executed entirely by malicious JavaScript hidden beneath.

Fake Trust Wallet CSS code snippet for a popup:  

Phishing via iPhone Profile:  The Novacrypt “App”

Another facet of this scam nexus targets mobile users, especially iPhone owners, by distributing a malicious Apple configuration profile (.mobileconfig) that masquerades as a new cryptocurrency trading app called Novacrypt. Instead of a real app, victims end up installing a WebClip – essentially a fake app icon that opens a phishing site. This is a stealthy method to phish cryptocurrency exchange credentials via what appears to be a standard app installation.

How it works: The scammers set up a fake “App Store” download page prompting users to install the Novacrypt app for iOS. When the user agrees, they receive a .mobileconfig file from the Novacrypt site (e.g., novacrypt.net/.../Novacrypt.mobileconfig). This configuration profile, when opened on an iPhone, prompts the user to install a new profile, which most users interpret as installing an app or enabling certain functionality.

Let’s break down key parts of the Novacrypt mobileconfig payload:

Figure: Excerpt from the Novacrypt.mobileconfig file, showing it creates a WebClip named "Novacrypt" that opens a URL to h5.novacryptmax[.]com.

• PayloadDisplayName = “Novacrypt” – The name shown to the user during install, making it appear official.
• PayloadType = com.apple.webClip.managed – This indicates the profile will install a Web Clip (shortcut) on the home screen.
• Label = “Novacrypt” – The label under the home screen icon, so it looks like a real app named Novacrypt.
• URL = https://h5.novacryptmax[.]com/#/pages/auth/sign-in – The crux of the scam: this is the URL that the WebClip opens. It’s a fake login page on a domain (novacryptmax[.]com) that appears to be related to Novacrypt but is entirely under the scammer’s control.

Additionally, the profile includes a base64-encoded icon image (to make the WebClip icon resemble a legitimate app logo), and it is digitally signed (likely with a self issued certificate). Interestingly, the profile’s signature references “Let’s Encrypt” and a domain 360[.]icu, suggesting that the threat actor used a free certificate (possibly a deceptive one named to appear trustworthy) and potentially hosted the profile on a domain like 360[.]icu. This shows the lengths to which the scammers go to make the profile appear “verified” to the user.

Step-by-step, the attack unfolds as:

1. Bait – The victim receives a link (via email, social media, etc.) to download the “Novacrypt crypto trading app.” The link directs users to a page that mimics an official app store, prompting the installation of an iOS configuration profile.
2. Install – The user installs the profile on their iPhone, ignoring iOS warnings. Because the profile is named “Novacrypt” and has a nice icon, it appears legitimate. A new “Novacrypt” icon now appears on the home screen, as if a real app had been installed. 
3. Phishing – When the victim taps the Novacrypt icon, it doesn’t launch a real app; instead, it quietly opens Safari to h5.novacryptmax[.]com/#/pages/auth/sign-in, a phishing webpage. The page likely impersonates a login screen for a cryptocurrency exchange or wallet.
4. Credentials Theft – Believing this to be part of setting up the app, the user enters their username, password, 2FA, etc. Those credentials are immediately sent to the attacker. The victim might even be redirected or shown an error after to avoid suspicion. Meanwhile, the attackers can use those stolen logins to empty the victim’s accounts or wallets on real exchanges.

H5.novacryptmax[.]com 

This scheme abuses Apple’s enterprise device management feature to add a phishing shortcut on the user’s phone. It appears to install an app, but in reality it is only a bookmark to a fraudulent site. No malware is installed on the device, the “app” is simply Safari redirected to the attacker’s page. 

The Novacrypt phish’s infrastructure reveals some interesting connections: the phishing site utilizes the domain novacryptmax[.]com (with subdomains such as h5., web., etc.), which was registered through the same registrar (Gname) as the other scam domains and hosted behind Cloudflare. The decoy download page was on novacrypt[.]net (hosted at 8.221.100[.]222), and its “App Store” button simply served the mobileconfig from that domain. There was even an Android variant attempt – the “Google Play” button on the site pointed to googleplay.nova-reviews[.]com (likely intended to drop an APK or guide Android users, though by the time of analysis, that domain wasn’t resolving).

The “ZZZTD” Web Trader - Fake Platform with Malicious Code

The third pillar of this scam nexus is a fake online cryptocurrency trading/investment platform hosted on zzztd[.]com (also on 8.221.100].]222). At first glance, zzztd[.]com appears to be a cryptocurrency or financial trading web application. However, buried in its code are suspicious scripts that suggest it may be stealing data or loading malware in the background.

On zzztd[.]com’s homepage, researchers found references to two main JavaScript files: chunk-vendors.f0dabee900057778.js and app.46e5246269e54881.js. These appear to be typical for a web app (the former likely containing third party library code, and the latter the app’s own code). The HTML uses <script defer> tags to load these, meaning they execute after the page loads:

Figure: Code snippet from zzztd[.]com loading JavaScript files for the web application. The defer attribute indicates these scripts run only after the HTML is parsed, ensuring the page renders first.

A VirusTotal scan of the app.46e5246269e54881.js file showed 0 antivirus detections, which isn’t uncommon for custom JavaScript (most AV engines don’t flag obfuscated JS files). However, the behavioral analysis on VirusTotal yielded a clue: it revealed that this script (or something it loaded) tried to contact a suspicious domain, anedhaude[.]xyz. That domain is not currently publicly active, but further investigation uncovered an Android Trojan sample (“ioeai.apk”) that also communicated with anedhaude[.]xyz. In other words, the zzztd[.]com web app shares infrastructure or code with known malware, strongly suggesting that if a user interacted with zzztd[.]com (or downloaded anything from it), they could be infected or have their data sent to the attackers’ server.

It’s possible that zzztd[.]com was set up to either phish for login credentials to cryptocurrency accounts (by mimicking a trading dashboard and tricking users into inputting private keys or exchange logins) or to deliver malware (like the mentioned Android APK) to users under the guise of a mobile trading app. The site’s code, including references to an external C2 domain (anedhaude[.]xyz), is a red flag – legitimate cryptocurrency trading platforms wouldn’t embed calls to random .xyz domains. This pattern connects zzztd[.]com back to the same threat actor’s toolkit.

• app.46e5246269e54881.js-https://www.virustotal.com/gui/file/430a73bc2a01dd1c5c84c5cc8bf0c65b163198a39910d66dc93f23fcea458fbe/behavior

• ioeai.apk-https://www.virustotal.com/gui/file/884cc0b03fbb7f8282916433987ccd8573460d8c2daa33fe1da211a13331b1e7/behavior

Connecting the Dots: One IP, Many Scams

What ties MedAI Genesis, Novacrypt, and ZZZTD together? The investigation found that all these seemingly disparate scams were hosted on a single IP address: 8.221.100[.]222. This IP address (an Alibaba Cloud server in Asia) served as a one stop hosting hub for the scammer, hosting multiple domains for various fraud schemes. At least eight domains sharing this server have been identified, including those involved in the scams above and others:

• medaigenesis[.]cc – Fake cryptocurrency/AI investment site (wallet drainer stage)
• novacrypt[.]net – Host for the fake app mobileconfig and website
• zzztd[.]com – Fake cryptocurrency trading platform with malicious JS
• n58[.]bet – Likely another scam site (one reference suggests it was a fake gaming site in Chinese)
• ewnai[.]com – A fake AI technology site 
• app.tiktoks[.]cc – A short lived domain 
• admin.zzztd[.]com, web.zzztd[.]com – Subdomains related to zzztd[.]com
• web.novacrypt[.]net – Subdomain which, interestingly, was misconfigured to display content from EWN AI (ewnai[.]com), accidentally linking the Novacrypt scam to the EWN AI scam by content reuse.

Subdomain resolving to a different IP, hosting a fake gaming site.

kook1.ewnai[.]com (103.235.174.202)

Web.novacrypt[.]net (misconfigured to display content from EWN AI (ewnai[.]com)

Most of these domains were registered through the same registrar (Gname.com Pte. Ltd.), reinforcing that they are controlled by the same actor or group. Passive DNS records indicate that this infrastructure has been in use since at least April 2025 and remained active until August 2025, suggesting an ongoing campaign.

The threat actor behind this nexus appears to be quite versatile: not only targeting cryptocurrency investors through multiple avenues (sketchy extensions, fake apps, and fake platforms), but also dabbling in other forms of fraud, such as a fake TikTok Shop scam. One of the scam sites was a gaming/gambling site in Chinese, hinting that the operators might be based in or targeting users in East Asia (or trying a variety of lures to see what sticks). The range of themes, from AI startups to cryptocurrency exchanges to e-commerce, shows a wide-reaching fraud operation managed by a single actor.

Below is a network map connecting the key domains and infrastructure:

Figure: Network map of the scam nexus, showing domains hosted on 8.221.100[.]222 (center) and their relationships. The fake Trust Wallet popup and external phishing domains (novacryptmax[.]com, etc.) are also linked to the core cluster.

Despite the variety of themes these platforms use (AI token site, trading platform, mobile app), these scams share common tactics. They all rely on social engineering to get the victim to take a harmful action willingly, such as installing an extension or profile, clicking a connect button, or typing in a password. The technical traps (malicious code injection, webclip profiles, obfuscated scripts) are combined with psychological lures (shiny websites, promises of big profits, or urgent investment opportunities). It’s a potent mix that has likely claimed many victims.

Conclusion

This cluster of scams demonstrates how threat actors combine technical methods with deception to steal cryptocurrency. By controlling multiple domains and even a browser extension, they exploit trust at several levels: browser add-ons, app installation processes, and convincing web design. The single infrastructure behind these schemes also highlights how a determined attacker can leverage one setup to run multiple scams, from cryptocurrency theft to fake e-commerce.

Staying safe requires a mix of technical defenses and skepticism: avoid installing browser extensions or mobile profiles from unverified sources, double check URLs (a legit project won’t ask you to install a profile for an “app”), and be wary of any unexpected wallet transaction requests. As the “Cryptocurrency Drain Conspiracy” shows, even a legitimate looking prompt could be a trap. Always verify through official channels, and when in doubt, don’t click “Connect” or “Install”, that split second decision can make the difference between keeping your assets secure or seeing them wiped out.

Indicators of Compromise (IOCs)

For quick reference, here is a summary of known indicators associated with this scam nexus. Security teams and vigilant users can use these to detect or block related activity:

Executive Summary

Salt Typhoon is a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security (MSS), specializing in long-term espionage operations targeting global telecommunications infrastructure. Active since at least 2019, Salt Typhoon has demonstrated advanced capabilities in exploiting network edge devices, establishing deep persistence, and harvesting sensitive communications metadata, VoIP configurations, lawful intercept data, and subscriber profiles from telecom providers and adjacent critical infrastructure sectors.

Salt Typhoon operates with both direct MSS oversight and the support of pseudo-private contractor ecosystems, leveraging front companies and state-linked firms to obscure attribution. Recent legal and intelligence reporting confirms that Salt Typhoon maintains operational ties to i-SOON (Anxun Information Technology Co., Ltd.), a prominent MSS contractor known for enabling offensive cyber operations through leased infrastructure, technical support, and domain registration pipelines.

Salt Typhoon’s targeting profile spans the U.S., U.K., Taiwan, and EU, with confirmed breaches in at least a dozen U.S. telecom firms, multiple state National Guard networks, and allied communications providers. Their campaigns utilize bespoke malware, living-off-the-land binaries (LOLBINs), and stealthy router implants, and are notable for their use of publicly trackable domains registered with false U.S. personas, marking a rare lapse in tradecraft among advanced Chinese threat actors.

Background

Salt Typhoon is a state-sponsored advanced persistent threat (APT) group attributed to the People’s Republic of China (PRC) and aligned specifically with the Ministry of State Security (MSS). First observed in 2019, the group has become increasingly active and visible through public indictments, technical advisories, and leaked contractor documents—exposing not only its campaigns but also the hybrid contractor-state model behind its operations.

Salt Typhoon is part of a larger naming taxonomy introduced by Microsoft, which classifies Chinese nation-state actors under the “Typhoon” label. It is believed to overlap with or operate in conjunction with previously known clusters such as Ghost Emperor (Kaspersky), FamousSparrow (ESET), Earth Estrie (Trend Micro), and UNC2286 (Mandiant). Some infrastructure and malware characteristics have also shown ties to UNC4841, further blurring attribution boundaries within China’s expansive APT ecosystem.

What distinguishes Salt Typhoon from other PRC-linked actors is its direct targeting of global telecommunications infrastructure for long-term signals intelligence (SIGINT) collection. The group has demonstrated sophisticated tradecraft in:

• Exploiting network edge devices (routers, VPN gateways, firewalls),
• Maintaining long-dwell persistence via firmware/rootkit implants,
• Harvesting lawful intercept data, VoIP configurations, and subscriber metadata from telecom providers,
• And using plausibly deniable contractor infrastructure to obscure attribution.

This report consolidates known intelligence, indictments, IOCs, and operational profiles for Salt Typhoon to support attribution, detection, and threat modeling.

Salt Typhoon within the Chinese Nation-State Cyber Intelligence Structure

Salt Typhoon represents not merely a loose collection of intrusion campaigns, but a state-directed cyber espionage program embedded within the operational apparatus of the People’s Republic of China (PRC). Its activity is consistent with the model observed across other PRC “Typhoon” actors: centralized tasking from the Ministry of State Security (MSS), supplemented by the use of contractor and front-company ecosystems that provide scalable infrastructure, tooling, and deniability. The group’s consistent focus on U.S. telecommunications providers, defense-adjacent networks, and allied critical infrastructure sectors is aligned with MSS priorities of foreign intelligence collection, counterintelligence support, and preparation of the battle space.

Although the MSS remains the primary beneficiary of Salt Typhoon operations, technical overlaps with missions traditionally associated with the People’s Liberation Army Strategic Support Force (PLA SSF) suggest that elements of the PLA’s mandate, particularly communications exploitation, SIGINT, and critical infrastructure disruption planning—are also served by this program. By embedding implants in routers, VPN gateways, and telecom backbone equipment, Salt Typhoon delivers persistent access not only for espionage but also for long-term contingency operations, ensuring that PRC intelligence and military planners can monitor, disrupt, or degrade communications infrastructure if required during geopolitical crises. In this sense, Salt Typhoon should be understood as a dual-use capability: a cyberespionage engine serving day-to-day intelligence needs while simultaneously providing the technical foundation for potential wartime cyber operations.

MSS and PLA Roles

Ministry of State Security (MSS):

• The MSS is the primary civilian intelligence service responsible for foreign intelligence, counterintelligence, and cyber-enabled espionage.
  
• Salt Typhoon shows operational hallmarks of MSS regional bureaus, particularly the Chengdu presence, leveraging local contractors and front companies.
  
• Firms like Sichuan Juxinhe and Beijing Huanyu Tianqiong are assessed to be either fronts or semi-integrated subsidiaries, mirroring MSS’s historical practice of using corporate cut-outs.
  

People’s Liberation Army (PLA):

• PLA units (particularly under the Strategic Support Force) have historically targeted communications infrastructure for SIGINT and C4ISR disruption.
  
• While PLA attribution to Salt Typhoon is less direct, the targeting of backbone and edge routers suggests technical overlap with PLA’s mandate to prepare battlefields in cyberspace.
  
• Contractors such as Sichuan Zhixin Ruijie may provide dual-use capabilities for both MSS espionage and PLA operational readiness.

Chinese Corporate Hacking Support Infrastructure

The recent joint cybersecurity advisory (August 2025) shed light on three Chinese companies implicated in supporting the operations of Salt Typhoon: Sichuan Juxinhe Network Technology (四川聚信和), Beijing Huanyu Tianqiong Information Technology (北京寰宇天穹), and Sichuan Zhixin Ruijie Network Technology (四川智信锐捷). Each entity demonstrates a different operational model: front companies serving as covers for MSS-linked divisions, and contractors providing technical products and services with both defensive and offensive applications. This model aligns closely with previously documented ecosystems, such as the exposure of i-SOON (安洵科技), where corporate structures serve dual purposes as commercial entities and enablers of state espionage campaigns.

Salt Typhoon-Linked Firms

Sichuan Juxinhe Network Technology

• Likely MSS front company, minimal legitimate business presence.
  
• Unusual element: 15 software copyrights possibly registered on behalf of an MSS division.
  
• Fits classic indicators of a cut-out entity used to mask state cyber operations.

Beijing Huanyu Tianqiong Information Technology

• Founded in 2021, coinciding with early Salt Typhoon activity.
  
• Operates a Zero Trust Defense Lab, offering both legitimate security services (penetration testing, IR) and products with potential C2 and covert access functions (e.g., Shadow Network).
  
• Evidence suggests hybrid role: front company characteristics with some self-sustaining innovation, patents, and recruitment efforts.
  
• Proximity to Sichuan Zhixin Ruijie’s Chengdu office suggests co-location strategy for operational synergy.

Sichuan Zhixin Ruijie Network Technology

• Established 2018, later certified as a high-tech SME and contractor for government/military clients.
  
• Products such as router control systems and network traffic monitoring platforms possess clear offensive potential.
  
• Functions as a legitimate contractor rather than a pure front, demonstrating how PRC state cyber programs leverage existing commercial capacity for deniable operations.

Parallels and Overlaps with i-SOON

The Salt Typhoon corporate ecosystem echoes the i-SOON leaks (2024), which revealed:

• Direct contracting relationships between Chinese intelligence services (MSS, PLA) and nominally private cybersecurity companies.
  
• Use of hybrid companies mixing legitimate commercial activities with covert offensive cyber tasks.
  
• Shared personnel pools, with employees oscillating between state agencies, private firms, and academic research labs.
  

Like i-SOON, Salt Typhoon’s supporting companies illustrate how the PRC cyber apparatus blurs the lines between state, semi-private, and private entities. Both ecosystems leverage:

1. Front companies (minimal digital presence, few employees, registered IP) to obscure attribution.
   
2. Legitimate contractors (with patents, certifications, government clients) to provide scalable, high-quality tools and services.
   
3. Innovation-driven hybrids, balancing R&D, patents, and proprietary software development with covert tasking.

Front Company Infrastructure

Multiple companies have been sanctioned or named as enablers in Salt Typhoon’s tradecraft, including:

• Sichuan Juxinhe Network Technology Co., Ltd.: Tied to Yin Kecheng; facilitated domain control, server management, and malware staging.
• Shanghai Heiying Information Technology Co., Ltd.: Tied to Zhou Shuai; enabled data laundering and resale of stolen network access.

These entities provided infrastructure, logistics, and plausible deniability, allowing MSS operators to mask espionage as commercial or third-party actions.

Ties to i-SOON: China’s Hacker-for-Hire Engine

i-SOON (Anxun Information Technology Co., Ltd.) is a Chinese cyber contractor linked to both the Ministry of State Security (MSS) and Ministry of Public Security (MPS). The company gained international attention following a 2024 GitHub data leak that exposed internal documents, tools, and tasking relationships with state clients.

i-SOON operates as a pseudo-private offensive cyber firm, bridging the gap between state priorities and a scalable, deniable contractor ecosystem. Their services include:

• Custom malware and implant development
• Infrastructure registration (e.g., domains, cloud servers)
• Threat actor support tooling (e.g., internal C2 kits)
• OSINT scraping and target profiling modules

Confirmed Connections to Salt Typhoon

Significance of i-SOON Ties

• Operational Deniability: Salt Typhoon’s use of i-SOON demonstrates how the MSS leverages contractor cutouts to distance itself from direct attribution.
• Scalable Infrastructure: The company’s support enabled Salt Typhoon to deploy repeatable, automated domain registration templates, malware logistics, and support tooling.
• Repeatable Tradecraft: Patterns seen in Salt Typhoon’s infrastructure (e.g., ProtonMail Whois records, registrant personas, toolkits) align with systems leaked in the i-SOON dump—suggesting shared toolchains or operational guidance.

Strategic Implications

• Operational Flexibility: The PRC can allocate missions across fronts and contractors depending on risk tolerance and technical requirements.
  
• Attribution Challenges: By embedding cyber operations within commercial ecosystems, Beijing complicates efforts by defenders to distinguish legitimate activity from state-directed espionage.
  
• Sustainability: Firms like Huanyu Tianqiong and Zhixin Ruijie may represent a next generation of i-SOON-style contractors, where state-directed offensive tasks are embedded within otherwise legitimate market-facing companies.
  
• Geographic Concentration: The clustering of these firms in Chengdu and Beijing reflects established hubs for MSS-linked cyber operations, similar to how i-SOON operated from Hainan.

Strategic Placement

• Salt Typhoon should be understood not as a single APT but as a programmatic campaign, reflecting MSS tasking and PLA technical priorities.
  
• It operates at the intersection of espionage and contractor ecosystems, embodying China’s blended cyber force structure:
  
  • MSS → espionage, influence, covert penetration
    
  • PLA → strategic SIGINT, military preparation, infrastructure disruption
    
  • Corporate cut-outs → tools, cover, scalability
    

This layered integration allows Salt Typhoon to persist globally, masking state direction behind a facade of “legitimate” Chinese technology firms.

Known Campaigns & Motivations

Salt Typhoon has carried out a series of highly targeted cyber espionage campaigns since at least 2019, primarily focused on telecommunications infrastructure, military networks, and intelligence collection across strategic geographies. These operations are consistent with Ministry of State Security (MSS) tasking, reflecting objectives such as signals intelligence acquisition, persistent access to critical infrastructure, and preparation of the battle-space for potential geopolitical escalation.

Below is a breakdown of major campaigns attributed to Salt Typhoon:

U.S. Telecom Metadata Breach

Timeframe: Early to Late 2024
Region: United States
Victims: AT&T, Verizon, T-Mobile, Lumen, Windstream, and other major telecoms
Tactics: Exploitation of router/firewall CVEs, configuration hijacking, long-dwell persistence
Data Exfiltrated:

Subscriber metadata

Call detail records (CDRs)

VoIP infrastructure configs

Lawful intercept logs
Motivation:
To collect high-value SIGINT across U.S. telecom layers, including surveillance of communications and infrastructure maps. Likely tasking involved PRC state priorities around counterintelligence and strategic insight into U.S. domestic and foreign communications channels.

U.S. National Guard Network Intrusions

Timeframe: March–December 2024
Region: United States
Victims: State-level National Guard military networks
Tactics: Exploitation of VPN gateways and edge devices; lateral movement
Data Exfiltrated:

Network diagrams

VPN configs

Credentials

Incident response playbooks
Motivation:
Preparation of the battle space and long-term espionage within defense-adjacent infrastructure. Access to National Guard systems may serve to identify mobilization thresholds, crisis response mechanisms, or gaps in Cybersecurity posture.

British Critical Infrastructure Breach

Time-frame: 2023–2024
Region: United Kingdom
Victims: Unspecified entities within government, military, transportation, and telecom sectors
Tactics: Edge device compromise, deep persistence, VoIP and metadata collection
Data Exfiltrated:

Communications routing info

Geo-location metadata

Secure messaging infrastructure details
Motivation:
Strategic espionage against a key U.S. ally and Five Eyes member. Objectives likely included monitoring of UK national security communications, potential identification of surveillance chokepoints, and tactical SIGINT acquisition.

Router Hijacking Across the EU

Timeframe: 2022–2023
Region: Netherlands, Germany, France, and other EU states
Victims: Small-to-mid-tier internet service providers (ISPs)
Tactics: Exploitation of firmware and remote management services
Persistence:

Custom router implants

Backdoored updates
Motivation:
Infrastructure-level access in support of broader SIGINT harvesting and as potential staging points for operations elsewhere in Europe. These footholds may enable covert redirection of traffic, credential theft, or passive surveillance of encrypted communications.

i-SOON-Enabled Espionage Campaigns

Timeframe: Ongoing (2019–Present)
Region: Global – activity observed across U.S., Taiwan, EU, and Southeast Asia
Infrastructure:

Domains registered using fake U.S. identities and ProtonMail accounts

Toolkits developed or leased via i-SOON (Anxun Information Technology Co., Ltd.)
Motivation:
These campaigns reflect China’s shift toward a contractor-enabled cyber espionage model, allowing deniability while scaling operations. i-SOON support enables Salt Typhoon to outsource infrastructure management, domain procurement, and OPSEC tooling, aligning with MSS tradecraft evolution toward privatized cyber outsourcing.

Domain Infrastructure & Tradecraft

Salt Typhoon has developed and sustained a large-scale, repeatable domain registration infrastructure that has enabled the public attribution of at least 45 domains to its campaigns between 2020 and 2025. This extensive exposure represents a significant operational security failure for a Chinese state-aligned threat group, especially compared to the more opaque infrastructure practices seen in other MSS-directed operations.

The domains were consistently registered using ProtonMail email addresses and fabricated U.S. personas, often featuring plausible American names and residential addresses in cities like Los Angeles and Miami. Common registrant names included:

• Monica Burch (Los Angeles)
• Monica Gonzalez Serrano (Burgos)
• Shawn Francis (Miami)
• Tommie Arnold (Miami)
• Geralyn Pickens (linked to overlapping UNC4841 infrastructure)
• Larry Smith (Illinois) 

This infrastructure supported several key phases in Salt Typhoon’s intrusion lifecycle:

Several domains mimicked legitimate technology or telecom services, enhancing perceived authenticity. Notable examples include:

• cloudprocenter[.]com
• imap.dateupdata[.]com
• requiredvalue[.]com
• e-forwardviewupdata[.]com
• dateupdata[.]com
• availabilitydesired.us

Domain Registration, Infrastructure & Tradecraft

Salt Typhoon’s domain infrastructure exhibits a contractor-driven, modular tradecraft aligned with long-term scalability and operational deniability. Unlike traditional Chinese APTs that rely on obscure or concealed infrastructure, Salt Typhoon routinely registers English-language domains using fabricated U.S. personas, a notable operational security lapse that reflects the outsourcing of infrastructure to pseudo-private contractors, including entities like i‑SOON, Zhixin Ruijie, and Huanyu Tianqiong.

While prior assessments emphasized domains mimicking telecom portals (e.g., routerfirmwareupdate[.]net, servicecloudconnect[.]com), updated analysis of actor-controlled domains reveals a different pattern:

• Many domains employ action-oriented language (getdbecausehub[.]com, solveblemten[.]com, lookpumrron[.]com) that simulates benign SaaS or internal productivity tools.
  
• A smaller subset of nonsensical domain names (xdmgwctese[.]com) points to automated or randomized generation—possibly for backup C2s.
  
• Direct telecom brand mimicry is absent in this dataset, indicating a shift toward subtle obfuscation over spoofing.
  

Infrastructure telemetry shows:

• Consistent use of ProtonMail accounts for Whois registration, often in combination with fictitious U.S. addresses (e.g., Lena, IL or Miami, FL).
  
• Clustering around shared DNS hosts, including value-domain.com, and common TLS issuers such as GoDaddy Secure and Sectigo RSA DV CA.
  
• Timeline analysis reveals batch provisioning of domains and certificates, indicative of centralized tooling and bulk operational logistics.
  

This tradecraft suggests integration with dual-use contractor toolkits (e.g., Shadow Network/Defense), where C2 channels are disguised as routine update or sync services. It reinforces the hypothesis that Salt Typhoon operates as a state-aligned offensive platform fueled by commercial intermediaries, blurring the line between espionage infrastructure and legitimate cloud services.

This approach underscores the hybrid MSS contractor model: the Ministry of State Security directs tasking while corporate cut-outs register domains, lease infrastructure, and package turnkey C2 kits. The resulting infrastructure is repeatable and industrialized, but not airtight. Its reliance on predictable naming templates, overlapping infrastructure, and false U.S. identities creates attributional fingerprints that defenders can exploit for pivoting. 

• Top fake registrant names:
  • Shawn Francis (8 domains)
  • Monica Burch, Tommie Arnold, Larry Smith (4–5 each)
  • Others include “Geralyn Pickens” and privacy placeholders like “Domain Admin” or “REDACTED FOR PRIVACY”
• Email Domains:
  • protonmail.com used in 47% of records, indicating consistent OPSEC tooling reuse.
• Registrant Addresses:
  • Most addresses list Miami, FL or Lena, IL, using street names like “Lowland Drive” and “Trails End Road,” suggesting automation, scraped identity data or just creative writing.

Salt Typhoon’s decision to register domains using fabricated U.S.-based identities and ProtonMail accounts, rather than relying on anonymized Whois services or privacy proxies, may reflect a calculated tradecraft decision rather than simple OPSEC failure. This approach allowed the group to craft infrastructure that appeared more legitimate to automated detection systems, phishing targets, and threat intelligence filters, thereby increasing the likelihood of successful intrusion or lateral movement. The use of plausible names (e.g., “Shawn Francis,” “Monica Burch”) and real-sounding U.S. addresses likely helped the domains blend into domestic traffic patterns and evade geo-IP or heuristic-based scrutiny. Moreover, the repeated structure and reuse of ProtonMail accounts suggest a contractor-enabled, semi-automated provisioning model, likely stemming from entities like i‑SOON. This infrastructure pipeline likely prioritized speed, scalability, and low-friction staging environments over long-term stealth. While it ultimately enabled attribution and exposure, it reveals a key insight into the industrialization of Chinese cyber operations: where the demand for deniability is often subordinated to operational efficiency and technical convenience.

DNS & Name Server Infrastructure

Analysis of DNS records reveals significant clustering around shared name server infrastructure, indicating that Salt Typhoon domains are not provisioned independently but rather through centralized pipelines. Many of the identified domains resolve to the same or closely related sets of authoritative name servers, often hosted within low-density VPS environments controlled by a limited number of providers. This pattern reduces operational overhead for the attackers, allowing bulk management of dozens of domains from a single administrative point, but it also introduces a major attributional weakness. By pivoting on recurring NS records, defenders can uncover entire clusters of infrastructure tied to Salt Typhoon, even when individual domains use different registrars, registrant details, or privacy-protection services. The concentration of these resources strongly suggests the involvement of contractor-managed hosting accounts or automation scripts, reinforcing the view that Salt Typhoon relies on semi-privatized service providers to industrialize domain management at scale.

• Name Server Hosts (Top):
  • irdns.mars.orderbox-dns.com (8 domains)
  • ns4.1domainregistry.com and value-domain.com (5–6 each)
  • MonoVM-branded servers like earth.monovm.com, mars.monovm.com also appear
• Name Server IP Clusters:
  • 162.251.82.125, 162.251.82.252, and 162.251.82.253 support up to 7 domains each
  • IPs belong to OrderBox / PublicDomainRegistry infrastructure, suggesting templated registrar setup

SSL Certificates Use

Salt Typhoon prefers commercial domain-validated (DV) certificates issued by authorities such as GoDaddy and Sectigo, deliberately avoiding free certificate providers like Let’s Encrypt. This choice reflects an intent to make their infrastructure appear more legitimate to both automated security systems and human analysts, since certificates from well-known commercial issuers are less likely to trigger suspicion than those from free, disposable services. The use of DV certificates also allows operators to rapidly provision SSL/TLS coverage across large batches of domains with minimal validation requirements, streamlining the deployment of C2 and staging servers. While this practice raises the cost and complexity slightly compared to using free providers, it demonstrates Salt Typhoon’s emphasis on credibility and persistence over short-term economy, fitting with their long-dwell operations against telecom and defense-adjacent networks. For defenders, the clustering of GoDaddy- and Sectigo-issued certificates across multiple Salt Typhoon domains provides an additional pivot point, exposing infrastructure reuse and linking seemingly unrelated assets back to the same operational ecosystem.

• Top SSL Issuers:
  • GoDaddy Secure Certificate Authority – G2 (18 certs)
  • Sectigo RSA DV Secure Server CA (4 certs)
• Common CNs:
  • *.myorderbox.com appeared across 4 domains, indicating use of wildcard certs from shared panels
• Durations:
  • Certificates typically last 366 days, aligning with default DV settings
• Timeline:
  • Issuance ranges from late 2024 to present, directly aligning with publicly known Salt Typhoon campaign windows

Tradecraft Insights & Behavioral Patterns

Insights into Salt Typhoon’s tradecraft and behavioral patterns highlight a disciplined but contractor-driven approach that balances operational sophistication with repeatable, industrialized methods. The group consistently targets telecom and defense-adjacent infrastructure, using edge devices as durable entry points to achieve long-term persistence and intelligence collection. Their domain and infrastructure choices reveal reliance on bulk registration pipelines, shared DNS backends, and commercial DV certificates, suggesting a semi-outsourced model where private firms handle provisioning at scale. On the operational side, Salt Typhoon implants exhibit regular beaconing intervals, encrypted communications disguised as service updates, and selective exfiltration of metadata such as call records, VoIP configs, and lawful intercept logs. Despite attempts at obfuscation, their preference for predictable domain theming, clustering around specific registrars, and infrastructure overlaps across campaigns creates investigative seams that defenders can exploit, underscoring the tension between scalability and stealth in their tradecraft.

Strategic Implications

Salt Typhoon’s infrastructure carries clear strategic implications for both attribution and defense. Its scalability, enabled by outsourced provisioning through pseudo-private contractors, shows that future campaigns can be rapidly spun up with minimal overhead. At the same time, the template-driven nature of its setup, relying on recurring domain themes, registrar preferences, and automation pipelines, introduces predictable patterns that defenders can baseline and monitor. Most importantly, persistent OPSEC lapses such as the reuse of identical fake personas, recycled name server and certificate infrastructure, and reliance on a small pool of providers (notably PDR, MonoVM, and GMO) create durable fingerprints. This combination of scale and sloppiness means Salt Typhoon campaigns can be tracked over time using passive DNS clustering, SSL certificate pivots, registrar telemetry, and persona overlap, offering defenders viable opportunities to anticipate and disrupt the group’s infrastructure before it matures into active operations.

Salt Typhoon’s infrastructure is:

• Scalable: suggesting outsourced provisioning,
• Template-driven: exposing predictable setup patterns,
• Attributable: due to OPSEC oversights and reuse of NS/CN/IPs.

These characteristics make it possible to track future campaigns using:

• Passive DNS clusters
• Reused fake personas or address strings
• SSL cert patterns
• Registrar telemetry from known providers (PDR, MonoVM, GMO)

Targeting Profiles

Named Individuals & Indictments

Public attribution of Salt Typhoon’s operations has revealed the involvement of named Chinese nationals tied to cyberespionage infrastructure, contractor networks, and front companies aligned with the Ministry of State Security (MSS). These individuals have been subject to U.S. indictments, sanctions, and international arrest warrants, providing rare legal and intelligence visibility into the human operators behind Salt Typhoon’s campaigns.

Yin Kecheng

• Status: Indicted (DOJ), Sanctioned (OFAC), FBI wanted; $2 million reward issued for information leading to arrest.
• Role: Key infrastructure operator and hacker for Salt Typhoon; believed to have led or coordinated exfiltration and long-term C2 operations.
• Affiliations: Tied to Sichuan Juxinhe Network Technology Co., Ltd., a front company sanctioned by the U.S. for enabling espionage against U.S. telecom providers.
• Links to i-SOON: Embedded in broader contractor ecosystem supporting MSS-directed cyber ops (Source: DOJ, NextGov, FBI).

Role: MSS-affiliated infrastructure operator and intrusion specialist
Affiliation: Sichuan Juxinhe Network Technology Co., Ltd.
Targeting Characteristics:

‍

Motivation Profile:
Yin’s role suggests a SIGINT-centric mission, focused on covert, technical persistence inside telecommunications networks to enable real-time surveillance and metadata harvesting on behalf of the MSS.

Zhou Shuai (aka “Coldface”)

• Status: Indicted (DOJ), Sanctioned (OFAC), FBI wanted; $2 million reward offered.
• Role: Broker and strategic operator involved in Salt Typhoon’s data resale and operational planning.
• Affiliations:
  • Former employee of Shanghai Heiying Information Technology Co., Ltd., a data brokerage firm sanctioned for selling compromised infrastructure access.
  • Worked within the Strategic Consulting Division of i-SOON, an MSS-linked contractor with deep involvement in cyberespionage tooling and infrastructure provisioning.
• Activities: Played a role in coordinating front-company logistics, C2 setup, and interfacing with MSS tasking structures (Source: DOJ, FBI, IC3).

Role: Strategic broker, contractor liaison, infrastructure manager
Affiliation: Shanghai Heiying Information Tech, i-SOON Strategic Consulting Division
Targeting Characteristics:

‍

Operational Synergy Between Yin & Zhou

‍

Implications for Attribution & Defense

The identification of Yin Kecheng and Zhou Shuai as central figures within Salt Typhoon's operational structure illustrates the group’s hybridized threat architecture, wherein distinct roles are distributed between technical operators and strategic brokers. This configuration is emblematic of a broader trend in Chinese cyber espionage: the convergence of state objectives with contractor-enabled execution.

• Yin Kecheng, operating within the i‑SOON-aligned ecosystem and affiliated with Sichuan Juxinhe Network Technology Co., Ltd., is positioned as a core technical enabler—responsible for domain infrastructure, implant deployment, and network exploitation. His work supports the persistent collection of high-value SIGINT from U.S. and allied telecommunications systems.
  
• In contrast, Zhou Shuai (alias Coldface), as an indicted operator and data broker behind Shanghai Heiying Information Technology, represents the strategic/logistical tier of the adversary model. His activities center on the resale, exfiltration coordination, and monetization of stolen data, often functioning as a bridge between operational teams and institutional customers (e.g., MSS units or secondary clients).
  

Together, these roles reinforce three defining characteristics of Salt Typhoon:

1. A Layered Adversary Model: Salt Typhoon is structured to separate tasking, execution, and monetization across organizational layers, mirroring corporate operational design. Strategists like Zhou interface with planners and consumers of intelligence, while technicians like Yin handle access and persistence operations.
   
2. Geopolitically Aligned SIGINT Targeting: The campaigns attributed to Salt Typhoon are consistent with Chinese state intelligence priorities: telecommunications metadata, National Guard network maps, lawful intercept systems, and VoIP infrastructure—each of which supports surveillance, counterintelligence, and wartime preparation objectives.
   
3. Deniable Outsourcing through i‑SOON and Pseudo-Private Fronts: The use of companies such as i‑SOON, Juxinhe, and Heiying exemplifies the PRC’s plausible deniability strategy, delegating technical tradecraft to commercial entities while maintaining indirect command-and-control via the Ministry of State Security. This contractor-enabled cyber espionage model provides scalability, compartmentalization, and diplomatic insulation.
   

In total, the Yin Zhou configuration is a case study in modern Chinese cyber operational design: contractor-driven, state-aligned, and strategically layered, with each actor occupying a clearly defined but mutually reinforcing position within the broader offensive ecosystem.

Final Assessment

Salt Typhoon stands as a premier exemplar of Ministry of State Security (MSS)-directed cyber espionage, executed through a contractor-enabled operational model that blends state tasking with private-sector tradecraft. This group embodies the evolving doctrine of the Chinese cyber apparatus: plausibly deniable intrusion capability at scale, leveraging a network of technology firms, freelance operators, and corporate front entities.

Salt Typhoon’s operational architecture is significantly shaped by its integration with firms like i‑SOON (Anxun Information Technology Co., Ltd.), as well as affiliated contractors such as Sichuan Juxinhe and Shanghai Heiying. These organizations provide both the logistical substrate, domain registrations, infrastructure management, and toolkits, and the personnel support needed to execute MSS priorities without direct attribution. This contractor hybridization illustrates the maturation of China’s cyber outsourcing economy, where state objectives are achieved via technically sophisticated but commercially masked operations.

From a detection and tracking perspective, Salt Typhoon represents one of the most publicly exposed and traceable “Typhoon” groups to date. Their repeated use of:

• ProtonMail email accounts,
  
• fabricated U.S.-based personas, and
  
• consistent  domain naming and hosting practices
  

has enabled defenders to build infrastructure-based detections, correlate activity across campaigns, and map the actor’s footprint across global telco and government targets.

Despite these OPSEC lapses, Salt Typhoon has demonstrated high capability in: long-dwell access; lawful intercept system compromise; and configuration hijacking across telecom, defense, and critical infrastructure layers.

The group’s campaigns, tools, and contractor dependencies reflect a broader shift within Chinese offensive cyber strategy, away from monolithic APT groups and toward fragmented, contractor-leveraged, industrial-scale operations. This model poses significant challenges for attribution, legal countermeasures, and international response.

In sum, Salt Typhoon is not merely another state-backed APT. It is a prototype of China’s next-generation cyber espionage model, where covert access is privatized, capabilities are modular, and deniability is built into every layer of the intrusion lifecycle.

APPENDIX A:

DOSSIERS

Dossier: Named Individuals of Salt Typhoon

Dossier: Yin Kecheng (尹克成)

• Name: Yin Kecheng
  
• Alias: YKCAI (Federal Bureau of Investigation)
  
• Nationality: Chinese (Federal Bureau of Investigation)
  
• Date of Birth (used in filings): December 8, 1986 (Federal Bureau of Investigation)
  

Last Known Location

• Last Known Residence: Shanghai, China (Federal Bureau of Investigation)
  

Legal Status & Sanctions

• OFAC Designation: Yin Kecheng is sanctioned by the U.S. Treasury (OFAC) for his involvement in the Salt Typhoon cyber espionage campaign, including a network breach at the U.S. Department of the Treasury. (U.S. Department of the Treasury)
  
• Indictments: Charged via DOJ press releases — the March 5, 2025, Justice Department action links him to unauthorized access, data exfiltration, wire fraud, identity theft, and conspiracy with i‑SOON‑aligned actors. (Department of Justice)
  
• Reward: U.S. authorities (State Department / Transnational Organized Crime Rewards program) have offered up to $2,000,000 for information leading to his arrest or conviction. (Federal Bureau of Investigation)
  

Role and Alleged Actions

• MSS‑aligned actor: He is affiliated with (or working for) China’s Ministry of State Security (MSS) as a cyber actor. (U.S. Department of the Treasury)
  
• Infrastructure operator: Alleged to have operated or given direction over intrusions into U.S. telecom and internet service provider networks, via Sichuan Juxinhe Network Technology Co. Ltd., among others. (U.S. Department of the Treasury)
  
• Malware usage: In DOJ / FBI statements, accused of using tools such as PlugX to maintain persistence, reconnaissance, and data exfiltration from multiple victim networks. (Federal Bureau of Investigation)

Personal Details:

While Yin Kecheng has no widely publicized hacker handle like “White” or “0ktapus” actors, the following alias is mentioned in DOJ materials:

• YKCAI — Possibly short for “Yin Kecheng China AI” or a custom alias derived from initials.
  

Additional OSINT from leaks (like the i‑SOON GitHub archive) may associate email aliases, QQ numbers, or internal employee codes (e.g., ykc_ops@163[.]com, yk@isoon[.]cn) — but these have not been publicly confirmed.

Involvement in the Chinese Hacking Ecosystem

Yin Kecheng is reportedly part of:

• The contractor-enabled MSS ecosystem, specifically through Sichuan Juxinhe Network Technology Co., Ltd.
  
• This company appears to be a shell for MSS cyber ops, functioning like i‑SOON in providing leased infrastructure, phishing support, domain pipelines, etc.
  

Reports also indicate:

• Overlap with APT27 (Emissary Panda) and UNC4841 infrastructure.
  
• He is implicated in breaches of critical infrastructure, particularly telecom and data center targets in the U.S., Taiwan, and the EU.
  
• Part of a broader strategy to outsource technical operators under cover of “private” Chinese companies (like Huanyu Tianqiong and Zhixin Ruijie).
  

Position Within the Diaspora

• Not a forum-branded figure (e.g. not known to frequent Ghost Market, HackForum equivalents)
  
• Instead, fits the quasi-civilian, contractor-for-the-state model — part of China’s hacker-for-hire wave following 2018+
  
• Possibly involved in internal MSS training pipelines (speculation based on role and patterns seen in other MSS-aligned operators)
  
• May be a technical leader rather than an OPSEC/espionage strategist

Zhou Shuai ("Coldface")

Chinese Name & Translation

• Romanization: Zhou Shuai
  
• Simplified Chinese: 周帅 (Zhōu Shuài)
  
  • 周 (Zhōu) — a common Chinese surname
    
  • 帅 (Shuài) — means “handsome”, “commander”, or “to lead”
    

Identity & Biographical Data

Known Roles, Activities & Connections

• Data Broker & Infrastructure Operator: According to U.S. Treasury/OFAC, Zhou Shuai runs or is majority‑owner of Shanghai Heiying Information Technology Company, Limited, and is involved in brokering stolen data and network access. (U.S. Department of the Treasury)
  
• Contractor Ecosystem: He is tied to China’s “hacker‑for‑hire” ecosystem—specifically the private sector firms used by the MSS and MPS to carry out intrusions and data theft. He’s alleged to have operated both under tasking and on his own initiative. (Department of Justice)
  
• Target Types & Data: Victims include technology firms, cleared defense contractors, think tanks, government entities, foreign ministries, etc. Stolen data includes personally identifying info, telecommunications/border‑crossing data, personnel info of religious/media sectors, etc. (U.S. Department of the Treasury)
  
• Legal Charges & Sanctions: Charged by DOJ in March 2025 alongside Yin Kecheng for wire fraud, unauthorized access, identity theft, conspiracy, etc. Also sanctioned by OFAC. (U.S. Department of the Treasury)
  

Hacker Aliases & Diaspora

• Aliases:
  
  • Coldface 冷脸 (Lěng liǎn), 冷面 (Lěng miàn), 冷哥 (Lěng gē)
    
  • Coldface Chow (variant)
    
• Connection to APT Groups / Contractor Overlaps:
  
  • Zhou is named in the DOJ indictment tied to APT27 operations and alongside Yin Kecheng in large‑scale global intrusion campaigns. (Department of Justice)
    
  • He is listed in sanction documents as part of the i‑SOON contracting / hacker‑for‑hire supply chain. (Department of Justice)
    
• Activity Span: Public reports indicate activity from ~2018 through 2025. Data shows that some of his operations include brokering exfiltrated data, managing or enabling infrastructure, participating in profit‑oriented intrusions. (U.S. Department of the Treasury)
  

Front Companies & Institutional Support

• Sichuan Juxinhe Network Technology Co., Ltd.
  • Front company tied to Yin Kecheng; involved in Salt Typhoon’s infrastructure ops like domain registration and staging.
    (U.S. Department of the Treasury, Reuters)
• Shanghai Heiying Information Technology Co., Ltd.
  • Owned and operated by Zhou Shuai; used to broker stolen data and support contractor-enabled tradecraft.
    (U.S. Department of the Treasury)
• i-SOON (Anxun Information Technology Co., Ltd.)
  • Recruiter and operational facilitator blending covert state tasking (MSS/MPS) with outsourced hacker-for-hire ecosystems.
  • Employed both Yin and Zhou (or their firms) for domain, server, and tooling infrastructure provisioning.
    (Federal Bureau of Investigation, Department of Justice)

Summary Table of Salt Typhoon known actors

‍

APPENDIX B:

Salt Typhoon (IOCs) and TTP’s

Indicators of Compromise (IOCs)

Salt Typhoon operations leave behind both infrastructure and behavioral indicators:

• Infrastructure Domains: Numerous domains registered with fraudulent U.S. personas; some linked to contractor ecosystems such as i-SOON.
  
• Malware Implants: Bespoke router firmware/rootkits deployed on Cisco, Ivanti, and Palo Alto devices to enable long-dwell persistence.
  
• Certificates: Use of self-signed TLS certificates on C2 servers to blend into encrypted traffic.
  
• Network Artifacts:
  
  • Modified router configs with unauthorized SSH authorized_keys entries.
    
  • Indicators of lawful intercept logs exfiltrated from telecom systems.
    
• Observed CVEs exploited:
  
  • Cisco IOS XE Web UI (CVE-2023-20198)
    
  • Ivanti Connect Secure Authentication Bypass (CVE-2023-35082)
    
  • Palo Alto PAN-OS GlobalProtect flaws (CVE-2024-3400 series).
    

Indicator of Compromise (IOCs) – Salt Typhoon Telco Campaigns

Name Server Hosts/IPs:

• irdns.mars.orderbox-dns.com
• ns4.1domainregistry.com
• ns1.value-domain.com
• earth.monovm.com, mars.monovm.com

IP Cluster:

• 162.251.82.125, 162.251.82.252, 172.64.53.3

SSL Certificate Indicators:

• Common Names (CN):
  • *.myorderbox.com
  • www.solveblemten.com
• Issuers:
  • GoDaddy Secure CA – G2
  • Sectigo RSA DV CA

Malware/Toolkit Hashes (from public reporting)*:

(Note: full hashes not released publicly for Demodex/SigRouter due to classified status. Sample placeholders below.)

• Demodex (custom rootkit):
  • SHA256 (sample): 6a2f9a...e3b1b7a
• SigRouter:
  • SHA256 (sample): d23cb5...af3f8b2
• China Chopper Web Shell:
  • MD5: e99a18c428cb38d5f260853678922e03

Other:

• Email Infrastructure:
  • ProtonMail accounts (used in Whois): e.g., ethdbnsnmskndjad55@protonmail.com
• Whois Fake Registrants:
  • “Shawn Francis”, “Monica Burch”, “Tommie Arnold”

Domains Created:

aria-hidden.com  

asparticrooftop.com  

availabilitydesired.us  

caret-right.com  

chekoodver.com  

clubworkmistake.com  

col-lg.com  

dateupdata.com  

e-forwardviewupdata.com  

fessionalwork.com  

fitbookcatwer.com  

fjtest-block.com  

gandhibludtric.com  

gesturefavour.com  

getdbecausehub.com  

hateupopred.com  

incisivelyfut.com  

lookpumrron.com  

materialplies.com  

onlineeylity.com  

redbludfootvr.com  

requiredvalue.com  

ressicepro.com  

shalaordereport.com  

siderheycook.com  

sinceretehope.com  

solveblemten.com  

togetheroffway.com  

toodblackrun.com  

troublendsef.com  

verfiedoccurr.com  

waystrkeprosh.com  

xdmgwctese.com  

Personae Used

‍

Protonmail Use:

‍

ATT&CK Mapping:

MITRE ATT&CK Mapping – Salt Typhoon (Telco Operations)

‍

Tactics, Techniques, and Procedures (TTPs)

Initial Access

• Exploitation of router, firewall, and VPN gateway vulnerabilities to penetrate telecom and military networks.
  
• Targeting network edge devices as initial footholds — chosen for both persistence and data collection value.
  

Persistence

• Deployment of firmware/rootkit implants on routers and firewalls to maintain covert, long-term access.
  
• Modification of SSH authorized_keys for persistence across reboots (MITRE ATT&CK T1098.004).
  

Privilege Escalation & Defense Evasion

• Abuse of SeDebugPrivilege, token adjustments, and LOLBINs to escalate rights and avoid detection.
  
• Use of encoded PowerShell commands and service manipulation to obscure activity.
  
• Config hijacking and log manipulation on telecom infrastructure devices.
  

Credential Access

• Dumping credentials via comsvcs.dll with rundll32.
  
• Keying into router/vpn credential stores for lateral expansion.
  

Discovery

• Network mapping using tasklist, wevtutil, and queries of machine GUIDs and crypto keys.
  

Lateral Movement

• Leveraging trusted ISP-to-ISP connections to pivot into partner environments.
  
• VPN exploitation to move laterally across National Guard and defense-adjacent networks.
  

Collection & Exfiltration

• Harvesting:
  
  • Subscriber metadata & CDRs (Call Detail Records)
    
  • VoIP configurations
    
  • Lawful intercept logs
    
  • Incident response playbooks (from military networks).
    
• Data staged within compromised routers before exfiltration to external C2.
  

Command & Control (C2)

• Use of beacon-based implants masquerading as legitimate Zero Trust or router monitoring tools (e.g., Shadow Network/Defense from Huanyu Tianqiong).
  
• TLS-encrypted channels with minimal jitter to blend into telecom backbone traffic.
  

Strategic Patterns

• Focus: Telecommunications and military/defense-adjacent networks for SIGINT.
  
• Contractor Integration: Heavy reliance on MSS-linked companies (Juxinhe, Zhixin Ruijie, Huanyu Tianqiong) and overlaps with i-SOON infrastructure.
  
• Long-Dwell Operations: Persistence for months/years in backbone routers, enabling surveillance at scale.
  
• Geographic Reach: Over 600 organizations breached worldwide, including 200 in the U.S. and operations across 80+ countries.

APPENDIX C: Corporate Connections

Contents:
Part I: Technical Analysis
Part II: Goals Analysis
Part III: Threat Intelligence Report

Executive Summary

A rare and revealing breach attributed to a North Korean-affiliated actor, known only as “Kim” as named by the hackers who dumped the data, has delivered a new insight into Kimsuky (APT43) tactics, techniques, and infrastructure. This actor's operational profile showcases credential-focused intrusions targeting South Korean and Taiwanese networks, with a blending of Chinese-language tooling, infrastructure, and possible logistical support. The “Kim” dump, which includes bash histories, phishing domains, OCR workflows, compiled stagers, and rootkit evidence, reflects a hybrid operation situated between DPRK attribution and Chinese resource utilization.

This report is broken down into three parts: 

• Technical Analysis of the dump materials
• Motivation and Goals of the APT actor (group)
• A CTI report compartment for analysts

While this leak only gives a partial idea of what the Kimusky/PRC activities have been, the material provides insight into the expansion of activities, nature of the actor(s), and goals they have in their penetration of the South Korean governmental systems that would benefit not only DPRK, but also PRC.

Without a doubt, there will be more coming out from this dump in the future, particularly if the burned assets have not been taken offline and access is still available, or if others have cloned those assets for further analysis. We may revisit this in the future if additional novel information comes to light.

Part I: Technical Analysis

The Leak at a Glance

The leaked dataset attributed to the “Kim” operator offers a uniquely operational perspective into North Korean-aligned cyber operations. Among the contents were terminal history files revealing active malware development efforts using NASM (Netwide Assembler), a choice consistent with low-level shellcode engineering typically reserved for custom loaders and injection tools. These logs were not static forensic artifacts but active command-line histories showing iterative compilation and cleanup processes, suggesting a hands-on attacker directly involved in tool assembly.

In parallel, the operator ran OCR (Optical Character Recognition) commands against sensitive Korean PDF documents related to public key infrastructure (PKI) standards and VPN deployments. These actions likely aimed to extract structured language or configurations for use in spoofing, credential forgery, or internal tool emulation.

Privileged Access Management (PAM) logs also surfaced in the dump, detailing a timeline of password changes and administrative account use. Many were tagged with the Korean string 변경완료 (“change complete”), and the logs included repeated references to elevated accounts such as oracle, svradmin, and app_adm01, indicating sustained access to critical systems.

The phishing infrastructure was extensive. Domain telemetry pointed to a network of malicious sites designed to mimic legitimate Korean government portals. Sites like nid-security[.]com were crafted to fool users into handing over credentials via advanced AiTM (Adversary-in-the-Middle) techniques.

Finally, network artifacts within the dump showed targeted reconnaissance of Taiwanese government and academic institutions. Specific IP addresses and .tw domain access, along with attempts to crawl .git repositories, reveal a deliberate focus on high-value administrative and developer targets.

Perhaps most concerning was the inclusion of a Linux rootkit using syscall hooking (khook) and stealth persistence via directories like /usr/lib64/tracker-fs. This highlights a capability for deep system compromise and covert command-and-control operations, far beyond phishing and data theft.

Artifacts recovered from the dump include:

• Terminal history files demonstrating malware compilation using NASM
  
• OCR commands parsing Korean PDF documents related to PKI and VPN infrastructure
  
• PAM logs reflecting password changes and credential lifecycle events
  
• Phishing infrastructure mimicking Korean government sites
  
• IP addresses indicating reconnaissance of Taiwanese government and research institutions
  
• Linux rootkit code using syscall hooking and covert channel deployment
  

Credential Theft Focus

The dump strongly emphasizes credential harvesting as a central operational goal. Key files such as 136백운규001_env.key (The presence of 136백운규001_env.key is a smoking gun indicator of stolen South Korean Government PKI material, as its structure (numeric ID + Korean name + .key) aligns uniquely with SK GPKI issuance practices and provides clear evidence of compromised, identity-tied state cryptographic keys.) This was discovered alongside plaintext passwords, that indicate clear evidence of active compromise of South Korea’s GPKI (Government Public Key Infrastructure). Possession of such certificates would allow for highly effective identity spoofing across government systems.

PAM logs further confirmed this focus, showing a pattern of administrative account rotation and password resets, all timestamped and labeled with success indicators (변경완료: Change Complete). The accounts affected were not low-privilege; instead, usernames like oracle, svradmin, and app_adm01, often used by IT staff and infrastructure services, suggested access to core backend environments.

These findings point to a strategy centered on capturing and maintaining access to privileged credentials and digital certificates, effectively allowing the attacker to act as an insider within trusted systems.

• Leaked .key files (e.g., 136백운규001_env.key) with plaintext passwords confirm access to GPKI systems
  
• PAM logs show administrative password rotations tagged with 변경완료 (change complete)
  
• Admin-level accounts such as oracle, svradmin, and app_adm01 repeatedly appear in compromised logs
  

Phishing Infrastructure

The operator’s phishing infrastructure was both expansive and regionally tailored. Domains such as nid-security[.]com and webcloud-notice[.]com mimicked Korean identity and document delivery services, likely designed to intercept user logins or deploy malicious payloads. More sophisticated spoofing was seen in sites that emulated official government agencies like dcc.mil[.]kr, spo.go[.]kr, and mofa.go[.]kr.

Burner email usage added another layer of operational tradecraft. The address jeder97271[@]wuzak[.]com is likely linked to phishing kits that operated through TLS proxies, capturing credentials in real time as victims interacted with spoofed login forms.

These tactics align with previously known Kimsuky behaviors but also demonstrate an evolution in technical implementation, particularly the use of AiTM interception rather than relying solely on credential-harvesting documents.

• Domains include: nid-security[.]com, html-load[.]com, webcloud-notice[.]com, koala-app[.]com, and wuzak[.]com
  
• Mimicked portals: dcc.mil[.]kr, spo.go[.]kr, mofa.go[.]kr
  
• Burner email evidence: jeder97271[@]wuzak[.]com
  
• Phishing kits leveraged TLS proxies for AiTM credential capture
  

Malware Development Activity

Kim’s malware development environment showcased a highly manual, tailored approach. Shellcode was compiled using NASM, specifically with flags like -f win32, revealing a focus on targeting Windows environments. Commands such as make and rm were used to automate and sanitize builds, while hashed API call resolution (VirtualAlloc, HttpSendRequestA, etc.) was implemented to evade antivirus heuristics.

The dump also revealed reliance on GitHub repositories known for offensive tooling. TitanLdr, minbeacon, Blacklotus, and CobaltStrike-Auto-Keystore were all cloned or referenced in command logs. This hybrid use of public frameworks for private malware assembly is consistent with modern APT workflows.

A notable technical indicator was the use of the proxyres library to extract Windows proxy settings, particularly via functions like proxy_config_win_get_auto_config_url. This suggests an interest in hijacking or bypassing network-level security controls within enterprise environments.

• Manual shellcode compilation via nasm -f win32 source/asm/x86/start.asm
  
• Use of make, rm, and hash obfuscation of Win32 API calls (e.g., VirtualAlloc, HttpSendRequestA)
  
• GitHub tools in use: TitanLdr, minbeacon, Blacklotus, CobaltStrike-Auto-Keystore
  
• Proxy configuration probing through proxyres library (proxy_config_win_get_auto_config_url)

Rootkit Toolkit and Implant Structure

The Kim dump offers deep insight into a stealthy and modular Linux rootkit attributed to the operator’s post-compromise persistence tactics. The core implant, identified as vmmisc.ko (alternatively VMmisc.ko in some shells), was designed for kernel-mode deployment across multiple x86_64 Linux distributions and utilizes classic syscall hooking and covert channeling to maintain long-term undetected access.

Google Translation of Koh doc: Rootkit Endpoint Reuse Authentication Tool

“This tool uses kernel-level rootkit hiding technology, providing a high degree of stealth and penetration connection capability. It can hide while running on common Linux systems, and at the kernel layer supports connection forwarding, allowing reuse of external ports to connect to controlled hosts. Its communication behavior is hidden within normal traffic.

The tool uses binary merging technology: at compile time, the application layer program is encrypted and fused into a .ko driver file. When installed, only the .ko file exists. When the .ko driver starts, it will automatically decompress and release the hidden application-layer program.

Tools like chkrootkit, rkhunter, and management utilities (such as ps, netstat, etc.) are bypassed through technical evasion and hiding, making them unable to detect hidden networks, ports, processes, or file information.

To ensure software stability, all functions have also passed stress testing.

Supported systems: Linux Kernel 2.6.x / 3.x / 4.x, both x32 and x64 systems”.

Implant Features and Behavior

This rootkit exhibits several advanced features:

• Syscall Hooking: Hooks critical kernel functions (e.g., getdents, read, write) to hide files, directories, and processes by name or PID.
• SOCKS5 Proxy: Integrated remote networking capability using dynamic port forwarding and chained routing.
• PTY Backdoor Shell: Spawns pseudoterminals that operate as interactive reverse shells with password protection.
• Encrypted Sessions: Session commands must match a pre-set passphrase (e.g., testtest) to activate rootkit control mode.

Once installed (typically using insmod vmmisc.ko), the rootkit listens silently and allows manipulation via an associated client binary found in the dump. The client supports an extensive set of interactive commands, including:

+p              # list hidden processes

+f              # list hidden files

callrk          # load client ↔ kernel handshake

exitrk          # gracefully unload implant

shell           # spawn reverse shell

socks5          # initiate proxy channel

upload / download # file transfer interface

These capabilities align closely with known DPRK malware behaviors, particularly from the Kimsuky and Lazarus groups, who have historically leveraged rootkits for lateral movement, stealth, persistence, and exfiltration staging.

Observed Deployment

Terminal history (.bash_history) shows the implant was staged and tested from the following paths:

.cache/vmware/drag_and_drop/VMmisc.ko

/usr/lib64/tracker-fs/vmmisc.ko

Execution logs show the use of commands such as:

insmod /usr/lib64/tracker-fs/vmmisc.ko

./client 192.168.0[.]39 testtest

These paths were not random—they mimic legitimate system service locations to avoid detection by file integrity monitoring (FIM) tools.

This structure highlights the modular, command-activated nature of the implant and its ability to serve multiple post-exploitation roles while maintaining stealth through kernel-layer masking.

Strategic Implications

The presence of such an advanced toolkit in the “Kim” dump strongly suggests the actor had persistent access to Linux server environments, likely via credential compromise. The use of kernel-mode implants also indicates long-term intent and trust-based privilege escalation. The implant's pathing, language patterns, and tactics (e.g., use of /tracker-fs/, use of test passwords) match TTPs previously observed in operations attributed to Kimsuky, enhancing confidence in North Korean origin.

OCR-Based Recon

A defining component of Kim’s tradecraft was the use of OCR to analyze Korean-language security documentation. The attacker issued commands such as ocrmypdf -l kor+eng "file.pdf" to parse documents like 별지2)행정전자서명_기술요건_141125.pdf (“Appendix 2: Administrative Electronic Signature_Technical Requirements_141125.pdf”) and SecuwaySSL U_카달로그.pdf (“SecuwaySSL U_Catalog.pdf”). These files contain technical language around digital signatures, SSL implementations, and identity verification standards used in South Korea’s PKI infrastructure.

This OCR-based collection approach indicates more than passive intelligence gathering - it reflects a deliberate effort to model and potentially clone government-grade authentication systems. The use of bilingual OCR (Korean + English) further confirms the operator’s intention to extract usable configuration data across documentation types.

• OCR commands used to extract Korean PKI policy language from PDFs such as (별지2)행정전자서명_기술요건_141125.pdf and SecuwaySSL U_카달로그.pdf
  • 별지2)행정전자서명_기술요건_141125.pdf → (Appendix 2: Administrative Electronic Signature_Technical Requirements_141125.pdf
  • SecuwaySSL U_카달로그.pdf → SecuwaySSL U_Catalog.pdf
    
• Command examples: ocrmypdf -l kor+eng "file.pdf"
  

SSH and Log-Based Evidence

The forensic evidence contained within the logs, specifically SSH authentication records and PAM outputs, provides clear technical confirmation of the operator’s tactics and target focus.

Several IP addresses stood out as sources of brute-force login attempts. These include 23.95.213[.]210 (a known VPS provider used in past credential-stuffing campaigns), 218.92.0[.]210 (allocated to a Chinese ISP), and 122.114.233[.]77 (Henan Mobile, China). These IPs were recorded during multiple failed login events, strongly suggesting automated password attacks against exposed SSH services. Their geographic distribution and known history in malicious infrastructure usage point to an external staging environment, possibly used for pivoting into Korean and Taiwanese systems.

Beyond brute force, the logs also contain evidence of authentication infrastructure reconnaissance. Multiple PAM and OCSP (Online Certificate Status Protocol) errors referenced South Korea’s national PKI authority, including domains like gva.gpki.go[.]kr and ivs.gpki.go[.]kr. These errors appear during scripted or automated access attempts, indicating a potential strategy of credential replay or certificate misuse against GPKI endpoints, an approach that aligns with Kim’s broader PKI-targeting operations.

Perhaps the most revealing detail was the presence of successful superuser logins labeled with the Korean term 최고 관리자 (“Super Administrator”). This suggests the actor was not just harvesting credentials but successfully leveraging them for privileged access, possibly through cracked accounts, reused credentials, or insider-sourced passwords. The presence of such accounts in conjunction with password rotation entries marked as 변경완료 (“change complete”) further implies active control over PAM-protected systems during the operational window captured in the dump.

Together, these logs demonstrate a methodical campaign combining external brute-force access, PKI service probing, and administrative credential takeover, a sequence tailored for persistent infiltration and lateral movement within sensitive government and enterprise networks.

• Brute-force IPs: 23.95.213[.]210, 218.92.0[.]210, 122.114.233[.]77

• PAM/OCSP errors targeting gva.gpki.go[.]kr, ivs.gpki.go[.]kr
  
• Superuser login events under 최고 관리자 (Super Administrator)

Part II: Goals Analysis

Targeting South Korea: Identity, Infrastructure, and Credential Theft

The “Kim” operator’s campaign against South Korea was deliberate and strategic, aiming to infiltrate the nation’s digital trust infrastructure at multiple levels. A central focus was the Government Public Key Infrastructure (GPKI), where the attacker exfiltrated certificate files, including .key and .crt formats, some with plaintext passwords, and attempted repeated authentication against domains like gva.gpki.go[.]kr and ivs.gpki.go[.]kr. OCR tools were used to parse Korean technical documents detailing PKI and VPN architectures, demonstrating a sophisticated effort to understand and potentially subvert national identity frameworks. These efforts were not limited to reconnaissance; administrative password changes were logged, and phishing kits targeted military and diplomatic webmail, including clones of mofa.go[.]kr and credential harvesting through adversary-in-the-middle (AiTM) proxy setups.

Beyond authentication systems, Kim targeted privileged accounts (oracle, unwadm, svradmin) and rotated credentials to maintain persistent administrative access, as evidenced by PAM and SSH logs showing elevated user activity under the title 최고 관리자 (“Super Administrator”). The actor also showed interest in bypassing VPN controls, parsing SecuwaySSL configurations for exploitation potential, and deployed custom Linux rootkits using syscall hooking to establish covert persistence on compromised machines. Taken together, the dump reveals a threat actor deeply invested in credential dominance, policy reconnaissance, and system-level infiltration, placing South Korea’s public sector identity systems, administrative infrastructure, and secure communications at the core of its long-term espionage objectives.

Taiwan Reconnaissance

Among the most notable aspects of the “Kim” leak is the operator’s deliberate focus on Taiwanese infrastructure. The attacker accessed a number of domains with clear affiliations to the island’s public and private sectors, including tw.systexcloud[.]com (linked to enterprise cloud solutions), mlogin.mdfapps[.]com (a mobile authentication or enterprise login portal), and the .git/ directory of caa.org[.]tw, which belongs to the Chinese Institute of Aeronautics, a government-adjacent research entity.

This last domain is especially telling. Accessing .git/ paths directly implies an attempt to enumerate internal source code repositories, a tactic often used to discover hardcoded secrets, API keys, deployment scripts, or developer credentials inadvertently exposed via misconfigured web servers. This behavior points to  more technical depth than simple phishing; it indicates supply chain reconnaissance and long-term infiltration planning.

The associated IP addresses further reinforce this conclusion. All three, 163.29.3[.]119, 118.163.30[.]45, and 59.125.159[.]81, are registered to academic, government, or research backbone providers in Taiwan. These are not random scans; they reflect targeted probing of strategic digital assets.

Summary of Whois & Ownership Insights

• 118.163.30[.]45
  • Appears as part of the IP range used for the domain dtc-tpe.com[.]tw, linked to Taiwan’s HINET provider (118.163.30[.]46 )Site Indices page of HINET provider.
• 163.29.3[.]119
  • Falls within the 163.29.3[.]0/24 subnet identified with Taiwanese government or institutional use, notably in Taipei. This corresponds to B‑class subnets assigned to public/government entities IP地址 (繁體中文).
• 59.125.159[.]81
  
  • Belongs to the broader 59.125.159[.]0–59.125.159[.]254 block, commonly used by Taiwanese ISP operators such as Chunghwa Telecom in Taipei

Taken together, this Taiwan-focused activity reveals an expanded operational mandate. Whether the attacker is purely DPRK-aligned or operating within a DPRK–PRC fusion cell, the intent is clear: compromise administrative and developer infrastructure in Taiwan, likely in preparation for broader credential theft, espionage, or disruption campaigns.

• Targeted domains: tw.systexcloud[.]com, caa.org[.]tw/.git/, mlogin.mdfapps[.]com
  
• IPs linked to Taiwanese academic/government assets: 163.29.3[.]119, 118.163.30[.]45, 59.125.159[.]81
  
• Git crawling suggests interest in developer secrets or exposed tokens
  

Hybrid Attribution Model

The “Kim” operator embodies the growing complexity of modern nation-state attribution, where cyber activities often blur traditional boundaries and merge capabilities across geopolitical spheres. This case reveals strong indicators of both North Korean origin and Chinese operational entanglement, presenting a textbook example of a hybrid APT model.

On one hand, the technical and linguistic evidence strongly supports a DPRK-native operator. Terminal environments, OCR parsing routines, and system artifacts consistently leverage Korean language and character sets. The operator’s activities reflect a deep understanding of Korean PKI systems, with targeted extraction of GPKI .key files and automation to parse sensitive Korean government PDF documentation. These are hallmarks of Kimsuky/APT43 operations, known for credential-focused espionage against South Korean institutions and diplomatic targets. The intent to infiltrate identity infrastructure is consistent with North Korea’s historical targeting priorities. Notably, the system time zone on Kim's host machine was set to UTC+9 (Pyongyang Standard Time), reinforcing the theory that the actor maintains direct ties to the DPRK’s internal environment, even if operating remotely.

However, this actor’s digital footprint extends well into Chinese infrastructure. Browser and download logs reveal frequent interaction with platforms like gitee[.]com, baidu[.]com, and zhihu[.]com, highly popular within the PRC but unusual for DPRK operators who typically minimize exposure to foreign services. Moreover, session logs include simplified Chinese content and PRC browsing behaviors, suggesting that the actor may be physically operating within China or through Chinese-language systems. This aligns with longstanding intelligence on North Korean cyber operators stationed in Chinese border cities such as Shenyang and Dandong, where DPRK nationals often conduct cyber operations with tacit approval or logistical consent from Chinese authorities. These locations provide higher-speed internet, relaxed oversight, and convenient geopolitical proximity.

The targeting of Taiwanese infrastructure further complicates attribution. Kimsuky has not historically prioritized Taiwan, yet in this case, the actor demonstrated direct reconnaissance of Taiwanese government and developer networks. While this overlaps with Chinese APT priorities, recent evidence from the “Kim” dump, including analysis of phishing kits and credential theft workflows, suggests this activity was likely performed by a DPRK actor exploring broader regional interests, possibly in alignment with Chinese strategic goals. Researchers have noted that Kimsuky operators have recently asked questions in phishing lures related to potential Chinese-Taiwanese conflicts, implying interest beyond the Korean peninsula.

Some tooling overlaps with PRC-linked APTs, particularly GitHub-based stagers and proxy-resolving modules, but these are not uncommon in the open-source malware ecosystem and may reflect opportunistic reuse rather than deliberate mimicry.

IMINT Analysis: Visual Tradecraft and Cultural Camouflage

A review of image artifacts linked to the "Kim" actor reveals a deliberate and calculated use of Chinese social and technological visual content as part of their operational persona. These images, extracted from browser history and uploads attributed to the actor, demonstrate both strategic alignment with DPRK priorities and active cultural camouflage within the PRC digital ecosystem.

The visual set includes promotional graphics for Honor smartphones, SoC chipset evolution charts, Weibo posts featuring vehicle registration certificates, meme-based sarcasm, and lifestyle imagery typical of Chinese internet users. Notably, the content is exclusively rendered in simplified Chinese, reinforcing prior assessments that the operator either resides within mainland China or maintains a working digital identity embedded in Chinese platforms. Devices and services referenced, such as Xiaomi phones, Zhihu, Weibo, and Baidu, suggest intimate familiarity with PRC user environments.

Operationally, this behavior achieves two goals. First, it enables the actor to blend in seamlessly with native PRC user activity, which complicates attribution and helps bypass platform moderation or behavioral anomaly detection. Second, the content itself may serve as bait or credibility scaffolding (e.g. A framework to give the illusion of trust to allow for easier compromise ) in phishing and social engineering campaigns, especially those targeting developers or technical users on Chinese-language platforms.

Some images, such as the detailed chipset timelines and VPN or device certification posts, suggest a continued interest in supply chain reconnaissance and endpoint profiling—both tradecraft hallmarks of Kimsuky and similar APT units. Simultaneously, meme humor, sarcastic overlays, and visual metaphors (e.g., the “Kaiju’s tail is showing” idiom) indicate the actor’s fluency in PRC netizen culture and possible mockery of operational security breaches—whether their own or others’.

Taken together, this IMINT corpus supports the broader attribution model: a DPRK-origin operator embedded, physically or virtually, within the PRC, leveraging local infrastructure and social platforms to facilitate long-term campaigns against South Korea, Taiwan, and other regional targets while maintaining cultural and technical deniability.

Attribution Scenarios:

• Option A: DPRK Operator Embedded in PRC
  
  • Use of Korean language, OCR targeting of Korean documents, and focus on GPKI systems strongly suggest North Korean origin.
    
  • Use of PRC infrastructure (e.g., Baidu, Gitee) and simplified Chinese content implies the operator is physically located in China or benefits from access to Chinese internet infrastructure.
    
• Option B: PRC Operator Emulating DPRK
  
  • Taiwan-focused reconnaissance aligns with PRC cyber priorities.
    
  • Use of open-source tooling and phishing methods shared with PRC APTs could indicate tactical emulation.

The preponderance of evidence supports the hypothesis that “Kim” is a North Korean cyber operator embedded in China or collaborating with PRC infrastructure providers. This operational model allows the DPRK to amplify its reach, mask attribution, and adopt regional targeting strategies beyond South Korea, particularly toward Taiwan. As this hybrid model matures, it reflects the strategic adaptation of DPRK-aligned threat actors who exploit the permissive digital environment of Chinese networks to evade detection and expand their operational playbook.

Targeting Profiles

The “Kim” leak provides one of the clearest windows to date into the role-specific targeting preferences of the operator, revealing a deliberate focus on system administrators, credential issuers, and backend developers, particularly in South Korea and Taiwan.

In South Korea, the operator’s interest centers around PKI administrators and infrastructure engineers. The recovered OCR commands were used to extract technical details from PDF documents outlining Korea’s digital signature protocols, such as identity verification, certificate validation, and encrypted communications, components that form the backbone of Korea’s secure authentication systems. The goal appears to be not only credential theft but full understanding and potential replication of government-trusted PKI procedures. This level of targeting suggests a strategic intent to penetrate deeply trusted systems, potentially for use in later spoofing or identity masquerading operations.

In Taiwan, the operator shifted focus to developer infrastructure and cloud access portals. Specific domains accessed, like caa.org[.]tw/.git/, indicate attempts to enumerate internal repositories, most likely to discover hardcoded secrets, authentication tokens, or deployment keys. This is a classic supply chain targeting method, aiming to access downstream systems via compromised developer credentials or misconfigured services.

Additional activity pointed to interaction with cloud service login panels such as tw.systexcloud[.]com and mlogin.mdfapps[.]com. These suggest an attempt to breach centralized authentication systems or identity providers, granting the actor broader access into enterprise or government networks with a single credential set.

Taken together, these targeting profiles reflect a clear emphasis on identity providers, backend engineers, and those with access to system-level secrets. This reinforces the broader theme of the dump: persistent, credential-first intrusion strategies, augmented by reconnaissance of authentication standards, key management policies, and endpoint development infrastructure.

South Korean:

• PKI admins, infrastructure engineers
  
• OCR focus on Korean identity standards
  

Taiwanese:

• Developer endpoints and internal .git/ repos
  
• Access to cloud panels and login gateways
  

Final Assessment

The “Kim” leak represents one of the most comprehensive and technically intimate disclosures ever associated with Kimsuky (APT43) or its adjacent operators. It not only reaffirms known tactics, credential theft, phishing, and PKI compromise, but exposes the inner workings of the operator’s environment, tradecraft, and operational intent in ways rarely observed outside of active forensic investigations.

At the core of the leak is a technically competent actor, well-versed in low-level shellcode development, Linux-based persistence mechanisms, and certificate infrastructure abuse. Their use of NASM, API hashing, and rootkit deployment points to custom malware authorship. Furthermore, the presence of parsed government-issued Korean PDFs, combined with OCR automation, shows not just opportunistic data collection but a concerted effort to model, mimic, or break state-level identity systems, particularly South Korea's GPKI.

The operator’s cultural and linguistic fluency in Korean, and their targeting of administrative and privileged systems across South Korean institutions, support a high-confidence attribution to a DPRK-native threat actor. However, the extensive use of Chinese platforms like gitee[.]com, Baidu, and Zhihu, and Chinese infrastructure for both malware hosting and browsing activity reveals a geographical pivot or collaboration: a hybrid APT footprint rooted in DPRK tradecraft but operating from or with Chinese support.

Most notably, this leak uncovers a geographical expansion of operational interest; the actor is no longer solely focused on the Korean peninsula. The targeting of Taiwanese developer portals, government research IPs, and .git/ repositories shows a broadened agenda that likely maps to both espionage and supply chain infiltration priorities. This places Taiwan, like South Korea, at the forefront of North Korean cyber interest, whether for intelligence gathering, credential hijacking, or as staging points for more complex campaigns.

The threat uncovered here is not merely malware or phishing; it is an infrastructure-centric, credential-first APT campaign that blends highly manual operations (e.g., hand-compiled shellcode, direct OCR of sensitive PDFs) with modern deception tactics such as AiTM phishing and TLS proxy abuse.

Organizations in Taiwan and South Korea, particularly those managing identity, certificate, and cloud access infrastructure, should consider themselves under persistent, credential-focused surveillance. Defensive strategies must prioritize detection of behavioral anomalies (e.g., use of OCR tools, GPKI access attempts), outbound communications with spoofed Korean domains, and the appearance of low-level toolchains like NASM or proxyres-based scanning utilities within developer or admin environments.

In short: the “Kim” actor embodies the evolution of nation-state cyber threats—a fusion of old-school persistence, credential abuse, and modern multi-jurisdictional staging. The threat is long-term, embedded, and adaptive.

Part III: Threat Intelligence Report

TLP WHITE:

Targeting Summary

The analysis of the “Kim” operator dump reveals a highly focused credential-theft and infrastructure-access campaign targeting high-value assets in both South Korea and Taiwan. Victims were selected based on their proximity to trusted authentication systems, administrative control panels, and development environments.

‍

Indicators of Compromise (IOCs)

Domains

• Phishing: nid-security[.]com, html-load[.]com, wuzak[.]com, koala-app[.]com, webcloud-notice[.]com
• Spoofed portals: dcc.mil[.]kr, spo.go[.]kr, mofa.go[.]kr
• Pastebin raw links: Used for payload staging and malware delivery

IP Addresses

• External Targets (Taiwan):
  • 163.29.3[.]119     National Center for High-performance Computing
  • 118.163.30[.]45   Taiwanese government subnet
  • 59.125.159[.]81   Chunghwa Telecom
• Brute Forcing / Infrastructure Origins:
  • 23.95.213[.]210   VPS provider with malicious history
  • 218.92.0[.]210     China Unicom
  • 122.114.233[.]77  Henan Mobile, PRC

Internal Host IPs (Operator Environment)

• 192.168.130[.]117
• 192.168.150[.]117
• 192.168.0[.]39

Operator Environment: Internal Host IP Narrative

The presence of internal IP addresses such as 192.168.130[.]117, 192.168.150[.]117, and 192.168.0[.]39 within the dump offers valuable insight into the attacker’s local infrastructure, an often-overlooked element in threat intelligence analysis. These addresses fall within private, non-routable RFC1918 address space, commonly assigned by consumer off-the-shelf (COTS) routers and small office/home office (SOHO) network gear.

The use of the 192.168.0[.]0/16 subnet, particularly 192.168.0.x and 192.168.150.x, strongly suggests that the actor was operating from a residential or low-profile environment, not a formal nation-state facility or hardened infrastructure. This supports existing assessments that North Korean operators, particularly those affiliated with Kimsuky, often work remotely from locations in third countries such as China or Southeast Asia, where they can maintain inconspicuous, low-cost setups while accessing global infrastructure.

Moreover, the distinction between multiple internal subnets (130.x, 150.x, and 0.x) may indicate segmentation of test environments or multiple virtual machines running within a single NATed network. This aligns with the forensic evidence of iterative development and testing workflows seen in the .bash_history files, where malware stagers, rootkits, and API obfuscation utilities were compiled, cleaned, and rerun repeatedly.

Together, these IPs reveal an operator likely working from a clandestine, residential base of operations, with modest hardware and commercial-grade routers. This operational setup is consistent with known DPRK remote IT workers and cyber operators who avoid attribution by blending into civilian infrastructure. It also suggests the attacker may be physically located outside of North Korea, possibly embedded in a friendly or complicit environment, strengthening the case for China-based activity by DPRK nationals.

MITRE ATT&CK Mapping

‍

Tooling and Capabilities

The actor’s toolkit spans multiple disciplines, blending malware development, system reconnaissance, phishing, and proxy evasion:

• NASM-based shellcode loaders: Compiled manually for Windows execution.
• Win32 API hashing: Obfuscated imports via hashstring.py to evade detection.
• GitHub/Gitee abuse: Tooling hosted or cloned from public developer platforms.
• OCR exploitation: Used ocrmypdf to parse Korean PDF specs related to digital certificates and VPN appliances.
• Rootkit deployment: Hidden persistence paths including /usr/lib64/tracker-fs and /proc/acpi/pcicard.
• Proxy config extraction: Investigated PAC URLs using proxyres-based recon.

Attribution Confidence Assessment

Assessment: The actor appears to be a DPRK-based APT operator working from within or in partnership with Chinese infrastructure, representing a hybrid attribution model.

Defensive Recommendations

APPENDIX A

Overlap or Confusion with Chinese Threat Actors

There is notable evidence of operational blur between Kimsuky and Chinese APTs in the context of Taiwan. The 2025 “Kim” data breach revealed an attacker targeting Taiwan whose tools and phishing kits matched Kimsuky’s, yet whose personal indicators (language, browsing habits) suggested a Chinese national. Researchers concluded this actor was likely a Chinese hacker either mimicking Kimsuky tactics or collaborating with them.. In fact, the leaked files on DDoS Secrets hint that Kimsuky has “openly cooperated with other Chinese APTs and shared their tools and techniques”. This overlap can cause attribution confusion - a Taiwan-focused operation might initially be blamed on China but could involve Kimsuky elements, or vice versa. So far, consensus is that North Korean and Chinese cyber operations remain separate, but cases like “Kim” show how a DPRK-aligned actor can operate against Taiwan using TTPs common to Chinese groups, muddying the waters of attribution.

File List from dump:

Master Evidence Inventory:

Deceptive websites are mimicking popular Android application install pages on the Google Play Store to lure victims into downloading AndroidOS SpyNote malware, a potent Android RAT used for surveillance, data exfiltration, and remote control. This report highlights the resurfacing of SpyNote activity by the same actor in the previous DTI report in April and provides additional information around the recent activity and changes in tactics since the prior report. Notably, the actor made minor changes in IP resolutions and added additional anti-analysis in the APK dropper in an attempt to protect the SpyNote payload from detection.

Details

SpyNote is a highly intrusive Android Remote Access Trojan (RAT) with extensive capabilities for surveillance, data exfiltration, and device manipulation. It can remotely control a device’s camera and microphone, manage phone calls, and execute commands. Of particular concern is its keylogging functionality, which targets application credentials and abuses Android’s Accessibility Services to steal two-factor authentication (2FA) codes. Beyond data theft, SpyNote can also perform on-device actions like displaying overlay attacks for clickjacking. If granted administrator privileges, it gains the power to remotely wipe data, lock the device, or install additional malicious applications, making it a formidable threat for espionage and cybercrime.

The pages shown below are static clones, using HTML and CSS copied from the actual Google Play Store to appear legitimate. Their primary purpose is to trick users into downloading and installing an Android application package (.apk file). The “Install” button triggers a JavaScript function to download an .apk file directly from the malicious website.

Delivery Domain Registration and Website Patterns

Registrar

• NameSilo, LLC
• XinNet Technology Corporation

IP ISP:

• Lightnode Limited
• Vultr Holdings LLC

SSL Issuer:

• R10
• R11

Nameserver

• dnsowl[.]com
• xincache[.]com

Server Type:

• nginx

Prominent IP Resolved:

• 154.90.58[.]26
• 199.247.6[.]61

Frequent HTML Code Inclusions

• https[:]//unpkg[.]com/current-device@0.10.2/umd/current-device.min.js
• “sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE”
• “PJKdyVFC5jlu_l8Wo_hirJkhs1cmitmn44fgpOc3zFc”

Malware Delivery Website Review

The download() function is the core of the page’s malicious functionality.

It creates a hidden iframe and sets its source to a JavaScript URI that triggers a navigation to Chrome.apk. This is a common technique to initiate a file download from the browser without the user leaving the current page.

Malware Execution

1. Initial Dropper Decrypts Payload: The first APK reads encrypted assets, generates a key from its manifest, and decrypts the second-stage SpyNote payload.

The malware employs a dynamic payload technique to conceal its primary functions, loading them from a separate file only after the application is installed and running. This is achieved using a code injection method known as DEX Element Injection. The malware uses reflection to access and modify the app’s core ClassLoader at runtime, inserting its own malicious code elements at the very beginning of the code lookup path. This forces the Android system to prioritize and execute the malicious code over the app’s legitimate code, enabling it to bypass static security analysis and hijack application functions to intercept data.

The AndroidManifest file is protected and contains details needed to retrieve the AES decryption key from the Chrome.apk. In this case, the package name “rogcysibz.wbnyvkrn.sstjjs” is needed to retrieve the 16-byte AES key “62646632363164386461323836333631”.

Chrome.apk (Dropper)
48aa5f908fa612dcb38acf4005de72b9379f50c7e1bc43a4e64ce274bb7566e8

Classes.dex (SpyNote)
86e8d3716318e9bb63b86aebe185db5db6718cb3ddea7fbafefa8ebfb674b9e8

Decrypted 000 + 001 (SpyNote * its assets/base dex File containing its C2 configurations)
b81febd19a457e6814d7e28d68742ae25fc4cf6472289a481e262048e9d8eee4
703d62470d31866ccecb66f0083084c478e9e92916041216ec8d839afed0d0d6

Within the assets/base/ folder there are two files: 000 and 001. The dropper essentially works by joining the 000 and 001 files (combined_assets). It then decrypts the combined assets with the AES key before gzip decompresses it. The resulting file is the SpyNote APK, which it loads in. This happens once the user installs the dropper, runs it, and taps a prompt in the app’s load screen. The decrypted file is another APK that the dropper loads which contains the main SpyNote functionality and configuration details for the command-and-control server (C2).

2. SpyNote Payload Loads C2 Logic: The main SpyNote APK dynamically loads another DEX file from its own `assets/base` folder. This DEX file contains the actual C2 connection logic.

3. C2 Logic Establishes Connection: The dynamically loaded DEX file contains the code to build the WebSocket URL for the C2 server.

In previously reported configurations, the C2s were hardcoded directly in the functions for sending traffic. In recent samples, they use control flow obfuscation and identifier obfuscation through random variations of o, O, and 0 for all names in an attempt to make it difficult to understand the program’s logic through static analysis.

Sample identifier obfuscation in a loaded DEX file:

4. C2 Domain Selection Logic: A utility method selects a domain from a predefined list, making the malware more resilient.

5. Hardcoded C2 Domain List: The final destination is a simple class that acts as a container for the hardcoded C2 domains.

Threat Actor Analysis

The threat actor distributing SpyNote malware exhibits persistence and limited technical adaptability. They consistently use deceptive Google Play Store clones to lure victims, a social engineering tactic that remains central to their operations. Despite previous exposure, their infrastructure remains confined to two primary IP addresses, showing a restricted capacity for diversification, though they do rotate specific IP resolutions. The anti-analysis techniques used in their APK droppers are relatively simple, employing basic obfuscation and dynamic payload decryption to protect the SpyNote payload.

The APK filenames suggest the spoofed brands or applications fall into these categories:

• Social & Dating Apps: iHappy, CamSoda, Kismia, yome, TmmTmm
• Gaming Apps: 8 Ball Pool, Block Blast
• General Utility/Productivity Apps: Chrome, meus arquivos 2025, Beauty, Faísca Inicial, Compras Online, LoveVideo, GlamLive, Holding Hands

This actor is suspected of broadly targeting consumers with lures mimicking popular applications, including those related to fashion, social networking, and general utilities, as well as ubiquitous apps like Chrome and Zoom. This wide net, coupled with the surveillance and data exfiltration capabilities of SpyNote, strongly suggests a financially motivated objective. While the delivery code contains Chinese language comments, the specific attribution for this persistent and opportunistic threat actor remains unknown.

Conclusion

This report details a persistent SpyNote malware campaign by an actor relying on deceptive Google Play Store clones for delivery. Key technique changes were the dynamic payload decryption and DEX element injection used by the initial dropper, which conceals SpyNote’s core functions and hijacks app behavior, and the control flow and identifier obfuscation applied to the C2 logic to hinder static analysis. The actor’s limited infrastructure adaptability and broad consumer targeting for financial gain highlight their opportunistic yet effective approach. This persistent activity underscores the ongoing threat of mobile RATs and the need for continuous vigilance against social engineering tactics, even from actors with limited technical sophistication.

Security Recommendations

To better protect consumers from threats like SpyNote, key players in the security ecosystem can enhance their defenses:

Browser Developers: Consider strengthening built-in malicious site warnings to automatically flag and block access to deceptive download pages such as fake Google Play Store sites. This helps users avoid suspicious sites entirely.

Android Antivirus Providers and Mobile OS Developers: Focus on advancing automated analysis of app downloads to quickly detect and prevent the installation of harmful software, even when it tries to hide. This provides a crucial layer of defense directly on the device.

Mobile VPN Providers: Explore integrating network-level security features that automatically filter out or alert to connections to known malicious servers. This adds another protective barrier, stopping threats before they can reach the user’s device.

IOCs

Malware Delivery

‍

Droppers

‍

‍SpyNote

‍

Command & Control

‍

Shodan Hunting Queries

Tip: Look for fake Google Play Store sites or suspicious iframe JavaScript sources for file downloads.

‍

SpyNote Mobile ATT&CK Matrix

Reference: https://attack.mitre.org/matrices/mobile/

‍

Introduction

Over the last five years, the Democratic People’s Republic of Korea (DPRK) has transitioned from smash-and-grab cryptocurrency raids to a more covert, scalable model of economic warfare: the global deployment of disguised IT workers.

Orchestrated by elite units under the Reconnaissance General Bureau (RGB), these operatives acquire remote employment with U.S. and international tech firms using forged or stolen identities. Once embedded, they receive crypto-based salaries and redirect those earnings into the DPRK’s economy via a network of laundering nodes, front companies, and domain infrastructure.

This report maps the entire ecosystem: key actors, GitHub aliases, laundering flows, shell companies, fake domains, platform infiltration, wallet infrastructure, and global enablers. We also examine the national security implications of the scheme, as well as how lax corporate hiring standards allowed North Korean operatives not just to get paid, but to access critical infrastructure, intellectual property, and production code.

Key Actors and Their Roles

Central Command: Song Kum Hyok & the Andariel Subgroup

At the operational core of North Korea’s disguised IT labor campaign stands Song Kum Hyok, a senior officer within the Andariel subgroup, one of the Reconnaissance General Bureau’s (RGB) elite cyber units. The RGB, North Korea’s main foreign intelligence service, directs both offensive cyber operations and covert economic warfare efforts, and Song’s role straddles both.

Hyok has long been involved in digital identity manipulation, remote access infrastructure, and dark market employment pipelines. Intelligence archives suggest that before assuming his current role, he was linked to multiple Andariel operations involving ransomware staging servers and social engineering against South Korean financial firms.

In the IT worker scheme, Song Kum Hyok is the strategic coordinator of identity theft and resume forgery, enabling North Korean engineers to present themselves as legitimate U.S. based freelancers. North Korea’s decentralized cyber-labor offensive hinges on stolen and curated identities—complete with names like Joshua Palmer, Sandy Nguyen, and GitHub handles such as devmad119 and sujitb2114. These identities often include verified Know Your Customer (KYC) data: Social Security numbers, clean background checks, and even Green Card scans, sourced from data breaches or underground markets.

Operatives use these identity packages to craft professional-grade resumes and LinkedIn profiles, frequently enhanced with AI-generated content and real or fabricated employment histories. They apply to remote jobs on freelancing platforms such as Upwork, Ureed, or the now-defunct Nabbesh, exploiting weak or automated verification and HR onboarding systems in U.S. companies.

Once hired, they gain access to internal tools and sensitive systems: GitHub repositories, Slack channels, financial dashboards, CI/CD pipelines, and privileged cloud infrastructure. From this vantage point, they can siphon intellectual property, embed backdoors, and surveill company operations—all while appearing to be legitimate remote hires. This seamless path, from stolen identity to embedded insider—is the operational backbone of Pyongyang’s covert cyber-espionage labor force.

Once North Korean operatives are embedded in foreign companies, their wages, often paid in cryptocurrencies as well as financial transfers through banks are routed through a meticulously layered laundering process. The first stop is typically a GitHub-linked wallet address associated with the operative’s fake identity (e.g., aliases like “devmad119” or “Joshua Palmer”). From there, the funds may flow into front companies such as Hopana-Tech LLC which act as legitimate salary processors. To further obscure the money trail, salaries are split across multiple wallets using automated smart contracts, a tactic designed to fragment and anonymize the source of funds. Finally, the dispersed assets are aggregated and cashed out via over-the-counter (OTC) crypto brokers based in Russia, the UAE, and China, jurisdictions known for permissive financial enforcement. This end-to-end pipeline creates a resilient and stealthy mechanism for the DPRK to funnel hard currency back into its economy while bypassing international sanctions.

Hyok’s innovation lies in combining AI-generated job profiles with pre-cleared identity data and military operational discipline. Under his supervision, the scheme has moved from ad hoc fraud to a scalable, persistent economic attack model yielding millions of dollars annually for North Korea’s weapons programs while hiding in plain sight inside the legitimate global economy.

U.S. Frontman: Kejia Wang

From a quiet address in Edison, New Jersey, Kejia Wang, also known as Tony Wang, ran one of the most critical nodes in North Korea’s international cyber-laundering apparatus. His residence at 65 Idlewild Road wasn’t just a suburban home; it was the physical anchor for a web of front companies, remote device hubs, and disguised income laundering pipelines that allowed DPRK IT workers to embed themselves inside U.S. companies.

Wang operated under the radar, founding multiple businesses that appeared legitimate on paper but functioned primarily as pass-through entities for laundering salaries earned under false identities. These businesses included tech fronts, aviation firms, and even a massage parlor, each playing a role in the deception.

The most visible of these fronts was the Highland Park 215 Spa, located just a few miles from Wang’s listed residence. Officially a wellness spa, it appears to have functioned as a cash-out hub for crypto proceeds tied to North Korean developers. Its web presence was thin and reviews inconsistent, offering more red flags than relaxation.

Wang’s activities extended far beyond shell paperwork. He physically received laptops sent by U.S. companies hiring remote workers and connected them to internet-facing KVM switches. These switches allowed DPRK operatives, posing under names like “Joshua Palmer” or GitHub aliases like “devmad119”, to work as though they were based in the U.S. He also installed unauthorized software, managed credentials, and monitored access on behalf of the regime.

To keep the deception watertight, Wang opened corporate bank accounts, created digital presences for the fake companies, and maintained financial rails through platforms like Wise, Zelle, and Payoneer. His shell entities even issued IRS tax forms using stolen identity data, giving employers the impression that their freelance hires were tax-compliant U.S. residents.

Wang coordinated with a global network of co-conspirators, including Zhenxing Wang and Jing Bin Huang in China, Mengting Liu in Taiwan, and crypto brokers in the UAE and Russia. These connections formed the infrastructure that allowed funds from unsuspecting U.S. firms, including those in the defense sector, to end up in wallets controlled by the North Korean regime.

Court filings in DOJ case 25-cr-10274 paint a damning picture: Kejia Wang was not only aware that the workers were North Korean nationals, but also actively facilitated the laundering of more than $5 million in wages tied to fraud, of which at least $3 million resulted in direct corporate losses.

From his role as a logistics manager to a shell company architect, Wang helped build a shadow economy inside the legitimate global tech labor force, an economy designed to fund weapons development, evade sanctions, and penetrate sensitive digital infrastructure with ease.

Laptop Farms and Stolen Identities: Christina Chapman

Laptop farms function as remote access deception hubs, allowing foreign operatives to convincingly impersonate U.S.based employees. In this scheme, the perpetrators acquire and configure laptops sent by U.S. companies to individuals they believe are legitimate remote hires. These devices are logged into and maintained from U.S. soil, typically through physical setups in homes or small offices, so that all network traffic and telemetry appear domestic. The key to this illusion is identity theft. Recently, the DOJ indicted Christina Chapman, a facilitator in Arizona, who ran “Laptop Farms”. Once the hiring process was complete, victim companies would ship work laptops and grant access to sensitive systems, unaware that the real end users were North Korean nationals abroad. Chapman’s role was not only to receive and activate these laptops but to maintain them for continuous remote access, ensuring that DPRK operatives could stay invisible behind American identities.

Platform Penetration & Global Expansion

As enforcement tightened on global freelancing hubs such as Upwork, Fiverr, and Freelancer.com, North Korean IT operatives expanded their focus to less-regulated, regionally focused gig platforms, particularly in the Middle East and North Africa (MENA). While major global platforms like Upwork and Freelancer still see DPRK IT worker recruitment, intelligence gathered throughout 2024 and 2025 indicates a broader strategy to infiltrate various online platforms. These platforms became attractive to DPRK-aligned actors due to their comparatively lenient onboarding processes, minimal identity verification, and weak vetting practices, which allow the actors to bypass employment verification controls.  

This expansion coincided with observed DPRK tactics documented by Microsoft Threat Intelligence and Google Cloud’s Mandiant division , which reported the use of KVM switch setups , stolen identity kits , and remote desktop software to simulate domestic employment in a given jurisdiction—even when the worker operated from DPRK or China. Newer tactics include the use of synthetic voices for video interviews , AI-generated profile images , and automated deployment of identity documents that pass lightweight vetting procedures common to less-regulated platforms.  

Payment pipelines also evolved. Payments are often facilitated through virtual currency, as well as services like TransferWise and Payoneer, implying a preference for systems with limited oversight. In 2025, DPRK operatives received payment through disbursement services into crypto wallets or offshore accounts, routing earnings through UAE-based infrastructure. However, the provided research does not directly corroborate specific incidents such as a “Ureed-based hire posing as a Syrian frontend engineer working for a UAE fintech company” or mobile application code delivered via “Nabbesh” by a user claiming to be Palestinian with telemetry traced to Vladivostok, Russia. However, the use of telemetry to detect Russian-linked infrastructure associated with DPRK activity is confirmed.  

This redirection to under-monitored platforms reflects the regime’s operational flexibility. Instead of abandoning freelance infiltration altogether, Pyongyang expanded its reach into low-friction digital labor markets with lower regulatory visibility. This expansion not only preserved a steady stream of foreign currency for the regime , but it also increased DPRK’s reach into sectors and geographies beyond traditional U.S.-centric targets. It is not simply opportunistic—it is part of a deliberate, adaptive campaign of economic espionage masked as remote software development.  

Shell Company Infrastructure

The DPRK IT labor operation was propped up by a web of shell companies that each played a distinct, carefully engineered role in laundering salaries, spoofing employment legitimacy, and obfuscating the true identities of North Korean operatives. At the core of this infrastructure was Kejia Wang, a New Jersey-based facilitator who established multiple legal entities across the U.S. to mask the flow of illicit wages. Hopana-Tech LLC served as a primary payroll conduit, accepting salary payments from victim companies under the guise of a legitimate staffing agency. Tony WKJ LLC was used to receive and deploy laptops to DPRK operatives, while also functioning as a salary masking layer. Independent Lab LLC provided the technical underpinnings, including blockchain API relays and crypto wallet infrastructure to route funds out of the U.S. financial system. Highland Park 215 Spa LLC, ostensibly operating under the cover of a massage parlor in New Jersey, likely acted as a cash-out point for laundering physical funds.

Wang also operated Northstar Leadership Inc., which produced fabricated resumes and managed identity paperwork, essential for onboarding DPRK operatives to hiring platforms. Through Capella Aviation LLC, Wang and co-registrant Liwen Huang routed wire transfers through Hong Kong and mainland China, creating a cross-border financial bridge. On the Russian front, Gayk Asatryan used Asatryan LLC and Fortuna LLC to legally host 80 DPRK workers, legitimizing their presence under 10-year employment contracts signed with North Korean trading firms.

These entities were not isolated -they were interconnected through shared addresses such as 65 Idlewild Road, overlapping registration details, and reused bank accounts and crypto wallets. Together, they formed a sophisticated scaffolding that gave the illusion of legitimate employment and enterprise, while operating as the foundation for one of the most complex sanctions-evasion schemes tied to DPRK’s Reconnaissance General Bureau.

DPRK Currency Transfers Via Banking

Kejia Wang, operating from New Jersey, functioned as the financial cornerstone of the DPRK’s U.S.-based laundering scheme. Through front companies like Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC, he established business and money transfer accounts used to receive salary payments from U.S. companies unwittingly employing North Korean IT workers under false identities.

At Hopana Tech, Wang opened a U.S. bank account that took in over $464,000 from victim firms between January 2022 and April 2024. These funds were rerouted to overseas co-conspirators such as Jing Bin Huang and a network of Chinese shell entities (e.g., Shenyang Xiwang, Deep Tech, Aolien) via Bank of China and Standard Chartered (HK).

Simultaneously, Tony WKJ LLC received more than $1.6 million through a U.S. money transfer service (MTS-2), which Wang distributed to accounts linked to Enchia Liu, Food Yard Trading (Dubai), and Shenyang Sun-Lotus Tech. He personally siphoned $218,000 into his own U.S. checking account and another $412,000 to his personal MTS account. Between 2022 and 2023, he also received $237,000 in salary deposits into that same personal account, then forwarded $208,000 across 43 transfers to co-conspirators Huang and Tong Yuze.

Wang further disguised laptop handling and device access fees as routine payments labeled “CA laptops” and “NY laptops,” totaling over $55,000 sent to two U.S.-based facilitators.

Lastly, using MTS-3, Wang falsely registered Tony WKJ as a “VC-backed software firm” and received $352,949 from victim companies. When flagged by MTS staff, Wang lied about a DPRK worker under the alias “Wandee C.,” claiming he was a subcontracted developer.

In total, these financial maneuvers moved millions through U.S. infrastructure to overseas nodes, enabling DPRK operatives to mask their identities and launder salaries under the guise of legitimate tech consulting.

Crypto Payment Flows & Wallet Infrastructure

The laundering of salaries earned by North Korean IT operatives followed a structured, multi-phase pipeline designed to minimize traceability and regulatory exposure. In Phase 1: Salary Receipt, payments from unsuspecting U.S. and international companies were sent either to front companies, such as Hopana-Tech LLC and Independent Lab LLC, or directly to wallet addresses listed on the operatives’ GitHub profiles. These companies believed they were paying legitimate U.S.-based contractors, unaware that the workers were remote operatives in North Korea using stolen or forged identities.

Phase 2: Obfuscation began as soon as payments arrived. Smart contracts were employed to automatically split the incoming funds across clusters of Ethereum or TRON wallets. This fragmentation technique, similar to those used in ransomware operations, obscured the origin of the funds and made tracking the complete financial trail more difficult. Each tranche was redirected through different wallets, reducing the ability of investigators to correlate input/output flows with a single identity or origin point.

In Phase 3: Conversion, the obfuscated crypto was aggregated and funneled through over-the-counter (OTC) brokers based in Russia, the United Arab Emirates, and Hong Kong. These brokers specialize in converting large sums of stablecoins into fiat or alternative cryptocurrencies while avoiding compliance triggers. Eventually, the cleaned funds were consolidated into wallets under DPRK control, some of which have since been blocklisted by platforms like Tether for links to illicit activity and sanctions violations. This seamless pipeline allowed the DPRK to convert stolen or fraudulently earned wages into usable capital for the regime’s strategic programs, including its weapons development efforts.

DPRK IT Worker Cluster Wallet & Identity Mapping

Eight fake identities represent a sophisticated and evolving strategy by the DPRK’s IT worker apparatus to not only infiltrate the U.S. based companies but to systematically exfiltrate salary payments into laundering pipelines that support North Korea’s sanctioned economy. Each alias, crafted with care and strategic foresight, was tied to a complex infrastructure of forged documents, crypto wallets, and online developer personas, all designed to evade detection by employers, banks, and regulators.

These aliases were not random. Many were modeled on plausible names common in the U.S., Canada, or Southeast Asia, making them more likely to pass identity verification or “soft KYC” checks on freelancing platforms and internal HR systems. They were often accompanied by polished Linkedin profiles, active GitHub repositories, and consistent communication habits, all of which contributed to the illusion of a legitimate remote developer.

Behind the scenes, each identity was directly linked to salary laundering flows. For instance, Andy Bell, Benjamin Nguyen, and Sandy Nguyen used ETH-based wallet addresses, including vanity ENS domains like bbshark[.]eth and gsofter[.]eth, to receive payments from U.S. firms under the guise of contract work. These addresses were often listed on their GitHub accounts as “payment preferred to…” links, allowing unsuspecting employers or payroll processors to initiate transfers.

In many cases, funds were first routed to these GitHub-linked wallets, then automatically or manually split using smart contracts across secondary addresses. From there, the payments were funneled to consolidation wallets controlled by DPRK facilitators or OTC brokers in Russia, China, or the UAE. For example, funds from wallets tied to Josh Thomas and Muhammad Abdullah were traced via ZachXBT and TRM Labs to known laundering hubs tied to sanctioned North Korean operators. (*ZachXBT is a self-taught, pseudonymous blockchain investigator who has gained global recognition for tracking fraudulent crypto transactions, hacks, rug pulls, and state-linked laundering schemes.)

The fake geographic locations assigned to these aliases were deliberately chosen to align with employment demand and reduce suspicion, such as Texas, California, Toronto, and Michigan, regions known for tech industry presence. These locations also matched VPN exit nodes and remote access IP ranges used to simulate U.S.-based developer activity during work hours.

In total, these eight identities were tied to at least 12 different U.S. and international projects. They helped siphon hundreds of thousands in salaries, while embedding DPRK-linked code contributors into the core of web3 startups, fintech platforms, and even infrastructure projects. Their exposure now offers critical insight into the DPRK’s strategy: weaponizing remote work, exploiting global labor gaps, and turning open-source ecosystems into vectors of economic subversion.

Associated Consolidation Wallets

ZachXBT reports that all above identities and payment addresses lead to two known consolidation wallets:

• 0x58225fed0714e5b9b235642eba7dae3714090a2d
  
• 0xa7f9555c34626eb81b64774356a40ca1a6a794ca
  

These wallets serve as hubs in laundering pathways, taking in payments from U.S. firms and redistributing to DPRK-controlled endpoints via OTC brokers and blacklisted channels. These are frequently referenced in TRM Labs and Treasury forfeiture filings.

Global Network of Enablers

The DPRK’s IT worker laundering network was supported by a multinational cast of facilitators operating across five regions, each providing critical functions that enabled the scheme to scale globally. In the United States, Kejia Wang and Zhenxing “Danny” Wang served as the domestic linchpins, establishing shell companies like Hopana-Tech LLC and Independent Lab LLC, receiving company-issued laptops, and enabling remote access for DPRK operatives via KVM switches. In China, actors such as Jing Bin Huang, Tong Yuze, and Zhenbang Zhou were responsible for setting up domain infrastructure, fabricating identity records, and acting as intermediaries in the salary flow chain. Operating from the United Arab Emirates, Yongzhe Xu and Ziyou Yuan handled the setup of financial accounts and cryptocurrency wallets that served as routing points for laundered funds. Meanwhile, in Taiwan, Mengting Liu and Enchia Liu were tasked with salary account management and crypto-to-cash withdrawal, helping to finalize the money laundering cycle. In Russia, Gayk Asatryan took on a more formal role, entering into 10-year labor agreements with DPRK trading entities and providing legal cover through his companies Asatryan LLC and Fortuna LLC for the long-term hosting of North Korean IT workers. Together, these individuals formed the logistical and financial scaffolding behind one of the DPRK’s most successful sanctions evasion operations to date.

Domains Used to Mask DPRK Labor Pipelines

While the physical infrastructure of DPRK’s cyber-labor operation is anchored in shell companies and banking channels, its digital front is built on a deceptively simple architecture: domain registrations and simple, one-layer-deep web sites. Four key domains, hopanatech[.]com, tonywangtech.com, wkjllc[.]com, and inditechlab[.]com, emerged as critical components of the laundering and deception ecosystem.

All four were registered through NameCheap, a domain registrar frequently exploited by threat actors for its lenient Know-Your-Customer (KYC) policies. These domains aligned closely with the shell companies documented in the July 2025 indictment of Kejia Wang (aka Tony Wang).

• hopanatech[.]com: Used as a façade for the employer-of-record shell “Hopana Tech LLC.” This site served as a point of contact and “employment verification” front, meant to convince firms that IT workers were U.S.-based.
• tonywangtech[.]com and wkjllc.com: Variations on the Tony WKJ LLC shell, these domains were used to generate email aliases and submit resumes under false identities. They helped DPRK contractors pass due diligence by appearing affiliated with a legitimate tech firm.
• inditechlab[.]com: Tied to Independent Lab LLC, a shell involved in crypto infrastructure. The domain may have also hosted webhooks and API interfaces used in TRON-based laundering flows.

Despite their differing branding, these domains shared clear indicators of clustering:

• Similar registrar info and name servers
• Absence of advanced metadata like Google Analytics or embedded tracking (indicating high OPSEC awareness)
• WHOIS privacy enabled
• Associated email accounts and DNS infrastructure linked to Wang or his co-conspirators

These domains were not just placeholders. They were operationally active, used in job applications, HR communications, resume verification, and even crypto billing. In short, they functioned as front-facing digital camouflage for a covert state-aligned economic espionage program.

Strategic and Financial Impact

By the first half of 2025, North Korea’s covert IT labor scheme had evolved into a robust revenue-generating apparatus capable of siphoning millions from the global economy with alarming precision. An estimated $17 million in salary payments was funneled through shell companies and direct crypto wallets tied to DPRK operatives posing as freelance developers. It is also cited that the total for the scheme globally netted between $250 to $600 million altogether. These payments came from hundreds of U.S. companies, including fintech startups, SaaS vendors, blockchain firms, and even defense contractors, who unknowingly onboarded North Korean nationals through falsified resumes and forged identity documents. In June 2025, U.S. authorities seized $7.7 million in cryptocurrency assets connected to the scheme, targeting wallets tied to aliases like “devmad119” and “Joshua Palmer.” Yet this represents just a fraction of the broader threat: over $1.6 billion in global cryptocurrency losses were attributed to DPRK-linked actors in the same time period, with 70% directly traced to operations blending employment fraud, social engineering, and codebase compromise. Far beyond financial theft, this scheme granted North Korean operatives persistent system access, enabling the injection of malicious logic, exfiltration of proprietary code, and creation of long-term backdoors across critical sectors.

Insider Threats: Espionage by Employment

North Korean IT operatives, posing as legitimate remote developers, evolved from mere economic infiltrators to full-fledged insider threats. Once embedded within U.S. and foreign tech firms, these operatives obtained privileged access to critical assets, including GitHub repositories, CI/CD pipelines (like Jenkins and GitLab), and cloud configuration files across AWS, Azure, and GCP. With this level of access, they would be able to insert stealthy “sleeper” functions, delayed or dormant code designed to activate later, as well as data exfiltration logic disguised within standard requests, such as base64-encoded POST or GET calls.

To date, no official disclosures from the government or private sector have confirmed that such actions have occurred. However, given that these nation-state adversaries were embedded as insider threats, it is reasonable to assess that once they gained access to sensitive networks and digital assets, they likely exploited opportunities that extended beyond financial fraud. The potential for strategic espionage, leveraging their privileged access for intelligence collection or cyber sabotage, must be considered a probable scenario.

Threat Assessment

The infiltration of DPRK IT workers into Western firms represents one of the most sophisticated and insidious insider threat campaigns in recent memory. Unlike external cyberattacks that can be blocked at the perimeter, these operatives gained trusted persistent access inside corporate networks by posing as vetted remote employees. Once hired, often via stolen, background-verified U.S. identities, they were embedded into critical roles such as backend development, cloud configuration, CI/CD pipeline maintenance, and DevOps infrastructure. This level of access granted them entry into source code repositories, production environments, encryption logic, and proprietary APIs, allowing for potential IP theft, backdoor insertion, credential harvesting, and pre-positioning for future attacks.

This threat was magnified by a widespread failure among companies to implement robust asset management, access logging, and behavioral anomaly detection. In many cases, organizations lacked visibility into who exactly was accessing which systems, when, and from where. The use of remote KVM switches, proxy VPNs, and U.S.-based cloud endpoints enabled DPRK operatives to blend in with legitimate employee traffic, bypassing geo-fencing or basic endpoint monitoring. Some firms failed to enforce multi-factor authentication, revoke GitHub deploy keys upon contractor termination, or monitor suspicious API activity from “internal” users. Additionally, lax onboarding processes and over-reliance on third-party background check platforms meant many identities went unverified or unchecked.

To counter these threats, companies must enforce zero-trust security models, where access is continuously evaluated based on device health, location, and behavioral norms. Automated asset inventories, real-time session monitoring, and privileged access management (PAM) should be standard practice. Every contractor should have narrowly scoped, time-limited access tied to individual credentials, with full audit trails and immediate revocation mechanisms. Organizations must also reevaluate how they vet remote talent, introducing biometric verification, live interviews, and cross-checks with employment databases to prevent identity fraud. Failure to do so risks granting hostile nation-state actors like the DPRK the keys to their most valuable digital assets, without ever breaching a firewall.

Conclusion

The breaking up of the DPRK IT workers exploit is a wake up call for corporations around the world. The aphorism of “The insider threat is the biggest threat” in the infosec space rings true here with a clarion call. So far, the information that has come out (and continues to be researched) seems to indicate that the U.S. was not the only target of the DPRK activities. That said, it is important that corporations and organizations understand the aphorism above, and do all they can to ensure such insider attacks are much harder to carry out.

It is also important that, within the new paradigm of AI, interviews, vetting, and generally, everything carried out during the interview and vetting process, be backstopped to ensure authentic individuals are being hired, and not assets of a foreign power, or for that matter, other criminal actors. This new landscape will only get more complex, and as we move forward into this brave new world, expect there to be other exploits like these that could render your operations into extreme response circumstances.

Sign Up For DomainTools Investigations’ Newsletter for the Latest Research

Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.

‍

This report details an ongoing campaign by an actor operating primarily during Chinese time zone working hours, targeting Chinese-speaking individuals and entities within and outside China. Since approximately June 2023, the actor has created more than 2,800 domains for malware delivery. The actor's methods and malware, largely unchanged since June 2023, primarily deliver Windows-specific malware through fake application download sites and fake update prompts in various spoofed login pages, marketing apps, business sales apps, and cryptocurrency related apps. 

Following previous reports, the actor made notable operational changes including the addition of 

• Anti-automation and browser emulation code
• Reduction in site tracker services
• Increased server distribution for sparser domain resolutions per IP address
• More discreet registration details

As of June 2025, 266 of the over 850 identified domains since December 2024 were actively distributing malware.

For comprehensive details, refer to the two prior reports linked below:

Part 1: https://dti.domaintools.com/chinese-malware-delivery-websites/ 

Part 2: https://dti.domaintools.com/chinese-malware-delivery-domains-part-ii-data-collection/ 

A Sampling of Their Malware Delivery Websites

‍

Fake Gmail Login

The `googeyxvot[.]top` domain uses anti-automation and browser emulation checks, and any input on its fake login page triggers a deceptive browser incompatibility error, prompting a malicious update download. Multiple JavaScript files are employed to obfuscate the download URL.

A malicious .zip file from `googeyxvot[.]top` delivers an .msi installer. This installer contains multiple .jpg named files and two executables, `svchost.13.exe` and `flashcenter_pl_xr_rb_165892.19.exe`. `svchost.13.exe` acts as a downloader, fetching a file from `https://ffsup-s42.oduuu[.]com/uploads%2F4398%2F2025%2F06%2F617.txt`. The downloaded file uses a shellcode decoder loop, decrypts its content with XOR key "0x25", and executes an embedded PE file.

‍

Fake Alipay Checkout

The domain displays a fake popup stating it cannot operate currently due to the use of abnormal operation mode. The buttons Get Help Now and Cancel are displayed, which prompt a download of a malicious file. 

yeepays[.]xyz

An imported JavaScript file defines the download path

“yeepays[.]xyz/assets/js/external_load.js”

The filename is defined in another imported JavaScript file

“yeepays[.]xyz/assets/download/filename.js”

The download URL for the malicious file then becomes: 

‍

Fake Cryptocurrency Sites

coinbaw[.]vip

Clicking most of the interactive buttons redirects to a fake sign-in page for a fake crypto exchange named “CoinBaw”, which likely attempts to spoof as CoinBase.

Registration Details

Mapping over 2,800 of the actor’s registered domains since June 2024, we observed similar trends in timing.

Domain Registrations Create Date

Domain Resolutions First Seen

Comparing the registration creation times for domains and their respective first seen resolutions from DNS lookups we can approximate possible human working times from infrastructure acquisition and operationalization commonalities. Though both of which can be largely automated and consequently the timing of either event can be largely unreliable, they may offer some valuable insights particularly with regard to potential prevalence in targeted regions.

We observed a common distribution of both domain acquisition and potential operationalization across times. Operationalization in this context is essentially the distinction between the registration of the domains and associated infrastructure and then making use of it in some operational way. In this case, to deliver malware via spoofed application download pages. The majority of both are seen to occur during normal Chinese working hours. Notably, the volume of first seen resolutions of those domains also appear during normal Chinese working hours.

Changes In Operations

The actor has implemented several changes in their operational tactics. This includes the addition of rudimentary anti-automation and browser emulation code, designed to hinder site scanners from effectively retrieving website content. Furthermore, there has been a reduction in the use of site tracker services such as Baidu, Gtag, and Facebook. The actor has also increased the number of servers used to spread domain resolution more widely, and adopted more discreet registration details to obscure uniquely identifiable information.

Conclusion

The "SilverFox" actor continues to demonstrate a high degree of persistence and scale in their malware delivery operations, primarily targeting Chinese-speaking individuals and entities globally with Windows-specific malware. Their campaign, ongoing since at least June 2023, leverages over 2,800 created domains, with 266 remaining active since December 2024, highlighting their sustained infrastructure and reliability improvements. The consistent operational timing across all hours with high influxes during Chinese working hours in addition to other factors suggests a combination of automated and likely human-driven approach to their activities.

While the actor's ultimate motivations remain somewhat uncertain, their tactics strongly suggest financially motivated and opportunistic objectives. We suspect their primary goals include credential and financial theft, and potentially access brokering. Furthermore, the observed targeting of individuals engaged in sales and marketing, particularly those outside China but involved in business prospects within the region and possessing Chinese language skills, points to a potential secondary motivation to exploit specific professional networks for further gains.

Modern browsers like Chrome and Edge provide a critical, multi-layered defense against malware from fake download sites. They use integrated security systems—Google Safe Browsing and Microsoft Defender SmartScreen—to proactively block malicious websites before they can be accessed. At the point of download, these browsers analyze files for risk by checking their reputation and digital signatures, and provide clear, direct warnings to prevent users from accidentally running dangerous software. 

While current detection rates of SilverFox payloads show limitations, it's crucial to recognize that browser security is a constantly evolving battleground. Browser developers are continually refining their defenses, integrating more advanced AI and machine learning models to identify and block novel threats in real-time. This ongoing technological advancement, however, highlights a fundamental truth: the most sophisticated digital warnings are ultimately supplementary to an aware user.

To counter the persistent threat posed by SilverFox, organizations and individuals should prioritize the following security measures:

• Elevate User Awareness: Conduct phishing simulations and training, and emphasize secure software acquisition from official sources.
• Strengthen Email and Web Gateway Security: Implement ATP, integrate threat intelligence feeds for URL filtering and domain reputation, and employ DNS filtering.
• Enhance Endpoint Security and Response: Deploy NGAV/EDR across Windows endpoints and ensure automated patch management.
• Implement Network Monitoring and Segmentation: Analyze network traffic for indicators of compromise and segment networks to limit lateral movement.
• Prioritize Identity and Access Management: Enforce Multi-Factor Authentication (MFA) for all user accounts.

IOCs

Domains, file URls, and hashes can be found on our Github.

A Profile of Iran’s Covert Cyber Strike Unit and Its Psychological Warfare Extension

Executive Summary

Intelligence Group 13, embedded within the Shahid Kaveh Cyber Group, represents one of the most operationally aggressive and ideologically fortified units within the Islamic Revolutionary Guard Corps (IRGC) cyber arsenal. Positioned at the confluence of tactical cyber-espionage, industrial sabotage, and psychological warfare, the group is uniquely equipped to respond to geopolitical escalations,particularly in light of the recent U.S. airstrikes targeting Iranian nuclear facilities, which have significantly heightened the risk of asymmetric retaliation.

As Iran faces intensified pressure and public calls for reprisal, it is assessed that it is increasingly likely that IRGC cyber divisions will be leveraged for retaliatory digital operations. Intelligence Group 13, already known for its history of intrusions into critical infrastructure, including U.S. water systems and Israeli control networks, now finds itself in a strategic posture to deliver retributive action through cyberspace. Whether through direct disruption, pre-positioned malware activation, or narrative defacement and psychological intimidation, the group's capabilities make it a prime tool for hybrid response, combining deniable technical aggression with symbolic messaging designed to project defiance and psychological impact.

Functioning under the umbrella of the IRGC’s broader cyber command, which includes the Electronic Warfare and Cyber Defense Organization (EWCD), the Intelligence Organization (IO), and Quds Force forces like Unit 300, Intelligence Group 13 is not an isolated cell but part of a highly coordinated ecosystem. Its online presence is reinforced by propaganda fronts such as CyberAveng3rs, a media arm that issues threats, amplifies operational claims, and disseminates defacement content through platforms like Telegram and Instagram. Together, these assets form a multi-domain influence architecture that allows Iran to execute cyber retaliation while shaping the narrative battlefield.

This report maps the hierarchy of Intelligence Group 13 within the IRGC, profiles its leadership, outlines its tradecraft and ideological underpinnings, and assesses the increased likelihood of its deployment in near-term retaliatory cyber operations.

Intelligence Team (Group) 13 تیم اطلاعاتی ۱۳

The group, (pronounced: Team-e Ettela'ati-ye Sizdah), takes its name from Mohammad Kaveh, an IRGC commander who was martyred during the Iran-Iraq War in 1986 at the age of 25. He led elite IRGC operations in Kurdistan and Western Iran and was viewed as a revolutionary model for sacrifice, bravery, and obedience. In keeping with the IRGC’s broader ideological tradition, the title “Shahid” (شهید), meaning martyr, is commonly affixed to the names of operational units, serving both as an homage to fallen commanders and a deliberate invocation of religious-nationalist symbolism. This naming convention reinforces the ideological continuity between the IRGC’s early revolutionary battles and its modern digital warfare initiatives. By invoking martyrdom, such units portray their operations not merely as tactical missions but as sacred continuations of a historical and spiritual struggle. The Shahid Kaveh Group draws directly from this legacy to infuse its cyber operations with ideological legitimacy and emotional resonance. The archived site kaveh313[.]lxb[.]ir hosted tributes, biographical stories, and hagiographic imagery that inform the spiritual framework for the group’s name and mission, blending religious devotion, revolutionary ethos, and digital militarism into a unified operational identity.

IRGC Cyber Command Hierarchy

The Islamic Revolutionary Guard Corps (IRGC) oversees a complex and multi-tiered cyber command architecture designed to fulfill distinct yet interconnected missions across domestic security, intelligence collection, and global offensive operations. This structure is deliberately compartmentalized, allowing the IRGC to conduct covert campaigns while maintaining plausible deniability through the use of proxy units, contractors, and front companies. At the core of this system is the Shahid Kaveh Group, an elite offensive cyber unit that operates with both ideological fervor and technical precision. Intelligence Group 13, its most active tactical team, is fully embedded within this command, drawing operational directives from a triad of IRGC oversight bodies:

• The Electronic Warfare and Cyber Defense Organization (EWCD), which coordinates cyber defense and internal sabotage capabilities,
  
• The Intelligence Organization (IO), responsible for domestic surveillance and strategic targeting intelligence, and
  
• The Quds Force (QF), which projects IRGC influence and cyber aggression abroad, particularly through specialized units like Unit 300 and Unit 600.
  

Together, these divisions provide the Shahid Kaveh Group,and by extension Intelligence Group 13, with the operational cover, intelligence feeds, and strategic alignment necessary to wage hybrid cyber warfare across physical and psychological domains.

Command Structure – Known Figures

The leadership behind Intelligence Group 13 reflects a blend of strategic IRGC command, operational direction, and industrial integration. At the top sits Hamidreza Lashgarian, a senior IRGC cyber official with confirmed affiliations to both the Electronic Warfare and Cyber Defense Organization (EWCD) and Quds Force Unit 300. Lashgarian is widely regarded as the supervisory figure behind the Shahid Kaveh Group, providing overarching guidance on both ideological framing and operational tempo. Beneath him, Reza Salarvand serves as the direct commander of Intelligence Group 13, identified in dissident leaks as the group’s tactical leader and field-level coordinator. Salarvand’s role includes managing target selection, overseeing cyber intrusion campaigns, and aligning Team 13’s actions with IRGC strategic objectives. Supporting these military units is Mohammad Bagher Shirinkar, a key figure embedded in EWCD-linked contractor firms. Shirinkar plays a critical role in bridging the IRGC’s internal operations with its broader technical ecosystem, facilitating tool development, subcontractor oversight, and deniable operational capabilities through civilian-facing fronts.

IRGC High-Level Hierarchy

Placement of Intelligence Group 13 Within IRGC Cyber Org

Intelligence Group 13 functions as the operational spearhead of the Shahid Kaveh Group, a hybrid entity positioned at the intersection of the IRGC’s cyber warfare and Quds Force portfolios. This structural alignment gives Team 13 a unique dual mandate: to execute precision cyber intrusions with military-grade sophistication while simultaneously engaging in psychological and ideological warfare. As a tactical APT (Advanced Persistent Threat) cell, the unit specializes in cyber reconnaissance, disruptive sabotage of critical infrastructure, and the deployment of malware designed to pre-position effects across adversarial networks. Its proximity to both IRGC Electronic Warfare and Cyber Defense (EWCD) and external-facing Quds Force units enables Intelligence Group 13 to operate with both deep access and strategic reach, making it a central instrument of Iran’s asymmetric cyber doctrine.

Internal Chain of Command

Technical Mission and Tactics

The strategic mandate of Intelligence Group 13 centers on disrupting critical infrastructure and shaping adversarial perceptions through covert digital operations. The unit has demonstrated a specific focus on targeting industrial control systems (ICS), including Unitronics PLCs, Israeli electrical grids, U.S. water treatment facilities, and fuel distribution systems, all selected for their high-impact potential and symbolic value. Their campaigns often involve pre-positioning malware, embedding implants within target environments well in advance of activation to enable dormant or timed sabotage. Complementing these efforts is an aggressive intelligence collection posture, relying on phishing, credential theft, and OSINT harvesting to support intrusion planning and post-access operations. Crucially, Team 13 integrates psychological warfare into its strategy, disseminating screenshots, leaks, and taunting messages through propaganda arms like CyberAveng3rs to generate fear, confusion, and reputational damage in tandem with technical effects.

Disinformation & Propaganda: The Role of CyberAveng3rs Patriotic Hacker Wing

CyberAveng3rs serves as the psychological warfare and influence operations extension of Intelligence Group 13, functioning not as an independent actor but as a deliberately constructed propaganda arm embedded within Iran’s cyber doctrine. Rather than remaining in the shadows like traditional APTs, Team 13 leverages CyberAveng3rs to publicize and amplify the psychological impact of its technical operations,turning covert intrusions into open spectacles of defiance. Through Telegram channels, Instagram accounts,and diaspora-linked echo networks, CyberAveng3rs publishes defacement screenshots, malware control panel captures, and operational taunts directed at Western and Israeli infrastructure targets. These narratives are often laced with religious-nationalist motifs, martyr quotes, and anti-Zionist rhetoric, reinforcing the IRGC’s ideological messaging. CyberAveng3rs is not merely reactive; it issues pre-attack warnings, brags post-operation, and threatens future campaigns, making it a key instrument for intimidation, distraction, and symbolic escalation. By fusing information operations with hacking campaigns, it enhances the IRGC’s ability to wage cognitive warfare alongside technical compromise.

Operator: Mr. Soul (Mr_Soulcy)

• Known handles:
  
  • Instagram: Cyberaveng3rs
    
  • Telegram: @CyberAveng3rs
    
  • X @cyberaveng3rs
    
• Notable content:
  
  • Claimed the Aliquippa water system attack (PA, USA)
    
  • Leaked Unitronics control panel screenshots
    
  • Issued threats of “Operation IV” aimed at Israeli cybersecurity units
    
  • Branded style includes martyr quotes, Islamic slogans, and ICS interfaces
    

Contractor and Front Company Ecosystem

The IRGC’s cyber operations rely heavily on a dense and evolving ecosystem of affiliated companies, some covertly managed through military intermediaries, others openly registered as “cyber defense,” “AI research,” or “IT solutions” firms. This web serves multiple strategic purposes. First, it allows the IRGC to outsource technical labor and scale operations without overexposing its formal personnel. Second, it provides plausible deniability, as these front firms can operate under civilian-facing banners while conducting state-directed offensive cyber activities. Third, it enables a rotating model of corporate obfuscation, where companies like Emen Net Pasargad are dissolved or sanctioned only to reappear under new names like Ayandeh Sazan Sepehr Aria, often with overlapping staff and clients. These firms are frequently staffed by IRGC veterans or relatives of high-ranking cyber officials, further blurring the lines between state, contractor, and covert operator.

This model closely parallels revelations from the i-SOON (安洵) data leak, which exposed how China’s Ministry of Public Security (MPS) and provincial security bureaus have long contracted out cyber operations to nominally private firms. Like the IRGC’s cyber complex, Chinese firms such as i-SOON and Chengdu 404 maintain the veneer of legitimate enterprise while developing spyware, managing fake persona farms, and carrying out state-sponsored intrusions. In both Iran and China, this hybrid public-private structure allows state entities to mask state cyber activity behind corporate fronts, maintain flexibility, and engage in offensive campaigns without bearing the full diplomatic cost.

Moreover, just as Iran’s firms like Cyberban Institute and Kavosh Center double as ideological and technical platforms, Chinese contractors often support both domestic surveillance and global espionage, engaging in infrastructure targeting, data exfiltration, and information control under the guise of national innovation. This convergence of state-backed ideology, cyber warfare, and privatized labor reveals a shared authoritarian blueprint: One in which cyber capabilities are cultivated through semi-privatized ecosystems designed to insulate command structures while enabling scalable, deniable aggression in the global digital theater.

Expanded Corporate Ecosystem Supporting IRGC Cyber Ops

The IRGC’s cyber capabilities rely not solely on military or intelligence personnel but on an expansive and deliberately obscured ecosystem of contracting companies, technical institutes, and shell entities that function as both operational extensions and recruitment/talent pipelines. These firms play a crucial role in sustaining the IRGC’s cyber warfare doctrine, developing malware, testing exploits, maintaining infrastructure, and providing a legal or commercial façade for offensive operations.

What makes these companies particularly effective, and elusive, is the way they straddle the boundary between legitimacy and subversion. Many of them present as cybersecurity vendors, AI startups, or educational technology labs, marketing themselves to civilian, academic, and even international clients. Behind the scenes, however, they serve as contractors for the IRGC’s Electronic Warfare and Cyber Defense Organization (EWCD), Intelligence Organization (IO), and Quds Force, executing tasks that range from infrastructure reconnaissance and SIGINT analysis to psychological warfare and influence ops.

This system is both resilient and adaptive. Companies are frequently rebranded, dissolved, or split into subsidiaries following public exposure or sanctions. For instance, Net Peygard Samavat, once exposed for its involvement in Iranian state cyber operations, later became Emen Net Pasargad, which itself was reconstituted as Ayandeh Sazan Sepehr Aria. Despite their changing names and corporate registrations, these entities retain the same personnel, mission scope, and government sponsors, effectively outlasting sanction regimes and Western takedown efforts.

Moreover, the personnel who operate these firms often rotate between IRGC intelligence positions, academic research roles, and private-sector leadership, creating a feedback loop where state doctrine, technical innovation, and civilian infrastructure become interwoven. This also creates a recruitment channel: Young developers and engineers are often brought into these companies under the banner of patriotic service or career opportunity, then quietly integrated into national-level cyber missions.

In effect, these firms function as force multipliers for Iran’s cyber program. They provide scalability, deniability, and a legal buffer between the Iranian state and its digital aggression. As international scrutiny tightens, the IRGC is likely to continue leaning on these corporate proxies to advance technical capability while avoiding direct attribution,mirroring similar models seen in China (e.g., i-SOON) and Russia (e.g., contractors like NTC Vulkan).

Below is a detailed examination of these key companies and their connections.

Core Contractor Entities and Their Functions

• Emen Net Pasargad (ایمن‌نت پاسارگاد) – Once a flagship contractor for disinformation and foreign interference (e.g., impersonating the Proud Boys during the 2020 U.S. election). Dissolved in 2023. Sanctions Source
  
• Ayandeh Sazan Sepehr Aria (آریا سپهر سازان آینده) – A successor to Emen Net, continuing operations in information operations and malware development. Founded by Mohammad Bagher Shirinkar. Recorded Future
  
• Mahak Rayan Afraz (محک رایان افراز) – Specialized in AI and surveillance tooling, including:
  
  • Hazm – Persian NLP engine
    
  • Gol Rokh – Facial recognition platform
    
  • Disbanded in mid-2023 amid U.S. pressure. Treasury
    
• DSPRI (موسسه سنجش داده پیشرفته) – Linked to IRGC Quds Force Unit 300, DSPRI handles signal interception and encrypted traffic decryption, including battlefield deployments in Syria, Lebanon, and Iraq. Recorded Future, p. 14
  
• Sabrin Kish (شرکت صابرین کیش) – Developed sniffers and ICS tools sold to IRGC clients; also engaged in foreign contracts (e.g., deal with Iraq’s NSA head Faleh al-Fayyadh). Maintains financial and corporate overlap with IRGC Cooperative Foundation. Wikipedia
  
• Soroush Saman Co. (شرکت توسعه الکترونیکی و مخابراتی سروش سامان) – Supplied surveillance and tracking systems to Hezbollah, and built AI-based phone surveillance for Unit 300. [IntelliTimes coverage via Lab Dookhtegan]
  
• Afkar Systems (افکار سیستم) – Tied to Nemesis Kitten APT, allegedly led by Ahmad Khatibi Aghda. Operated through Center 2060 and Cyber Base 2000, both under EWCD’s umbrella. CISA Advisory
  
• Parnian Telecommunication (شرکت الکترونیکی و مخابراتی پرنیان) – Facilitates cyber workforce recruitment for IRGC and MRA-linked projects. Job ads call for infosec and penetration testing expertise. Recorded Future, p. 19
  
• Kavosh Center (مرکز کاوش) – Offensive R&D hub tied to the Shahid Kaveh Group. Led by IRGC affiliate “Shayan” (Malek Mohammadi Nejad). Possibly involved in TTP development and APT tool testing. Recorded Future
  
• Cyberban Institute (موسسه سایبربان) – Run by Mehdi Lashgarian, nephew of IRGC cyber leader Hamidreza Lashgarian. This front publishes ideological content, disinfo narratives, and tech analysis favorable to IRGC doctrine. Recorded Future, p. 22
  

Observations on Structure and Strategy

The structure and behavior of IRGC-affiliated cyber firms reveal a deliberate and adaptive operational model. Many of these companies engage in strategic rebranding, dissolving or renaming themselves after being sanctioned or exposed, Net Peygard reemerged as Emen Net, which later became Ayandeh Sazan, while Dehkadeh Telecom transitioned into Mahak Rayan Afraz, with a new identity likely forthcoming. These transitions help avoid regulatory scrutiny while maintaining operational continuity. Furthermore, interlocking leadership is a hallmark of the ecosystem: Figures such as Mohammad Bagher Shirinkar, Hamidreza Lashgarian, and Esmail Rahimi appear across multiple entities, indicating a centralized and tightly coordinated management structure. The ecosystem also supports technology transfer abroad, with tools and capabilities exported to IRGC-aligned actors in Iraq, Syria, and Lebanon, particularly via Quds Force Unit 300. Notably, these firms are often the technical and logistical backends for known APT groups. For example, Afkar Systems underpins Nemesis Kitten, Mahak Rayan Afraz has links to Tortoiseshell (TA456), and clusters tied to the Shahid Kaveh Group appear to support Pioneer Kitten operations.

Operational Forecast and Strategic Implications

Intelligence Group 13 functions as the operational core of the IRGC’s cyber disruption strategy, a convergence point where technical sabotage, psychological warfare, and revolutionary ideology are seamlessly integrated. Operating under the umbrella of the Shahid Kaveh Group, Team 13 is not an independent or freelance actor but a disciplined tactical cell embedded in a broader, multi-layered command system overseen by IRGC EWCD, IO, and Quds Force divisions. Its mission is augmented through propaganda arms such as CyberAveng3rs, which act not only as amplifiers of defacement and intrusion campaigns but also as strategic influence assets projecting IRGC narratives into public and geopolitical consciousness.

The group’s tradecraft spans traditional APT techniques, such as credential harvesting, critical infrastructure penetration (e.g., Unitronics PLCs, fuel pump logic, and water treatment systems), and covert malware deployment (e.g., IOControl, Project Binder). Yet what sets Team 13 apart is its parallel investment in symbolic messaging, issuing threats via Telegram, leaking screenshots via Instagram handles like @mr.sul.ir, and invoking martyrdom and Islamic resistance to create a psychological echo chamber around each technical act.

This entire operation is scaffolded by a front company and contractor ecosystem designed to provide deniability, talent, infrastructure, and logistical support. These include Afkar Systems (linked to Nemesis Kitten), Mahak Rayan Afraz (associated with TA456), and Kavosh Center (supporting Pioneer Kitten), among others. These firms are part of a strategy of institutional layering and rebranding, allowing the IRGC to rotate through corporate identities while sustaining long-term capabilities. Rebranding paths such as Net Peygard → Emen Net → Ayandeh Sazan show how the IRGC evades sanctions without losing operational momentum.

Key Takeaways:

• Intelligence Group 13 is a deeply embedded extension of the IRGC’s strategic cyber doctrine,not an isolated threat actor.
  
• Psychological operations are prioritized on par with malware deployment, reflecting a dual mission of technical and perceptual warfare.
  
• The martyrdom framework (e.g., naming conventions like “Shahid Kaveh”) plays a pivotal role in unifying cyber actions with ideological legitimacy.
  
• The use of contractor ecosystems and front companies provides flexibility, plausible deniability, and continuity across sanctions and takedowns.
  

Risk Assessment:

Future campaigns by Intelligence Group 13 and its affiliates are likely to blend cyber-kinetic threats with narrative manipulation, targeting not just critical infrastructure but public perception and institutional trust. This includes:

• Threatening or disrupting civilian infrastructure in the U.S., Israel, and Gulf States
  
• Deploying psychological campaigns through channels like CyberAveng3rs, timed with physical intrusions
  
• Leveraging rebranded contractors to deliver tooling and intelligence capabilities both domestically and to proxy forces abroad (e.g., Hezbollah, PMF in Iraq)
  

Defending against this threat requires not only technical hardening but cognitive resilience, recognizing that the IRGC’s cyber ambitions are as much about controlling the story as they are about breaching the network.

Sign Up For DomainTools Investigations’ Newsletter for the Latest Research

Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.