Tuesday, April 29, 2025
HomeBackdoorOperation Wocao - China’s Hidden Hackers Group Using Custom Hacking Tools to...

Operation Wocao – China’s Hidden Hackers Group Using Custom Hacking Tools to Attack More Than 10 High Profile Countries

Published on

SIEM as a Service

Follow Us on Google News

Operation Wocao – New hidden Chinese threat groups are known as APT20 targeting various private, and government networks using custom hacking tools and various tactics and techniques.

Threat groups likely support the Chinese government to gather sensitive data from other governments for espionage purposes.

Researchers observed that the threat groups targeted at least 10 high profile countries government networks, managed service provides, Energy, Health Care and High-Tech.

- Advertisement - Google News

Attackers mostly using a legitimate channel such as to infiltrate the targeted network, and also they are capable of abusing the 2FA soft tokens and plant the backdoor.

They intrude into the network via compromised employee’s credentials with admin privilege access which they have directly retrieved from the password managers.

Also the group skilled enough to carefully destroy the file system based forensic traces of their activities and make it harder for investigators to determine the incident.

Process of Attack, the main goal of the actors is to exfiltrate the sensitive data maintaining the persistence of access and jumping to additional targets.

APT20 using a variety of following hacking tools for their malicious operation in Operation Wocao.

  • File upload webshell
  • File upload and command execution web shell
  • Socket tunnel
  • Reconnaissance script
  • XServer
  • Agent
  • Directory list tool
  • Process launcher
  • CheckAdmin
  • OS scanner
  • Keylogger

Operation Wocao – Process of Stealing Data

Threat actors initially intrude into victims’ networks by exploiting the vulnerable web server by utilizing the web shell that placed by other threat actors for reconnaissance purposes.

Later they are the implant their own webshell to the targeted web server to maintain the access even if the credentials for VPN accounts were to be reset.

In further movement, an attacker using a well-documented method such as dumping credentials from memory and accessing password managers on compromised systems to move into the network.

Attackers specifically targeting the people based on their role and associated privilege levels within the organization, which helps them to obtain access to highly privileged accounts such as an enterprise-level administrator.

According to Fox-it report “Once such privileges have been obtained, the actor directly shifts their means of persistence. Instead of having to rely on their persistent malicious backdoors as command and control channel – a channel that’s essentially not supposed to be there and subject to discovery by the victim – the actor uses the stolen credentials to connect to the victim’s network using the corporate VPN solution.”

The attacker also abusing the 2FA using novel techniques,s and they break the 2FA protection using simple credential theft.

“Once the attackers completely gain network access, uses a mix of (custom developed) backdoors and open source tools to connect to and through compromised systems.”

Before that attackers sometimes utilize a custom reconnaissance script. This script collects, among other things, installed software, running processes and open connections.

Finally, attackers identifying and collecting information and data on the system and compress all the files using WinRAR and download the files using the backdoor functionality.

In the end, they completely remove all created executables and files and then close the implanted backdoor.

You can read the complete whitepaper here.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Blinded from Above: How Relentless Cyber-Attacks Are Knocking Satellites Out of Sight

According to the Center for Strategic & International Studies' (CSIS) 2025 Space Threat Assessment,...

Google Chrome Vulnerability Allows Attackers to Bypass Sandbox Restrictions – Technical Details Revealed

A severe vulnerability, identified as CVE-2025-2783, has been discovered in Google Chrome, specifically targeting...

Threat Actors Accelerate Transition from Reconnaissance to Compromise – New Report Finds

Cybercriminals are leveraging automation across the entire attack chain, drastically reducing the time from...

ResolverRAT Targets Healthcare and Pharmaceutical Sectors Through Sophisticated Phishing Attacks

A previously undocumented remote access trojan (RAT) named ResolverRAT has surfaced, specifically targeting healthcare...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Blinded from Above: How Relentless Cyber-Attacks Are Knocking Satellites Out of Sight

According to the Center for Strategic & International Studies' (CSIS) 2025 Space Threat Assessment,...

Google Chrome Vulnerability Allows Attackers to Bypass Sandbox Restrictions – Technical Details Revealed

A severe vulnerability, identified as CVE-2025-2783, has been discovered in Google Chrome, specifically targeting...

Threat Actors Accelerate Transition from Reconnaissance to Compromise – New Report Finds

Cybercriminals are leveraging automation across the entire attack chain, drastically reducing the time from...