Sunday, March 30, 2025
HomeBackdoorOperation Wocao - China’s Hidden Hackers Group Using Custom Hacking Tools to...

Operation Wocao – China’s Hidden Hackers Group Using Custom Hacking Tools to Attack More Than 10 High Profile Countries

Published on

SIEM as a Service

Follow Us on Google News

Operation Wocao – New hidden Chinese threat groups are known as APT20 targeting various private, and government networks using custom hacking tools and various tactics and techniques.

Threat groups likely support the Chinese government to gather sensitive data from other governments for espionage purposes.

Researchers observed that the threat groups targeted at least 10 high profile countries government networks, managed service provides, Energy, Health Care and High-Tech.

Attackers mostly using a legitimate channel such as to infiltrate the targeted network, and also they are capable of abusing the 2FA soft tokens and plant the backdoor.

They intrude into the network via compromised employee’s credentials with admin privilege access which they have directly retrieved from the password managers.

Also the group skilled enough to carefully destroy the file system based forensic traces of their activities and make it harder for investigators to determine the incident.

Process of Attack, the main goal of the actors is to exfiltrate the sensitive data maintaining the persistence of access and jumping to additional targets.

APT20 using a variety of following hacking tools for their malicious operation in Operation Wocao.

  • File upload webshell
  • File upload and command execution web shell
  • Socket tunnel
  • Reconnaissance script
  • XServer
  • Agent
  • Directory list tool
  • Process launcher
  • CheckAdmin
  • OS scanner
  • Keylogger

Operation Wocao – Process of Stealing Data

Threat actors initially intrude into victims’ networks by exploiting the vulnerable web server by utilizing the web shell that placed by other threat actors for reconnaissance purposes.

Later they are the implant their own webshell to the targeted web server to maintain the access even if the credentials for VPN accounts were to be reset.

In further movement, an attacker using a well-documented method such as dumping credentials from memory and accessing password managers on compromised systems to move into the network.

Attackers specifically targeting the people based on their role and associated privilege levels within the organization, which helps them to obtain access to highly privileged accounts such as an enterprise-level administrator.

According to Fox-it report “Once such privileges have been obtained, the actor directly shifts their means of persistence. Instead of having to rely on their persistent malicious backdoors as command and control channel – a channel that’s essentially not supposed to be there and subject to discovery by the victim – the actor uses the stolen credentials to connect to the victim’s network using the corporate VPN solution.”

The attacker also abusing the 2FA using novel techniques,s and they break the 2FA protection using simple credential theft.

“Once the attackers completely gain network access, uses a mix of (custom developed) backdoors and open source tools to connect to and through compromised systems.”

Before that attackers sometimes utilize a custom reconnaissance script. This script collects, among other things, installed software, running processes and open connections.

Finally, attackers identifying and collecting information and data on the system and compress all the files using WinRAR and download the files using the backdoor functionality.

In the end, they completely remove all created executables and files and then close the implanted backdoor.

You can read the complete whitepaper here.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Gamaredon Hackers Weaponize LNK Files to Deliver Remcos Backdoor

Cisco Talos has uncovered an ongoing cyber campaign by the Gamaredon threat actor group,...

“Crocodilus” A New Malware Targeting Android Devices for Full Takeover

Researchers have uncovered a dangerous new mobile banking Trojan dubbed Crocodilus actively targeting financial...

SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk

From WannaCry to the MGM Resorts Hack, ransomware remains one of the most damaging...

Hackers Exploit DNS MX Records to Create Fake Logins Imitating 100+ Brands

Cybersecurity researchers have discovered a sophisticated phishing-as-a-service (PhaaS) platform, dubbed "Morphing Meerkat," that leverages...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

“Crocodilus” A New Malware Targeting Android Devices for Full Takeover

Researchers have uncovered a dangerous new mobile banking Trojan dubbed Crocodilus actively targeting financial...

Hackers Exploit DNS MX Records to Create Fake Logins Imitating 100+ Brands

Cybersecurity researchers have discovered a sophisticated phishing-as-a-service (PhaaS) platform, dubbed "Morphing Meerkat," that leverages...

New Python-Based Discord RAT Targets Users to Steal Login Credentials

A recently identified Remote Access Trojan (RAT) has raised alarms within the cybersecurity community...