Analysis of an open directory found a Chinese speaking threat actor’s toolkit and history of activity.
The threat actor displayed extensive scanning and exploitation using WebLogicScan, Vulmap, and Xray, targeting organizations in South Korea, China, Thailand, Taiwan, and Iran.
The Viper C2 framework was present as well as a Cobalt Strike kit which included TaoWu and Ladon extensions.
The Leaked LockBit 3 builder was used to create a LockBit payload with a custom ransom note that included reference to a Telegram group which we investigated further in the report.