- Analysis of an open directory uncovered a Chinese-speaking threat actor's toolkit and history of activity.
- The threat actor displayed extensive scanning and exploitation using WebLogicScan, Vulmap, and Xray, targeting organizations in South Korea, China, Thailand, Taiwan, and Iran.
- The Viper C2 framework was present as well as a Cobalt Strike kit which included TaoWu and Ladon extensions.
- The leaked LockBit 3 builder was used to create a LockBit payload with a custom ransom note that included a reference to a Telegram group, which we investigated further in the report.