{
  "name": "Chinese Hackers Toolkit Uncovered And Activity History Uncovered",
  "slug": "chinese-hackers-toolkit-uncovered-and-activity-history-uncovered",
  "description": "A Chinese hacking group called 'You Dun' was discovered through an exposed open directory, revealing their comprehensive attack infrastructure. The group utilized sophisticated reconnaissance tools and exploited Zhiyuan OA software via SQL injection attacks, targeting South Korean pharmaceutical organizations. They employed advanced privilege escalation tools and operated a C2 infrastructure using Cobalt Strike and Viper framework. The hackers also created a custom ransomware variant based on LockBit 3.0. Their activities extended across multiple Asian countries, focusing on government, education, health, and logistics sectors. The group used proxy servers to conceal their location and employed various hacking tools, including WebLogicScan, Vulmap, Xray, and dirsearch.",
  "published": "2024-10-28T14:48:38+00:00",
  "created_at": "2024-10-28T14:48:38+00:00",
  "modified_at": "2024-10-29T12:27:14+00:00",
  "created_at_opencti": "2024-10-28T14:48:38+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-10-28",
    "CVE-2021-25003",
    "c2 infrastructure",
    "chinese hackers",
    "cobalt strike",
    "lockbit 3.0",
    "privilege-escalation",
    "ransomware",
    "reconnaissance tools",
    "sql injection",
    "viper framework"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "43.228.89.247"
      },
      {
        "id": "",
        "name": "43.228.89.246"
      },
      {
        "id": "",
        "name": "43.228.89.245"
      },
      {
        "id": "",
        "name": "163.53.216.157"
      },
      {
        "id": "",
        "name": "116.212.120.32"
      },
      {
        "id": "",
        "name": "115.126.107.244"
      },
      {
        "id": "",
        "name": "103.228.108.247"
      }
    ],
    "malware": [
      {
        "id": "044bbd31-9420-48a5-b640-ef4b1b1d81f4",
        "name": "Xray",
        "slug": "xray"
      },
      {
        "id": "0bdd11a4-49fb-4a1b-8f70-599bcd123199",
        "name": "WebLogicApp",
        "slug": "weblogicapp"
      },
      {
        "id": "31acdc12-10e2-43ee-8594-a4cbe0a69fdc",
        "name": "Vulmap",
        "slug": "vulmap"
      }
    ],
    "intrusion_sets": [
      {
        "id": "85eacc59-466c-40b6-bfda-3c14b4fb81f3",
        "name": "You Dun",
        "slug": "you-dun"
      }
    ],
    "attack_patterns": [
      {
        "id": "6a146066-5a78-493c-a26a-133b62c1149e",
        "name": "T1588.002"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "d570881a-1f73-41ca-ad6c-fc29256c76f9",
        "name": "T1595"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2021-25003"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Iran, Islamic Republic of"
      },
      {
        "id": "",
        "name": "Taiwan"
      },
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "Thailand"
      },
      {
        "id": "",
        "name": "Healthcare"
      },
      {
        "id": "",
        "name": "Transportation"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://cybersecuritynews.com/chinese-hackers-toolkit-uncovered/",
    "https://otx.alienvault.com/pulse/671fb2564a37133fb0a88d97"
  ]
}