In a shocking revelation, cybersecurity firm Sygnia has reported that a major Asian telecommunications company was compromised by a group of Chinese state-sponsored hackers. This long-term breach, carried out by a group identified as Weaver Ant, allowed the attackers to quietly operate within the network for over forty-eight months, collecting sensitive information without being detected.
Although the name of the affected telecom provider has not been disclosed, the implications are significant, highlighting the evolving strategies and persistence of modern cyber espionage operations.
Weaver Ant — A Stealthy and Persistent Threat Actor
Sygnia describes Weaver Ant as a stealth-focused, highly persistent group with clear goals tied to intelligence gathering and cyber espionage. The group exploited a misconfiguration in a public-facing application, which granted them an initial foothold in the target’s infrastructure.
Once inside, the attackers deployed two separate web shells to maintain access:
- A customized, encrypted version of China Chopper, a widely used web shell by Chinese actors
- A new, undocumented in-memory tool known as INMemory
INMemory works by decoding Base64-encoded strings and executing them directly in memory. This approach leaves no trace on disk, making forensic analysis extremely difficult.
Tools and Tactics Used in the Attack
The attackers used a wide range of tools and techniques to expand their reach and avoid detection. These include:
- Recursive HTTP tunneling, carried over SMB, for lateral movement between internal servers
- Encrypted web shell traffic as a control channel for post-exploitation actions
- Disabling detection systems by patching Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI)
- Executing PowerShell commands through the System.Management.Automation .NET assembly, so the PowerShell engine runs inside another process and PowerShell.exe is never launched
- Targeted reconnaissance of Active Directory environments to locate privileged accounts and high-value systems
This combination of tactics illustrates a sophisticated understanding of enterprise networks and a methodical approach to persistent access and surveillance.
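The PowerShell-without-PowerShell.exe technique listed above has a well-known defensive counterpart: watch for processes that load the PowerShell engine assembly but are not a PowerShell host. The following is an added example, not code from Sygnia's report; it runs over constructed Sysmon Event ID 7 (ImageLoad) records, and the set of expected host processes is an assumption to tune per environment.

```python
import ntpath

# Processes expected to host the PowerShell engine (assumption: tune per environment).
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def is_automation_assembly(image_loaded: str) -> bool:
    """Match System.Management.Automation.dll and its NGEN'd .ni.dll variant."""
    name = ntpath.basename(image_loaded).lower()
    return name.startswith("system.management.automation") and name.endswith(".dll")


def find_hosted_powershell(events):
    """Return (process name, pid, loaded image) for non-PowerShell processes that load the engine."""
    hits = []
    for ev in events:
        # Sysmon Event ID 7 = ImageLoad; other event types carry no ImageLoaded field.
        if ev.get("EventID") != 7:
            continue
        if not is_automation_assembly(ev.get("ImageLoaded", "")):
            continue
        host = ntpath.basename(ev.get("Image", "")).lower()
        if host in EXPECTED_HOSTS:
            continue
        hits.append((host, ev.get("ProcessId"), ev["ImageLoaded"]))
    return hits


# Constructed sample records using Sysmon Event ID 7 field names; paths are illustrative.
AUTOMATION_DLL = r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ImageLoaded": AUTOMATION_DLL},
    # IIS worker process loading the engine: the pattern a web shell running PowerShell would leave.
    {"EventID": 7, "ProcessId": 5208, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "ImageLoaded": AUTOMATION_DLL},
    {"EventID": 7, "ProcessId": 5208, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 1, "ProcessId": 6000, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for host, pid, dll in find_hosted_powershell(SAMPLE_EVENTS):
        print(f"PowerShell engine hosted by {host} (pid {pid}): {dll}")
```

Legitimate management agents also host the engine, so feed confirmed hosts into EXPECTED_HOSTS rather than widening the match.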
Indicators of a China Nexus
Several clues strongly point to the group being aligned with Chinese state interests. These include:
- Use of China Chopper
- Deployment of a backdoor using Microsoft Outlook, previously linked to Emissary Panda
- Use of a relay network of Zyxel routers, called the Operational Relay Box (ORB), to hide traffic
- Working hours that align with China Standard Time
- Campaign goals focused on long-term access and intelligence gathering
Sygnia emphasized that Weaver Ant’s tactics resemble those of other China-linked groups, with shared infrastructure and overlapping toolsets. In some cases, this may involve contracted cyber operatives working across multiple campaigns.
Related Espionage Accusations Between China and Taiwan
This report coincides with recent accusations from China’s Ministry of State Security (MSS), which named four Taiwanese individuals allegedly involved in cyber attacks against mainland entities.
According to the MSS, these individuals belong to Taiwan’s Information, Communications, and Electronic Force Command (ICEFCOM). The group is accused of executing cyber operations such as:
- Spear phishing campaigns
- Disinformation and propaganda through fake social media accounts
- Cyber sabotage and espionage
Chinese cybersecurity firms QiAnXin and Antiy added that these campaigns often used:
- Open-source tools like AntSword, IceScorpion, Metasploit, and Quasar RAT
- Command-and-control (C2) frameworks like Cobalt Strike and Sliver
- Vulnerabilities in outdated routers, cameras, and firewalls for initial access
However, Taiwanese authorities have denied all accusations, escalating digital tensions in the region.
A Growing Pattern in Asia Pacific Cybersecurity
The breach of the Asian telecom provider, combined with the political accusations involving Taiwan, underscores a growing trend: Asia Pacific is becoming a central battleground for nation-state cyber conflict.
Telecommunications infrastructure, in particular, has become a high-priority target. With access to these systems, attackers can monitor communications, intercept data, and track users across the region.
“Weaver Ant adapted their techniques as the network evolved, always finding new ways to maintain access,” Sygnia noted in its report. “This reflects the hallmark behavior of a highly funded, state-linked threat group with specific intelligence objectives.”
Recommendations for Telecom and Enterprise Security Teams
In light of these events, organizations — especially telecom and critical infrastructure providers — must reevaluate their security posture. Key steps include:
- Performing regular configuration audits to detect misconfigured public-facing applications
- Monitoring for web shells and in-memory payloads using behavioral detection tools
- Segmenting networks and limiting lateral movement through strict access controls
- Deploying endpoint detection and response solutions capable of catching stealthy activity
- Conducting threat hunting to identify signs of long-term compromise
These measures can help organizations respond to the new era of cyber espionage, where attacks are no longer just short-lived incidents, but multi-year campaigns aimed at systemic surveillance and influence.
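As an added illustration of the web shell monitoring recommended above (not code from Sygnia's report), the heuristic below scores POST requests to script endpoints the way a defender would look for a Base64-driven shell like INMemory: a path never served via GET, a form field carrying a long strict-Base64 blob, and a missing User-Agent. The request records, field names and thresholds are constructed assumptions, not a real log format; the encoded command in the sample is a harmless inventory cmdlet.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")
MIN_BLOB_LEN = 64  # assumption: shorter values are too common to be meaningful


def looks_like_b64_payload(value: str) -> bool:
    """True if value is long and strictly Base64 (validate=True rejects stray characters)."""
    if len(value) < MIN_BLOB_LEN:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def score_request(req, known_get_paths):
    """Return the reasons a request resembles web shell traffic (empty list if none)."""
    reasons = []
    path = req["path"].lower()
    if req["method"] != "POST" or not path.endswith(SCRIPT_EXT):
        return reasons
    if path not in known_get_paths:
        reasons.append("POST to a script path never requested via GET")
    for field, values in parse_qs(req.get("body", "")).items():
        if any(looks_like_b64_payload(v) for v in values):
            reasons.append(f"Base64 blob in form field {field!r}")
    if not req.get("user_agent"):
        reasons.append("empty User-Agent")
    return reasons


def find_suspicious(requests):
    """Baseline the GET paths seen in the same log, then score every POST against it."""
    known = {r["path"].lower() for r in requests if r["method"] == "GET"}
    hits = []
    for r in requests:
        reasons = score_request(r, known)
        if reasons:
            hits.append((r["client"], r["path"], reasons))
    return hits


# Constructed sample traffic (not real log data); bodies are URL-encoded form fields.
ENCODED = base64.b64encode(b"Get-Process | Select-Object Name, Id | Sort-Object Name").decode()
SAMPLE_REQUESTS = [
    {"client": "10.0.0.5", "method": "GET", "path": "/portal/login.aspx", "user_agent": "Mozilla/5.0"},
    {"client": "10.0.0.5", "method": "POST", "path": "/portal/login.aspx", "user_agent": "Mozilla/5.0", "body": urlencode({"user": "alice", "pw": "hunter2"})},
    {"client": "203.0.113.9", "method": "POST", "path": "/images/cache.aspx", "user_agent": "", "body": urlencode({"cmd": ENCODED})},
]
```

Each reason is weak on its own; treating the combination as the alert, and baselining against a longer window of normal traffic, keeps the false-positive rate workable.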
FAQs
Who is Weaver Ant?
Weaver Ant is a Chinese state-sponsored threat actor known for cyber espionage. They recently infiltrated an Asian telecom provider and remained undetected for over four years.
How did they gain access?
The attackers exploited a misconfigured public-facing application and installed encrypted web shells for persistent access.
What is INMemory?
INMemory is a newly discovered web shell that executes code entirely in memory, leaving minimal forensic evidence.
What data did the attackers target?
They targeted sensitive systems, including Active Directory and email servers, seeking to identify privileged accounts and maintain long-term surveillance.
Are these attacks linked to China?
Yes, based on tool usage, working hours, and targeting patterns, Sygnia attributes the campaign to a China-nexus cyber espionage group.
What tools did they use?
Besides INMemory and China Chopper, the attackers used PowerShell automation, HTTP tunneling, AMSI evasion, and an Outlook-based backdoor.