China Chopper

Malware updated a month ago (2024-10-17T13:04:38.835Z)

Download STIX

Preview STIX

China Chopper is a notorious malware, a harmful program designed to exploit and damage computer systems. It has been primarily used by the threat actor group BRONZE UNION to establish connections to China Chopper web shells on compromised servers, as seen in multiple instances where its code was found embedded in various web shells on SharePoint servers. The malware's functionality allows attackers remote access and control over the infected servers, enabling them to disrupt operations, steal personal information, or hold data for ransom. Researchers at Kaspersky discovered a new variant of the China Chopper web shell in June 2024. This onslaught was detected on a public web server hosting Umbraco, an open-source content management system. The discovery prompted further investigation into Tropic Trooper due to recurring detections of the China Chopper web shell. The new variant resembled the known functionalities associated with China Chopper, indicating an evolution of this popular web shell used by attackers. The use of China Chopper has been linked to several Chinese Advanced Persistent Threat (APT) groups, including ToddyCat, which was reported by Kaspersky in 2022 to have utilized two sophisticated new malware tools dubbed Samurai and Ninja to distribute China Chopper. These attacks primarily targeted victims in Asia and Europe. Furthermore, the Unit 42 researchers noted that the attacks generally paralleled Chinese office hours and employed tools typically used by Chinese APT groups, including Gh0st RAT, PlugX, Htran, and China Chopper. Despite these links, direct governmental involvement remains unconfirmed.

Description last updated: 2024-10-17T12:15:16.054Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
BlackMould is a possible alias for China Chopper. BlackMould is a type of malware, specifically a native web shell, that has been observed in use by GALLIUM, a China-aligned intrusion group. This malicious software is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites without t	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Web Shell

Windows

Apt

Malware

Exploit

Webshell

Vpn

Payload

Microsoft

China

Chinese

Exploits

Iis

Remote Code ...

Vulnerability

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The PingPull Malware is associated with China Chopper. PingPull is a malicious software (malware) developed by the Chinese nation-state group known as Alloy Taurus, also referred to as Gallium. The malware is designed to exploit and damage computer systems, with capabilities such as stealing personal information, disrupting operations, or holding data h	Unspecified	3
The ASPXSpy Malware is associated with China Chopper. ASPXSpy is a type of malware, specifically a web shell, that has been used by various threat actors to exploit and damage computer systems. The earliest deployment attempts date back to 2022 when this malicious software was deployed to multiple hosted websites. It's typically installed on vulnerable	Unspecified	3
The PlugX Malware is associated with China Chopper. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The HAFNIUM Threat Actor is associated with China Chopper. Hafnium, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cybersecurity threat. The group is known for exploiting vulnerabilities in software such as Microsoft Exchange Server and Zoho products. In 2021, Hafnium was actively exploiting a bug in the Microso	Unspecified	2
The Flax Typhoon Threat Actor is associated with China Chopper. Flax Typhoon is a threat actor reportedly linked to China that has been actively targeting Taiwan, as well as other regions globally. This group, also known by aliases such as RedJuliett and Ethereal Panda, has been implicated in cyberespionage activities against critical infrastructure entities, go	Unspecified	2
The GALLIUM Threat Actor is associated with China Chopper. Gallium, also known as Alloy Taurus, is a threat actor group that has been associated with significant cyber-espionage campaigns and is believed to have ties with China. The group has been linked to multiple intrusion sets targeting network devices, including routers and servers. Gallium notably tar	Unspecified	2
The Regeorg Threat Actor is associated with China Chopper. Regeorg is a threat actor known for its malicious activities, primarily involving the use of ReGeorg or Neo-reGeorg to set up a proxy and tunnel network traffic following the compromise of a victim website. This group also employs ProxyChains to run Nmap within the compromised network. In one instan	Unspecified	2

Source Document References

Information about the China Chopper Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	3 months ago	Chinese 'Tropic Trooper' APT Targets Mideast Governments
Securelist	3 months ago	New malicious web shell from the Tropic Trooper group is found in the Middle East
BankInfoSecurity	6 months ago	Active Chinese Cyberespionage Campaign Rifling Email Servers
DARKReading	6 months ago	China APT Stole Geopolitical Secrets From Middle East, Africa & Asia
Checkpoint	7 months ago	29th April – Threat Intelligence Report - Check Point Research
DARKReading	7 months ago	ToddyCat APT Is Stealing Data on 'Industrial Scale'
CERT-EU	10 months ago	Cyber Security Week In Review: January 12, 2024
CERT-EU	10 months ago	SecurityScorecard Threat Research : Volt Typhoon Compromises 30% of Cisco RV320/325 Devices in 37 Days – Global Security Mag Online
MITRE	a year ago	Analyzing Attacker Behavior Post-Exploitation of MS Exchange \| Rapid7 Blog
CERT-EU	a year ago	Cyber Security Week in Review: September 29, 2023
CERT-EU	a year ago	China-Linked Budworm Targeting Middle Eastern Telco and Asian Government Agencies
CERT-EU	a year ago	Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
CERT-EU	a year ago	New Report Uncovers 3 Distinct Clusters of China-Nexus Attacks on Southeast Asian Government
Securityaffairs	a year ago	Is Gelsemium APT behind an attack in Southeast Asian Govt?
Unit42	a year ago	Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus
Unit42	a year ago	Unit 42 Researchers Discover Multiple Espionage Operations Targeting Southeast Asian Government
CERT-EU	a year ago	My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
CERT-EU	a year ago	Flax Typhoon Adopts Living-of-the-Land Binaries
CERT-EU	a year ago	Taiwanese infosec crew challenges Microsoft’s China findings
BankInfoSecurity	a year ago	Chinese State Hackers 'Flax Typhoon' Targeting Taiwan