China Chopper

Malware updated 15 hours ago (2024-10-17T13:04:38.835Z)
China Chopper is a notorious web shell, a harmful program designed to exploit and damage computer systems by giving attackers remote access to compromised web servers. It has been used primarily by the threat actor group BRONZE UNION to establish connections to China Chopper web shells on compromised servers; in multiple instances its code was found embedded in various web shells on SharePoint servers. This remote access and control over infected servers lets attackers disrupt operations, steal personal information, or hold data for ransom. Researchers at Kaspersky discovered a new variant of the China Chopper web shell in June 2024, detected on a public web server hosting Umbraco, an open-source content management system. The discovery prompted further investigation into Tropic Trooper because of recurring detections of the China Chopper web shell. The new variant shared the known functionality of China Chopper, indicating an evolution of this popular web shell. The use of China Chopper has been linked to several Chinese Advanced Persistent Threat (APT) groups, including ToddyCat, which Kaspersky reported in 2022 to have used two sophisticated new malware tools, dubbed Samurai and Ninja, to distribute China Chopper. These attacks primarily targeted victims in Asia and Europe. Unit 42 researchers further noted that the attacks generally paralleled Chinese office hours and employed tools typically used by Chinese APT groups, including Gh0st RAT, PlugX, Htran, and China Chopper. Despite these links, direct governmental involvement remains unconfirmed.
Description last updated: 2024-10-17T12:15:16.054Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias | Description | Votes
BlackMould | BlackMould is a possible alias for China Chopper. BlackMould is a type of malware, specifically a native web shell, that has been observed in use by GALLIUM, a China-aligned intrusion group. This malicious software is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites without t | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Web Shell
Windows
Apt
Malware
Exploit
Webshell
Vpn
Payload
Microsoft
China
Chinese
Exploits
Iis
Remote Code ...
Vulnerability
Associated Malware
Alias | Description | Association Type | Votes
PingPull | The PingPull Malware is associated with China Chopper. PingPull is a malicious software (malware) developed by the Chinese nation-state group known as Alloy Taurus, also referred to as Gallium. The malware is designed to exploit and damage computer systems, with capabilities such as stealing personal information, disrupting operations, or holding data h | Unspecified | 3
ASPXSpy | The ASPXSpy Malware is associated with China Chopper. ASPXSpy is a type of malware, specifically a web shell, that has been used by various threat actors to exploit and damage computer systems. The earliest deployment attempts date back to 2022 when this malicious software was deployed to multiple hosted websites. It's typically installed on vulnerable | Unspecified | 3
PlugX | The PlugX Malware is associated with China Chopper. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
HAFNIUM | The HAFNIUM Threat Actor is associated with China Chopper. Hafnium, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cybersecurity threat. The group is known for exploiting vulnerabilities in software such as Microsoft Exchange Server and Zoho products. In 2021, Hafnium was actively exploiting a bug in the Micros | Unspecified | 2
Flax Typhoon | The Flax Typhoon Threat Actor is associated with China Chopper. Flax Typhoon, also known as RedJuliett and Ethereal Panda, is a threat actor linked to China that has been actively targeting entities in Taiwan and around the South China Sea. The group's activities have primarily focused on organizations associated with IT, military, and government interests. Over | Unspecified | 2
GALLIUM | The GALLIUM Threat Actor is associated with China Chopper. Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas | Unspecified | 2
Regeorg | The Regeorg Threat Actor is associated with China Chopper. Regeorg is a threat actor known for its malicious activities in the cyber landscape. Notably, operators of LuckyMouse initiated an attack by dropping the Nbtscan tool in C:\programdata\, followed by installing a variant of the ReGeorg webshell and issuing a GET request using curl. They then tried to | Unspecified | 2
Source Document References
Information about the China Chopper malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created
DARKReading | a month ago
Securelist | a month ago
BankInfoSecurity | 5 months ago
DARKReading | 5 months ago
Checkpoint | 6 months ago
DARKReading | 6 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
MITRE | 10 months ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
Securityaffairs | a year ago
Unit42 | a year ago
Unit42 | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
BankInfoSecurity | a year ago