
Chinese Hackers Lurked in Asian Telecom Network for 4+ Years, Report Shows

The threat actor, identified as "Weaver Ant," focused on gathering sensitive information while utilizing specialized web shell scripts to maintain covert access channels to compromised servers.

  • A China-based threat actor dubbed “Weaver Ant” maintained unauthorized access to an Asian telecom company’s network for over four years, according to cybersecurity firm Sygnia.
  • The attackers utilized web shell scripts, including a variant of China Chopper, to create hidden communication channels and maintain persistent access while evading detection mechanisms.
  • This report aligns with recent assessments from CrowdStrike and Mandiant noting increased cyber espionage activities from China-nexus groups targeting strategic industries.

Cybersecurity researchers have discovered a sophisticated China-based hacking operation that infiltrated and remained hidden within an Asian telecommunications provider’s systems for more than four years. The threat actor, identified as “Weaver Ant,” focused on gathering sensitive information while utilizing specialized web shell scripts to maintain covert access channels to compromised servers.

According to a report published Monday by cybersecurity firm Sygnia, the China-nexus threat actor maintained a persistent presence in the unnamed telecom company despite multiple attempts to remove them from the network.

The investigation revealed that Weaver Ant operated primarily during regular working hours in the GMT +8 time zone, avoiding weekends and holidays, a pattern consistent with state-sponsored operations. These hackers focused on specific industries and geographic regions aligned with China’s strategic interests.

Sygnia’s security team discovered the intrusion after receiving alerts about suspicious activities from a previously disabled profile. This profile was located on a server that had not been previously identified as compromised and had been reactivated through a service account—an automated, privileged profile designed to perform background system tasks.

The attackers deployed malicious web shell scripts onto target servers, establishing command-and-control capabilities that allowed remote server management through text-based interfaces. These web shells created discreet communication tunnels between the threat actors and the compromised systems.

Two primary web shells were identified during the investigation. The first was a variant of China Chopper, which Mandiant had previously dubbed “a slick little web shell that does not get enough exposure and credit for its stealth.” The second, named “INMemory” by Sygnia, had no previous public references and enabled in-memory execution of malicious modules, making it particularly difficult to detect.

“The text-based payload is so simple and short that an attacker could type it by hand right on the target server—no file transfer needed,” explained the Google subsidiary Mandiant in its analysis of China Chopper.

The investigation uncovered dozens of similar web shells throughout the network, indicating an extensive and sophisticated operation focused on maintaining persistent access. The attackers used these tools not only to control compromised systems but also to move laterally across the network through what Sygnia described as an “intricate tunneling process.”

Weaver Ant employed clever evasion techniques, such as strategically placing keywords like “password,” “key,” and “pass” in their communications. These keywords triggered automatic redaction functions in the network’s firewall, making the stolen data difficult to monitor or analyze. The character limit on the affected network’s firewall solution further complicated Sygnia’s efforts to determine exactly what information had been compromised.
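A defender-side hunt for the keyword trick described above, as an added example that is not from Sygnia's report or this article: it flags request parameters that carry a credential-style name but a value far too long to be a credential. It assumes request bodies are available from a source upstream of the firewall's redaction (for example a web server or sensor capture); the record layout, paths and the 128-character ceiling are assumptions, and the sample records are constructed.

```python
import math
from collections import Counter
from urllib.parse import parse_qsl

SENSITIVE = ("password", "pass", "key")  # keywords named in the article
MAX_PLAUSIBLE_LEN = 128                   # assumed ceiling for a real credential


def entropy(value):
    """Shannon entropy in bits per character (triage hint, not a verdict)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def suspicious_params(body):
    """Return (name, length, entropy) for credential-named fields that are
    too long to plausibly hold a credential."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        named_like_secret = any(k in name.lower() for k in SENSITIVE)
        if named_like_secret and len(value) > MAX_PLAUSIBLE_LEN:
            hits.append((name, len(value), round(entropy(value), 2)))
    return hits


def hunt(records):
    """Return (timestamp, path, hits) for every record with at least one hit."""
    findings = []
    for rec in records:
        hits = suspicious_params(rec["body"])
        if hits:
            findings.append((rec["ts"], rec["path"], hits))
    return findings


# Constructed sample records (form-encoded POST bodies); not real traffic.
SAMPLE = [
    {"ts": "2025-01-06T10:14:02+08:00", "path": "/login.aspx",
     "body": "user=alice&password=Tr0ub4dor%263"},
    {"ts": "2025-01-06T10:15:40+08:00", "path": "/static/help.aspx",
     "body": "password=" + "QUJDREVGR0hJSktMTU5PUA" * 40},
    {"ts": "2025-01-06T10:16:11+08:00", "path": "/api/search",
     "body": "q=" + "a" * 500},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

The ordinary login and the long but innocuously named search field pass; only the oversized `password` field sent to a page that is not a login form is reported.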

This report follows recent assessments by cyber defense firms CrowdStrike and Mandiant, both highlighting increased activity from China-nexus groups leveraging artificial intelligence and targeting outdated network infrastructure to gain unauthorized access to sensitive information.

The report notes that Weaver Ant specifically targeted compromised Zyxel CPE routers, which are commonly used by Southeast Asian telecommunications providers and manufactured in Taiwan. The group also utilized backdoors previously associated with Chinese advanced persistent threat (APT) actors identified by Cybereason and TrendMicro.

Despite Sygnia’s intervention and multiple eradication attempts, the threat actor has proven highly resilient. “The monitoring efforts proved effective—Weaver Ant were detected attempting to regain access to the victim’s network,” the report states. “Sygnia has been closely tracking and investigating their renewed activity.”

Sygnia plans to release a follow-up report detailing the hacker group’s upgraded tactics and tools as they continue to monitor this persistent threat.
