China-Linked APT Weaver Ant's Four-Year Infiltration of Asian Telco Network

TL;DR

The China-linked APT group Weaver Ant infiltrated an Asian telecom provider’s network for over four years, employing advanced evasion techniques and web shells for persistent access and data exfiltration. The group’s activities, detailed in a report by Sygnia, align with state-sponsored cyber espionage objectives, focusing on network intelligence and credential harvesting.

China-Linked APT Weaver Ant’s Four-Year Infiltration of Asian Telco Network

Unveiling the Four-Year Infiltration

The China-linked threat actor, Weaver Ant, successfully infiltrated the network of an Asian telecom provider for over four years. This prolonged breach was uncovered during a forensic investigation by Sygnia researchers, who detected multiple alerts indicating a re-enabled threat actor account by a service account from an unidentified server. Further analysis revealed a China Chopper web shell on an internal server, which had been compromised for years. This discovery led to the identification of Weaver Ant’s activities, a group known for using web shells to maintain persistence, execute remote code, and move laterally through tunneling¹.

Advanced Evasion Techniques

Web Shells and Encryption

Sygnia experts detected multiple web shells, including a previously unknown variant dubbed “INMemory.” The China Chopper web shell, originally developed by Chinese threat actors, enables remote access and control over compromised web servers. This tool facilitates persistent access, command execution, and data exfiltration.

The encrypted variant of the China Chopper web shell employed AES encryption to evade detection by Web Application Firewalls (WAFs). Deployed on externally facing servers using ASPX and PHP, this encryption allowed the attackers to bypass automated detection mechanisms, making forensic analysis challenging².

Payload Obfuscation and Detection Evasion

The attackers used specific keywords like “password” and “key” in the payload, which WAFs typically redact in logs, obscuring the malicious content. Additionally, the transmitted payload often exceeded the character limits of logging mechanisms, resulting in truncated data that made full forensic reconstruction difficult. These strategies ensured stealthy, persistent access to compromised systems³.

INMemory Web Shell

The INMemory web shell allows attackers to execute malicious modules in memory, avoiding disk-based detection. It decodes a hardcoded GZipped Base64 string into a PE file, ‘eval.dll,’ and executes it dynamically. The web shell obfuscates code using Base64-encoded strings and validates HTTP request headers via SHA256 hash comparison. If a match is found, it encodes the payload in Base64 and UTF-8 before executing it using ‘JScriptEvaluate,’ leveraging the JScript library for dynamic execution. This technique enhances stealth by preventing forensic analysis and signature-based detection, allowing attackers to persist undetected in compromised environments⁴.

HTTP Tunneling for Lateral Movement

One notable tool used by Weaver Ant was a recursive HTTP tunnel, enabling web shell tunneling for lateral movement. This method leveraged compromised web servers as proxies to relay HTTP/S traffic, accessing internal resources without deploying additional tools. By dynamically constructing and executing cURL commands, the tunneling mechanism allowed the attacker to navigate segmented networks stealthily. Since communication occurred over expected web traffic, it blended in with legitimate activity, making detection difficult while facilitating command and control across compromised environments⁵.

Payload Deployment and Persistence

Weaver Ant deployed multiple payloads to evade detection, maintain persistence, and expand access within compromised networks. They patched the Event Tracing for Windows (ETW) to suppress event logs and bypassed the Antimalware Scan Interface (AMSI) by modifying ‘amsi.dll’, allowing malicious PowerShell execution. They also ran PowerShell commands via ‘System.Management.Automation.dll’ without using PowerShell.exe, avoiding detection. For lateral movement, they leveraged SMB with NTLM hashes, deploying additional web shells and extracting credentials from IIS configuration files⁶.

Reconnaissance and Enumeration

As part of its reconnaissance efforts, Weaver Ant executed various ‘Invoke-SharpView’ commands against multiple Domain Controllers within the same Active Directory (AD) Forest. These commands included:

• ‘Get-DomainUserEvent’
• ‘Get-DomainSubnet’
• ‘Get-DomainUser’
• ‘Get-NetSession’

The primary objective was to enumerate the compromised Active Directory environment to identify high-privilege accounts and critical servers and add them to their target bank⁷.

Nation-State Espionage Objectives

Sygnia researchers believe Weaver Ant is a nation-state actor specializing in long-term network access for cyber espionage. The group focuses on network intelligence, credential harvesting, and persistent access to telecom infrastructure, aligning with state-sponsored espionage objectives. Sygnia attributes its activities to China based on the use of Zyxel routers operated by Southeast Asian telecommunication providers, backdoors linked to Chinese groups, and operations during GMT +8 business hours⁸.

Follow for More Updates

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

SecurityAffairs – hacking, China

For more details, visit the full article: source

Conclusion

The four-year infiltration of an Asian telecom provider’s network by the China-linked APT group Weaver Ant highlights the advanced tactics and persistent nature of state-sponsored cyber espionage. The group’s use of web shells, encryption, and evasion techniques underscores the need for robust cybersecurity measures to detect and mitigate such threats. As cyber espionage continues to evolve, staying informed about the latest tactics and tools used by threat actors is crucial for defending against future attacks.

References

1. Sygnia (2025). “Weaver Ant Tracking a China-Nexus Cyber Espionage Operation”. Sygnia. Retrieved 2025-03-24. ↩︎

2. Security Affairs (2025). “Chinese APT Flax Typhoon Targets Taiwan”. Security Affairs. Retrieved 2025-03-24. ↩︎

3. Sygnia (2025). “Weaver Ant Tracking a China-Nexus Cyber Espionage Operation”. Sygnia. Retrieved 2025-03-24. ↩︎

4. Sygnia (2025). “Weaver Ant Tracking a China-Nexus Cyber Espionage Operation”. Sygnia. Retrieved 2025-03-24. ↩︎

5. Sygnia (2025). “Weaver Ant Tracking a China-Nexus Cyber Espionage Operation”. Sygnia. Retrieved 2025-03-24. ↩︎

6. Sygnia (2025). “Weaver Ant Tracking a China-Nexus Cyber Espionage Operation”. Sygnia. Retrieved 2025-03-24. ↩︎

7. Sygnia (2025). “Weaver Ant Tracking a China-Nexus Cyber Espionage Operation”. Sygnia. Retrieved 2025-03-24. ↩︎

8. Sygnia (2025). “Weaver Ant Tracking a China-Nexus Cyber Espionage Operation”. Sygnia. Retrieved 2025-03-24. ↩︎