A long-running cyber espionage campaign targeting a major Asian telecom provider has been uncovered, revealing the sophisticated use of web shells to steal sensitive data over several years. According to a detailed investigation by Israeli cybersecurity firm Sygnia, the threat actor, identified as Weaver Ant, employed a series of covert techniques to infiltrate the network and maintain access without detection.
The attack was carried out using minimal, highly effective web shells—malicious scripts inserted into compromised web servers that enabled the attacker to maintain a persistent presence within the network. Notably, two primary tools were employed: the encrypted China Chopper web shell and a custom-designed variant named “INMemory.” The latter is particularly alarming as it operates entirely in memory, without a trace on the disk, making detection by traditional security systems extremely difficult.
The China Chopper shell, originally developed by Chinese cyber groups, is notorious for its ability to manage files, execute commands, and exfiltrate data. In this case, the shell’s functionality was extended with subtle evasive techniques, such as using seemingly benign keywords like “password” and “key” to disguise malicious commands. Together, these tools allowed the attackers to not only execute remote code but also move laterally within the network, bypassing traditional perimeter defenses.
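Because an in-memory shell like the one described leaves nothing on disk to scan, defenders are left with request telemetry. The following added example (not code from Sygnia or from the report) shows one heuristic over constructed web-server request records: it flags POST requests whose "password" or "key" parameters arrive at endpoints that do not normally authenticate users, or whose values look like opaque encoded payloads rather than credentials. The record layout, the endpoint allowlist and the thresholds are assumptions to be tuned per site.

```python
import math
from collections import Counter

# Constructed sample of web-server request records (hypothetical; not taken from
# the Sygnia investigation). In practice these come from IIS/Apache logs or a WAF.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "method": "POST", "path": "/owa/auth/logon.aspx",
     "params": {"username": "jdoe", "password": "Winter2025!"}},
    {"src": "203.0.113.5", "method": "GET", "path": "/images/helper.aspx", "params": {}},
    {"src": "203.0.113.5", "method": "POST", "path": "/images/helper.aspx",
     "params": {"password": "k7Qx2Lp9Rm4Ws8Tv1Zy3Bn6Hc0Jd5Fg8Ka2Pe7Ui4Oq9Xw1Mz"}},
    {"src": "203.0.113.9", "method": "POST", "path": "/aspnet_client/sys.aspx",
     "params": {"key": "abc123"}},
]

# Parameter names the report says were used to make shell traffic look benign.
DISGUISE_NAMES = {"password", "key"}
# Endpoints where a "password" parameter is legitimately expected (site specific;
# hypothetical values).
KNOWN_AUTH_PATHS = {"/owa/auth/logon.aspx"}
MIN_LEN, MIN_ENTROPY = 32, 4.0  # assumed thresholds for "opaque payload"

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted payloads score well above plain text."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def score_request(rec: dict) -> list[str]:
    """Return the reasons a request looks like disguised web shell traffic."""
    reasons = []
    if rec["method"] != "POST":
        return reasons
    for name, value in rec["params"].items():
        if name.lower() not in DISGUISE_NAMES:
            continue
        if rec["path"] not in KNOWN_AUTH_PATHS:
            reasons.append(f"'{name}' parameter posted to non-auth path {rec['path']}")
        if len(value) >= MIN_LEN and shannon_entropy(value) >= MIN_ENTROPY:
            reasons.append(f"'{name}' value is long and high-entropy ({shannon_entropy(value):.2f} bits)")
    return reasons

def find_suspicious(records: list[dict]) -> dict[str, list[str]]:
    """Map 'src path' to the reasons for every flagged request."""
    flagged = {}
    for rec in records:
        why = score_request(rec)
        if why:
            flagged[f"{rec['src']} {rec['path']}"] = why
    return flagged

if __name__ == "__main__":
    for key, why in find_suspicious(SAMPLE_REQUESTS).items():
        print(key, "->", "; ".join(why))
```

A hit on a static-content path with a high-entropy "password" value is a strong pivot point for pulling the web server's process telemetry for that time window.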
The stealthy nature of this operation is further exemplified by the attackers’ ability to go undetected for years, conducting their activities with minimal traces. The investigation revealed that the cybercriminals had managed to sustain access for over four years, indicating a high level of persistence and sophistication.
While Sygnia’s report stops short of naming the affected telecom provider, it is clear that the use of web shells is a growing trend among state-sponsored Chinese threat actors, and similar tactics have been seen in other major incidents.
As this attack demonstrates, the evolving tactics of cyber adversaries make it crucial for organizations to adopt robust, proactive defense strategies to detect and mitigate such advanced threats.