Sygnia uncovered a prolonged cyber-espionage campaign against a major Asian telecom provider, attributed to a China-nexus APT group it dubbed Weaver Ant. The group kept stealthy, long-term access to the network for more than four years using tradecraft built around web shells, notably an AES-encrypted variant of China Chopper and a novel web shell called INMemory. These gave the operators remote code execution and a foothold for lateral movement, while payload encryption, obfuscation, and in-memory module execution kept the activity away from signature-based detection. Weaver Ant also relied on web shell tunneling: publicly exposed web servers were used to relay HTTP traffic into the internal network, reaching systems that were not directly internet-facing.
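The tunneling pattern described above leaves a correlatable trace: an inbound POST from the internet to a server-side script, followed almost immediately by the web server process itself opening an HTTP connection to an internal host. The following triage check is an added example written for this page, not code from Sygnia or from the report; the IIS log excerpt, the Sysmon-style connection events, the process list and the backend allow-list are all constructed, and the three-second window is an assumed tuning value.

```python
"""Triage check for web shell tunneling: an inbound POST from the internet to a
server-side script, followed within a few seconds by the web server process
opening an HTTP connection to an internal host.  Added example with constructed
data; not code from the Sygnia report."""
import ipaddress
from datetime import datetime, timedelta

# RFC1918 ranges count as "internal".  The constructed external clients below use
# documentation ranges (203.0.113.0/24, 198.51.100.0/24), which ipaddress marks
# as private, so we check RFC1918 membership explicitly instead of is_private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp", ".jsp", ".php")
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
KNOWN_BACKENDS = {"10.0.0.30"}      # constructed allow-list: hosts the front end legitimately proxies to
WINDOW = timedelta(seconds=3)       # assumed correlation window

# Constructed IIS W3C log excerpt.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-01 10:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 200
2024-05-01 10:00:07 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2024-05-01 10:00:12 10.0.0.5 POST /assets/help.aspx - 443 - 198.51.100.9 Mozilla/5.0 200
2024-05-01 10:05:00 10.0.0.5 POST /api/upload.ashx - 443 - 10.0.1.20 curl/8.0 200
"""

# Constructed outbound connection events (Sysmon Event ID 3 style, reduced to
# the fields the check uses).
NET_EVENTS = [
    {"time": "2024-05-01 10:00:07", "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "dst": "10.0.0.30", "dport": 443},
    {"time": "2024-05-01 10:00:13", "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "dst": "10.0.2.15", "dport": 80},
    {"time": "2024-05-01 10:00:30", "image": r"C:\Windows\System32\svchost.exe", "dst": "10.0.0.1", "dport": 53},
    {"time": "2024-05-01 10:05:01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "dst": "10.0.3.40", "dport": 80},
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_iis(text):
    """Turn a W3C-format IIS log into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_tunneling(iis_text, net_events, window=WINDOW):
    """One finding per (internet-sourced POST to a script, internal connection by
    the web server process inside the window) pair, minus allow-listed backends."""
    conns = [(_t(e["time"]), e) for e in net_events]
    findings = []
    for r in parse_iis(iis_text):
        if r["cs-method"] != "POST" or not r["cs-uri-stem"].lower().endswith(SCRIPT_EXTS):
            continue
        if is_internal(r["c-ip"]):          # only internet-sourced requests matter here
            continue
        t_req = _t(f"{r['date']} {r['time']}")
        for t_conn, e in conns:
            proc = e["image"].rsplit("\\", 1)[-1].lower()
            if proc not in WEB_SERVER_IMAGES or not t_req <= t_conn <= t_req + window:
                continue
            if not is_internal(e["dst"]) or e["dst"] in KNOWN_BACKENDS:
                continue
            findings.append({"request_time": r["time"], "client": r["c-ip"], "uri": r["cs-uri-stem"],
                             "process": proc, "internal_dst": f"{e['dst']}:{e['dport']}"})
    return findings


if __name__ == "__main__":
    for f in find_tunneling(IIS_LOG, NET_EVENTS):
        print(f)
```

In the constructed data only the POST to /assets/help.aspx is reported: the OWA logon POST is followed by a connection to an allow-listed backend, and the upload.ashx POST comes from an internal client. The allow-list is the important caveat: reverse proxies and front-end servers legitimately connect to backends after a POST, so this check is only useful once the normal backend set has been baselined; anything outside that set, especially a web server process talking HTTP to an arbitrary internal address right after an external POST to a script, is what a tunneled web shell looks like.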
Beyond initial access, Weaver Ant showed mature tradecraft in persistence, evasion, and lateral movement: recursive HTTP tunnels (tunnels chained through already-tunneled hosts), ETW patching, AMSI bypass, and PowerShell execution without launching PowerShell.exe. For reconnaissance and data exfiltration it used Invoke-SharpView, Invoke-SMBClient, and custom PowerShell ZIP functions, typically staging results under C:\ProgramData. It also harvested credentials from configuration files and pivoted between telecom providers through compromised routers in Southeast Asia.
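PowerShell run without PowerShell.exe still has to load the PowerShell engine assembly, so image-load telemetry is one way to hunt for it. The check below is an added example for this page, not code from Sygnia or the report: the events are constructed in the shape of Sysmon Event ID 7 records, the DLL paths are illustrative, and the allow-list of legitimate non-PowerShell hosts (here, the WinRM provider host) is an assumption to be replaced by a baseline from the environment.

```python
"""Hunt for PowerShell hosted outside powershell.exe: any process that is not a
known PowerShell host loading the PowerShell engine assembly.  Added example with
constructed image-load events (Sysmon Event ID 7 style); not code from the
Sygnia report, and the file paths are illustrative."""

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Constructed allow-list: legitimate non-PowerShell hosts seen in this environment.
# Build this from a baseline of your own telemetry, not from guesses.
KNOWN_HOSTS = {"wsmprovhost.exe"}
ENGINE_DLLS = ("system.management.automation.dll", "system.management.automation.ni.dll")

# Constructed events: process image and the module it loaded.
IMAGE_LOADS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "loaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    {"pid": 5512, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "loaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management.Automation.ni.dll"},
    {"pid": 6020, "image": r"C:\Windows\System32\wsmprovhost.exe",
     "loaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    {"pid": 5512, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_unmanaged_powershell(events):
    """Return (pid, image) for processes that load the PowerShell engine but are
    neither PowerShell hosts nor on the allow-list, de-duplicated per process."""
    hits = []
    for e in events:
        if basename(e["loaded"]) not in ENGINE_DLLS:
            continue
        host = basename(e["image"])
        if host in POWERSHELL_HOSTS or host in KNOWN_HOSTS:
            continue
        key = (e["pid"], e["image"])
        if key not in hits:
            hits.append(key)
    return hits


if __name__ == "__main__":
    for pid, image in find_unmanaged_powershell(IMAGE_LOADS):
        print(f"engine loaded by non-PowerShell host: pid={pid} image={image}")
```

In the constructed data the only hit is the IIS worker process w3wp.exe, which is exactly how a web shell that drives PowerShell in-process appears. Image-load events come from the kernel-side sensor rather than from the monitored process, so they remain usable even when that process has patched ETW and PowerShell's own script block logging from it can no longer be trusted.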