
Is China Chopper Still Active After a Decade


First discovered nine years ago, the China Chopper tool has been used by various hacker groups. Read on to find out whether this hacking tool is still in use by malicious hackers.

First discovered nine years ago, the China Chopper tool has been used by various hacker groups associated with Chinese state-backed hacks. According to new research from Cisco’s Security and Intelligence Research Group, Talos, the tool has made a comeback. It was used in the massive ‘Operation Soft Cell’ attack campaign against telecommunication providers.

New Findings
The China Chopper tool remains in active use nine years after its discovery.

Several new instances of attack campaigns that make use of China Chopper have come to light in the past two years. Various threat actor groups have been found using the web shell to launch different cyberespionage campaigns, including the ‘Operation Soft Cell’ campaign carried out against telecommunication providers. Researchers note that the use of China Chopper in that massive campaign indicates the tool is still active and popular among cybercriminals nine years after its discovery.

About China Chopper
China Chopper is a web shell that allows malicious actors to remotely control a target system. A web shell is a script placed on a server running a web application that lets attackers access that server remotely. This particular web shell is known for frequently evading detection.

According to researchers from Cisco Talos, it uses a “client-side application that contains all the logic required to control the target.” The tool has been used by state-sponsored actors such as Leviathan and Threat Group-3390.
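Because the controlling logic lives in the client, the server-side component of a web shell is typically a small script that only ever receives POST requests, often from a single source and with none of the referer or browser headers a normal user session carries. The following is an added example (not code from the article or from Cisco Talos) of a generic log-based check a defender can run over a web server's access log to surface that pattern. The log lines are constructed, the "upload" directory names are an assumption about a typical deployment, and the heuristics are general web shell traffic indicators rather than a signature for China Chopper specifically.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined log format (not real data).
# One client repeatedly POSTs to a script sitting in an upload directory with
# no referer and no user-agent; the rest is ordinary browsing and a login form.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2019:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Sep/2019:10:01:05 +0000] "GET /images/logo.png HTTP/1.1" 200 811 "http://example.test/index.php" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2019:10:02:10 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 412 "-" "-"
203.0.113.7 - - [10/Sep/2019:10:02:11 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 9814 "-" "-"
203.0.113.7 - - [10/Sep/2019:10:02:15 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 633 "-" "-"
10.0.0.9 - - [10/Sep/2019:10:03:00 +0000] "POST /login.php HTTP/1.1" 302 0 "http://example.test/login.php" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Server-side script extensions that a web shell would need in order to execute.
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp", ".jspx", ".cfm")
# Assumption: directories that should hold only static/uploaded content, never scripts.
WRITABLE_DIRS = ("/uploads/", "/images/", "/tmp/", "/files/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_request(req):
    """Return the list of reasons a single request looks like web shell traffic."""
    reasons = []
    path = req["path"].split("?", 1)[0].lower()
    # Only POSTs to server-side scripts are of interest; everything else is ignored.
    if req["method"] != "POST" or not path.endswith(SCRIPT_EXT):
        return reasons
    if any(d in path for d in WRITABLE_DIRS):
        reasons.append("POST to script in upload/static directory")
    if req["referer"] in ("-", ""):
        reasons.append("POST with no referer")
    if req["ua"] in ("-", ""):
        reasons.append("empty user-agent")
    return reasons


def find_suspects(log_text, min_hits=2):
    """Group flagged requests by (client ip, path); keep pairs seen at least min_hits times.

    Returns {(ip, path): {"count": n, "reasons": set_of_reasons}}.
    """
    hits = defaultdict(lambda: {"count": 0, "reasons": set()})
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue  # skip lines that are not in the expected format
        reasons = score_request(req)
        if reasons:
            entry = hits[(req["ip"], req["path"])]
            entry["count"] += 1
            entry["reasons"].update(reasons)
    return {key: val for key, val in hits.items() if val["count"] >= min_hits}


if __name__ == "__main__":
    for (ip, path), info in find_suspects(SAMPLE_LOG).items():
        print(f"{ip} -> {path}: {info['count']} requests; {', '.join(sorted(info['reasons']))}")
```

The login form POST is deliberately included as a benign control: it carries a referer and a user-agent and does not sit in an upload directory, so it scores nothing. In practice the directory list and the hit threshold should be tuned to the site, and a flagged path should be followed up by checking whether the file is legitimately part of the deployed application.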

“China Chopper is a slick little web shell that does not get enough exposure and credit for its stealth,” FireEye researchers wrote in 2013 in their blog on the matter.

Espionage Incidents
Despite the web shell’s stealth, China Chopper’s use has been exposed multiple times over the past several years, and various espionage campaigns have been linked to it. Cisco Talos researchers identified two such campaigns. The first involved an attack against an Asian government organization. Here, China Chopper was used in the internal network, installed on a few web servers that stored potentially confidential documents. The purpose of the attack was to obtain documents and database copies.

For the second campaign, the attackers had tried to deploy ransomware like Sodinokibi and GandCrab on vulnerable servers using China Chopper. In addition to ransomware, the tool was used by another threat actor group to execute a Monero miner. Several web-hosting providers were also compromised through the tool to install additional malware, conduct reconnaissance and pivot to other systems.

A Brief Conclusion
Although China Chopper is an old tool, it still finds a significant place in the attack tools used by threat actors. Researchers claim that the usage of the tool is likely to increase in the future.

