Listen to this Post
A recent report from cybersecurity firm Sygnia has revealed an extensive and highly covert cyber espionage operation attributed to Chinese state-sponsored hackers. The hackers, known as “Weaver Ant,” allegedly infiltrated a major telecommunications company in Asia, maintaining a persistent presence inside its systems for over four years. This report provides a chilling glimpse into the tactics, tools, and persistence of cyber espionage campaigns carried out by nation-state actors.
the Cyberattack
The telecom provider targeted in this breach has not been named, but Sygnia’s findings point to a prolonged attack that relied on stealthy methods to access sensitive telecommunications infrastructure. The cyberattack, tracked under the moniker “Weaver Ant,” is described as highly persistent and sophisticated, exploiting both known and unknown vulnerabilities.
The attackers are said to have initiated their intrusion by exploiting a publicly accessible application, which allowed them to deploy two web shells. These tools—one being a variant of China Chopper (a known tool used by Chinese hacker groups) and the other a new, undocumented tool called INMemory—enabled the hackers to maintain long-term access. INMemory, in particular, is designed to operate entirely within system memory, leaving no traces on disk, which made it harder to detect.
Once inside, the attackers leveraged a variety of methods to expand their reach within the network. This included using encrypted traffic and tunneling techniques to facilitate lateral movement across systems, as well as deploying recursive HTTP tunnel tools to bypass traditional detection mechanisms. The intrusion also involved the use of system-level exploits to evade security measures such as Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI), which helped the attackers avoid detection.
The attackers conducted detailed reconnaissance within the network, identifying high-privilege accounts and critical servers within the compromised Active Directory environment. These tactics, combined with the usage of tools like Outlook-based backdoors, suggest the operation was highly orchestrated and aimed at achieving long-term, undetected access to the telecom provider’s sensitive data.
Sygnia’s report ties the attack to Chinese cyber espionage groups due to various indicators, including the presence of the China Chopper web shell and the use of infrastructure like Operational Relay Boxes (ORB), which are typically associated with Chinese actors. Additionally, the group’s working hours and method of operation align with the modus operandi of other state-sponsored Chinese hacking campaigns.
What Undercode Says:
This attack reveals a disturbing trend in the world of cyber espionage, particularly with state-backed actors using advanced tools and highly persistent methods to infiltrate critical infrastructure. The tactics displayed by Weaver Ant are indicative of a well-funded, professional threat actor capable of maintaining long-term access without detection. This is not the first time that Chinese hacker groups have been linked to telecom sector intrusions, and the ability of these actors to continuously evolve their methods makes them a persistent and growing threat to global cybersecurity.
The fact that these hackers were able to adapt their techniques over time to evade detection highlights a key challenge for defenders. The reliance on sophisticated tools like the INMemory web shell and recursive HTTP tunnels demonstrates that these attackers are not just exploiting basic vulnerabilities but also using highly innovative approaches to remain undetected. The deployment of these tools, including encrypted traffic to obscure their movements, suggests an in-depth knowledge of how to manipulate network protocols to hide malicious activity.
From an analytical perspective, the continuous adaptation and evolution of tactics by state-sponsored groups like Weaver Ant underscore the increasing sophistication of cyber warfare. These hackers are not simply looking to breach a system and cause immediate disruption—they are focused on espionage, long-term infiltration, and stealth. This is a serious concern for both government and private sector entities, particularly in sectors where information about infrastructure and technology could be strategically valuable.
What is also clear from this operation is the high level of coordination within these state-sponsored cyber espionage campaigns. The shared use of tools, infrastructure, and sometimes even manpower between different Chinese hacker groups emphasizes the resources at their disposal. It is likely that this particular attack on the telecom provider was part of a broader strategy to gain access to critical telecommunications networks that could be leveraged for national intelligence gathering.
Fact Checker Results
- The breach was attributed to Chinese state-sponsored hackers based on common tactics, tools, and techniques identified in the attack.
- The use of China Chopper and other tools historically associated with Chinese hacker groups further supports the attribution.
- The telecom provider remains unnamed, but the detailed tactics and persistent nature of the attack are consistent with previous cyber espionage operations linked to China.
References:
Reported By: https://thehackernews.com/2025/03/chinese-hackers-breach-asian-telecom.html
Extra Source Hub:
https://www.github.com
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2





