
Weaver Ant APT’s Secret Cyber War on Telecoms Exposed


Cyber espionage campaigns targeting telecom networks are becoming alarmingly routine. The latest revelation comes from cybersecurity firm Sygnia, which uncovered an advanced persistent threat (APT) group known as Weaver Ant APT — a China-linked hacking group caught in the midst of a sophisticated, multiyear operation against a major Asian telecommunications provider.

Sygnia’s investigation sheds light on Weaver Ant’s stealthy and highly persistent attack methods, which revolved around long-term access to sensitive telecom infrastructure — a goldmine for cyber-espionage efforts.

How Weaver Ant APT Infiltrated Telecom Networks

The incident came to light during a separate forensic investigation when Sygnia’s team noticed unusual activity sparking multiple alerts. Interestingly, a previously disabled account tied to earlier threat actor activity was mysteriously re-enabled by a service account. What raised further red flags was that this action originated from a server not previously flagged as compromised.

Digging deeper, Sygnia’s responders uncovered a variant of the infamous China Chopper Web shell quietly embedded on an internal server. Shockingly, the system had been compromised for years without detection. What appeared as lingering traces of a past attack turned out to be the active operations of Weaver Ant APT, a distinct Chinese cyber-espionage group exploiting the same environment.

Further investigation unearthed dozens of similar Web shells scattered across the network, revealing a broader campaign where Weaver Ant relied almost entirely on Web shells for persistent access and lateral movement.

The Tools Behind Weaver Ant’s Stealth Operations

Weaver Ant deployed two primary types of Web shells to maintain its grip on the network. The first — China Chopper — is a notoriously lightweight and versatile tool originally crafted by Chinese threat actors. Its compact size enables stealthy control over compromised systems, offering capabilities like file manipulation, command execution, and data theft, all while slipping past traditional security defenses.

Sygnia identified a second, more covert Web shell they named INMemory. Unlike China Chopper, INMemory operates entirely in memory, decoding a hardcoded GZipped Base64 string to execute a Portable Executable (PE) file dubbed ‘eval.dll’. This method allowed Weaver Ant to execute malicious payloads without leaving traces on the disk — significantly lowering detection risks.

While monitoring the network, Sygnia discovered that Weaver Ant was still active. Realizing the threat actor could alter tactics if spooked, investigators avoided direct confrontation. Instead, they implemented stealth monitoring techniques, using port mirroring and live log analysis to secretly track the group’s movements.

What they uncovered was an intricate web of Web shell tunnels. These tunnels enabled Weaver Ant to pivot across different network segments, accessing internal servers that weren’t even internet-facing. By chaining Web shells as proxy nodes, the attackers built recursive HTTP tunnels — an advanced technique that let them exfiltrate data and execute commands deep within the telecom’s environment.

Sygnia compared this method to operating through digital nesting dolls — each layer of encryption and obfuscation carefully peeled away until the final malicious payload was revealed. This multi-layered approach helped Weaver Ant stay hidden, with their real objectives surfacing only when the last shell executed the core payload.

How Telecoms Can Defend Against Weaver Ant APT

Sygnia’s report provides valuable recommendations to help defenders hunt for and block groups like Weaver Ant APT. First, organizations should ensure comprehensive logging is in place — particularly PowerShell transcript logging and IIS web server logs — to track suspicious behaviors.

From a defense perspective, the report urges companies to:

  • Apply the principle of least privilege for all web-facing accounts.
  • Regularly rotate credentials to reduce the risk of compromised accounts.
  • Deploy advanced Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) tools.
  • Fine-tune Web Application Firewalls (WAF) to detect telltale signatures of China Chopper and INMemory activity.

Sygnia’s findings include specific indicators of compromise (IoCs) to aid in detection and response efforts.

Weaver Ant’s attack adds to the growing list of Chinese-linked cyber-espionage campaigns targeting Asia’s critical infrastructure. Just last month, Cisco Talos exposed another China-based group, “Lotus Blossom,” deploying custom malware against targets across Hong Kong, the Philippines, Taiwan, and Vietnam.

As these nation-state threats grow more sophisticated, telecom companies — often gateways to vast amounts of sensitive data — remain prime targets. The Weaver Ant campaign is a stark reminder of the evolving cyber battlefield, where persistence, stealth, and technological sophistication define the new normal.
