Security Articles

Weaver Ant, the Web Shell Whisperer: Tracking a China-Nexus Cyber Operation

released on 2025-03-25 @ 01:10:16 PM
Sygnia uncovered a sophisticated China-nexus threat actor, Weaver Ant, targeting a major Asian telecom company. The group employed web shells and tunneling techniques for persistence and lateral movement, maintaining access for over four years. They utilized encrypted China Chopper and custom 'INMemory' web shells, along with a recursive HTTP tunnel tool for internal network access. Weaver Ant demonstrated advanced evasion techniques, including ETW patching, AMSI bypassing, and 'PowerShell without PowerShell' execution. The operation involved extensive reconnaissance, credential harvesting, and data exfiltration. Despite eradication attempts, the group showed remarkable persistence, adapting their tactics to regain access.