top of page

Massive China-Linked Cybercrime Network Deploys 5,300+ Backdoors in 45,000+ Attacks

  • May 2
  • 2 min read

Key Findings


  • Massive China-linked cybercrime operation discovered using automated systems called Paperclip (backend) and OpenClaw (workflow agent)

  • Approximately 45,000 documented attack attempts with 5,300+ backdoor implants deployed across victims

  • Targets include fintech companies, Web3 platforms, and security vendors

  • Operation maintains centralized control enabling data enrichment and victim prioritization

  • Attackers have compromised thousands of hosts with custom backdoors and webshells while monitoring nearly 22,000 cryptocurrency addresses


Background


SOCRadar's Threat Research Team uncovered what appears to be a highly organized, automated cybercrime setup operating at an industrial scale. The operation leverages two main systems: Paperclip serves as the centralized backend managing operations, while OpenClaw handles the workflow through an agent-based system. The entire process runs like a business operation with distinct phases, making this less of a traditional hacking group and more of a sophisticated criminal infrastructure.


How the Scanning Works


The attackers use internet mapping engines like FOFA and 360Quake to identify internet-facing assets they can target. They've created thousands of automated accounts using a standardized email pattern (fofa@deltajohnsons.com) to bypass API rate limits. Researchers found 136 FOFA accounts actively used to maintain continuous scanning operations. This systematic approach allows them to identify systems running vulnerable software at scale without interruption.


Exploitation Strategy


Once vulnerable systems are identified, attackers focus on finding remote code execution flaws that grant complete system control. They actively exploit known vulnerabilities like React2Shell, Log4Shell, and other critical CVEs. To accelerate the process, they use four custom Python scripts that automate exploitation, execute commands across hundreds of targets simultaneously, and bypass Web Application Firewalls. The scripts prioritize reliable remote code execution over simple vulnerability detection.


Data Theft and Persistence


After gaining initial access, the group searches for high-value targets like AI API keys, Stripe tokens, and database credentials from PostgreSQL systems. They maintain persistence through multiple methods including Cloudflare tunnels, P2P clients, and custom backdoors called d2 and pl. A particularly dangerous technique involves fileless execution chains that feed web content directly into Node.js, running malicious code in memory without touching the disk, making detection significantly harder.


Operation Scale and Infrastructure


The logs reveal the staggering scope of this operation. The d2 backdoor has been deployed on 3,981 hosts while the pl backdoor secured access to 1,393 systems. The group manages approximately 900 webshell implants and tracks nearly 22,000 cryptocurrency addresses using blockchain intelligence APIs like OKLink and Tatum. They've also automated the validation of stolen Stripe keys to identify accounts with available balances, allowing them to prioritize the most profitable targets immediately.


Sources


  • https://hackread.com/45k-attacks-53k-backdoor-china-cybercrime-operation/

  • https://news.backbox.org/2026/05/01/45000-attacks-5300-backdoors-tied-to-china-linked-cybercrime-operation/

  • https://x.com/HackRead/status/2050301346390200693

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page