Inside the Open Directory of the “You Dun” Threat Group

SUMMARY :

An open directory exposed a Chinese-speaking threat actor's toolkit and operational history. The actor conducted extensive scanning and exploitation targeting organizations in South Korea, China, Thailand, Taiwan, and Iran using tools like WebLogicScan, Vulmap, and Xray. The Viper C2 framework and a Cobalt Strike kit with TaoWu and Ladon extensions were found. The actor also utilized the leaked LockBit 3 builder to create a custom ransomware payload with a ransom note referencing a Telegram group. The group claims to offer 'penetration testing' services but engages in illicit activities including data sales, DDoS attacks, and ransomware operations.

OPENCTI LABELS :

cobalt strike,ransomware,lockbit,weblogic exploitation,viper c2,chinese threat actor


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Inside the Open Directory of the “You Dun” Threat Group