[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKnjOftB2MY3Iv9UJv1nxf6LAnb0bcNyWi1N8ts_WqBE":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"8e22a300-0eaa-4a2e-92bf-e201cbd99360","45,000 Attacks, 5,300+ Backdoors Tied to China-Linked Cybercrime Operation","45-000-attacks-5-300-backdoors-tied-to-china-linked-cybercrime-operation-ff7570","SOCRadar researchers have uncovered a massive Chinese cybercrime operation using the OpenClaw and Paperclip systems to automate global attacks.","SOCRadar researchers uncovered a massive, automated cybercrime operation linked to Chinese threat actors employing a centralized backend called Paperclip and an agent-based workflow system (OpenClaw) to orchestrate global attacks. The operation targets fintech, Web3, and security vendors using internet mapping tools to identify vulnerable systems, exploiting flaws like CVE-2025-55182 and Log4Shell, and deploying custom backdoors (d2, pl) across thousands of hosts. The attackers maintain persistence through Cloudflare tunnels, P2P clients, and fileless execution chains while stealing API keys, payment tokens, and cryptocurrency wallet data at scale.","China-linked cybercrime operation uses OpenClaw and Paperclip systems for 45,000+ automated attacks.","45,000 Attacks, 5,300+ Backdoors Tied to China-Linked Cybercrime Operation. SOCRadar researchers have uncovered a massive Chinese cybercrime operation using the OpenClaw and Paperclip systems to automate global attacks. By Deeba Ahmed, May 1, 2026, 2 minute read. The SOCRadar Threat Research Team has discovered a massive, automated cybercrime setup linked to threat actors based in China. This operation uses a central backend called Paperclip and an agent-based workflow system known as OpenClaw. 
Using these tools, the hackers run their campaigns like a business, with a step-by-step workflow that starts with Planning, followed by Review, Dispatch, Recon, Scan, Validate, and ends with a Report on the stolen data. The details of this research were shared with Hackread.com. How the Attacks Work: Hackers use internet mapping engines such as FOFA and 360Quake to identify the External Attack Surface (internet-facing assets). They particularly target high-value groups like fintech companies, Web3 platforms, and security vendors. To ensure their scanning remains uninterrupted, they have created thousands of automated accounts using the email pattern fofa@deltajohnsons.com. [Figure: Attackers used 136 FOFA accounts to bypass API limits and sustain continuous scanning (Source: SOCRadar Threat Research Team)] This scanning helps them find systems running software with known security flaws. They prefer flaws that allow remote code execution (RCE), which gives them full control over the compromised device, such as React2Shell (CVE-2025-55182) and CVE-2025-66478, and Log4Shell (CVE-2021-44228). Researchers observed four custom Python scripts, 2.py, 3.py, 4.py, and 11.py, which help the attackers make this entire process faster and bypass security filters. This also helps them run commands on hundreds of targets at once. “Custom Python scripts automate exploitation by executing commands such as environment variable dumps. These scripts support WAF bypass and parallel execution, enabling scalable exploitation across hundreds of targets. The primary objective is reliable remote code execution rather than simple vulnerability detection,” researchers noted in the blog post. Stealing Data and Maintaining Persistence: After achieving initial access, the threat actors search for sensitive data, mainly targeting AI API keys, Stripe tokens, and database credentials stored in PostgreSQL. 
To maintain persistence, they use several methods to ensure they stay hidden, like deploying Cloudflare tunnels via cf-client, P2P clients named mayun, and backdoors identified in logs as d2 and pl. The group also uses a fileless execution chain in which commands feed web content directly into Node.js, running malicious code in the system’s memory without writing any files to disk. This makes malware detection much more difficult. [Figure: Operation workflow (Source: SOCRadar)] The Scale of the Operation: This is a very large operation. The hackers’ own logs show around 45,000 attack attempts. Their database shows they have placed the d2 backdoor on 3,981 hosts and the pl backdoor on 1,393 hosts. They also managed 900 webshell implants and are tracking nearly 22,000 cryptocurrency addresses. For context, d2 and pl are two custom backdoor implants used by the attackers to maintain access to the compromised system. “The operation is coordinated through a centralised backend,” the report explains, which helps the group manage and enrich stolen data. The hackers use blockchain intelligence APIs such as OKLink and Tatum to monitor nearly 22,000 cryptocurrency addresses. They also use automated scripts to validate stolen Stripe keys by checking for active accounts with available balances. This organised approach allows the threat actors to immediately prioritise the most profitable targets. About the author, Deeba Ahmed: Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage. 
","https:\u002F\u002Fhackread.com\u002F45k-attacks-53k-backdoor-china-cybercrime-operation\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002F45k-attacks-53k-backdoor-china-cybercrime-operation.jpg","2026-05-01T19:38:50+00:00","2026-05-01T20:00:10.034524+00:00",9,[18,21,24,27,29,31],{"name":19,"type":20},"China-linked cybercrime operation","threat_actor",{"name":22,"type":23},"SOCRadar","vendor",{"name":25,"type":26},"FOFA","technology",{"name":28,"type":26},"360Quake",{"name":30,"type":26},"Cloudflare",{"name":32,"type":26},"Log4j","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":33,"icon":35,"name":36,"slug":37},null,"Malware","malware",[39,44],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[50,54,57,60,64,67,70,73],{"type":51,"value":52,"context":53},"cve","CVE-2025-55182","React2Shell vulnerability exploited for RCE",{"type":51,"value":55,"context":56},"CVE-2025-66478","Vulnerability exploited for RCE in automated attacks",{"type":51,"value":58,"context":59},"CVE-2021-44228","Log4Shell vulnerability exploited for code execution",{"type":61,"value":62,"context":63},"email","foxa@deltajohnsons.com","Email pattern used to create automated FOFA accounts for API bypass",{"type":37,"value":65,"context":66},"OpenClaw","Agent-based workflow system for attack automation",{"type":37,"value":68,"context":69},"Paperclip","Central backend managing cybercrime operation",{"type":37,"value":71,"context":72},"d2","Custom backdoor deployed on 3,981 hosts",{"type":37,"value":74,"context":75},"pl","Custom backdoor deployed on 1,393 hosts"]