Chinese Hackers Weaponize Software Vulnerabilities to Compromise Their Targets
Over the past year, a previously quiet Chinese threat cluster has surged onto incident-response dashboards worldwide, pivoting from single zero-day hits to an industrialized pipeline of weaponized vulnerabilities.
First detected targeting unpatched Fortinet SSL-VPN appliances in late 2024, the group—dubbed “Goujian Spider” by incident handlers—now blends rapid vulnerability acquisition with skillful post-exploitation automation, breaching defense contractors, chip designers, and maritime-logistics firms in nine countries.
Each intrusion begins with a freshly harvested flaw, usually appearing on China’s internal National Vulnerability Database (NVDB) weeks before a public CVE number is assigned, giving operators a decisive head start.
Initial access is followed by the quiet deployment of an encrypted loader that unwraps a bespoke Golang implant nicknamed “REDSAM” for its hard-coded command string, red_sam_initialize().
Archive analysts noted the malware after correlating traffic spikes from a Shanghai AS to simultaneous NVDB disclosures on February 11, 2025, flagging the campaign as the first field proof that China’s 2021 Regulations on the Management of Network Product Security Vulnerabilities (RMSV) had matured into a full offensive supply chain.
Researchers identified that Goujian Spider cycled through three distinct exploits in just forty-eight hours—one for Ivanti Connect Secure, one for Atlassian Confluence, and one for a niche OPC UA gateway—suggesting privileged access to vulnerability feeds well before patches shipped.
The impact is significant: incident responders trace at least sixty hosts exfiltrating design files, satellite telemetry, and employee single sign-on cookies.
Post-mortem forensic timelines show REDSAM executing only after vulnerabilities were publicly acknowledged, indicating deliberate staging to mask the initial foothold and frustrate attribution.
Inside the Infection Mechanism
Goujian Spider’s infection chain compresses reconnaissance, exploitation, and persistence into fewer than 400 lines of code.
Once the vulnerable web component is probed with a crafted request, a memory-only loader called “LilacDrop” is streamed via chunked HTTP and executed through reflective DLL loading.
The following Go fragment (de-obfuscated by reversing teams) reveals how LilacDrop injects REDSAM into spoolsv.exe, bypassing common EDR hooks:
```go
func elevateAndSpawn(shellcode []byte) error {
	// Open the already-running print spooler (pidByName is a helper not shown in the fragment).
	hProc, _ := windows.OpenProcess(windows.PROCESS_ALL_ACCESS, false, pidByName("spoolsv.exe"))
	// Reserve an executable region inside the target process.
	remoteAddr, _ := windows.VirtualAllocEx(hProc, 0, uintptr(len(shellcode)),
		windows.MEM_COMMIT, windows.PAGE_EXECUTE_READWRITE)
	var written uintptr
	// Copy the payload into the spooler's address space; errors are discarded throughout the recovered fragment.
	windows.WriteProcessMemory(hProc, remoteAddr, &shellcode[0], uintptr(len(shellcode)), &written)
	// Start the payload on a new thread (procCreateRemoteThread is resolved elsewhere in the loader).
	thd, _, _ := procCreateRemoteThread.Call(uintptr(hProc), 0, 0, remoteAddr, 0, 0, 0)
	// Block until the injected thread exits before returning.
	windows.WaitForSingleObject(windows.Handle(thd), windows.INFINITE)
	return nil
}
```
The snippet highlights three tactical choices:
- Process hijack over service creation — hijacking spoolsv.exe avoids creating new services, which defenders often audit.
- Memory-only execution — no payload touches disk, thwarting signature-based scanners.
- Single-thread completion — the code waits for the injected thread to finish before cleaning up, erasing forensic traces.
To remain resident, REDSAM creates a hidden Scheduled Task named “Windows LSM Cache” that runs every 15 minutes, but only if the NVDB entry for its initial CVE receives a public proof-of-concept tag—ensuring the implant reactivates when defenders are busiest.
Detection evasion extends to log pruning: a built-in routine searches Windows Event ID 4104 (PowerShell), 4688 (process creation), and 1102 (audit log cleared) and selectively deletes lines containing its mutex GlobalRS_MUTEX.
The campaign diagram maps each stage—from exploit to exfiltration—overlaying observed mutexes and command-and-control URIs extracted during a breach of a Taiwanese semiconductor fab, while the timeline of NVDB vs. CVE release shows the group’s average eleven-day advantage between domestic disclosure and public CVE assignment.
Despite Goujian Spider’s sophistication, defenders can hunt for abnormal network egress to hard-coded /public/upload paths on TCP 443 and monitor Scheduled Tasks for non-Microsoft descriptions.
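As an added example (not code from the article or from any of the teams it cites), the following Python script runs the hunting heuristics suggested above over constructed sample telemetry: scheduled tasks outside the Microsoft namespace that lack a description or fire on a tight cycle (the “Windows LSM Cache” persistence described earlier), cumulative egress to /public/upload paths on TCP 443, and event-log signals (1102 audit-log-cleared events, plus spoolsv.exe launched by an unexpected parent). Host names, IP addresses, file paths and byte counts are invented; the parent-process check is an assumption of my own, not something the article describes.

```python
"""Hunting heuristics for the Goujian Spider indicators described above.

Added example, not code from the article or the teams it cites. All
telemetry below is constructed for illustration.
"""
import re
from collections import defaultdict

# --- constructed sample telemetry -------------------------------------------

# Scheduled-task inventory as exported from a host, one dict per task.
SCHEDULED_TASKS = [
    {"name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "author": "Microsoft Corporation",
     "description": "Optimizes local storage drives.", "interval_min": 1440},
    {"name": "\\Windows LSM Cache",  # task name reported in the article
     "author": "", "description": "", "interval_min": 15},
]

# Web-proxy log lines (constructed; addresses from documentation ranges).
PROXY_LOG = [
    "2025-02-11T09:14:02Z src=10.20.5.17 dst=203.0.113.44:443 method=POST uri=/public/upload bytes_out=2381244",
    "2025-02-11T09:14:05Z src=10.20.5.17 dst=203.0.113.44:443 method=POST uri=/public/upload bytes_out=1940011",
    "2025-02-11T09:15:11Z src=10.20.5.9 dst=198.51.100.8:443 method=GET uri=/index.html bytes_out=512",
]

# Windows Security log entries reduced to the fields we need (constructed).
EVENT_LOG = [
    {"event_id": 4688, "host": "fab-ws17",
     "process": "C:\\Windows\\System32\\spoolsv.exe",
     "parent": "C:\\Windows\\System32\\services.exe"},
    {"event_id": 4688, "host": "fab-ws17",
     "process": "C:\\Windows\\System32\\spoolsv.exe",
     "parent": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage1.exe"},  # hypothetical path
    {"event_id": 1102, "host": "fab-ws17", "process": None, "parent": None},
]

PROXY_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) method=\S+ "
    r"uri=(?P<uri>\S+) bytes_out=(?P<bytes>\d+)"
)


def suspicious_tasks(tasks, max_interval_min=30):
    """Flag tasks outside the Microsoft namespace that carry no description
    or fire on a tight cycle. Returns a list of (task name, reason)."""
    findings = []
    for t in tasks:
        is_microsoft = (t["name"].lower().startswith("\\microsoft\\")
                        or "microsoft" in t["author"].lower())
        if is_microsoft:
            continue
        if not t["description"].strip():
            findings.append((t["name"], "no description"))
        elif t["interval_min"] <= max_interval_min:
            findings.append((t["name"], f"runs every {t['interval_min']} min"))
    return findings


def egress_upload_totals(lines, path_prefix="/public/upload", port=443):
    """Sum bytes sent per (src, dst) pair to the upload path on the given port."""
    totals = defaultdict(int)
    for line in lines:
        m = PROXY_RE.search(line)
        if not m or int(m["port"]) != port or not m["uri"].startswith(path_prefix):
            continue
        totals[(m["src"], m["dst"])] += int(m["bytes"])
    return dict(totals)


def flag_egress(lines, threshold_bytes=1_000_000):
    """Return (pair, total) entries whose cumulative upload volume crosses the threshold."""
    return [(pair, total) for pair, total in egress_upload_totals(lines).items()
            if total >= threshold_bytes]


def event_log_findings(events):
    """1102 (audit log cleared) is always worth a ticket. A spooler started by
    anything other than services.exe is an added heuristic: the article describes
    injection into an already-running spoolsv.exe, which a 4688 check does not see."""
    findings = []
    for e in events:
        if e["event_id"] == 1102:
            findings.append((e["host"], "audit log cleared (1102)"))
        elif e["event_id"] == 4688 and e["process"].lower().endswith("\\spoolsv.exe"):
            if not e["parent"].lower().endswith("\\services.exe"):
                findings.append((e["host"], f"spoolsv.exe started by {e['parent']}"))
    return findings


def run_hunt():
    """Collect every finding from the three heuristics."""
    return {
        "tasks": suspicious_tasks(SCHEDULED_TASKS),
        "egress": flag_egress(PROXY_LOG),
        "events": event_log_findings(EVENT_LOG),
    }


if __name__ == "__main__":
    for category, items in run_hunt().items():
        for item in items:
            print(f"[{category}] {item}")
```

Each heuristic returns a list rather than printing, so the same functions can be fed real exports (schtasks inventories, proxy logs, Security-log queries) from a SIEM job. Expect false positives from the task check on legitimate third-party software with empty descriptions; the point is to surface candidates for triage, and the egress threshold should be tuned to the baseline upload volume of the monitored segment.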
Rapid patch adoption remains paramount: in the fab case, a timely vendor hotfix would have neutralized the Ivanti exploit three days before weaponization.
As RMSV-driven vulnerability harvesting accelerates, organizations must treat every NVDB listing—public or leaked—as an imminent threat window, shortening internal patch cycles accordingly.