S0020: China Chopper
Analyst context for executives and security teams
China Chopper matters because it represents a web shell access pattern: an adversary can maintain access through a web server without requiring an infected endpoint to call out like traditional malware. For leaders, the business issue is not just malware on a Windows system; it is whether internet-facing web servers, including high-value application and mail infrastructure, are monitored well enough to prove that unauthorized server-side scripts, command execution, file discovery, tool transfer, and follow-on collection would be noticed and contained.
Executive priority
Prioritize China Chopper as a resilience and incident-response readiness concern for organizations with exposed web services. ATT&CK links it to multiple groups and to behaviors including Web Shell, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Network Service Discovery, File and Directory Discovery, Data from Local System, Password Guessing, Software Packing, and Timestomp. Executives should ask whether web server integrity monitoring, web access logging, endpoint telemetry on servers, privileged account monitoring, and rapid web-shell eradication procedures are in place and usable as audit and incident evidence.
Technical view
ATT&CK does not provide a specific detection analytic for this object, so SOC and IR teams should validate coverage around the related behaviors. On Windows web servers, confirm visibility into creation or modification of web-accessible scripts, suspicious child processes from web service processes, cmd.exe execution, anomalous HTTP/S requests that carry commands or results, unexpected file uploads/downloads, local file and directory enumeration, service discovery, timestamp anomalies, and password-guessing activity against exposed or adjacent services. Relationship context shows China Chopper as a web shell used by several groups, so detection should focus on the server-side access pattern and post-compromise activity rather than relying only on a malware name or static signature.
Likely telemetry
- Web server access logs and error logs for unusual requests to server-side scripts or unexpected web paths
- File integrity and file creation/modification telemetry for web roots and application directories
- Endpoint process telemetry on Windows servers, especially web service processes spawning Windows Command Shell
- Command-line logging for discovery, collection, and file transfer activity
- Network telemetry for HTTP/S traffic patterns involving web servers and external clients
Detection direction
- Do not depend on ATT&CK-provided detection text; none is supplied for this object.
- Tune detections around web server processes launching command shells or utilities used for discovery, collection, and transfer.
- Baseline legitimate administrative web maintenance so alerts for new or modified web-accessible scripts can distinguish deployments from suspicious persistence.
- Correlate web requests with host process creation and file writes; web-shell activity may look like ordinary web traffic without host context.
- Review gaps where internet-facing servers lack EDR, command-line logging, file integrity monitoring, or retained web logs.
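The request-to-process correlation called for in the list above, as an added example that is not part of the original page or of any vendor product: it pairs IIS access-log POSTs to server-side scripts with process-creation records in which the IIS worker (w3wp.exe) spawned a command shell a few seconds later. Log formats, paths, addresses and timings are constructed for illustration.

```python
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"
WEB_WORKER = "w3wp.exe"                 # IIS worker process that hosts server-side scripts
SHELLS = {"cmd.exe", "powershell.exe"}  # Windows Command Shell (T1059.003) and PowerShell
SCRIPT_EXT = (".aspx", ".asp", ".php", ".jsp")

# Constructed IIS W3C access-log lines: date time c-ip cs-method cs-uri-stem sc-status.
IIS_LOG = """\
2024-05-01 10:00:01 203.0.113.5 GET /index.aspx 200
2024-05-01 10:00:07 203.0.113.5 POST /aspnet_client/help.aspx 200
2024-05-01 10:03:15 198.51.100.9 POST /api/login.aspx 200
"""

# Constructed Sysmon-style process-creation records: UtcTime|ParentImage|Image|CommandLine.
PROC_LOG = r"""2024-05-01 10:00:08|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\inetpub\wwwroot
2024-05-01 10:03:16|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\inetsrv\w3wp.exe|w3wp.exe -ap DefaultAppPool
2024-05-01 11:30:00|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe
"""

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_iis(text):
    """Yield one dict per access-log line, skipping blank lines."""
    for line in filter(str.strip, text.splitlines()):
        date, time, client, method, uri, status = line.split()
        yield {"time": datetime.strptime(f"{date} {time}", TS), "client": client,
               "method": method, "uri": uri, "status": int(status)}

def parse_procs(text):
    """Yield one dict per process-creation record, with images reduced to basenames."""
    for line in filter(str.strip, text.splitlines()):
        when, parent, image, cmdline = line.split("|", 3)
        yield {"time": datetime.strptime(when, TS), "parent": basename(parent),
               "image": basename(image), "cmdline": cmdline}

def correlate(iis_text, proc_text, window_seconds=5):
    """Pair each shell spawned by the IIS worker with POSTs to server-side scripts
    in the preceding window_seconds. A POST with no shell (ordinary form traffic)
    and a shell with no nearby request (an admin at the console) both produce no hit."""
    posts = [r for r in parse_iis(iis_text)
             if r["method"] == "POST" and r["uri"].lower().endswith(SCRIPT_EXT)]
    shells = [p for p in parse_procs(proc_text)
              if p["parent"] == WEB_WORKER and p["image"] in SHELLS]
    return [{"client": r["client"], "uri": r["uri"], "command": p["cmdline"],
             "lag_seconds": (p["time"] - r["time"]).total_seconds()}
            for p in shells for r in posts
            if 0 <= (p["time"] - r["time"]).total_seconds() <= window_seconds]
```

On the constructed input only the POST to help.aspx followed one second later by w3wp.exe spawning cmd.exe is returned; the legitimate login POST and the console-launched shell are left as ordinary activity.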
Mitigation priorities
- Reduce exposure and harden internet-facing web servers and applications; prioritize assets that provide access into sensitive business networks.
- Implement change control and integrity monitoring for web roots, application directories, and server-side scripts.
- Ensure Windows web servers have endpoint logging, process visibility, and retained web logs sufficient for incident reconstruction.
- Restrict service account privileges and administrative access paths so a web shell cannot easily become broad network access.
- Prepare IR playbooks for web-shell triage, including containment of the host, credential review, file system inspection, log preservation, and scoping for discovery, transfer, and collection behaviors.
Analyst notes and limits
The strongest decision value is in treating China Chopper as an indicator of web-server persistence and hands-on-keyboard follow-on activity. The relationships to multiple groups increase its intelligence relevance, but local prioritization should be based on exposed web assets, server telemetry maturity, and whether SOC workflows can correlate web requests to host actions.
The supplied ATT&CK object lists Windows as the platform and provides no official detection guidance or explicit malware tactics. Group relationships show historical use by several groups, but this take does not infer current exploitation, local exposure, or attribution. Detection and mitigation recommendations are therefore behavior-based and require validation against the organization’s actual web server stack, logging, and response processes.
China Chopper
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1110.001 | Password Guessing (sub-technique) | China Chopper's server component can perform brute-force password guessing against authentication portals. (Citation: FireEye Periscope March 2018) |
| Enterprise | T1005 | Data from Local System | China Chopper's server component can upload local files. (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) (Citation: NCSC Joint Report Public Tools) (Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1027.002 | Software Packing (sub-technique) | China Chopper's client component is packed with UPX. (Citation: Lee 2013) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | China Chopper's server component is capable of opening a command terminal. (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Lee 2013) (Citation: NCSC Joint Report Public Tools) |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | China Chopper's server component executes code sent via HTTP POST commands. (Citation: FireEye Periscope March 2018) |
| Enterprise | T1105 | Ingress Tool Transfer | China Chopper's server component can download remote files. (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) (Citation: NCSC Joint Report Public Tools) (Citation: Rapid7 HAFNIUM Mar 2021) (Citation: Kaspersky ToddyCat June 2022) |
| Enterprise | T1046 | Network Service Discovery | China Chopper's server component can spider authentication portals. (Citation: FireEye Periscope March 2018) |
| Enterprise | T1070.006 | Timestomp (sub-technique) | China Chopper's server component can change the timestamp of files. (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) (Citation: NCSC Joint Report Public Tools) |
| Enterprise | T1505.003 | Web Shell (sub-technique) | China Chopper's server component is a Web Shell payload. (Citation: Lee 2013) |
| Enterprise | T1083 | File and Directory Discovery | China Chopper's server component can list directory contents. (Citation: FireEye Periscope March 2018) (Citation: Rapid7 HAFNIUM Mar 2021) |
Groups, software, and campaigns
G0093: GALLIUM
GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]
G0135: BackdoorDiplomacy
BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.[1]
G0117: Fox Kitten
Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.[1][2][3][4]
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
G1022: ToddyCat
G0125: HAFNIUM
HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.[1][2][3]
G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.5 | | Current bundle | 43fd5705766b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lee 2013: Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
[2] Dell TG-3390: Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
[3] FireEye Periscope March 2018: FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
[4] CISA AA21-200A APT40 July 2021: CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China's MSS Hainan State Security Department. Retrieved August 12, 2021.
[5] Rapid7 HAFNIUM Mar 2021: Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
[6] China Chopper (alias record): (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018)
[7] mitre-attack: S0020 (external ID)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.