• The tool was used in the massive ‘Operation Soft Cell’ attack campaign against telecommunication providers.
  • China Chopper is a web shell that allows malicious actors to remotely control a target system.

Several new instances of attack campaigns that make use of China Chopper have come to light in the past two years. It has been found that various threat actor groups are using the web shell to launch different cyberespionage campaigns. This includes the ‘Operation Soft Cell’ attack campaign which was carried out against telecommunication providers. Researchers note that the use of China Chopper in the massive ‘Operation Soft Cell’ campaign indicates that the tool is quite active and popular among cybercriminals even after nine years of its discovery.

What is China Chopper?

China Chopper is a web shell that allows malicious actors to remotely control a target system. According to researchers from Cisco Talos, it uses a “client-side application that contains all the logic required to control the target.”

The tool has been used by some state-sponsored actors such as Leviathan and Threat Group-3390.

Espionage campaigns linked to China Chopper

Cisco Talos researchers identified a couple of espionage campaigns linked to China Chopper.

  • The first instance involved the attack against an Asian government organization. Here, the China Chopper was used in the internal network, installed on a few web servers used to store potentially confidential documents. The purpose of the attack was to obtain documents and database copies.
  • For the second campaign, the attackers had tried to deploy ransomware like Sodinokibi and GandCrab on vulnerable servers using China Chopper. In addition to ransomware, the tool was used by another threat actor group to execute a Monero miner.
  • Several web-hosting providers were also compromised through the tool to install additional malware, conduct reconnaissance and pivot to other systems.


Although China Chopper is an old tool, it still finds a significant place in the attack tools used by threat actors. Researchers claim that the usage of the tool is likely to increase in the future.

Cyware Publisher