Weaver Ant, a China-nexus threat actor, maintained persistent access to at least one major Asian telecom provider for more than four years, using layered web shells and encrypted tunnelling to hide its activity.
Weaver Ant used compromised Zyxel home routers across Southeast Asia as a relay network to conceal their origins and maintain stealthy access as they conducted long-term intelligence gathering, harvested user credentials, and monitored network activity within the operator’s internal networks.
Sygnia's research revealed that Weaver Ant employed a non-provisioned operational relay box (ORB) network, built from compromised third-party devices rather than infrastructure the group rented or registered itself, to proxy its malicious traffic and further hide its origins.
The group bounced their attacks through compromised devices at one telecom provider before pivoting to others, evading standard security measures in the process.
Among the tools deployed by Weaver Ant were sophisticated web shells — malicious scripts placed on web servers, including a previously unknown type which Sygnia dubbed “INMemory”.
Unlike traditional web shells, whose payloads are written to the compromised server's disk where file-based scanning can find them, the INMemory shell executes its malicious payload entirely within the web server process's memory. This leaves minimal disk artefacts and significantly complicates detection.
“Multiple layers of web shells concealed malicious payloads, allowing the threat actor to move laterally within the network and remain evasive until the final payload,” said Oren Biderman, incident response and digital forensic team leader at Sygnia.
“These payloads and their ability to leverage never-seen-before web shells to evade detection speaks to Weaver Ant’s sophistication and stealthiness.”
Sygnia discovered Weaver Ant’s operation accidentally while investigating another threat.
Analysts noted suspicious activity when an account, previously disabled during remediation efforts, was suddenly reactivated by a service account. Further investigation confirmed the reactivated account belonged to Weaver Ant, with activity traced back to a server previously thought uncompromised.
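The tell that exposed Weaver Ant, an account disabled during remediation and later re-enabled by a service account, is a cheap thing to hunt for in Windows Security logs. The example below is added here for illustration and is not Sygnia's code or anything from the report. It correlates account-disabled events (event ID 4722 is "A user account was enabled" and 4725 is "A user account was disabled"; those IDs are real) and flags re-enablements of accounts that were disabled on or after a remediation start date, marking the finding higher-confidence when the enabling subject is a known service account. The pipe-delimited log export, the account names and the list of service accounts are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Windows Security log event IDs (real values).
EVT_ACCOUNT_DISABLED = 4725  # "A user account was disabled"
EVT_ACCOUNT_ENABLED = 4722   # "A user account was enabled"


@dataclass
class Event:
    time: datetime
    event_id: int
    subject: str  # account that performed the action
    target: str   # account that was acted upon


def parse_line(line: str) -> Event:
    """Parse one constructed export line: time|event_id|subject|target."""
    time_s, eid, subject, target = [f.strip() for f in line.split("|")]
    return Event(datetime.fromisoformat(time_s), int(eid), subject, target)


def find_reactivations(lines, service_accounts, remediation_start):
    """Return findings for accounts disabled on or after remediation_start
    that were subsequently re-enabled. Disables from before remediation
    (routine helpdesk holds, leavers) are ignored so they do not create noise."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.time)
    disabled_since = {}  # target account -> the disabling event
    findings = []
    for e in events:
        if e.event_id == EVT_ACCOUNT_DISABLED and e.time >= remediation_start:
            disabled_since[e.target] = e
        elif e.event_id == EVT_ACCOUNT_ENABLED and e.target in disabled_since:
            d = disabled_since.pop(e.target)
            findings.append({
                "account": e.target,
                "disabled_at": d.time.isoformat(),
                "disabled_by": d.subject,
                "reenabled_at": e.time.isoformat(),
                "reenabled_by": e.subject,
                # A service account re-enabling a remediated account is the
                # pattern described above and deserves immediate triage.
                "by_service_account": e.subject in service_accounts,
            })
    return findings


# Constructed sample log: a routine helpdesk hold on jdoe before remediation,
# two accounts disabled by the IR team, one re-enabled overnight by a service
# account and one re-enabled by the helpdesk.
SAMPLE_LOG = """
2024-11-02T08:15:00|4725|helpdesk01|jdoe
2024-11-10T09:00:00|4722|helpdesk01|jdoe
2024-11-12T14:00:00|4725|ir-admin|svc_backup_legacy
2024-11-12T14:05:00|4725|ir-admin|mlee
2024-11-20T03:12:00|4722|svc_monitor|svc_backup_legacy
2024-11-21T10:00:00|4722|helpdesk01|mlee
"""
SERVICE_ACCOUNTS = {"svc_monitor", "svc_backup_legacy"}  # hypothetical inventory
REMEDIATION_START = datetime(2024, 11, 12)


def demo():
    return find_reactivations(SAMPLE_LOG.splitlines(), SERVICE_ACCOUNTS, REMEDIATION_START)


if __name__ == "__main__":
    for f in demo():
        flag = "SERVICE ACCOUNT" if f["by_service_account"] else "interactive user"
        print(f"{f['account']} re-enabled by {f['reenabled_by']} ({flag}) at {f['reenabled_at']}")
```

On the sample data the jdoe hold is ignored because it predates remediation, mlee's re-enablement is reported at low priority, and the overnight re-enablement of svc_backup_legacy by svc_monitor is reported as the service-account case. In a real environment the subject and target fields come from the SubjectUserName and TargetUserName fields of the 4722/4725 events, and the remediation date comes from the incident timeline.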
Sygnia's forensic analysis uncovered an encrypted variant of the notorious China Chopper web shell on internal servers, confirming that infiltration had occurred years prior.
“Nation-state threat actors like Weaver Ant are incredibly dangerous and persistent with the primary goal of infiltrating critical infrastructure and collecting as much information as they can before being discovered,” Biderman added.
The revelation of Weaver Ant’s extensive operation follows a wave of attacks on major global telecom providers attributed to China-linked hacking groups toward the end of 2024.
Verizon, AT&T, T-Mobile, and Lumen were all targeted to varying degrees, with Salt Typhoon even compromising mobile devices belonging to US presidential candidates.
In response, US lawmakers have introduced prospective legislation designed to compel telecom operators to bolster their cybersecurity defences.