Date: 06/11/2025
Severity: Medium
Summary
A recent campaign has been uncovered targeting the Chinese telecom sector, with a specific focus on China Mobile Tietong Co., Ltd., a major subsidiary of China Mobile. The attack leverages a malware ecosystem built around VELETRIX and VShell malware. VShell, a well-known adversary simulation tool, is commonly used by threat actors in China and has been employed in attacks against various Western entities in the wild.
Indicators of Compromise (IOC) List
IP Address | 62.234.24.38, 47.115.51.44, 47.123.7.206
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: dstipaddress IN ("47.115.51.44","47.123.7.206","62.234.24.38") or srcipaddress IN ("47.115.51.44","47.123.7.206","62.234.24.38")
Detection Query 2: sha256hash IN ("ba4f9b324809876f906f3cb9b90f8af2f97487167beead549a8cddfd9a7c2fdc","bb6ab67ddbb74e7afb82bb063744a91f3fecf5fd0f453a179c0776727f6870c7","2206cc6bd9d15cf898f175ab845b3deb4b8627102b74e1accefe7a3ff0017112","ac6e0ee1328cfb1b6ca0541e4dfe7ba6398ea79a300c4019253bd908ab6a3dc0","40450b4212481492d2213d109a0cd0f42de8e813de42d53360da7efac7249df4","645f9f81eb83e52bbbd0726e5bf418f8235dd81ba01b6a945f8d6a31bf406992","a0f4ee6ea58a8896d2914176d2bfbdb9e16b700f52d2df1f77fe6ce663c1426a")
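The two TDIR queries expressed as a stand-alone Python matcher, added here as an example and not Gurucul's or Seqrite's code: it applies the same IOC set to newline-delimited JSON events and reports, per event, which query fired. The field names srcipaddress, dstipaddress and sha256hash are taken from the queries above; the sample events are constructed, and the hash comparison is case-insensitive since collectors differ in how they emit digests.

```python
import json

# IOC values copied from the two detection queries on this page.
IOC_IPS = {"62.234.24.38", "47.115.51.44", "47.123.7.206"}
IOC_SHA256 = {
    "40450b4212481492d2213d109a0cd0f42de8e813de42d53360da7efac7249df4",
    "ac6e0ee1328cfb1b6ca0541e4dfe7ba6398ea79a300c4019253bd908ab6a3dc0",
    "645f9f81eb83e52bbbd0726e5bf418f8235dd81ba01b6a945f8d6a31bf406992",
    "ba4f9b324809876f906f3cb9b90f8af2f97487167beead549a8cddfd9a7c2fdc",
    "bb6ab67ddbb74e7afb82bb063744a91f3fecf5fd0f453a179c0776727f6870c7",
    "2206cc6bd9d15cf898f175ab845b3deb4b8627102b74e1accefe7a3ff0017112",
    "a0f4ee6ea58a8896d2914176d2bfbdb9e16b700f52d2df1f77fe6ce663c1426a",
}

def match_event(event):
    """Query 1: src OR dst IP in the C2 list. Query 2: SHA-256 in the
    sample list, compared case-insensitively since tools emit mixed case."""
    hits = []
    for field in ("srcipaddress", "dstipaddress"):
        value = event.get(field)
        if value in IOC_IPS:
            hits.append(f"{field}={value}")
    digest = event.get("sha256hash")
    if isinstance(digest, str) and digest.lower() in IOC_SHA256:
        hits.append(f"sha256hash={digest.lower()}")
    return hits

def scan(lines):
    """Scan newline-delimited JSON events. Unparseable or non-object lines
    are skipped instead of aborting the run. Returns [(line_no, hits), ...]."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = match_event(event) if isinstance(event, dict) else []
        if hits:
            findings.append((line_no, hits))
    return findings

# Constructed sample events for illustration, not real telemetry.
SAMPLE_LOG = [
    '{"srcipaddress": "10.0.0.5", "dstipaddress": "62.234.24.38"}',
    '{"host": "ws12", "sha256hash": "A0F4EE6EA58A8896D2914176D2BFBDB9E16B700F52D2DF1F77FE6CE663C1426A"}',
    '{"srcipaddress": "10.0.0.9", "dstipaddress": "8.8.8.8"}',
    'not json at all',
    '{"srcipaddress": "47.123.7.206", "dstipaddress": "10.0.0.7", "sha256hash": "2206cc6bd9d15cf898f175ab845b3deb4b8627102b74e1accefe7a3ff0017112"}',
]
```

Running scan(SAMPLE_LOG) flags lines 1, 2 and 5 and stays silent on the benign and malformed lines.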
Reference:
https://www.seqrite.com/blog/operation-dragonclone-chinese-telecom-veletrix-vshell-malware/