You Dun Exposed: Leaked Files Reveal Chinese Hacking Group’s Operations
The Chinese-speaking cybercriminal group You Dun has been implicated in widespread attacks on the digital infrastructure of various countries across Asia and the Middle East. Analysts from The DFIR Report uncovered an exposed directory that granted access to the hackers’ tools and archives, revealing their methods and infrastructure.
You Dun has been actively conducting reconnaissance and exploiting vulnerabilities using tools such as WebLogicScan, Vulmap, and Xray. Their targets include servers in South Korea, China, Thailand, Taiwan, and Iran. Analysts found that the group has effectively utilized SQL injection and other vulnerabilities, particularly through Zhiyuan OA software.
Their toolkit also includes Viper C2, an attack control system, and Cobalt Strike with the TaoWu and Ladon extensions. These modules significantly enhance their cyberattack capabilities, automating network penetration and malicious command execution.
The hackers deployed a leaked LockBit 3 builder to create their own ransomware executable. A note left on infected servers contained contact details for their Telegram group, managed by an administrator known as EVA. The group, also referred to as the “Dark Cloud Shield Technical Team,” not only conducts cyberattacks but also offers DDoS services and data sales.
Information on this group’s activities was gathered from January to February 2024. During this period, proxy servers were employed to manage attacks and mask real IP addresses. Network log files revealed that the team managed attacks through several linked IP addresses, using various services to obscure their activities.
Beyond traditional hacking, You Dun actively markets its services as legitimate “pentests” via Telegram channels. However, a thorough analysis of their operations and the traces left behind indicates illicit data sales, extortion, and network compromise.
Their primary attack vectors included exploiting vulnerabilities in WordPress and Docker containers. The group frequently leveraged tools for privilege escalation and deploying malicious payloads on compromised systems, enabling them to gain deeper access to victims’ infrastructures.
The DFIR Report experts also confirmed that the group targeted organizations across various sectors, from healthcare and education to government institutions. However, no industry-specific preference was evident; the hackers aimed primarily to access the most vulnerable resources.
Thus, You Dun has demonstrated professionalism in cyberattacks, blending advanced tools with social engineering. This group’s activities remain under close observation, as their attacks continue to threaten the security of numerous organizations both within and beyond the region.