
China-Linked Cybercrime Operation Deploys 5,300+ Backdoors Across 45,000 Global Attacks

SOCRadar uncovered a China-linked cybercrime campaign that has launched roughly 45,000 attacks and installed more than 5,300 backdoors worldwide using the OpenClaw and Paperclip toolkits. Because the operation is automated, it raises supply-chain risk for any organization that depends on third-party services, especially services hosted on or routed through Chinese infrastructure.

LiveThreat™ Intelligence Brief · May 02, 2026 · Source: hackread.com

Severity: High
Type: ThreatIntel
Confidence: High
Affected: 4 sector(s)
Actions: 4 recommended
Source: hackread.com

What Happened — Researchers at SOCRadar identified a large-scale, China-linked cybercrime campaign that has launched roughly 45,000 attacks and installed more than 5,300 backdoors worldwide. The operation relies on two custom toolkits, OpenClaw and Paperclip, to automate credential harvesting, lateral movement, and persistent access.

Why It Matters for TPRM

  • The automated nature of the toolkits enables rapid compromise of third‑party vendors, increasing supply‑chain risk.
  • Persistent backdoors can remain undetected for months, exposing downstream customers to data exfiltration and ransomware.
  • The campaign’s global reach means any organization that outsources services to China-based providers, or that shares infrastructure with them, may be at risk.

Who Is Affected — Technology & SaaS providers, cloud hosting services, MSP/MSSP partners, and any downstream enterprises that rely on these vendors.

Recommended Actions

  • Conduct a rapid inventory of any third‑party services that originate from or route through Chinese infrastructure.
  • Verify that all vendors enforce multi‑factor authentication and have robust endpoint detection and response (EDR) controls.
  • Review proxy, DNS and endpoint logs for indicators of compromise (IOCs) associated with OpenClaw and Paperclip (C2 domains, file hashes) as they are published by the original reporting or your threat-intelligence provider; this brief does not list the IOCs itself.
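The IOC review step above is easiest to repeat across vendors if it is scripted. The following is an added example, not code from SOCRadar, HackRead or LiveThreat: it matches a published IOC list (C2 domains and SHA-256 file hashes) against proxy and DNS log lines and a file-hash inventory. Every indicator, log line and path below is a constructed placeholder (the `.invalid` domains and the hashes are not OpenClaw or Paperclip indicators), and the log formats are assumptions; swap in your own feed and your log parser's field layout.

```python
"""Match proxy/DNS logs and a file-hash inventory against an IOC list.

All indicators, log lines and paths here are constructed placeholders for
the demonstration; none are real OpenClaw/Paperclip IOCs.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical IOC feed. A real run would load the vendor/ISAC list here.
IOC_DOMAINS = {"c2-example.invalid", "update-relay.invalid"}
IOC_SHA256 = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}

# Assumed proxy format: "<epoch> <client> <status> <bytes> <method> <url>"
PROXY_RE = re.compile(r"^\S+ \S+ \S+ \d+ (?P<method>\S+) (?P<url>\S+)")
# Assumed BIND-style query log: "client <ip>#<port>: query: <name> IN <type>"
DNS_RE = re.compile(r"query: (?P<name>\S+) IN ")
# Assumed inventory format: "<sha256>  <path>"
HASH_RE = re.compile(r"^(?P<sha>[0-9a-fA-F]{64})\s+(?P<path>.+)$")


@dataclass(frozen=True)
class Hit:
    source: str     # "proxy", "dns" or "hash"
    indicator: str  # the IOC that matched
    evidence: str   # the log line or file path that triggered it


def domain_matches(host: str, ioc_domains=IOC_DOMAINS) -> Optional[str]:
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in ioc_domains:
        # Exact match or a labelled subdomain; "notc2-example.invalid" must not match.
        if host == d or host.endswith("." + d):
            return d
    return None


def host_from_url(url: str) -> str:
    """Extract the host from CONNECT host:port or scheme://host/path."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:]+)", url, re.I)
    return m.group(1) if m else ""


def scan_proxy(lines: Iterable[str]) -> List[Hit]:
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        ioc = domain_matches(host_from_url(m.group("url")))
        if ioc:
            hits.append(Hit("proxy", ioc, line))
    return hits


def scan_dns(lines: Iterable[str]) -> List[Hit]:
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            ioc = domain_matches(m.group("name"))
            if ioc:
                hits.append(Hit("dns", ioc, line))
    return hits


def scan_hashes(lines: Iterable[str], ioc_hashes=IOC_SHA256) -> List[Hit]:
    # Normalise case so upper-case hashes from Windows tooling still match.
    wanted = {h.lower() for h in ioc_hashes}
    hits = []
    for line in lines:
        m = HASH_RE.match(line)
        if m and m.group("sha").lower() in wanted:
            hits.append(Hit("hash", m.group("sha").lower(), m.group("path")))
    return hits


def scan_all(proxy, dns, hashes) -> List[Hit]:
    return scan_proxy(proxy) + scan_dns(dns) + scan_hashes(hashes)


# Constructed sample input (placeholders, not real traffic or binaries).
SAMPLE_PROXY = """1714600001.001 10.0.0.5 TCP_TUNNEL/200 4210 CONNECT c2-example.invalid:443
1714600002.002 10.0.0.7 TCP_MISS/200 812 GET http://www.example.com/index.html
1714600003.003 10.0.0.9 TCP_TUNNEL/200 99 CONNECT api.update-relay.invalid:8443""".splitlines()
SAMPLE_DNS = """client 10.0.0.5#53211: query: beacon.c2-example.invalid IN A +
client 10.0.0.7#40112: query: www.example.com IN AAAA +""".splitlines()
SAMPLE_HASHES = """E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855  /opt/agent/updater
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08  /usr/local/bin/agent""".splitlines()

if __name__ == "__main__":
    for h in scan_all(SAMPLE_PROXY, SAMPLE_DNS, SAMPLE_HASHES):
        print(f"[{h.source}] {h.indicator}: {h.evidence}")
```

Domain matching deliberately accepts subdomains (a beacon to `beacon.c2-example.invalid` is still a hit) but rejects lookalike hosts that merely end in the same characters, and hashes are compared case-insensitively so inventories from different tooling line up. Run it against the full retention window, not just recent logs, since the brief notes these backdoors can sit undetected for months.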

Technical Notes — The attackers use a combination of phishing lures and credential stuffing to gain initial footholds, then deploy OpenClaw for automated credential dumping and Paperclip for backdoor implantation. No specific CVE is cited; the campaign relies on existing software vulnerabilities and weak authentication rather than a novel flaw, so patch hygiene and MFA coverage are the relevant controls. Data types at risk include intellectual property, personal identifiers, and financial records. Source: HackRead

📰 Original Source
https://hackread.com/45k-attacks-53k-backdoor-china-cybercrime-operation/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
