Chinese Cyber Contractors Exploit Malware and Botnets in State-Sponsored Attacks

Marcus Rodriguez
June 22, 2026

Key Takeaways

  • Chinese state-sponsored cyber operations have evolved into a “composite responsibility” model, heavily relying on private contractors and technology firms.
  • These private entities develop and sell hacking tools, establish botnets, and broker stolen data to Chinese government intelligence services.
  • High-profile campaigns like Salt Typhoon, Flax Typhoon, and Volt Typhoon demonstrate this commercialized cyber espionage ecosystem.
  • Organizations should strengthen defenses by mapping network devices, implementing MFA, employing zero-trust, and actively hunting for suspicious traffic from consumer-grade devices.

The Evolution of Chinese State-Sponsored Cyber Operations

China’s approach to cyber warfare and espionage has undergone a significant transformation, moving beyond the traditional model of isolated state-backed hacking groups. Recent analysis reveals a sophisticated, composite responsibility framework, where the state extensively leverages private cybersecurity firms and contractors.

Instead of relying solely on government personnel, China now operates a complex ecosystem involving private companies, external contractors, and data brokers. These entities collaboratively conduct espionage activities on behalf of the nation’s intelligence apparatus, at a scale and level of sophistication that has reportedly surprised even veteran security researchers.

The Commercial Underbelly of Cyber Espionage

At the core of this expansive network are private technology companies. These firms are responsible for developing and commercializing hacking tools, constructing extensive botnets, exfiltrating sensitive data, and then reselling access and information to government clients. Operations attributed to groups such as Salt Typhoon, Flax Typhoon, and Volt Typhoon underscore the critical role this commercial layer plays in Chinese state-sponsored campaigns.

This private sector provides a full spectrum of services, ranging from custom malware and network infrastructure to raw, illicitly obtained data, effectively transforming cyber espionage into a market-driven enterprise.

Analysts at BindingHook introduced a new framework, which they term “composite responsibility,” to better understand these multifaceted operations. This model moves away from attributing an entire campaign to a single Advanced Persistent Threat (APT) group. Instead, it acknowledges that a single cyber operation can involve multiple distinct entities, each contributing at varying levels of involvement and accountability.

A report by BindingHook, shared with Cyber Security News (CSN), detailed how the United States and its allies linked Salt Typhoon – a highly damaging cyber espionage campaign targeting Western telecommunications infrastructure – to at least three private firms based in China. These companies are alleged to have supplied cyber-related products and services to China’s intelligence agencies, with the UK’s NCSC indicating they “enabled” the malicious activity. Despite these attributions, specific roles and direct tasking relationships of these firms remained largely undisclosed to the public as of mid-2025.

A significant leak of internal documents from I-Soon, a Chinese private contractor reportedly connected to both the Ministry of State Security and the Ministry of Public Security, provided an unprecedented glimpse into the mechanics of this model. The leaked information revealed that I-Soon employees conducted intrusions as contractors, reported findings to government clients, and managed campaigns targeting at least 14 governments. This leak solidified the understanding that Chinese cyber operations are not monolithic but rather intricate, commercially driven ecosystems.

Chinese Cyber Contractors: Tools, Botnets, and Data Exploitation

Private sector entities within China have become indispensable to state-sponsored hacking campaigns, supplying government buyers with essential tools, infrastructure, and stolen data. For instance, the privately developed ShadowPad backdoor was reportedly sold to multiple suspected People’s Liberation Army (PLA) units, including RedFoxtrot and Tonto Team, and shared with groups like Chengdu404, whose personnel faced charges for activities associated with APT41. This demonstrates that accountability can extend beyond the direct attackers to the companies that commercialize malicious software.

The Raptor Train botnet, which was ultimately disrupted by US authorities, serves as a prime example of this contractor-based model. Its development was attributed to Chengdu-based Integrity Technology Group, making the firm partly accountable for intrusion activities linked to Flax Typhoon. Both the US and UK governments subsequently sanctioned Integrity Tech for controlling a covert cyber network and providing technical support to those orchestrating attacks.

Data brokering introduces another complex layer to these operations. Individuals linked to APT27, such as Yin Kecheng and Zhou Shuai, not only conducted hacking campaigns but also subsequently sold the exfiltrated data to various customers, including Chinese government entities. In some instances, data stolen by Yin was resold through I-Soon, creating additional resale stages between the initial intrusion and the eventual recipient of the data.

What You Should Do

Organizations facing these evolving and layered threats must adopt robust defensive strategies:

  • Comprehensive Network Mapping: Begin by mapping all network-connected devices and establishing a baseline understanding of normal network traffic patterns.
  • Implement Strong Authentication: Deploy multi-factor authentication (MFA) across all systems and services.
  • Restrict Access: Utilize allowlists to control network access and adopt zero-trust architectures to ensure continuous verification.
  • Leverage Threat Intelligence: Integrate real-time threat intelligence feeds to identify potential botnet activity or other indicators of compromise before they escalate into major intrusions.
  • Proactive Threat Hunting: For high-risk environments, actively hunt for suspicious traffic, particularly from consumer-grade devices like SOHO routers, which are frequently co-opted into covert networks.
  • Monitor Network Flows: Continuously monitor network traffic for unusual behavior patterns that could indicate hidden infrastructure or malicious activity.
  • Network Segmentation and IDS: Apply network segmentation to isolate critical assets and deploy host-based intrusion detection systems (HIDS) to limit potential damage from a successful breach.
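The baseline, allowlist, threat-intelligence and consumer-device hunting steps above can be combined into a single flow-triage pass. The following is an added example written for this article, not code from the article, BindingHook or any vendor; every flow record, prefix and indicator in it is constructed, and the checks are ordered so each flow is reported under its most serious reason.

```python
# Added example (not from the article): hunt flows against a baseline, an
# allowlist, a threat-intel feed and consumer-grade source ranges.
# All flow records, prefixes and indicators below are constructed.
from ipaddress import ip_address, ip_network

# Constructed flows observed during a quiet period: (src_ip, dst_ip, dst_port)
BASELINE_FLOWS = [
    ("10.0.1.20", "10.0.2.5", 443),
    ("10.0.1.21", "10.0.2.5", 443),
    ("10.0.1.21", "10.0.2.6", 53),
]
ALLOWLIST = {("10.0.2.5", 443), ("10.0.2.6", 53)}   # constructed approved pairs
INDICATOR_FEED = {"203.0.113.10"}                    # constructed botnet-node feed
SOHO_PREFIXES = [ip_network("198.51.100.0/24")]      # constructed SOHO-router range

def baseline(flows):
    """Learn the set of (dst, port) pairs that count as normal."""
    return {(dst, port) for _, dst, port in flows}

def hunt(flows, normal, allowlist, feed, soho_prefixes):
    """Return (reason, flow) per suspicious flow; checks run in priority order."""
    findings = []
    for flow in flows:
        src, dst, port = flow
        src_ip = ip_address(src)
        if src in feed:
            findings.append(("source in threat-intel feed", flow))
        elif any(src_ip in net for net in soho_prefixes):
            findings.append(("inbound from consumer-grade address space", flow))
        elif (dst, port) not in allowlist and (dst, port) not in normal:
            findings.append(("destination/port neither allowlisted nor baselined", flow))
    return findings

# Constructed flows from a later window; three of them should be flagged
NEW_FLOWS = [
    ("10.0.1.20", "10.0.2.5", 443),       # normal
    ("10.0.1.20", "10.0.2.9", 445),       # new SMB destination, not baselined
    ("198.51.100.77", "10.0.1.20", 22),   # SSH from the SOHO-like range
    ("203.0.113.10", "10.0.1.21", 443),   # source listed in the feed
]

def run():
    """Apply the hunt to NEW_FLOWS with the constructed baseline and lists."""
    return hunt(NEW_FLOWS, baseline(BASELINE_FLOWS), ALLOWLIST, INDICATOR_FEED, SOHO_PREFIXES)

if __name__ == "__main__":
    for reason, flow in run():
        print(f"{reason}: {flow}")
```

In a real deployment the baseline would be learned from exported flow logs over a quiet period and the feed and SOHO ranges would come from your threat-intelligence provider, with findings routed to analysts rather than printed.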
