1 malware family

xfocus

Also known asxfocus

XFocus was a Chinese “red hacker” group active in the late 1990s and 2000s and discussed in a July 2025 CSS at ETH Zurich report on the communities that shaped China’s cyber ecosystem. The available content indicates that, like other contemporary Chinese hacker groups, XFocus had a relatively small core team despite much larger public community numbers. Archived versions of its website from 2004 to 2012 listed up to 18 core members, while the site reported 50,000 registered users in September 2012. The source material emphasizes that for these groups, registered-user counts often reflected low-barrier forum participation rather than operational capability, whereas core members conducted the meaningful technical work and also supported organizational functions. No additional aliases, sub-groups, specific targeting, or specific tactics and techniques are directly provided in the content beyond its characterization as part of the broader Chinese red hacker ecosystem.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

7 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

7 of 15 tactics8 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1595

Active Scanning

TA0042

Resource Development

1 technique

T1587

Develop Capabilities

T1587.001

Malware

TA0001

Initial Access

1 technique

T1190

Exploit Public-Facing Application

TA0004

Privilege Escalation

1 technique

T1068

Exploitation for Privilege Escalation

TA0007

Discovery

1 technique

T1046

Network Service Discovery

TA0008

Lateral Movement

1 technique

T1210

Exploitation of Remote Services

TA0011

Command and Control

1 technique

T1219

Remote Access Tools

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

BlasterA US teenager has been arrested under suspicion of creating the Blaster or LoveSan.B virus, and court papers reveal intriguing details about the origin of the Blaster worm. Jeffrey Lee Parson, 18, has admitted modifying the original Blaster worm using a text editor, adding a Trojan to allow backdoor access to infected computers and releasing it into the wild.2May 26, 2026

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

natto thoughts blogNews

Aug 13, 2025

Few and Far Between: During China’s Red Hacker Era, Patriotic Hacktivism Was Widespread—Talent Was Not

Chinese hacker/security community with a small core team and a large registered user base; reflects the broader 'red hacker' pattern of a small operational nucleus and a large forum population.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping7

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.