chinese_state_sponsored_threat_actor
This threat actor is a Chinese state-sponsored group attributed to a cyber-espionage campaign disclosed by Anthropic in November 2025. The campaign was notable for being conducted primarily by an autonomous AI system. The actor used compromised payment cards, validated through Chinese-operated card-testing services, to obtain access to Western AI platforms while masking the operators' identities. The payment fraud followed a typical kill chain: initial card validation, aging, resale on dark-web marketplaces, and subsequent use in targeted attacks. The infrastructure and tactics overlapped with those observed by Recorded Future's Payment Fraud Intelligence team, indicating a convergence of payment fraud and advanced cyber-espionage operations. The use of stolen cards to access AI platforms represents an evolution in tradecraft that serves both operational security and access objectives. No specific aliases or sub-groups are mentioned in the source material.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Conducting cyber-espionage campaigns using autonomous AI systems, and using compromised payment cards to access Western AI platforms while shielding the operators' identities. The group also relies on payment-fraud infrastructure to support advanced threat operations.
Conducting long-term, persistent cyber espionage operations targeting technology vendors for intelligence gathering, specifically stealing source code, vulnerability data, and customer configuration information from F5 to enable future targeted attacks and strategic advantage.