We assess with high confidence that the threat actor Xorcat recently published a suite of five exploitation tools targeting Chinese network infrastructure. The toolset bypasses authentication, extracts personally identifiable information, and maps financial associations. Analysts verified that the scripts exploit missing rate limits, static tokens, and insecure direct object references. Unmasking exact citizen identities remains the primary outcome. We assess with moderate confidence that attackers intend to expose structural vulnerabilities within centralized verification networks. Future exploitation will likely increase as other groups adopt the provided methods.
Modern telecommunications heavily rely on centralized verification. Centralization streamlines user experiences. Massive databases simultaneously create concentrated targets for threat actors. Recent intelligence reveals a specialized release of open-source scripts tailored for Chinese platforms. The actor distributed an Application Programming Interface bypass, a corporate registry exploit, a physical identity parser, a telecommunications exhaust script, and a financial tracking method. Analysts assess with high confidence that the combined operation strips user anonymity. Technical analysis separates the verified script mechanics from the adversary’s broader claims of disruption.
Threat Actor Profiling: Xorcat Evolution
Attribution points to an entity operating under the domain xorcat. deals as Xorcat. Historical logs confirm that Xorcat previously analyzed advanced exploits leaked from the Shadow Brokers in August 2016. The researcher successfully tested the EXTRABACON buffer overflow exploit against Cisco Adaptive Security Appliances. Executing remote code on enterprise firewalls requires advanced knowledge of memory corruption. We assess with high confidence that Xorcat possesses tier-one technical skills.
The shift from analyzing advanced persistent threat weaponry to publishing application-layer scripts represents a significant tactical change. We assess with moderate confidence that ideological opposition to state surveillance drives the current campaign. The actor likely wants to expose the fragility of verification systems. Alternatively, the actor seeks to crowdsource the disruption of regional platforms. Verified evidence confirms the tools function as advertised, lowering the entry barrier for novice attackers.
Identity Extraction: The WeChat Vector
The first tool targets an identity verification intermediary hosted on fws.xuanyanmeng.com. The Chinese government mandates real-name registration. Therefore, verification servers process highly sensitive data. The threat actor identified two exposed endpoints. Attackers send requests containing a physical name and a WeChat identifier. The server returns a binary match response.
Cryptographic Failures and Security Flaws
Code analysis proves the script relies on a hardcoded token. The 32-character hexadecimal string acts as a master password. The server architecture implicitly trusts the static token. Furthermore, the endpoint lacks threshold controls. Attackers execute mass enumeration without triggering defense mechanisms. We assess with high confidence that attackers map real-world identities to online profiles at an industrial scale.
Corporate Reconnaissance: Registry Exploitation
The toolset includes a corporate intelligence script. The script queries the sdnj.lcwl4.com domain. The targeted endpoint requires zero authentication. Users submit a company name formatted as a JSON payload. The server blindly returns sensitive leadership details.
Semiotics and Evasion Tactics
The script implements sophisticated header spoofing. The code sets the user agent to mimic a Vivo smartphone running Android 13. The code injects a Baidu tracking identifier as the referer. The server assumes the traffic originates from a legitimate mobile search. Analysts verified that the script extracts the legal representative’s name and the corporate credit code. The attacker maps out corporate structures invisibly.
Offline Intelligence: Identity Deconstruction
The third utility operates offline to parse Chinese national identity numbers. The 18-digit numbers conform to GB11643-1999. The identifier structure lacks cryptographic randomness. The Python script deconstructs the string computationally.
Data Parsing Mechanics
The regular expression engine validates the structural format. The script then extracts specific index slices. The first six digits reveal geographic origin. Digits seven through 14 contain the exact date of birth. The 17th digit exposes biological sex. We assess with high confidence that deterministic identity frameworks enable rapid offline surveillance.
| Extracted Data | Standard Logic | Intelligence Value |
| --- | --- | --- |
| Address Code | First six digits dictate precise origin. | Enables geospatial targeting. |
| Birth Date | Digits seven through 14 show YYYYMMDD. | Breaks age-restricted access. |
| Gender | The 17th digit modulo operation determines sex. | Crafts synthetic profiles. |
| Checksum | The 18th character provides validation. | Confirms mathematical validity. |
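The deterministic structure described above cuts both ways: the same GB11643-1999 check digit lets a defender find and redact identity numbers in logs and exports with far fewer false positives than a bare 18-character regex. The following is an added example written for this report, not the actor's script; the log lines and the identity numbers in them are constructed.

```python
import re
from datetime import date

# Weights and check-digit table defined by GB11643-1999 (a public standard).
WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
CHECK_MAP = "10X98765432"
# Candidate: 17 digits plus a digit or X, not embedded in a longer digit run.
ID_RE = re.compile(r"(?<![0-9])([0-9]{17}[0-9Xx])(?![0-9])")


def check_digit(first17: str) -> str:
    """Return the GB11643-1999 check character for the first 17 digits."""
    total = sum(int(d) * w for d, w in zip(first17, WEIGHTS))
    return CHECK_MAP[total % 11]


def is_valid_id(candidate: str) -> bool:
    """True only if the format, embedded birth date and check digit all agree."""
    if not re.fullmatch(r"[0-9]{17}[0-9Xx]", candidate):
        return False
    try:
        date(int(candidate[6:10]), int(candidate[10:12]), int(candidate[12:14]))
    except ValueError:
        return False
    return candidate[17].upper() == check_digit(candidate[:17])


def redact_ids(text: str) -> tuple[str, int]:
    """Replace every checksum-valid ID number in text; return (text, count)."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        if is_valid_id(m.group(1)):
            count += 1
            return "[CN-ID REDACTED]"
        return m.group(0)  # 18-char lookalike that fails validation: keep as-is

    return ID_RE.sub(_sub, text), count


# Constructed log lines (not from the report): the first ID is synthetic but
# checksum-valid, the second carries a bad check digit.
SAMPLE_LOG = """\
10:00:01 POST /verify id=110105199003079994 result=match
10:00:02 POST /verify id=110105199003079990 result=error
10:00:03 GET /health 200"""

if __name__ == "__main__":
    cleaned, n = redact_ids(SAMPLE_LOG)
    print(f"redacted {n} identifier(s)\n{cleaned}")
```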
Telecommunications Disruption: Application Exhaustion
The fourth component attacks the app2.100520.com infrastructure. Threat actors weaponize the platform’s authentication code generator. The script prompts the operator for a target phone number and initiates an infinite loop.
Evasion and Impact
The code spoofs the Yingyongbao application storefront. The header dictates the OkHttp client version. The script sends three requests per second. The target device receives 200 messages per minute. Analysts verified that the attack renders messaging applications unusable. Attackers frequently use flooding to mask legitimate bank alerts during an account takeover.
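Both the mass enumeration against the verification endpoint and the code flood described here stem from the same missing control: no threshold on how often one key may hit an endpoint. The following sliding-window limiter, keyed by client token for lookups and by destination phone number for code requests, is an added example written for this report, not code from the actor or any of the targeted platforms; the limits, endpoint paths, token and traffic sample are assumed and constructed.

```python
from collections import defaultdict, deque

# Assumed policy (not from the report): (max requests, window seconds) per key.
LIMITS = {
    "/verify": (10, 60.0),      # identity lookups, keyed by client token
    "/send_code": (3, 600.0),   # SMS codes, keyed by destination phone number
}


class SlidingWindowLimiter:
    """In-memory sliding-window counter; a shared store is needed across servers."""

    def __init__(self, limits):
        self.limits = limits
        self.hits = defaultdict(deque)  # (endpoint, key) -> request timestamps

    def allow(self, endpoint: str, key: str, ts: float) -> bool:
        limit, window = self.limits[endpoint]
        q = self.hits[(endpoint, key)]
        while q and ts - q[0] >= window:   # drop hits that left the window
            q.popleft()
        if len(q) >= limit:
            return False                   # over threshold: reject, do not record
        q.append(ts)
        return True


def replay(limiter: SlidingWindowLimiter, log: str) -> dict:
    """Replay 'ts endpoint key' lines; return {endpoint: (allowed, blocked)}."""
    stats = defaultdict(lambda: [0, 0])
    for line in log.splitlines():
        ts, endpoint, key = line.split()
        stats[endpoint][0 if limiter.allow(endpoint, key, float(ts)) else 1] += 1
    return {k: tuple(v) for k, v in stats.items()}


# Constructed traffic: 12 code requests to one number at three per second (the
# rate the report describes), then 25 lookups with one static token in 25 s.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i / 3:.2f} /send_code +8613800000000" for i in range(12)]
    + [f"{2000 + i} /verify TOKEN_PLACEHOLDER" for i in range(25)]
)

if __name__ == "__main__":
    print(replay(SlidingWindowLimiter(LIMITS), SAMPLE_LOG))
    # {'/send_code': (3, 9), '/verify': (10, 15)}
```

Rejected requests are not recorded, so a flood cannot extend its own lockout indefinitely; once the window passes, the key is served again.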
Financial Reconnaissance: Third-Party Ledger Exploitation
The final technique relies on manual manipulation of the Alipay application. Alipay handles more than 80 percent of daily transactions nationwide. The attacker initiates a 0.01 RMB transfer to a target phone number. After the transaction clears, the attacker opens their native banking application. The attacker clicks the native interface button to repeat the transfer.
Systemic Ledger Flaws
The banking software queries the central clearing ledger. The application displays the target’s unredacted bank account number on the screen. The native bank interface strips the privacy layer that Alipay provides. We assess with high confidence that the technique compromises individual financial privacy.
The Xorcat toolset systematically dismantles anonymity across major Chinese networks. The scripts exploit missing rate controls, static authentication, and transparent ledgers. We assess with high confidence that independent operators will rapidly adopt the published methods. System administrators must implement strict authorization protocols and dynamic token generation to secure the infrastructure. Unchecked application interfaces remain a severe liability for national security.
