Student Sells Gov’t, University Sites to Chinese Actors
Summary
Researchers at Cyderes’ Howler Cell tracked a Bangladesh-based college student who has been harvesting and selling access to misconfigured websites on Telegram for roughly a year and a half. The operation spans more than 5,200 compromised sites — heavily skewed towards educational (about half) and government (around a quarter) domains, primarily in Asia. Low-value sites sell for a few dollars; high-value government and university sites fetch up to US$220.
Buyers include financially motivated cybercriminals and actors apparently pursuing espionage. Several compromised sites were observed running a previously undocumented Chinese-language webshell called “Beima.” Beima uses RSA-encrypted commands, JSON-based C2 that mimics legitimate API traffic, randomised payload placement, and timestamp manipulation (backdating files by 6–12 months) to evade detection. Cyderes reports Beima went undetected by modern security tools in their observations.
The student exploited common misconfigurations: leftover WordPress installers, exposed cPanel instances, default or weak admin credentials, and exposed .env files containing secrets. The student organised infected hosts into a panel-driven botnet and sold access via Telegram channels where buyers pay in cryptocurrency.
Key Points
- One student in Bangladesh sold access to more than 5,200 compromised websites via Telegram, targeting mainly Asia-based organisations.
- Nearly 50% of the sites were in education and ~25% in government, which explains both their higher prices and the interest from state-aligned actors.
- High-value targets (universities, law enforcement, courts, military sites) were priced up to about US$220; ordinary sites sold for a few dollars.
- Buyers included Chinese, Malaysian and Indonesian threat actors; some uses point to espionage, not just profit.
- The Beima webshell — Chinese-language, RSA-encrypted commands, JSON C2 and timestamp manipulation — was deployed on many of the student’s sites and is hard for signature-based tools to detect.
- Common attack vectors: leftover WordPress installers, misconfigured cPanel, exposed .env files and weak/default admin credentials.
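A defender's triage pass over a web root for the three indicators the Summary and Key Points describe (leftover WordPress installers, exposed .env files, and Beima-style backdated file timestamps). This is an added example, not Cyderes' tooling or anything from the report; the indicator lists, threshold and sample tree are assumptions constructed for illustration, and the ctime check assumes a Linux-style filesystem.

```python
"""Scan a web root for leftover WordPress installers, exposed .env files and
PHP files with a backdated mtime (ctime gap), as a defender's triage pass."""
import os
import tempfile
import time
from pathlib import Path
# Hypothetical indicator lists; extend with your own stack's installers.
LEFTOVER_PATHS = ("wp-admin/install.php", "wp-admin/setup-config.php")
SECRET_NAMES = (".env",)
BACKDATE_THRESHOLD_DAYS = 90   # Beima backdates files by 6-12 months

def scan_webroot(root):
    """Return {'leftover', 'secrets', 'timestomped'} -> paths relative to root."""
    root_path = Path(root)
    findings = {"leftover": [], "secrets": [], "timestomped": []}
    for rel in LEFTOVER_PATHS:
        if (root_path / rel).is_file():
            findings["leftover"].append(rel)
    for p in sorted(root_path.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root_path).as_posix()
        if p.name in SECRET_NAMES:
            findings["secrets"].append(rel)
        if p.suffix == ".php":
            st = p.stat()
            # touch/utime can rewrite mtime but not ctime on Linux, so a file
            # dropped today and stamped "8 months old" shows a large gap.
            gap_days = (st.st_ctime - st.st_mtime) / 86400
            if gap_days > BACKDATE_THRESHOLD_DAYS:
                findings["timestomped"].append(rel)
    return findings

def build_sample_webroot():
    """Constructed sample tree (not real data) exercising all three checks."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "wp-admin").mkdir()
    (root / "wp-admin" / "install.php").write_text("<?php // installer\n")
    (root / ".env").write_text("DB_PASSWORD=example\n")
    (root / "index.php").write_text("<?php echo 'ok';\n")
    shell = root / "wp-content" / "uploads" / "cache.php"
    shell.parent.mkdir(parents=True)
    shell.write_text("<?php // stand-in for a dropped webshell\n")
    old = time.time() - 240 * 86400   # stamp mtime 8 months back
    os.utime(shell, (old, old))       # ctime still updates to now
    return str(root)

if __name__ == "__main__":
    print(scan_webroot(build_sample_webroot()))
```

Run it against a real document root by calling scan_webroot("/var/www/html") (path assumed); a non-empty "timestomped" list is a lead for forensic review, not proof of compromise on its own.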
Why should I read this?
Short version — this is a nasty shortcut: folks with tiny budgets can buy footholds on gov and uni sites, and some buyers are clearly doing spy stuff. If you manage websites or defend networks, skim this now: it shows how cheap access + stealthy webshells can create big headaches.
Author’s take
Punchy and important: the story exposes a low-cost supply chain for access that feeds higher-tier actors. Beima’s anti-detection tricks and the focus on public institutions make this a security priority — especially for organisations that still run legacy WordPress installs or poorly managed control panels. Patch, remove installers, secure .env files and rotate credentials — pronto.
Source
Source: https://www.darkreading.com/threat-intelligence/govt-university-sites-chinese-actors
