Chinese hackers used NSA exploit years before Shadow Brokers leak
Security News, February 2021

Chinese state hackers cloned and started using an NSA zero-day exploit almost three years before the Shadow Brokers hacker group publicly leaked it in April 2017.
"To our surprise, we found out that this APT31 exploit is in fact a reconstructed version of an Equation Group exploit called 'EpMe'," Check Point said.
This was possible because the Chinese state hackers had captured both the 32-bit and 64-bit samples of the Equation Group's EpMe exploit.
Once replicated, the zero-day exploit was used by APT31 alongside other hacking tools in its arsenal, including the group's multi-stage packer.
Because Jian was assembled from the 32-bit and 64-bit versions of the Equation Group exploit, Check Point concludes that the APT31 operators obtained the exploit samples themselves in all of their supported versions. Check Point's report lists possible scenarios for how those samples were captured, including:
- during an Equation Group operation on a third-party network that the Chinese APT was also monitoring;
- by the Chinese APT during an attack on Equation Group infrastructure.