Charles Li

Chief Analyst of TeamT5

Charles is the chief analyst of TeamT5, where he leads the analyst team for threat intelligence research. He has been studying cyber-attacks and campaign tracking for more than 10 years. His research interests include vulnerability research, reverse engineering and APT attacks. He has published research and training courses at security conferences.

Talk (with Greg Chen & Yi-Chin Chuang): KnockHuoDuo Unmasked: The Fruit of China's Evolving Zero-Day Exploitation Strategy [TLP:AMBER+STRICT]

In recent years, Chinese state actors have increasingly exploited zero-day vulnerabilities, surpassing all other nations combined. This surge reflects a deliberate policy shift since 2018, when China began systematically collecting vulnerabilities and treating them as national assets. Following this strategy, we identified an emerging Chinese state actor, KnockHuodou (UNC4841), specializing in vulnerability exploitation. Their expertise in pwning, binary exploitation, and reverse engineering has enabled some of the most sophisticated compromises. This presentation will reveal our research on KnockHuodou in 2024. We will start by introducing KnockHuodou and their recent campaigns, particularly their exploitation of zero-day vulnerabilities in edge devices. Next, we will present case studies to highlight the evolving threat they pose. KnockHuodou serves as a vivid example of how China-nexus actors can apply centralized vulnerability research in cyberattacks. In the last part of the talk, we will conclude with key implications based on our understanding of KnockHuodou and how it represents the emerging Chinese cyber threats – because, as the saying goes, know the enemy and know yourself; in a hundred battles, you will never be in peril. We believe that intelligence is the best key to defense.