QUICKLOOK: China’s Silent Weapon for Global Cyber Recon
How China's cyberspace mapping tool has become the backbone of state-sponsored hacking operations
Executive Summary
FOFA has quietly become one of the most potent weapons in China's cyber espionage arsenal. With over 4 billion mapped internet assets and over 350,000 fingerprint rules, this Chinese-developed search engine is now used by at least 13 confirmed APT groups to identify vulnerable systems worldwide.
The scale is staggering: In just one recent campaign, threat actors used FOFA to identify and compromise 581 SAP NetWeaver systems across 140,000+ organizations. Even more concerning, China now controls two of the world's five top cyberspace search engines, giving Beijing unprecedented visibility into global internet infrastructure.
This investigation reveals how FOFA has evolved from a legitimate security tool into a strategic intelligence asset, backed by exclusive analysis of government advisories, vulnerability databases, and APT group activities from 2020 to 2025.
The Chinese APT Groups Using FOFA
Based on analysis of government reports, cybersecurity firm investigations, and declassified intelligence, here are the confirmed Chinese threat groups leveraging FOFA for reconnaissance:
Tier 1: Confirmed Heavy Users
APT41 (Earth Baku, Winnti)
Usage: "APT41 used FOFA to search open technical databases for passive scanning of victims" (Source: Natto Thoughts research, May 2024)
Activity: Global infrastructure targeting with sophisticated supply chain attacks
Notable: Operates both state-sponsored and financially motivated campaigns
Volt Typhoon (BRONZE SILHOUETTE)
Usage: "Chinese threat groups like Volt Typhoon are known to perform extensive reconnaissance even pre-compromise – Microsoft noted they used internet scanning tools like FOFA and Shodan to find target network devices" (Source: EclecticIQ analysis, 2025)
Activity: Critical infrastructure pre-positioning for potential future disruption
Impact: Compromised US power grids, water systems, and telecommunications
Earth Krahang
Usage: "Earth Krahang heavily employs open-source scanning tools that perform recursive searches," including FOFA integration (Source: Trend Micro, March 2024)
Activity: Cross-government attacks exploiting intergovernmental trust
Scope: Targeting government entities across Southeast Asia
Tier 2: Confirmed Users
APT40 (Leviathan)
Background: Active since 2009; the US DoJ indicted four Chinese nationals affiliated with APT40 in July 2021
Focus: Maritime sector and research institutions
FOFA Role: Asset discovery for naval and maritime technology theft
APT10 (menuPass, Stone Panda)
Operation: Cloud Hopper campaign reported by PwC and BAE Systems in 2017
Target: Managed IT service providers globally
Method: Combined FOFA reconnaissance with modified NBTscan tools
GALLIUM (Granite Typhoon)
Activity: Targeted global telecommunication providers in 2019
Tools: "GALLIUM used a variety of tools, mainly off-the-shelf tools or modified versions of known security tools, to perform reconnaissance" (Source: Microsoft Threat Intelligence)
FOFA Integration: Network device discovery and mapping
Stately Taurus (Mustang Panda)
Campaign: Southeast Asian government targeting in 2023
Tools: "One of the scanning tools the threat actor used was NBTscan" combined with FOFA searches (Source: Unit42, Palo Alto Networks)
Pattern: Combines multiple reconnaissance tools for comprehensive target profiling
Tier 3: Likely Users (High Confidence)
Salt Typhoon
Notoriety: "Salt Typhoon has gained recent, significant notoriety for targeting Internet Service Providers (ISPs) to gather sensitive metadata and wiretap data" (Source: RH-ISAC, December 2024)
Method: Sophisticated telecom infrastructure mapping likely requires FOFA-level capabilities
Flax Typhoon (Ethereal Panda)
Specialty: "Flax Typhoon distinguishes itself by leveraging IoT devices for network access and botnet creation" (Source: SOCRadar, February 2025)
FOFA Role: IoT device discovery and vulnerability identification
UNC5221 & UNC5174
Activity: Both groups involved in 2025 SAP NetWeaver exploitation campaign
Evidence: Campaign used FOFA-identified targets based on EclecticIQ analysis
Tools: Deploy KrustyLoader and SNOWLIGHT malware via FOFA-discovered vulnerabilities
Recent Major Campaigns: FOFA in Action
Case Study: SAP NetWeaver Exploitation (2025)
The most dramatic recent example of FOFA's offensive use occurred in the 2025 SAP NetWeaver campaign:
The Discovery: "Threat actor–controlled server hosted at IP address 15.204.56[.]106 exposed the scope of the SAP NetWeaver intrusions" with direct reference to fofa.info (Source: EclecticIQ blog, 2025)
The Scale:
581 SAP NetWeaver instances compromised and backdoored
140,000+ tenant organizations affected globally
Critical sectors targeted: Energy, telecommunications, water systems, government
The Method:
Attackers used FOFA to scan for vulnerable SAP NetWeaver Visual Composer instances
Created comprehensive target lists via CVE-2025-31324-results.txt
Deployed webshells named helper.jsp, cache.jsp, and randomized variants
Leveraged AWS S3 buckets to host additional malware payloads
Geographic Impact:
United Kingdom: Critical natural gas distribution, water utilities
United States: Medical device manufacturing, oil/gas exploration
Saudi Arabia: Government investment ministries
This campaign demonstrates FOFA's evolution from reconnaissance tool to operational enabler, providing the intelligence foundation for large-scale compromise operations.
FOFA vs. The Competition: Why China Has the Advantage
The Global Cyberspace Search Engine Landscape
The market for internet asset discovery is dominated by just five major players. Here's the concerning reality: China controls 2 of the 5 top platforms.
The Big Five (according to ESET's WeLiveSecurity ranking):
Shodan 🇺🇸 - ~3 billion assets, IoT focus
FOFA 🇨🇳 - 4+ billion assets, 350,000+ fingerprints
ZoomEye 🇨🇳 - ~2 billion assets, deep application scanning
Censys 🇺🇸 - ~4 billion assets, certificate analysis
BinaryEdge 🇪🇺 - ~2 billion assets, threat intelligence
FOFA's Technical Advantages
Scale and Scope:
4+ billion internet assets mapped globally (Source: FOFA official documentation)
350,000+ fingerprint rules for device identification
Hierarchical asset portraits showing IP relationships
Global coverage with superior Asian infrastructure visibility
Operational Advantages:
IP Rotation Strategy: "FOFA typically rotating its ScanIPs every three months" to avoid blocklisting (Source: Academic research, 2024)
Deep Content Analysis: Beyond banner grabbing to full web application fingerprinting
Integration Ecosystem: 20+ tools with official FOFA API support
Historical Tracking: Long-term asset change monitoring
Speed Comparison: Research shows scanning frequency differences:
Shodan/Censys: Every 1-2 days (higher frequency)
FOFA/ZoomEye: Every 3-7 days (broader coverage per scan)
FOFA Advantage: "665 IPs found are reported abusive in AbuseIPDB by users, the rotation may aim to avoid being blocklisted"
Why Chinese Tools Dominate APT Operations
Legal Framework: Under China's National Intelligence Law, "any domestic company can be compelled to assist state security operations—covertly or overtly" (Source: Armis Security analysis, 2025)
Intelligence Integration: "The CNNVD is essentially a shell for the Ministry of State Security (MSS); it has a website, but appears to be separate from the MSS in name only" (Source: Recorded Future, 2022)
Commercial Support: Companies like i-SOON "advertises an 'APT service system', 'target penetration services', and 'battle support services'" (Source: GitHub leak analysis, 2024)
The Vulnerability Database War: China's Information Advantage
The Numbers Don't Lie
China's vulnerability databases are systematically outperforming Western counterparts:
Speed Advantage:
Chinese CNNVD: 13-day average from discovery to publication
US NVD: 33-day average disclosure time
Result: China gets a 20-day head start on vulnerability intelligence
Coverage Gaps:
CNNVD has 1,661 more vulnerability entries than the US NVD (Source: IEEE research, 2022)
40+ additional Chinese vendor vulnerabilities not tracked by Western databases
282,794+ total vulnerabilities tracked by Chinese databases (Source: ARPSyndicate VEDAS project)
The Manipulation Problem: "CNNVD altered the original publication dates in its public database for at least 267 vulnerabilities" to hide MSS evaluation processes (Source: Recorded Future, September 2022)
Recent CVE Campaigns Using FOFA
CVE-2025-31324 (SAP NetWeaver):
FOFA identified 581 vulnerable instances before widespread awareness
"CVE-2025-31324-results.txt documented 581 SAP NetWeaver instances compromised and backdoored"
CVE-2024-21762 (Fortinet):
"Volt Typhoon intensified its cyber operations, exploiting CVE-2024-21762, a Fortinet FortiOS SSL VPN vulnerability"
Large-scale FOFA scanning preceded mass exploitation
CVE-2024-7593 (Ivanti):
"A FOFA search lists more than 400 results tied to over 200 unique IPs that might be affected"
Threat actors had comprehensive target lists before patches deployed
The 0.2% Problem
Here's the most alarming statistic: "Only 0.2% of CVEs are used in ransomware/APT campaigns" but "24.2% of organizations were vulnerable to a CVE known to be used in ransomware or by an APT" (Source: Bitsight, January 2025)
This means:
Threat actors are highly selective in vulnerability exploitation
FOFA provides the targeting intelligence to find vulnerable instances of specific CVEs
Most organizations are exposed to the small subset of CVEs actually used in attacks
Inside FOFA's Technical Arsenal
Advanced Reconnaissance Capabilities
Fingerprinting Technology: FOFA goes far beyond basic banner grabbing. Its 350,000+ fingerprint rules can identify:
Specific software versions and configurations
Hidden administrative interfaces
Development and testing environments
Misconfigured security devices
Industrial control systems
Hierarchical Asset Analysis: Unlike competitors, FOFA creates "hierarchical portraits of assets based on IP" allowing analysts to:
Map organizational network relationships
Identify parent-subsidiary connections
Discover related infrastructure across IP ranges
Track infrastructure changes over time
Content Search Capabilities: FOFA can search within:
HTML page content
HTTP headers
SSL certificate details
Server response banners
Application framework signatures
Real-World FOFA Queries Used by APTs
Based on analysis of APT campaigns and tool documentation:
# Infrastructure Reconnaissance
title="BIG-IP" && country="US"
app="SAP NetWeaver" && status_code="200"
service="FortiGate" && version="<6.4.7"
# Government Targeting
org="Department" && country="US"
title="Login" && org="gov"
# Industrial Systems
protocol="modbus" || protocol="s7"
app="Siemens" && port="102"
# Cloud Infrastructure
cloud="AWS" && port="22"
cert="*.amazonaws.com"
Integration with Exploitation Frameworks
FOFA's API enables seamless integration with:
Nuclei: Vulnerability scanning integration
Xray: Web application security testing
Custom frameworks: APT-developed reconnaissance pipelines
Metasploit modules: Direct exploitation capability
The Strategic Intelligence Dimension
Government Control and Oversight
Ministry of State Security (MSS) Integration: The MSS "is roughly China's equivalent to the American CIA" but with expanded domestic surveillance mandates (Source: Recorded Future podcast, March 2024)
Vulnerability Evaluation Process: "High-threat vulnerabilities were consistently published substantially later (anywhere from 21 to 156 days later) than low-threat vulnerabilities" suggesting deliberate operational assessment (Source: Recorded Future, November 2017)
Commercial Hacking Industry: Companies like Chengdu 404 provided "penetration test services for i-SOON" and technical service contracts, blurring lines between legitimate business and state-sponsored operations (Source: Natto Thoughts analysis)
Critical Infrastructure Targeting
Recent campaigns show systematic targeting of:
Energy Sector:
Power grid components and smart grid systems
Oil and gas pipeline infrastructure
Renewable energy management systems
Water Systems:
Treatment plant control systems
Distribution network monitoring
Quality monitoring sensors
Telecommunications:
ISP core infrastructure
5G network components
International gateway systems
Government:
Diplomatic missions and embassies
Military network infrastructure
Emergency response systems
Defensive Implications and Recommendations
The Attribution Challenge
Detecting FOFA-based reconnaissance is difficult because:
IP rotation every 3 months makes blocking ineffective
Legitimate use cases create false positive challenges
Passive scanning doesn't trigger traditional intrusion detection
Chinese infrastructure is less monitored by Western security tools
Immediate Actions for Organizations
Asset Discovery and Visibility:
Conduct your own FOFA searches of organizational assets.
Monitor Chinese search engines for organizational exposure.
Implement external attack surface management programs.
Run regular vulnerability scans of internet-facing systems.
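One way to act on the asset-discovery items above, using the same query syntax shown in the "Real-World FOFA Queries" section: an added Python example, not code from the article or from FOFA. The API endpoint, parameters and response shape are assumptions to verify against FOFA's current API documentation; the domain, key and sample response are constructed.

```python
# Added example: check your own organisation's exposure through FOFA's API.
# Assumptions, not from the article: the endpoint is
# https://fofa.info/api/v1/search/all taking key, qbase64 (base64 query) and
# fields, returning JSON whose "results" rows follow the fields' order.
import base64
import json
import urllib.parse
import urllib.request

FIELDS = ["host", "ip", "port", "protocol", "title"]
# Protocols that should not be internet-facing for this org (constructed policy).
RISKY_PROTOCOLS = {"rdp", "smb", "modbus", "s7", "telnet", "vnc"}

def build_query(domains):
    """FOFA query in the engine's own syntax: assets under our domains or certs."""
    return " || ".join(f'(domain="{d}" || cert="{d}")' for d in domains)

def build_url(query, api_key, size=100):
    """Encode the query the way the (assumed) API expects it."""
    qbase64 = base64.b64encode(query.encode()).decode()
    params = {"key": api_key, "qbase64": qbase64,
              "fields": ",".join(FIELDS), "size": size}
    return "https://fofa.info/api/v1/search/all?" + urllib.parse.urlencode(params)

def fetch(url):
    """Live call; only used when you have a key, the sample below runs offline."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def triage(response_json):
    """Map result rows to dicts and keep those on a risky protocol."""
    if response_json.get("error"):
        raise RuntimeError(response_json.get("errmsg", "FOFA API error"))
    rows = [dict(zip(FIELDS, r)) for r in response_json.get("results", [])]
    return [r for r in rows if r["protocol"].lower() in RISKY_PROTOCOLS]

# Constructed sample response in the assumed shape, so triage runs offline.
SAMPLE_RESPONSE = {
    "error": False,
    "results": [
        ["www.example.com", "198.51.100.10", "443", "https", "Example Corp"],
        ["198.51.100.22:3389", "198.51.100.22", "3389", "rdp", ""],
        ["198.51.100.30:502", "198.51.100.30", "502", "modbus", ""],
    ],
}

if __name__ == "__main__":
    print(build_url(build_query(["example.com"]), "FOFA_API_KEY_PLACEHOLDER"))
    for hit in triage(SAMPLE_RESPONSE):
        print("exposed:", hit["ip"], hit["port"], hit["protocol"])
```

Replace SAMPLE_RESPONSE with fetch(build_url(...)) once you have a key, and widen RISKY_PROTOCOLS to whatever your exposure policy forbids.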
Enhanced Monitoring:
Deploy honeypots to detect advanced reconnaissance.
Monitor for Chinese scanning IPs based on published threat intelligence.
Implement behavioral analysis for unusual network probing.
Coordinate with industry peers on sharing reconnaissance patterns.
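An added example of the behavioural monitoring recommended above (not code from the article): it scores web-server log sources on breadth of probing and error ratio, so detection does not rest solely on a scanner IP list that goes stale when the IPs rotate. The CIDR range and the log lines are constructed placeholders.

```python
# Added example: flag reconnaissance in web access logs on behaviour, since
# the article notes scanner IPs rotate and static blocklists go stale.
# KNOWN_SCANNER_NETS is a constructed placeholder, not FOFA's real ranges.
import ipaddress
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
KNOWN_SCANNER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def parse_line(line):
    """Parse one combined-format line into ip, path, status (None if malformed)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, path, status = m.groups()
    return {"ip": ip, "path": path, "status": int(status)}

def analyse(lines, min_paths=4, min_error_ratio=0.6):
    """Return {ip: [reasons]} for sources that look like reconnaissance."""
    per_ip = defaultdict(lambda: {"paths": set(), "total": 0, "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the pipeline
        s = per_ip[rec["ip"]]
        s["paths"].add(rec["path"])
        s["total"] += 1
        s["errors"] += rec["status"] >= 400
    flagged = {}
    for ip, s in per_ip.items():
        reasons = []
        if any(ipaddress.ip_address(ip) in net for net in KNOWN_SCANNER_NETS):
            reasons.append("known scanner range")
        ratio = s["errors"] / s["total"]
        if len(s["paths"]) >= min_paths and ratio >= min_error_ratio:
            reasons.append(f"probed {len(s['paths'])} paths, {ratio:.0%} errors")
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample log lines (combined format): one benign visitor, one hit
# from the placeholder range, and one source probing several admin paths.
SAMPLE_LOG = [
    '192.0.2.5 - - [01/Jan/2025:00:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:00:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "-"',
] + [
    f'198.51.100.7 - - [01/Jan/2025:00:01:0{i} +0000] "GET {p} HTTP/1.1" 404 0 "-" "-"'
    for i, p in enumerate(["/admin/", "/manager/html", "/console/", "/phpmyadmin/", "/api/"])
]
```

Calling analyse(SAMPLE_LOG) flags the placeholder-range source and the probing source while leaving the benign visitor alone; tune min_paths and min_error_ratio against your own baseline traffic.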
Policy and Governance:
Restrict use of Chinese cybersecurity tools in sensitive environments
Enhance threat intelligence programs to include Chinese vulnerability databases
Coordinate with government agencies on critical infrastructure protection
Implement supply chain security for all cybersecurity tools and services
Strategic Recommendations
For Government:
Develop domestic cyberspace search capabilities to match Chinese tools.
Enhance Five Eyes intelligence sharing on Chinese reconnaissance activities.
Implement regulatory frameworks for foreign cybersecurity tool usage.
Invest in accelerating vulnerability discovery and disclosure.
For the Private Sector:
Diversify threat intelligence sources beyond Western databases.
Implement defense-in-depth architectures, assuming reconnaissance.
Coordinate industry response to large-scale scanning campaigns.
Enhance incident response capabilities for state-sponsored threats.
The Broader Implications
Information Warfare in the Digital Age
FOFA represents more than just a reconnaissance tool—it's a strategic intelligence platform that provides China with:
Persistent Global Surveillance:
Real-time mapping of critical infrastructure changes
Early warning of new technology deployments
Comprehensive targeting databases for crisis scenarios
Economic Intelligence:
Corporate merger and acquisition intelligence
Technology development tracking
Supply chain vulnerability identification
Military Advantage:
Pre-positioning for potential cyber warfare
Critical infrastructure disruption capabilities
Strategic target identification and prioritization
The Future Threat Landscape
As FOFA and similar tools evolve, we can expect:
AI Integration:
Machine learning-enhanced target identification
Automated vulnerability correlation
Predictive targeting based on infrastructure patterns
Expanded Coverage:
IoT and edge device proliferation
5G and next-generation infrastructure
Space-based and satellite systems
Operational Sophistication:
Multi-tool reconnaissance pipelines
Real-time campaign adjustment based on scanning results
Coordinated global operations across multiple APT groups
Conclusion: The New Reality of Cyber Reconnaissance
FOFA's emergence as a cornerstone of Chinese cyber espionage operations represents a fundamental shift in our thinking about cybersecurity. This isn't just about protecting against individual attacks—it's about defending against persistent, state-level surveillance of our entire digital infrastructure.
The scale is unprecedented: 4+ billion assets mapped, 350,000+ fingerprint rules deployed, and 13+ APT groups actively using this intelligence for targeting decisions.
The implications are strategic: China now has persistent visibility into global internet infrastructure changes, emerging vulnerabilities, and critical system dependencies that could be exploited in future conflicts.
The response must be comprehensive: Enhanced monitoring, improved vulnerability management, international cooperation, and potentially the development of competing indigenous capabilities.
Most importantly, we must recognize that in the modern threat landscape, reconnaissance isn't just the first step of an attack—it's a continuous intelligence operation that provides strategic advantage to our adversaries. FOFA has made this reality impossible to ignore.
As we move forward, the organizations and nations that best understand and adapt to this new reconnaissance reality will be those best positioned to defend against the evolving threat from Chinese state-sponsored cyber operations.