Chinese Hacker Group ‘Weaver Ant’ Breached Telecom Network Undetected for 4 Years


In a deeply concerning case of prolonged cyberespionage, the Chinese state-linked hacking group Weaver Ant (a subgroup of the larger APT41) was discovered to have infiltrated a telecom provider’s internal network for more than four years, from 2019 to mid-2023. The hackers deployed custom malware, including xDealer and LionsBot, targeting both Windows and Linux environments with a level of stealth that helped them fly under the radar.

This wasn’t a quick exploit. It was a calculated, long-term operation that focused on surveillance—not disruption—executed with surgical precision and alarming patience.

Inside the Attack: Malware Built for Longevity

Weaver Ant’s primary implants, xDealer and LionsBot, were engineered for cross-platform infiltration.

  • xDealer supported Linux and Windows, offering deep access to file systems, commands, and remote execution.

  • LionsBot focused on Windows systems, helping maintain long-term persistence.

What made this breach so insidious was its stealth. Rather than relying on zero-day exploits or flashy malware signatures, the attackers used DLL side-loading—a technique in which a trusted application is made to load a malicious DLL in place of a legitimate library—and custom loader chains to blend into normal network traffic.

These tools enabled them to quietly monitor and access:

  • Domain controllers

  • Internal databases

  • Authentication services

  • Core enterprise services

Unlike typical ransomware campaigns that leave behind encryption notices or demand payments, the Weaver Ant telecom hack was built on quiet observation. The attackers had one goal: long-term access to sensitive internal systems for data collection, espionage, and possibly broader strategic insight.

Their tactics paid off. They remained inside the network undetected for over 1,460 days.

Statistical Snapshot: The Bigger APT41 Picture

  • According to Mandiant, APT41 was responsible for 30+ intrusions across sectors in just the last two years.

  • The Safety Detectives 2024 report notes that 32% of all state-sponsored cyberattacks targeted telecom and government networks.

  • APT dwell time in these campaigns often exceeds 180 days—but Weaver Ant’s operation is an extreme case, showing what can happen when no one’s watching closely.

What It Means for Businesses of All Sizes

Even if you’re not a telecom giant, the tactics used in the Weaver Ant telecom hack are scalable—and increasingly common across attacks targeting small and mid-sized businesses. There are a few key takeaways that every organization, regardless of size, should consider.

First, don’t rely solely on automated security alerts. Malware like xDealer is engineered to avoid detection, and often won’t trigger any warnings. It’s critical to train your IT team to hunt for behavioral anomalies such as unfamiliar processes, suspicious login times, or odd outbound traffic patterns.

Second, auditing internal movement is essential. Threat actors rely on stealthy lateral movement to maintain long-term access. Segmenting your network and isolating critical infrastructure can prevent one compromised machine from opening the door to your entire system.

Another important consideration is comprehensive endpoint monitoring. Many businesses still focus primarily on Windows-based devices, leaving Linux systems relatively unguarded. But the Weaver Ant attack proves that Linux is no longer a low-risk blind spot—it’s a viable and active target.

Pay attention to the use of trusted applications within your network, too. DLL side-loading works by placing a malicious DLL where a legitimate program will pick it up in place of the library it expects. Keeping track of changes in file paths and software execution behavior can reveal early warning signs that something’s off.
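One way to turn that advice into a check, as an added example that is not part of the article: compare image-load telemetry against a known-good baseline and flag DLLs that normally live in a Windows system directory but are suddenly loaded from an application folder, or whose path has drifted from what was recorded earlier. The Sysmon-style fields and all sample events below are constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where Windows system DLLs are expected to be loaded from
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    process: str  # full path of the image that performed the load
    dll: str      # full path of the module that was loaded


def _dir(path):
    return str(PureWindowsPath(path).parent).lower()


def _name(path):
    return PureWindowsPath(path).name.lower()


def build_baseline(events):
    """Map (process name, dll name) -> directories seen during a known-good period."""
    baseline = {}
    for ev in events:
        baseline.setdefault((_name(ev.process), _name(ev.dll)), set()).add(_dir(ev.dll))
    return baseline


def find_sideloading(events, baseline):
    """Return (event, reason) pairs for loads that match side-loading warning signs."""
    # DLL names the baseline only ever saw in system directories
    system_dlls = {dll for (_, dll), dirs in baseline.items() if dirs <= SYSTEM_DIRS}
    findings = []
    for ev in events:
        key, d = (_name(ev.process), _name(ev.dll)), _dir(ev.dll)
        if key[1] in system_dlls and d not in SYSTEM_DIRS:
            findings.append((ev, "system DLL loaded from non-system directory"))
        elif key in baseline and d not in baseline[key]:
            findings.append((ev, "DLL path deviates from baseline"))
    return findings


# Constructed sample telemetry (hypothetical paths, not real indicators)
BASELINE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Windows\System32\version.dll"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\vendorlib.dll"),
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\version.dll"),
]
NEW_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\version.dll"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Users\Public\vendorlib.dll"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\vendorlib.dll"),
]

if __name__ == "__main__":
    for ev, why in find_sideloading(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"{why}: {ev.process} loaded {ev.dll}")
```

The baseline period must itself be clean; a side-loaded DLL present during baselining would be learned as normal, so pair this with the threat hunting the article recommends rather than treating it as a one-off check.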

Finally, and perhaps most importantly, invest in regular threat hunting. Rather than waiting for alerts or external indicators of compromise, organizations need to be proactively inspecting their system logs and network activity. That shift from a reactive to a proactive security approach is what makes the real difference in detecting advanced persistent threats before it’s too late.

The Real Threat Is the One You Don’t See

The Weaver Ant telecom hack reminds us that not all cyberattacks are loud. Some are quiet, strategic, and built for longevity. These kinds of intrusions demand a shift in mindset: from defending the perimeter to constantly evaluating the inside.

If your organization isn’t actively looking for subtle signals, it might already be compromised—and just not know it yet.

Author

Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.