China’s cybersecurity ecosystem has attracted growing attention in recent years, particularly following multiple document leaks that revealed close overlap between private security firms, red-team operators, and government-aligned cyber activity. While much has been written about advanced persistent threats and large-scale espionage campaigns, far less is publicly known about the everyday tools used by commercial penetration testers operating inside China.
That gap narrowed recently after analysts obtained a collection of penetration-testing tools belonging to an active Chinese security professional. The dataset provides a rare look into the software, frameworks, and workflows used by red-team operators who focus on exploit discovery, vulnerability testing, and infrastructure access within Chinese and regional technology environments.
The collection does not indicate direct involvement with state-sponsored hacking groups or advanced persistent threat operations. Instead, it offers insight into the practical tooling used by what could best be described as the operational base layer of China’s offensive security industry.
Burp Suite as the Core Testing Platform
As with penetration testers worldwide, Burp Suite remains the central tool for web application testing. Developed by PortSwigger, Burp has long been considered an industry standard for intercepting traffic, identifying vulnerabilities, and crafting exploit payloads.
The dataset shows that Chinese pen-testers rely heavily on Burp, but often extend its capabilities using locally developed plugins and customized extensions. These additions reflect both language localization and region-specific attack patterns.
Notable Burp plugins found in the toolkit include:
- ByPassPro, an automated authorization bypass tool derived from AutoBypass403
- Domain Hunter Pro, a target information and asset management plugin
- MingDong, a localized Burp environment offering plugins, questionnaires, and Mandarin-language workflows
- OneScan, a recursive directory scanning plugin discontinued in mid-2025
- Turbo Intruder, a high-volume request engine originally developed by PortSwigger
- xia_yue, a privilege escalation automation plugin
- xia_sql, a SQL injection testing extension
- TsojanScan, an extended vulnerability detection plugin from the TsojanScanTeam
Most of these plugins encapsulate well-known exploitation techniques rather than introducing novel methods. Their presence suggests a preference for automation, efficiency, and integration rather than experimental exploit development.
Chinese-Language Exploit Frameworks
Beyond Burp Suite extensions, the toolkit contains several Chinese-developed exploitation frameworks that have been linked to past intrusion campaigns and red-team operations.
One of the most notable tools present is Godzilla, a webshell and post-exploitation framework that drew attention during attacks against United States infrastructure in 2021. Godzilla was later analyzed in detail by the U.S. Health Sector Cybersecurity Coordination Center.
According to public assessments, Godzilla was designed to evade detection by encrypting its command-and-control traffic with the Advanced Encryption Standard (AES). Because the request and response bodies are opaque ciphertext rather than readable commands, signature-based network detection becomes significantly more difficult, which helps attackers maintain persistent access.
Although Godzilla has been associated with actors linked to the Chinese state, the tool itself is publicly available and widely used within Chinese penetration-testing communities. Its inclusion in the toolkit suggests that it remains a favored option for post-exploitation activities.
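Encrypted webshell traffic defeats signature matching on command strings, but it still has a shape a defender can look for: POST requests to a server-side script in a location that should only hold static content, carrying a parameter whose value is an opaque, high-entropy blob. The following script is an added illustration written for this article, not code from the page or from any of the tools it describes, and it does not reproduce Godzilla's actual protocol. It scores constructed request records (the `Request` dataclass, the sample requests, the "static directory" list and the entropy threshold are all assumptions) and flags the ones that match that shape:

```python
import base64
import binascii
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode


@dataclass
class Request:
    """One captured HTTP request (constructed record shape, not a real capture format)."""
    src: str
    method: str
    path: str
    content_type: str
    body: bytes


SCRIPT_EXTENSIONS = (".jsp", ".jspx", ".php", ".aspx", ".ashx")
# Assumption: directories on this hypothetical site that should never serve executable scripts.
STATIC_DIRS = ("/uploads/", "/static/", "/images/")
ENTROPY_THRESHOLD = 6.0   # bits per byte; plain form fields and JSON sit well below this
MIN_OPAQUE_LEN = 64       # short values cannot reach a high entropy, so skip them


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given data (0.0 for empty or single-symbol input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def opaque_value(value: str) -> bytes:
    """Bytes to score: the base64-decoded payload when the value is valid base64, else the raw text."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return value.encode("utf-8", "replace")


def score_request(req: Request) -> list:
    """Return the list of reasons this request looks like encrypted webshell traffic (empty if none)."""
    reasons = []
    if req.path.lower().endswith(SCRIPT_EXTENSIONS) and any(d in req.path for d in STATIC_DIRS):
        reasons.append("server-side script requested from a static/upload directory")
    if req.method == "POST" and req.content_type.startswith("application/x-www-form-urlencoded"):
        for key, value in parse_qsl(req.body.decode("latin-1"), keep_blank_values=True):
            payload = opaque_value(value)
            if len(payload) >= MIN_OPAQUE_LEN and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
                reasons.append(f"opaque high-entropy parameter '{key}' ({len(payload)} bytes)")
    return reasons


def find_suspicious(requests) -> list:
    """(source, path, reasons) for every request that triggered at least one heuristic."""
    hits = []
    for req in requests:
        reasons = score_request(req)
        if reasons:
            hits.append((req.src, req.path, reasons))
    return hits


def opaque_blob(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ciphertext, built by chaining SHA-256 (constructed test data)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed sample traffic: three benign requests and one that matches the encrypted-webshell shape.
SAMPLE_REQUESTS = [
    Request("10.0.0.5", "GET", "/index.jsp", "", b""),
    Request("10.0.0.5", "POST", "/login.jsp", "application/x-www-form-urlencoded",
            urlencode({"user": "alice", "pass": "hunter2"}).encode()),
    Request("10.0.0.7", "POST", "/api/search", "application/json", b'{"q": "printer"}'),
    Request("10.0.0.9", "POST", "/uploads/images/report.jsp", "application/x-www-form-urlencoded",
            urlencode({"pass": base64.b64encode(opaque_blob(b"constructed", 1024)).decode()}).encode()),
]

if __name__ == "__main__":
    for src, path, reasons in find_suspicious(SAMPLE_REQUESTS):
        print(f"{src} {path}: " + "; ".join(reasons))
```

The two heuristics are deliberately independent: the path check catches a dropped script even when its traffic is small, and the entropy check catches opaque payloads even when the script sits in a plausible location. Either one alone produces false positives (legitimate file uploads, compressed form data), so in practice the score would be combined with request frequency per source and with file-integrity alerts on the web root rather than blocking on a single hit.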
LiqunKit and Infrastructure-Focused Exploitation
The dataset also includes LiqunKit, a Chinese-language exploitation framework focused on enterprise infrastructure vulnerabilities. LiqunKit targets technologies commonly deployed within Chinese organizations, including MySQL, Oracle, Redis, PostgreSQL, Apache Struts, WebLogic, and Office Automation components.
LiqunKit received its last major update around 2021 but remains relevant due to the continued presence of legacy systems within many enterprise environments. Its focus on database access, middleware exploitation, and service misconfiguration reflects a pragmatic approach to gaining persistence and privilege escalation.
Exploit Meta-Frameworks and Control Platforms
Another significant component of the toolkit is a full copy of 天狐渗透工具箱 社区版 (Tianhu Penetration Toolbox, Community Edition), a commercial exploit meta-framework. Rather than delivering exploits directly, this platform functions as a centralized control interface for coordinating tools such as Burp Suite, Cobalt Strike, and other exploitation frameworks.
These types of platforms streamline workflow management, target tracking, and payload delivery across large-scale assessments. Their presence suggests structured testing operations rather than ad-hoc exploitation.
NacosExploitGUI and Alibaba Cloud Targeting
One of the most regionally specific tools identified is NacosExploitGUI, a graphical exploitation framework targeting Alibaba’s Nacos microservices management platform.
Nacos is widely deployed across Alibaba Cloud environments and is commonly used for service discovery, configuration management, and microservice orchestration. As a result, vulnerabilities in Nacos deployments can provide access to cloud infrastructure, databases, and container environments.
The NacosExploitGUI framework integrates detection and exploitation of default credentials, SQL injection vulnerabilities, authentication bypass flaws, and deserialization issues. Its inclusion underscores how exploit tooling often mirrors dominant cloud platforms within a given region.
Custom Python Utilities
The collection contains only two custom Python scripts, indicating that most of the operator’s workflow relied on established frameworks rather than bespoke development.
The first script functions as a lightweight HTTP file server, allowing rapid transfer of files between systems during testing. The second script wraps SQL queries inside SOAP request structures, suggesting use in SQL injection scenarios where SOAP-based services are targeted.
These scripts are simple but functional, designed to support exploitation rather than perform it directly.
Observed Pen-Testing Results
Alongside the toolset, analysts obtained a partial vulnerability assessment report generated by the same operator. Although incomplete, the document provides insight into how the tools were applied in real-world testing.
Examples observed in the report include exploitation of Nacos services to deploy webshells, extraction of Kubernetes administrator configuration files, database privilege escalation through SQL injection, and access to dozens of Alibaba Cloud instances via leaked access keys.
While details remain limited, the results suggest effective exploitation of misconfigurations rather than zero-day vulnerabilities.
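The report's most consequential finding, access to dozens of cloud instances through leaked access keys, is a misconfiguration class that is cheap to check for before an assessment ever reaches it. The scanner below is an added example for this article, not code from the page or from the operator's toolkit; the file names, configuration keys and credential values it scans are all constructed, and the key-name patterns and the placeholder list are assumptions a team would tune to its own conventions. It flags assignments whose name suggests a credential and whose value looks like a real secret, while skipping environment-variable references and obvious placeholders so that the template files most repositories contain do not drown the real leaks:

```python
import re

# Assumption: key names that usually hold a credential (case-insensitive substring match).
CREDENTIAL_KEYS = re.compile(
    r"(access[_-]?key(?:[_-]?(?:id|secret))?|secret[_-]?key|secret|api[_-]?key|token|password|passwd)",
    re.IGNORECASE,
)
# key = value / key: value, with optional quotes; the value stops at whitespace, a quote or a comment.
ASSIGNMENT = re.compile(r"""^\s*(?P<key>[A-Za-z_][\w.-]*)\s*[:=]\s*["']?(?P<value>[^"'\s#]+)["']?""")
# Assumption: values that are templates or references rather than leaked material.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|\$[A-Z_]+|<.*>|changeme|example|xxx+|\*+)$", re.IGNORECASE)
MIN_SECRET_LEN = 16


def looks_like_secret(value: str) -> bool:
    """True when a value is long enough and mixed enough to be a credential, not a placeholder."""
    if len(value) < MIN_SECRET_LEN or PLACEHOLDER.match(value):
        return False
    return any(c.isalpha() for c in value) and any(c.isdigit() for c in value)


def mask(value: str) -> str:
    """Keep only the first and last four characters so findings can be reported without re-leaking the secret."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(name: str, text: str) -> list:
    """(file, line number, key, masked value) for every credential-looking assignment in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if CREDENTIAL_KEYS.search(key) and looks_like_secret(value):
            findings.append((name, lineno, key, mask(value)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of file name -> contents and concatenate the findings in file order."""
    return [f for name, text in files.items() for f in scan_text(name, text)]


# Constructed sample files: two real-looking leaks in .env, one in a Helm values file,
# plus placeholders and references that must not be reported.
SAMPLE_FILES = {
    "deploy/.env": "\n".join([
        "# constructed sample, not real credentials",
        "APP_ENV=production",
        "CLOUD_ACCESS_KEY_ID=k7Qm2pX9vT4wLn8dR3sJ6hB1",
        'CLOUD_ACCESS_KEY_SECRET="Zp4Wq8Ln2Ty6Vb9Hs3Kd7Mf1Rc5Xe0Ja"',
        "DB_PASSWORD=${DB_PASSWORD}",
        "SMTP_TOKEN=changeme",
    ]),
    "charts/values.yaml": "\n".join([
        "image: registry.example.invalid/app:1.4",
        "auth:",
        '  api_key: "<your-api-key>"',
        "  token: tok_9Fx3Ls7Qa2Wm5Ze8Rb4Yn6Ck1Dv0",
        "  password: abc12",
    ]),
}

if __name__ == "__main__":
    for name, lineno, key, masked in scan_files(SAMPLE_FILES):
        print(f"{name}:{lineno}: {key} = {masked}")
```

Run as a pre-commit hook or over an extracted container image, the same function scans real files by reading each one into the `files` mapping. The value-shape test is intentionally loose; it errs toward reporting, and the masked output lets a reviewer triage a finding without the scanner itself becoming another place the key is stored in clear text.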
What This Reveals About Chinese Pen-Testing Practices
The toolkit does not indicate advanced or novel offensive capabilities. Instead, it reflects a mature, standardized penetration-testing ecosystem built around automation, region-specific infrastructure, and widely known exploitation techniques.
Much like pen-testers in other countries, Chinese operators appear to favor efficiency, repeatability, and integration over experimental tooling. The heavy emphasis on Alibaba Cloud, Nacos services, and localized frameworks highlights how exploit development follows market dominance rather than geopolitical boundaries.
Ultimately, this collection does not expose hidden state-level cyber operations. It offers a grounded view of how commercial security testing is conducted within China, using tools and techniques that would be familiar to penetration testers around the world.
