QuietCrabs
QuietCrabs is a cyber-espionage intrusion set assessed as being of Asian origin and also described as a suspected Chinese hacking group. It has been reported targeting organizations globally, with victims in the US, UK, Germany, South Korea, Russia, Taiwan, the Philippines, Iran, and the Czech Republic, and it was observed in investigations of intrusions at Russian companies. Reported tradecraft includes rapid exploitation of newly published proof-of-concept (PoC) exploits for edge and server products, notably Microsoft SharePoint Server CVE-2025-53770 ("ToolShell") and Ivanti Endpoint Manager Mobile CVE-2025-4427/CVE-2025-4428, as well as use of Ivanti Connect Secure CVE-2024-21887 and Ivanti Sentry CVE-2023-38035 for initial access. Post-exploitation, QuietCrabs deploys an ASPX web shell and uses it to deliver a JSP loader that downloads and executes KrustyLoader (a malware family that the cited reporting associates uniquely with QuietCrabs), which in turn drops the Sliver command-and-control implant. Reporting also notes long dwell times, citing an average of 393 days (attributed to Mandiant). Known aliases: UTA0178, UNC5221.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇷🇺 Russia
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
1 distinct technique observed across reporting, grouped by tactic.
Associated vulnerabilities
3 CVEs this actor has used in observed campaigns, all 3 exploited in the wild.
“...as well as CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile. QuietCrabs were spotted exploiting the mentioned vulnerabilities within hours of the PoC’s publication.”
“...exploitation of RCE vulnerabilities, including CVE-2025-53770 in Microsoft SharePoint...”
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
QuietCrabs is a suspected Chinese threat group conducting attacks by exploiting vulnerabilities in enterprise software to gain initial access, deploy web shells, and deliver custom loaders and implants for further compromise.
Highly opportunistic exploitation of newly published n-days (rapid PoC-to-exploitation turnaround) against Russian organizations, leveraging multiple RCEs in enterprise products.
QuietCrabs is known for cyber espionage operations, using custom malware and maintaining long dwell times within victim infrastructure.
The version that knows your environment.
- Match sector + geo + tech-stack targeting against your real footprint.
- Every observed MITRE ATT&CK technique, grouped by tactic.
- Families this actor is known to deploy, with IOCs and behavior.
- CVEs this actor has used in known campaigns.
- YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
- Domains, IPs, and hashes tied to this actor, refreshed continuously.