Fscan

FScan is an open-source network scanning utility written in Go and described in the reporting as an intranet/network scanner used to identify open ports across IP subnets and support internal reconnaissance. It has been observed post-compromise in multiple intrusion sets as a public tool rather than a bespoke malware family. Cisco Talos reported Chinese-speaking APT cluster UAT-7237 using FScan during intrusions targeting web infrastructure entities in Taiwan, including a compromised Taiwanese web hosting provider, to search for open ports, discover endpoints, and support lateral movement alongside SMB scanning and stolen credentials. Talos also reported UAT-9921 using Fscan from compromised hosts in support of internal and external scanning tied to the VoidLink framework. Palo Alto Networks Unit 42 observed CL-STA-0969, a nation-state-linked cluster overlapping with Liminal Panda, using FScan in 2024 operations against telecommunications providers in Southwest Asia. JPCERT/CC reported attackers exploiting Ivanti Connect Secure vulnerabilities CVE-2025-0282 and CVE-2025-22457 deploying Fscan via DLL side-loading/FilelessRemotePE-based loaders during post-exploitation to scan internal systems; the same reporting notes Fscan has been adopted by various Chinese hacking groups. Additional reporting on attacks against South Korean web servers also describes use of Fscan for system and network discovery. High-confidence behavior directly mentioned in the content is limited to network/intranet scanning for open ports and endpoint discovery; no unique persistence or payload-delivery capability is attributed to FScan itself in the provided material.