Skip to content

Unveiling China's cyber scanning capabilities

The following is summary of three insightful blog posts on Chinese scanning capabilities by Natto Team.

The following is summary of three insightful blog posts by Natto Team, an emerging threat intelligence team focused on the human, language and geopolitical aspects of cyber threat intelligence. I encourage readers to read the primary sources when they have time due to amazing details on Chinese scanning capabilities.

We have summarised this reporting as scanning is the key first step of cyber reconnaissance activities. The Internet 2.0’s Cloaking capability does mitigate all open information provided by scanning tools when we conducted initial analsyis of these insights.

Decoding the i-SOON Leaks

The initial Natto Team's analysis of leaked documents from the Chinese hacker-for-hire company i-SOON reveals the prominence of "TZ," an enigmatic acronym appearing frequently in various documents. Despite extensive mentions, its precise meaning remains elusive. Natto Team speculates that "TZ" might denote "special investigation" or "special reconnaissance," indicating a focus on network security and cyber capabilities. This aligns with the Chinese Public Security Bureau’s emphasis on building specialized network teams for cybersecurity tasks, emphasizing the importance of reconnaissance in cyber operations.

APT41's Reconnaissance Techniques

APT41, a company with affiliation to i-Soon and a Chinese attributed state-sponsored hacking group, also leverages sophisticated reconnaissance techniques to gather critical information about targets. Their toolkit includes both globally recognized tools like Nmap and specialized Chinese-developed tools such as OneForAll and Subdomain3. Techniques like Execution Guardrails enable APT41 to limit malware activation to specific targets, enhancing stealth and reducing detection risk.

Comprehensive Review of Scanning Tools

To understand the scope and capabilities of the tools used by Chinese cybersecurity firms and state-sponsored groups like APT41, Natto Team took a deep dive into the tools.  

1. Nmap (Network Mapper)

Nmap is a free and open-source network scanner used for network discovery and security auditing. In China, Nmap has been widely adopted not only by cybersecurity firms but also by hacking groups due to its robust feature set and versatility. It can:

  • Identify active devices on a network.
  • Discover open ports and services.
  • Detect operating systems and hardware addresses.
  • Perform version detection and scriptable interaction with the target.

Nmap's popularity is evident from its widespread availability on Chinese websites, tutorials, and even training videos from platforms like 51CTO, which caters to millions of IT professionals.

2. OneForAll

OneForAll, developed by Chinese coder Jing Ling, is a powerful tool for subdomain enumeration. This tool is particularly noted for its ability to pull data from unique Chinese data sources like Baidu Cloud Observation and Gitee, which are typically not accessed by non-Chinese tools. Features include:

  • Subdomain blasting and verification.
  • Subdomain takeover detection.
  • Integration with various data sources for comprehensive subdomain discovery.

OneForAll’s ability to leverage local Chinese data sources gives it a distinct edge in regional cyber operations.

3. Subdomain3

Subdomain3 is another tool designed for subdomain discovery. Developed by a Chinese coder under the GitHub handle "yanxiu0614," Subdomain3 is recognized for its efficiency and effectiveness in:

  • Bruteforcing subdomains using predefined wordlists.
  • Integrating with other reconnaissance tools for extended capabilities.
  • Providing a user-friendly interface for rapid deployment and scanning.

Its development by a local coder and tailored features make it a go-to tool for both defensive and offensive operations in China.

4. SubDomainsBrute

SubDomainsBrute, hosted on GitHub by "lijiejie," is specialized in subdomain brute forcing. It uses common subdomain names to attempt connections, aiding in uncovering hidden assets of a target organization. This tool's key aspects include:

  • Comprehensive wordlists for extensive subdomain coverage.
  • High-speed brute forcing capabilities.
  • Integration with other tools for combined reconnaissance efforts.


FOFA is an internet asset search engine developed by Beijing Huashun Xin’an Technology Co. Ltd. It is comparable to Shodan and Censys, focusing on:

  • Identifying connected devices and services worldwide.
  • Leveraging a vast database of over 4 billion internet assets.
  • Offering advanced search functionalities to filter results based on specific criteria.

APT41 uses FOFA extensively for passive reconnaissance, making it a critical component of their operational toolkit.

In addition to the aforementioned tools, several other Chinese-developed scanning tools are worth noting due to their capabilities and prevalence in the cybersecurity landscape.

6. X-scan

X-scan, developed by the hacker group Xfocus, is a comprehensive network vulnerability scanner known for:

  • Command-line and GUI front-end operation.
  • Identifying a wide range of vulnerabilities across different network services.
  • Integration with other security tools for enhanced scanning and reporting.

Xfocus's historical significance and continuous development of X-scan underscore its importance in China's cybersecurity toolkit.

7. ZoomEye

ZoomEye, developed by Knownsec, is a powerful search engine for internet-connected devices and services. It is known for:

  • Identifying industrial control systems (ICS) and other critical infrastructure components.
  • Providing detailed information on devices, including IP addresses, operating systems, and open ports.
  • Offering advanced search capabilities to uncover potential vulnerabilities.

ZoomEye’s focus on ICS makes it particularly valuable for targeting critical infrastructure.

Key Insights

Natto Team has been auditing many cyber security companies. The below table is their analysis of which company is using which tools.

Source Natto Team


The comprehensive analysis of i-SOON's leaks, APT41's techniques, and the broader cybersecurity industry highlights China's sophisticated and multifaceted approach to cybersecurity reconnaissance. The Natto Team’s insights offer a valuable perspective on the intricate dynamics of this capability, emphasizing the critical role of reconnaissance China’s cyber security industry.

Original Natto Blogs:

Who Has the Best Scanning Tools in China?
Recent “China Cybersecurity Industry Panorama” gives one assessment of China’s top scanning companies.
APT41’s Reconnaissance Techniques and Toolkit: Nmap and What Else?
APT41 and other Chinese malicious cyber actors can choose from numerous reconnaissance tools developed in China and abroad, including those developed for legitimate defensive purposes.
i-SOON Toolkit: What is “TZ”?
Network investigation and reconnaissance work is so critical for the Chinese Public Security bureaus that it needs a code name, “TZ.”