Cyber Threat Actor: Xiaoqiying

Aliases: 3 aliases
Actor Type: Activist
Location: China
Known Incidents: 7 incidents
Profile

Genesis Day, also tracked as Xiaoqiying or Teng Snake, is a Chinese‑language hacktivist group that has used multiple aliases in its public communications. The actors describe themselves as motivated by patriotism toward China and explicitly state that financial gain is not their primary objective. Researchers have noted that the group operates without any confirmed ties to the Chinese government, and no state sponsorship has been demonstrated in open sources. Their activity has focused on South Korean academic and research institutions, with claims of additional targeting in Japan, Taiwan, and occasional references to entities such as the FBI, Ukrainian organizations, and South Korean government ministries. The group has also asserted intrusions into Samsung’s internal employee platform, file transfer service, and intranet in South Korea, although Samsung has only confirmed that it is investigating these claims.

In terms of tactics, the actors repeatedly exploit internet‑facing devices by employing widely available penetration‑testing tools and proof‑of‑concept exploit code. They have used Telegram channels for recruitment, announcements, and the sharing of unverified claims about past operations, and after those channels were shut down they maintained a clearnet website to post statements. Their operations involve data exfiltration—most notably a claimed 54‑gigabyte haul from South Korean targets—and website defacement, where they replace content with generic error pages or messages declaring that the “Korean Internet” has been “invaded.” Stolen data has been posted to cybercriminal forums such as BreachForums and Ramp Forum, and the actors have touted partnerships with groups like Lapsus$, the now‑defunct Hive ransomware collective, Pakistani hacking collectives, and Russian government hackers, though these alliances remain unverified. The group’s public statements have included claims of compromising institutions such as National Taiwan University, but the supporting evidence has been described as inconclusive by researchers. Overall, the available material portrays Genesis Day as an ideologically driven hacktivist collective that relies on open‑source tools and messaging platforms to conduct and publicize its attacks.
