Menu
Browse

Cyber Threat Actor: n3tr1x

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
China
2 incidents
Profile

The threat actor known by the aliases n3tr1x and str0ng has been linked to activity originating from China, according to the available information. The actor first came to public attention through a series of compromises involving the jQuery project, a widely used JavaScript library. These incidents demonstrate the actor's use of online pseudonyms and a focus on web‑based assets. No further personal or organizational details about the actor are publicly disclosed.

Targeting appears to focus on organizations that rely on jQuery resources, particularly privileged enterprise IT administrators whose credentials are valuable for further network intrusion. In the 2014 incident the actor injected malicious code into the jQuery domain that redirected visitors to exploit kits, which delivered credential‑stealing malware designed to harvest authentication details for lateral movement within corporate networks. The 2017 incident involved the defacement of the official jQuery blog, where the actor gained access to a core team member's account—possibly through password reuse or a WordPress vulnerability—and published a fraudulent post under that individual's name. Across both events the actor demonstrated a pattern of exploiting trusted web platforms to either distribute malware or to manipulate content for visibility. The actor's tooling includes the use of known exploit kits and the manipulation of content management systems, rather than the deployment of custom malware families. No evidence has been presented of the actor developing or employing unique malware families beyond the observed exploit‑kit payloads.

The two publicly reported operations involving the jQuery project constitute the most notable campaigns attributed to n3tr1x/str0ng. The 2014 attack represents a classic watering‑hole strategy, leveraging the reputation of a legitimate software distribution point to deliver malware to high‑value targets. The 2017 blog defacement, while less damaging in terms of payload delivery, illustrates the actor's capability to compromise administrative accounts and to use those credentials for propaganda or further access. Together these incidents highlight a recurring theme of targeting widely trusted web assets to achieve either data theft or visibility gains. No additional campaigns have been publicly attributed to the actor at this time.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source