Inside the Open Directory of the “You Dun” Threat Group
ID: cae53459-8a75-5d26-8df8-6783c5e49b80
STIX ID: report--cae53459-8a75-5d26-8df8-6783c5e49b80
Feed Name: The DFIR Report
This report analyzes an exposed open directory, active from January to February 2024, linked to a Chinese-speaking criminal group calling itself "You Dun." It documents extensive reconnaissance tooling (WebLogicScan, Vulmap, Xray, dirsearch); exploitation with SQLmap, against Zhiyuan OA, and of a WordPress plugin vulnerability (CVE-2021-25003); post-exploitation tooling (Cobalt Strike with the TaoWu and Ladon extensions, and the Viper C2 framework); container and Linux privilege-escalation tools (CDK, Traitor); and use of a leaked LockBit 3 builder that produced a ransomware payload whose ransom note referenced a Telegram contact. The report closes with IOCs: IP addresses, an SSH host key fingerprint, TLS certificate artifacts, and multiple file hashes.
