Check Point Research revealed that Chinese hackers created “Jian,” an attack tool that was designed to exploit a zero-day vulnerability in Microsoft’s operating systems from Windows XP to Windows 8, by cloning software developed by the U.S. National Security Agency, ZDNet reports.

Analysts once theorized that Jian was developed by APT31, a Chinese advanced persistent threat group also known as Zirconium. Check Point says Jian was being used in attacks between 2014 and 2017, until the hacking group Shadow Brokers released EpMe to the public in 2017 along with a number of tools and files that belonged to the NSA's Equation Group. Microsoft patched the CVE-2017-0005 vulnerability that same year.

The cybersecurity researchers theorized that APT31 may have acquired and repurposed EpMe either when the Equation Group attacked a Chinese target, after an attack by APT31 on Equation Group systems, or while Equation Group was active in a network also being monitored by APT31.