Security Experts:

Connect with us

Hi, what are you looking for?



Chinese APT ‘Bronze Starlight’ Uses Ransomware to Disguise Cyberespionage

A China-linked state-sponsored hacking group named Bronze Starlight was observed deploying various ransomware families to hide the true intent of its attacks.

A China-linked state-sponsored hacking group named Bronze Starlight was observed deploying various ransomware families to hide the true intent of its attacks.

In attacks observed as early as mid-2021, the threat group started using the HUI Loader to drop ransomware such as AtomSilo, LockFile, Night Sky, Pandora, and Rook.

The short lifespan of each ransomware family, victimology, and the access to tools employed by Chinese nation-state threat actors (including known vulnerabilities and the HUI Loader) led researchers with cybersecurity firm Secureworks to believe that Bronze Starlight is likely interested in cyberespionage and intellectual property (IP) theft rather than financial gain.

Since at least 2015, HUI Loader has been used for the delivery of remote access trojans (RATs) and other types of malware, including Cobalt Strike, QuasarRAT, PlugX, and SodaMaster.

Starting in 2021, the loader has been used in campaigns focused on intellectual property theft, with two distinct clusters of activity identified: Bronze Riverside (APT10), which has been focusing on compromising Japanese organizations, and Bronze Starlight, which employs ransomware to distract incident responders and likely to destroy evidence of intrusion.

Secureworks analyzed the aforementioned five ransomware families – which were linked to HUI Loader samples that used to deploy Cobalt Strike Beacon – and discovered that they were built from two distinct codebases: an early one for AtomSilo and LockFile, and a more recent one – most likely based on leaked Babuk ransomware source code – for Night Sky, Pandora, and Rook.

“The use of HUI Loader to load Cobalt Strike Beacon, the Cobalt Strike Beacon configuration information, the C2 infrastructure, and the code overlap suggest that the same threat group is associated with these five ransomware families,” the researchers note.

The cybersecurity firm also discovered that the same network had been compromised by both Bronze Starlight and Bronze University, which deployed the ShadowPad malware. The intrusions started in November 2021 and overlapped for several weeks.

“The simultaneous and continued operations by another Chinese threat group on the same network suggests that the two groups may have deconflicted their post-intrusion activity. This scenario assumes collaboration and knowledge sharing between the groups. It could indicate that Bronze Starlight participates in government-sponsored intelligence-gathering efforts rather than being a purely financially motivated threat group,” Secureworks notes.

What’s more, the victimology and operational cadence of the five ransomware families do not align with the operations typically associated with financially-motivated threat actors.

Of a total of 21 known victims associated with AtomSilo, Night Sky, Pandora, and Rook, roughly 15 are of interest to Chinese state-sponsored cyberespionage groups. These include pharmaceutical companies, electronic component designers and manufacturers, a media company, and the aerospace and defense unit of an Indian conglomerate.

Related: Chinese Cyberespionage Group Starts Using New ‘PingPull’ Malware

Related: Chinese Hackers Adding Backdoor to iOS, Android Web3 Wallets in ‘SeaFlower’ Campaign

Related: Chinese Threat Actors Exploiting ‘Follina’ Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...