Chinese APT Tools Found in Ransomware Schemes, Blurring Attribution Lines

China-linked cyberespionage toolkits are popping up in ransomware attacks, forcing defenders to rethink how they combat state-backed hackers.


China-linked APT espionage tools are starting to appear in corporate ransomware attacks, blurring threat actor attribution and forcing security teams to rethink how they combat state-backed hackers in the wild.

Researchers at Symantec and Trend Micro separately discovered sophisticated tools, once deployed exclusively for nation-state level cyberespionage, in financially motivated extortion schemes, suggesting deliberate collusion or even the possibility that members of APT groups are moonlighting as ransomware criminals.

In one striking case, Symantec threat hunters documented an incident where a toolset typically linked to China-based espionage was used against an Asian software and services company. 

The attacker used a legitimate Toshiba executable (toshdpdb.exe) to sideload a malicious DLL (toshdpapi.dll) that decrypted a file (toshdp.dat) containing a variant of PlugX — a notorious backdoor known only from previous Chinese cyberespionage operations. 
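A defensive hunt for the sideloading pattern described above, as an added example that is not drawn from the Symantec or Trend Micro reports: it scans Sysmon-style image-load records for a DLL loaded from the same non-system directory as its host executable and notes any co-located .dat blob. The field names follow Sysmon Event ID 7; the events and directory listing are constructed, reusing only the file names the article gives.

```python
"""Flag DLL side-loading candidates in Sysmon-style ImageLoad (Event ID 7) records.

Heuristic: a DLL loaded from the same directory as its host executable, where
that directory lies outside the usual system paths, with an optional check for
a co-located data blob (the encrypted payload in the PlugX triad).
"""
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events, not real telemetry. Only the first one should fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\toshdpdb.exe",
     "ImageLoaded": r"C:\Users\Public\toshdpapi.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\rpcss.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
]

# Constructed directory listing keyed by lower-cased directory path.
NEIGHBOUR_FILES = {r"c:\users\public": {"toshdpdb.exe", "toshdpapi.dll", "toshdp.dat"}}


def is_outside_system_dirs(path: str) -> bool:
    """True when the path is not under a protected system/program directory."""
    return not path.lower().startswith(SYSTEM_DIRS)


def find_sideload_candidates(events, neighbour_files=None):
    """Return (host_exe, dll, reason) tuples for loads matching the heuristic."""
    neighbour_files = neighbour_files or {}
    hits = []
    for ev in events:
        exe = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        if dll.suffix.lower() != ".dll":
            continue
        # PureWindowsPath equality is case-insensitive, as on NTFS.
        same_dir = exe.parent == dll.parent
        if not (same_dir and is_outside_system_dirs(str(exe))):
            continue
        reasons = ["dll loaded from host exe directory outside system paths"]
        if ev.get("Signed", "").lower() != "true":
            reasons.append("loaded dll is unsigned")
        listing = neighbour_files.get(str(exe.parent).lower(), set())
        blobs = sorted(f for f in listing if f.lower().endswith(".dat"))
        if blobs:
            reasons.append(f"co-located data blob(s): {blobs}")
        hits.append((exe.name, dll.name, "; ".join(reasons)))
    return hits
```

Feed real Sysmon Event ID 7 records and a directory inventory in place of the constructed samples; the same-directory check is the core signal and the blob check adds confidence.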

The FBI, working in tandem with law enforcement authorities in France, recently erased the China-linked PlugX trojan from more than 4,200 infected computers in the United States.

In earlier intrusions dating back to July 2024, Symantec notes that similar PlugX variants were seen in attacks against government entities in southeastern Europe and Asia. In those cases, the objective was clear: maintain persistent, covert access to target networks. That same toolset, however, was later deployed alongside the RA World ransomware in a campaign where encrypted machines were held for ransom, with demands reaching $2 million.

Further complicating the picture, a separate Trend Micro report is warning that Shadowpad — a modular malware family long associated with Chinese threat actors like APT41 — unexpectedly appeared alongside an unreported ransomware variant during incident response cases across Europe. 

In these incidents, Trend Micro said, attackers exploited weak passwords and bypassed multi-factor authentication to penetrate networks, deploying Shadowpad not only to conduct espionage operations but also to encrypt data for ransom. 


“After gaining access to the internal network, and armed with administrative privileges, the threat actor deployed the Shadowpad malware, sometimes in the domain controller,” Trend Micro explained.

“In two cases, the threat actor deployed a ransomware of a previously unreported family. This is an uncommon move for threat actors using Shadowpad, although it has been reported that APT41 used Encryptor RaaS,” Trend Micro added.

Unlike typical state-sponsored malware campaigns, the ransomware campaign was marked by active ransom negotiations and detailed instructions, underscoring a financially driven motive that is atypical for Chinese espionage groups.

“Hunting for similar TTPs, we found a total of 21 companies being targeted with similar malware toolkit in the last 7 months. Nine of them in Europe, eight in Asia, three in the Middle East, and one in South America,” Trend Micro said, noting that more than half of the targets are in the manufacturing sector. 

Experts point to these overlapping tactics as a disturbing trend. Historically, Chinese espionage operations have not pursued overt financial gain; instead, they have relied on stealth, persistence, and long-term data exfiltration. In contrast, Iranian and North Korean threat actors are known to blend cyberespionage with criminal schemes.

The reality that crippling ransomware campaigns are now drawing on Chinese espionage tools suggests a possible strategic shift, or at the very least a blurring of the traditional boundaries between state-sponsored espionage and cybercrime. Speculation centers on two explanations: deliberate collusion is at play, or individual operatives are taking advantage of an employer’s advanced toolkit to generate supplementary income.

Technical indicators appear to further reinforce the connection. Multiple anti-malware research units have identified string and code overlap between PlugX and ShadowPad, indicating a close link between the ShadowPad and PlugX developers. Trend Micro also made it clear the malware “is in active development” and the developers are constantly tweaking the code to evade detection and analysis.

Similarly, infrastructure overlaps and the re-use of command and control domains complicate attribution efforts, muddying the waters for cybersecurity defenders seeking to distinguish between state and criminal motivations.

In some cases, experts note, intelligence agencies may be piggybacking on ransomware infiltrations, using them as an efficient way to maintain covert access and, perhaps deliberately, declining to enforce laws that would otherwise disrupt their collusion with criminal actors.


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
