Ransomware

Chinese Cyberspy Possibly Launching Ransomware Attacks as Side Job

A toolset associated with China-linked espionage intrusions was employed in a ransomware attack, likely by a single individual.

Tools typically employed by Chinese cyberespionage groups have been used in a recent ransomware attack, likely by an individual hacker, Symantec notes in a fresh report.

The toolset includes a legitimate Toshiba executable deployed on the victims’ systems to sideload a malicious DLL that deploys a heavily obfuscated payload containing the PlugX (aka Korplug) backdoor.

According to Symantec, the custom backdoor was previously linked to Mustang Panda (aka Earth Preta), a Chinese espionage group, and has never been used by threat actors in other countries.

Between July 2024 and January 2025, the PlugX variant was used in attacks on the foreign ministry of a country in Southeastern Europe, the government of another Southeastern European country, two government ministries in two Southeast Asian countries, and a telecoms operator in Southeast Asia.

All these intrusions were focused on espionage, but the same toolset was employed in a November 2024 extortion attempt on a medium-sized software and services company in South Asia, Symantec notes.

The attacker used the Toshiba executable to sideload the malicious DLL and deploy the same PlugX variant observed in the espionage attacks, and then executed a piece of ransomware named RA World on the victim’s systems.

A known Palo Alto Networks firewall vulnerability (CVE-2024-0012) was reportedly used for initial access. The attacker said they obtained administrative credentials from the organization’s intranet, stole Amazon S3 credentials from a Veeam server, and exfiltrated data from the S3 buckets before executing the file-encrypting ransomware.

Most tools used by the Chinese espionage groups are not public, meaning that an insider with access to them likely used the toolset in the ransomware attack.

According to Symantec, the ransomware attack was likely perpetrated by one individual looking to “make some money on the side using their employer’s toolkit”.

While it is possible that the ransomware was a decoy in an espionage operation, Symantec points out that the target was not strategically important, that the attacker failed to cover their tracks effectively, and that the perpetrator appeared genuinely interested in receiving payment, spending time corresponding with the victim.

Symantec also points out that it is unusual for Chinese espionage groups, which typically share resources, to engage in ransomware operations, although the tactic is employed by North Korean threat actors.

However, the security firm also notes that, based on the use of a proxy tool called NPS, the attacker may have ties to the China-based advanced persistent threat (APT) actor Bronze Starlight (aka Emperor Dragonfly). The APT was previously seen using ransomware as a decoy.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.