A threat actor with ties to China has been attributed to a five-month-long intrusion targeting a Russian IT service provider, marking the hacking group’s expansion to the country beyond Southeast Asia and South America.
The activity, which took place from January to May 2025, has been attributed by Broadcom-owned Symantec to a threat actor it tracks as Jewelbug, which it said overlaps with clusters known as CL-STA-0049 (Palo Alto Networks Unit 42), Earth Alux (Trend Micro), and REF7707 (Elastic Security Labs).
The findings suggest Russia is not off-limits for Chinese cyber espionage operations despite increased “military, economic, and diplomatic” relations between Moscow and Beijing over the years.
“Attackers had access to code repositories and software build systems that they could potentially leverage to carry out supply chain attacks targeting the company’s customers in Russia,” the Symantec Threat Hunter Team said in a report shared with The Hacker News. “Notably too, the attackers were exfiltrating data to Yandex Cloud.”
Earth Alux is assessed to be active since at least the second quarter of 2023, with attacks primarily targeting government, technology, logistics, manufacturing, telecommunications, IT services, and retail in the Asia-Pacific (APAC) and Latin American (LATAM) regions to deliver malware like VARGEIT and COBEACON (aka Cobalt Strike Beacon).
The attacks mounted by CL-STA-0049/REF7707, on the other hand, have been observed distributing an advanced backdoor named FINALDRAFT (aka Squidoor) that’s capable of infecting both Windows and Linux systems. The findings from Symantec mark the first time these two activity clusters have been tied together.
In the attack aimed at the Russian IT service provider, Jewelbug is said to have leveraged a renamed version of Microsoft Console Debugger (“cdb.exe”), which can be used to run shellcode and bypass application allowlisting, as well as launch executables, run DLLs, and terminate security solutions.
The threat actor has also been observed dumping credentials, establishing persistence via scheduled tasks, and attempting to conceal traces of their activity by clearing Windows Event Logs.
The targeting of IT service providers is strategic as it opens the door to possible supply chain attacks, enabling threat actors to leverage the compromise to breach several downstream customers at once through malicious software updates.
Furthermore, Jewelbug has also been linked to an intrusion at a large South American government organization in July 2025, deploying a previously undocumented backdoor that’s said to be under development – underscoring the group’s evolving capabilities. The malware uses Microsoft Graph API and OneDrive for command-and-control (C2), and can collect system information, enumerate files from targeted machines, and upload the information to OneDrive.
The use of Microsoft Graph API allows the threat actor to blend in with normal network traffic and leaves minimal…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
