Saturday, February 22, 2025

Chinese espionage tools deployed in RA World ransomware attack

A China-based threat actor, tracked as Emperor Dragonfly and generally associated with cybercriminal operations, has been observed using a toolset previously attributed to espionage actors in a ransomware attack.

The hackers deployed the RA World ransomware against an Asian software and services company and demanded an initial ransom payment of $2 million.

Researchers from Symantec's Threat Hunter Team observed the activity in late 2024 and highlight a potential overlap between state-backed cyber espionage actors and financially motivated cybercrime groups.

"During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks," the researchers say, adding that "tools associated with China-based espionage groups are often shared resources" but "many aren't publicly available and aren't usually associated with cybercrime activity."

A report in July 2024 from Palo Alto Networks' Unit 42 also associated Emperor Dragonfly (a.k.a. Bronze Starlight) with RA World, albeit with low confidence. According to the researchers, RA World spun off from RA Group, which launched in 2023 as a Babuk-based family.

From espionage to ransomware

Between July 2024 and January 2025, the China-based espionage actor targeted government ministries and telecom operators in Southeast Europe and Asia, the apparent goal being long-term persistence.

In these attacks, a specific variant of the PlugX (Korplug) backdoor was deployed with a Toshiba executable (toshdpdb.exe) via DLL sideloading, together with a malicious DLL (toshdpapi.dll).
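The sideloading pairing described above, a legitimate Toshiba executable loading a DLL with the expected name from the same directory, is something defenders can hunt for in image-load telemetry. The following is an added example, not code from Symantec's report or from the article: it runs a simple check over constructed Sysmon-style "Image loaded" (Event ID 7) records. The file names toshdpdb.exe and toshdpapi.dll come from the article; the flat key=value log format, the list of "trusted" install directories, the signing flag and the sample paths are assumptions made for this example.

```python
import re
import ntpath
from typing import Dict, List, Optional

# Executable/DLL pairing named in the article (lower-cased basenames).
SIDELOAD_PAIR = ("toshdpdb.exe", "toshdpapi.dll")

# Assumption for this example: directories where a vendor-installed
# executable and its DLL would legitimately live together.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed Sysmon-style Event ID 7 records, not real telemetry.
# Records 1 and 4 mimic the sideloading pattern: the Toshiba executable
# loading toshdpapi.dll from a user-writable directory.
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Users\victim\AppData\Local\Temp\toshdpdb.exe ImageLoaded=C:\Users\victim\AppData\Local\Temp\toshdpapi.dll Signed=false",
    r"EventID=7 Image=C:\Program Files\Toshiba\toshdpdb.exe ImageLoaded=C:\Program Files\Toshiba\toshdpapi.dll Signed=true",
    r"EventID=7 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\ntdll.dll Signed=true",
    r"EventID=7 Image=C:\ProgramData\update\toshdpdb.exe ImageLoaded=C:\ProgramData\update\toshdpapi.dll Signed=false",
]

# key=value tokens; values run until the next " key=" or end of line, so
# paths containing spaces (e.g. "Program Files") survive intact.
_KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flat key=value event line into a dict."""
    return {key: value for key, value in _KV.findall(line)}


def is_trusted_dir(path: str) -> bool:
    """True if the path sits under one of the assumed vendor install roots."""
    return path.lower().startswith(TRUSTED_DIR_PREFIXES)


def assess_image_load(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string when the record matches the sideloading pattern, else None."""
    if event.get("EventID") != "7":
        return None
    exe = event.get("Image", "")
    dll = event.get("ImageLoaded", "")
    if (ntpath.basename(exe).lower(), ntpath.basename(dll).lower()) != SIDELOAD_PAIR:
        return None

    reasons = []
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    # The DLL search order favours the executable's own directory, which is
    # exactly what sideloading abuses; outside a vendor install root that
    # co-location is the signal worth raising.
    if same_dir and not is_trusted_dir(dll):
        reasons.append("known sideload pair loaded from untrusted directory")
    if event.get("Signed", "").lower() == "false":
        reasons.append("loaded DLL is unsigned")
    return "; ".join(reasons) or None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the check over raw log lines and collect findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reason = assess_image_load(event)
        if reason:
            findings.append({"image": event["Image"], "dll": event["ImageLoaded"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {finding['image']} loaded {finding['dll']}: {finding['reason']}")
```

Of the four constructed records, only the two loads from user-writable directories are flagged; the signed pair under Program Files and the unrelated svchost.exe load pass. In a real deployment the trusted-directory list and the basename pairing would be replaced by the IoCs and paths from Symantec's report.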

Furthermore, Symantec observed the use of NPS proxy, a China-developed tool used for covert network communication, and various RC4-encrypted payloads.

In November 2024, the same Korplug payload was used against a South Asian software company. This time, it was followed by an RA World ransomware attack.

The attacker allegedly exploited Palo Alto PAN-OS (CVE-2024-0012) to infiltrate the network and then followed the same sideloading technique involving the Toshiba executable and DLL file to deploy Korplug before encrypting the machines.

Based on the available evidence, the theory is that Chinese state-backed cyber operatives carrying out espionage attacks may "moonlight" as ransomware actors for personal profit.

Symantec's report lists the indicators of compromise (IoCs) associated with the observed activity to help defenders detect and block the attacks before damage is done.
