A China-based threat actor, tracked as Emperor Dragonfly and commonly associated with cybercriminal endeavors, has been observed using a toolset previously attributed to espionage actors in a ransomware attack. Researchers from Symantec's Threat Hunter Team observed the activity in late 2024 and highlight a potential overlap between state-backed cyber espionage actors and financially motivated cybercrime groups.

A report in July 2024 from Palo Alto Networks' Unit 42 also associated Emperor Dragonfly (a.k.a. Bronze Starlight) with RA World, albeit with low confidence. Based on the available evidence, the hypothesis is that the Chinese state-backed cyber operatives carrying out espionage attacks may "moonlight" as ransomware actors for personal profit.

Between July 2024 and January 2025, the China-based espionage actor targeted government ministries and telecom operators in Southeast Europe and Asia, the apparent goal being long-term persistence. The hackers deployed the RA World ransomware against an Asian software and services company and demanded an initial ransom payment of $2 million.

The attacker allegedly exploited Palo Alto PAN-OS (CVE-2024-0012) to infiltrate the network and then followed the same sideloading technique involving the Toshiba executable and DLL file to deploy Korplug before encrypting the machines. Symantec's report lists the indicators of compromise (IoCs) associated with the observed activity to help defenders detect and block the attacks before damage is done.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
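The sideloading step described above, where a legitimate signed executable is made to load an attacker-supplied DLL from its own directory, is something defenders can hunt for in Sysmon ImageLoad (Event ID 7) telemetry. The following detection heuristic is an added example and is not code from Symantec's report or from BleepingComputer; the log records are constructed, and the executable and DLL names are placeholders rather than the actual files used in the campaign.

```python
"""Flag candidate DLL sideloading in flattened Sysmon Event ID 7 (ImageLoad) records."""
import ntpath

# Directories where properly installed, signed software normally lives. A DLL
# loaded from one of these is less suspicious than one from a user-writable path.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample records, one 'key=value|key=value' line per event (placeholder names).
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\ntdll.dll"
    "|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Users\\Public\\Libraries\\vendor_tool.exe"
    "|ImageLoaded=C:\\Users\\Public\\Libraries\\helper.dll|Signed=false|SignatureStatus=Unavailable",
    "Image=C:\\Program Files\\Vendor\\vendor_tool.exe"
    "|ImageLoaded=C:\\Program Files\\Vendor\\helper.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Users\\Public\\Libraries\\vendor_tool.exe"
    "|ImageLoaded=C:\\Temp\\other.dll|Signed=false|SignatureStatus=Unavailable",
]


def parse_event(line):
    """Parse a flattened Sysmon record into a dict of its fields."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_sideload_candidate(event):
    """True when an unsigned (or invalidly signed) DLL is loaded from the host
    process's own directory and that directory is outside the trusted roots."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if not loaded.lower().endswith(".dll"):
        return False
    signed_ok = (event.get("Signed", "").lower() == "true"
                 and event.get("SignatureStatus", "") == "Valid")
    if signed_ok:
        return False
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    in_trusted_root = ntpath.dirname(loaded).lower().startswith(TRUSTED_ROOTS)
    return same_dir and not in_trusted_root


def scan(lines):
    """Return (host image, loaded DLL) pairs that merit analyst review."""
    return [(e["Image"], e["ImageLoaded"])
            for e in map(parse_event, lines) if is_sideload_candidate(e)]


if __name__ == "__main__":
    for image, dll in scan(SAMPLE_EVENTS):
        print(f"possible sideload: {image} loaded {dll}")
```

The heuristic deliberately ignores unsigned DLLs loaded from a different directory than the host process (the last sample record), so it surfaces the co-located executable/DLL pattern rather than every unsigned library load.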
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 13 Feb 2025 14:35:04 +0000