Chinese Threat Group ‘Jewelbug’ Infiltrates Russian IT Network for Months Undetected

A five-month intrusion into a Russian IT service provider has been attributed to a China-linked threat actor, marking the first time the group has been observed targeting a country outside its usual Southeast Asian and South American focus.

Symantec, owned by Broadcom, attributed the January–May 2025 activity to a threat actor it tracks as Jewelbug, noting that it overlaps with the clusters tracked as CL-STA-0049 (Palo Alto Networks Unit 42), Earth Alux (Trend Micro), and REF7707 (Elastic Security Labs).

The findings show that, despite the “military, economic, and diplomatic” ties Moscow and Beijing have built over the years, China-linked actors still conduct cyber espionage inside Russia.


“Attackers had access to code repositories and software build systems that they could potentially leverage to carry out supply chain attacks targeting the company’s customers in Russia,” the Symantec Threat Hunter Team wrote in a report shared with The Hacker News. “Notably too, the attackers were exfiltrating data to Yandex Cloud.”

Earth Alux is assessed to have been active since at least the second quarter of 2023, distributing malware such as VARGEIT and COBEACON (also known as Cobalt Strike Beacon). Its attacks mainly target government, technology, logistics, manufacturing, telecommunications, IT services, and retail organizations in the Asia-Pacific (APAC) and Latin American (LATAM) regions.

The attacks attributed to CL-STA-0049/REF7707, by contrast, deliver an advanced backdoor called FINALDRAFT (also known as Squidoor), which can infect both Windows and Linux systems. According to Symantec’s analysis, these two activity clusters had not previously been linked to each other.

In the attack on the Russian IT service provider, Jewelbug reportedly used a modified version of the Microsoft Console Debugger (cdb.exe). Because cdb.exe is a legitimate, Microsoft-signed binary, it can be abused as a living-off-the-land tool to launch executables, load DLLs, terminate security products, and execute shellcode, bypassing application allowlisting controls that trust signed Microsoft software.

The threat actor was also observed clearing Windows Event Logs to hide evidence of its activity, dumping credentials, and establishing persistence through scheduled tasks.

Targeting IT service providers is a calculated choice: a single compromise opens the door to supply chain attacks, in which malicious software updates pushed through the provider infect many downstream customers at once.

The group’s evolving capabilities are further illustrated by a July 2025 attack on a major South American government agency that Symantec connected to Jewelbug, in which a previously undocumented backdoor was reportedly under development. The malware can collect system information, enumerate files on the compromised host, and upload the data to OneDrive, using the Microsoft Graph API and OneDrive for command-and-control (C2).

Routing C2 through the Microsoft Graph API lets the threat actor blend in with legitimate cloud traffic and leave few forensic artifacts, which complicates post-incident analysis and extends the actor’s dwell time.
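The tradecraft in the preceding paragraphs (an abused cdb.exe, event log clearing, scheduled-task persistence, and Graph API traffic from a process that has no reason to generate it) is all visible in standard Windows telemetry. The following Python sketch is an added example, not code from Symantec’s report or from the attackers: it runs a handful of hunting rules over constructed Sysmon and Security-log style records. The event records, file paths, task name and process allowlist are assumptions for illustration only, not indicators from the report; the event IDs and the Task Scheduler XML schema are real.

```python
"""Hunt for the Jewelbug-style tradecraft described above in Windows telemetry.

Added example, not code from Symantec or the page. The records below are
constructed and use Sysmon / Security-log field names; the paths, task name
and process allowlist are assumptions for illustration only."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Where a legitimate cdb.exe normally lives (Windows SDK / Debugging Tools).
KNOWN_DEBUGGER_PATHS = ("\\windows kits\\", "\\debuggers\\")
# Locations a low-privileged user can write to; scheduled tasks launching from here are suspect.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "%temp%", "%appdata%")
# Processes expected to talk to graph.microsoft.com (assumed baseline; tune per environment).
GRAPH_ALLOWED_IMAGES = {"outlook.exe", "onedrive.exe", "teams.exe", "ms-teams.exe", "msedge.exe",
                        "chrome.exe", "firefox.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # real Task Scheduler schema

def _basename(path):
    return PureWindowsPath(path).name.lower()

def rule_renamed_or_relocated_cdb(e):
    """Sysmon event 1: OriginalFileName comes from the PE version resource and survives
    renaming, so a CDB.Exe image running under another name or path is a strong signal."""
    if e.get("Channel") != "Sysmon" or e.get("EventID") != 1:
        return None
    if e.get("OriginalFileName", "").lower() != "cdb.exe":
        return None
    image = e.get("Image", "")
    if _basename(image) != "cdb.exe":
        return f"cdb.exe running under a different name: {image}"
    if not any(p in image.lower() for p in KNOWN_DEBUGGER_PATHS):
        return f"cdb.exe running outside a debugger install path: {image}"
    return None

def rule_log_cleared(e):
    """Security 1102 (audit log cleared) and System 104 (event log cleared)."""
    if (e.get("Channel"), e.get("EventID")) in {("Security", 1102), ("System", 104)}:
        return "event log cleared"
    return None

def rule_suspicious_scheduled_task(e):
    """Security 4698 carries the task XML; flag actions that run from user-writable paths."""
    if e.get("Channel") != "Security" or e.get("EventID") != 4698:
        return None
    try:
        root = ET.fromstring(e.get("TaskContent", ""))
    except ET.ParseError:
        return "scheduled task created with unparseable TaskContent"
    for cmd in root.iterfind(".//t:Exec/t:Command", TASK_NS):
        command = (cmd.text or "").strip().strip('"').lower()
        if command.startswith(USER_WRITABLE_PREFIXES):
            return f"scheduled task launches from user-writable path: {command}"
    return None

def rule_graph_api_from_unexpected_process(e):
    """Sysmon event 3: Graph API traffic is normal for Office clients, not for an arbitrary binary."""
    if e.get("Channel") != "Sysmon" or e.get("EventID") != 3:
        return None
    host = e.get("DestinationHostname", "").lower()
    if host != "graph.microsoft.com" and not host.endswith(".graph.microsoft.com"):
        return None
    if _basename(e.get("Image", "")) in GRAPH_ALLOWED_IMAGES:
        return None
    return f"Graph API traffic from unexpected process: {e.get('Image')}"

RULES = (rule_renamed_or_relocated_cdb, rule_log_cleared,
         rule_suspicious_scheduled_task, rule_graph_api_from_unexpected_process)

def detect(events):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for e in events:
        for rule in RULES:
            reason = rule(e)
            if reason:
                findings.append({"record": e["RecordId"], "rule": rule.__name__, "reason": reason})
    return findings

# Constructed sample telemetry (not real indicators). Records 1 and 5 are benign.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\ProgramData\update\svchost.exe</Command></Exec>
  </Actions>
</Task>"""

SAMPLE_EVENTS = [
    {"RecordId": 1, "Channel": "Sysmon", "EventID": 1, "OriginalFileName": "CDB.Exe",
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe"},
    {"RecordId": 2, "Channel": "Sysmon", "EventID": 1, "OriginalFileName": "CDB.Exe",
     "Image": r"C:\ProgramData\update\svchost.exe"},
    {"RecordId": 3, "Channel": "Security", "EventID": 1102, "SubjectUserName": "admin"},
    {"RecordId": 4, "Channel": "Security", "EventID": 4698, "TaskName": r"\Update\Check",
     "TaskContent": TASK_XML},
    {"RecordId": 5, "Channel": "Sysmon", "EventID": 3, "DestinationHostname": "graph.microsoft.com",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"RecordId": 6, "Channel": "Sysmon", "EventID": 3, "DestinationHostname": "graph.microsoft.com",
     "Image": r"C:\Users\Public\Libraries\updater.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"record {f['record']}: {f['rule']}: {f['reason']}")
```

Only records 2, 3, 4 and 6 are flagged; the genuine debugger install in record 1 and Outlook’s Graph traffic in record 5 pass. The first three rules are precise enough to alert on; the Graph API rule is a hunting query rather than an alert, because any estate will have legitimate non-Office processes using Graph, and the allowlist has to be built from a real baseline before it is trusted.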

Other targets in October and November 2024 included a Taiwanese company and a South Asian IT provider. The latter was compromised using DLL side-loading to deliver malicious payloads, including ShadowPad, a backdoor used exclusively by China-based threat groups.

The infection chain also involved a tool tracked as KillAV to disable security software, alongside the publicly available EchoDrv tool, which exploits an arbitrary kernel read/write vulnerability in the ECHOAC anti-cheat driver, in what appears to be a bring-your-own-vulnerable-driver (BYOVD) attack.

The attackers also used open-source tooling: PrintNotifyPotato, CoercedPotato, and SweetPotato for discovery and privilege escalation; Mimikatz and LSASS memory dumping for credential theft; and EarthWorm, a SOCKS tunneling tool also used by Chinese groups such as Gelsemium, LuckyMouse, and Velvet Ant.

The Symantec Threat Hunter Team told The Hacker News that it could not determine the initial infection vector used in any of the incidents described above.

“Jewelbug’s preference to employ cloud services and other legitimate tools in its business activities suggests that remaining under the radar and establishing a stealthy and persistent presence on victim networks is of utmost importance to this group,” Symantec stated.

The disclosure comes as Taiwan’s National Security Bureau, according to Reuters, warned of a rise in Chinese cyberattacks against its government agencies and accused Beijing’s “online troll army” of spreading disinformation on social media to undermine public trust in the government and in the United States.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
