China-linked APT Jewelbug targeted a Russian IT provider for five months in 2025, showing Russia remains exposed to Chinese cyber espionage.
China-linked threat actor Jewelbug (aka CL-STA-0049, Earth Alux, and REF7707) carried out a five-month intrusion on a Russian IT service provider, marking its expansion beyond Southeast Asia and South America. The campaign, reported by Symantec, shows that Russia remains a target of Chinese cyber espionage despite growing military, economic, and diplomatic ties between the two nations.
The Chinese APT breached multiple targets, including a Russian company, a South American government, and IT firms in Taiwan and South Asia. The attackers accessed code repositories and build systems, potentially enabling supply chain attacks, and exfiltrated data to Yandex Cloud to evade detection.
Symantec Threat Hunter Team researchers warn that the targeting of a Russian firm marks a shift, as Chinese and Russian actors rarely attack each other, a trend emerging after Russia invaded Ukraine.
The intrusion of the Russian IT provider began with a renamed Microsoft debugger file, 7zup.exe (actually cdb.exe), a known Jewelbug hallmark used to execute shellcode, bypass whitelisting, and disable security tools.
The attackers performed credential dumping, established persistence via scheduled tasks, and cleared Windows Event Logs to hide traces. Attackers exfiltrated data to Yandex Cloud using a malicious file named yandex2.exe, likely chosen to avoid detection in Russian networks. Jewelbug also accessed build systems and code repositories, indicating a possible supply chain attack targeting Russian customers.
“the attackers were also targeting machines with build systems and code repository systems, potentially seeking to leverage access to the source code to carry out a supply chain attack targeting the company’s customers in Russia,” states the report published by Symantec. “IT service providers are popular targets for attackers seeking to carry out supply chain attacks as they often have extensive access to their customers’ systems and may be able to automatically deploy updates or software across a large number of networks simultaneously, potentially giving the attackers access to, or allowing them to infect, a huge number of organizations at the same time.”
The group remained in the victim’s network from January to May 2025, showing a prolonged, stealthy operation.
Jewelbug also compromised a South American government department repeatedly or for an extended period. The researchers observed suspicious activity from Sept 2024 to July 2025. Early activity included adding users, deploying AnyDesk and 7-zip, and attempting remote access. Recent activity used DLL sideloading via a legitimate executable, SMBExec for lateral movement, scheduled tasks for persistence, and BITSAdmin/curl for likely exfiltration. The group also deployed a new backdoor that uses Microsoft Graph API and OneDrive as C2: it enumerates and uploads file lists, logs actions to C:\ProgramData\application.ini, creates a hidden C:\Users\Public\Libraries~ directory, and collects IP, Windows version, hostname and sometimes machine IDs. The malware appears to be a work in progress, but its use of cloud services for C2 reduces observable indicators and complicates detection.
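As an added illustration (not code from Symantec's report or from this article), the following Python triages constructed JSON-lines process and file events for the host artifacts named above: a renamed cdb.exe spotted by its PE OriginalFileName, the yandex2.exe filename, the backdoor's application.ini and Libraries~ paths, and Security event log clearing (Event ID 1102). The field names and sample records are assumptions modelled on Sysmon-style telemetry.

```python
import json
import ntpath

# Constructed sample events, one JSON object per line (not from the report).
SAMPLE_LOG = r'''
{"EventID":1,"Image":"C:\\Temp\\7zup.exe","OriginalFileName":"CDB.Exe","User":"CORP\\svc"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","OriginalFileName":"Cmd.Exe","User":"CORP\\svc"}
{"EventID":1,"Image":"C:\\Users\\Public\\yandex2.exe","OriginalFileName":"yandex2.exe","User":"CORP\\svc"}
{"EventID":11,"Image":"C:\\Windows\\Temp\\upd.exe","TargetFilename":"C:\\ProgramData\\application.ini"}
{"EventID":11,"Image":"C:\\Windows\\Temp\\upd.exe","TargetFilename":"C:\\Users\\Public\\Libraries~\\list.txt"}
{"EventID":1102,"Channel":"Security","User":"CORP\\svc"}
'''.strip()

# Artifacts named in the report; paths are compared case-insensitively.
ARTIFACT_PREFIXES = (r"c:\programdata\application.ini", r"c:\users\public\libraries~")
EXFIL_TOOL_NAMES = {"yandex2.exe"}

def classify(event: dict) -> list[str]:
    """Return the detection labels that apply to a single event."""
    hits = []
    eid = event.get("EventID")
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    if eid == 1:
        # A renamed cdb.exe keeps its PE OriginalFileName; the mismatch is the tell.
        if original == "cdb.exe" and image != "cdb.exe":
            hits.append("renamed-debugger")
        if image in EXFIL_TOOL_NAMES:
            hits.append("named-exfil-tool")
    elif eid == 11:
        target = event.get("TargetFilename", "").lower()
        if target.startswith(ARTIFACT_PREFIXES):
            hits.append("backdoor-artifact")
    elif eid == 1102:
        # Security log cleared; the report notes log clearing to hide traces.
        hits.append("eventlog-cleared")
    return hits

def triage(log_text: str) -> list[tuple[str, str]]:
    """Parse JSON-lines events and return (label, image-or-target) pairs."""
    findings = []
    for line in log_text.splitlines():
        event = json.loads(line)
        ref = event.get("Image") or event.get("TargetFilename") or event.get("Channel", "")
        for label in classify(event):
            findings.append((label, ref))
    return findings

if __name__ == "__main__":
    for label, ref in triage(SAMPLE_LOG):
        print(f"{label:18} {ref}")
```

The OriginalFileName check is the durable signal here; matching on yandex2.exe or the two paths only catches this exact toolset.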
Jewelbug also targeted an IT provider in South Asia and a Taiwanese company in October and November 2024. The attackers used DLL side-loading techniques to deliver multiple payloads, including the ShadowPad backdoor, which is malware exclusively used by China-linked APT groups.
“The attackers also used the KillAV tool to disable security software, as well as deploying a publicly available tool called EchoDrv, which permits abuse of the Kernel read/write vulnerability in the ECHOAC anti-cheat driver.” continues the report. “This is likely an example of the attackers using the bring-your-own-vulnerable-driver (BYOVD) technique as an attempt to avoid their malicious activity being detected. They also created scheduled tasks for persistence.”
Attackers dumped credentials from LSASS using tools such as Mimikatz, and used Fast Reverse Proxy and Earthworm for tunneling. The Chinese cyberspies relied on tools like PrintNotifyPotato and Sweet Potato for privilege escalation, then renamed and injected cdb.exe for stealth and favored cloud/legitimate services to stay persistent and covert.
“The targeting of a Russian organization by a Chinese APT group shows, however, that Russia is not out-of-bounds when it comes to operations by China-based actors. The fact that there are indications the IT service provider may have been targeted for the purposes of a software supply chain attack on the company’s customers in Russia is also notable as it means this attack had the potential to give the attackers access to a large number of companies in the country, which they could have used for cyber espionage or disruption,” concludes the report. “Jewelbug’s use of a new backdoor-in-development in this set of activity is also important as it shows that the group is continuing to actively develop its toolset and capabilities.”