
China-Linked Espionage Tools Used in Recent Ransomware Attack – Source: www.infosecurity-magazine.com


Source: www.infosecurity-magazine.com – Author: James Coker

Chinese-linked espionage tools have been deployed in a ransomware attack, highlighting possible new links between China nation-state activity and cybercrime.

Symantec researchers observed the connection while analyzing a ransomware attack against an Asian software and services company in November 2024. This attack resulted in the network’s machines being encrypted with the RA World ransomware, with the threat actors demanding a $2m ransom.

During the incident, the attacker deployed a “distinct toolset” that is only associated with China-linked espionage actors, particularly Mustang Panda.

The researchers noted that it is not unusual for nation-state espionage actors, including those from Russia and North Korea, to collaborate with ransomware groups. The motivations include raising revenue and sharing tools and expertise to compromise targets.

However, this is not a strategy that has previously been linked to Chinese espionage threat actors.

“While tools associated with China-based espionage groups are often shared resources, many aren’t publicly available and aren’t usually associated with cybercrime activity,” the researchers wrote.


Chinese Espionage Tools Deployed Alongside Ransomware

The toolset used in the ransomware attack is designed to maintain a persistent presence on targeted organizations' networks by installing backdoors.

The threat actor gained initial access by exploiting a known vulnerability in Palo Alto Networks' PAN-OS firewall software.

They then used a legitimate Toshiba executable named toshdpdb.exe to sideload a malicious DLL named toshdpapi.dll placed alongside it. This DLL acts as a loader for a heavily obfuscated payload stored in a file called TosHdp.dat (also written toshdp.dat; Windows file names are case-insensitive).

When executed, the loader searched the current folder for toshdp.dat, decrypted it and ran the decrypted payload. Only after this backdoor was in place was the ransomware deployed.

An analysis of the decrypted payload revealed that it is a variant of a custom backdoor named PlugX (also known as Korplug). Notable features of this variant include encrypted strings, dynamic API resolution, and control flow flattening.
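The sideload chain described above has a recognisable footprint: a vendor-named executable loading an unsigned DLL from its own, non-system directory, with an encrypted payload parked next to them in a .dat file. The script below is an added example for hunting that footprint; it is not Symantec's or Infosecurity Magazine's code. The log records are constructed in the shape of Sysmon Event ID 7 (ImageLoad) fields, the file names follow the article, and the directory paths, signer strings and the prefix-length threshold are assumptions.

```python
"""Hunt for the exe + loader-DLL + sidecar-.dat sideloading pattern.

Added example (not from Symantec or the article). Two independent checks:
  1. find_sideload_candidates(): over Sysmon-style ImageLoad records, flag a
     DLL loaded from the process's own non-system directory without a valid
     signature.
  2. find_sidecar_triads(): on disk, flag directories holding an .exe, a .dll
     and a .dat whose names share a common prefix (toshdpdb / toshdpapi / toshdp).
"""
import os
import tempfile

# Directories where same-directory DLL loads are expected and benign (assumption).
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Constructed records resembling Sysmon Event ID 7. Paths and signers are assumptions.
SAMPLE_EVENTS = [
    # The sideload: Toshiba-named exe loads an unsigned DLL from its own folder.
    {"Image": "C:\\ProgramData\\Toshiba\\toshdpdb.exe",
     "ImageLoaded": "C:\\ProgramData\\Toshiba\\toshdpapi.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Benign: the same exe loading a signed system DLL from System32.
    {"Image": "C:\\ProgramData\\Toshiba\\toshdpdb.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Benign: an application loading its own validly signed helper DLL.
    {"Image": "C:\\Program Files\\Example\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Example\\helper.dll",
     "Signed": "true", "Signature": "Example Corp", "SignatureStatus": "Valid"},
]


def _dirname(path):
    """Lower-cased directory part of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def is_system_dir(path):
    return _dirname(path).startswith(SYSTEM_DIRS)


def find_sideload_candidates(events):
    """Return (process, dll) pairs matching the same-directory, unsigned-DLL pattern."""
    hits = []
    for ev in events:
        image, loaded = ev["Image"], ev["ImageLoaded"]
        same_dir = _dirname(image) == _dirname(loaded)
        unsigned = (ev.get("Signed", "false").lower() != "true"
                    or ev.get("SignatureStatus") != "Valid")
        if same_dir and not is_system_dir(loaded) and unsigned:
            hits.append((image, loaded))
    return hits


def _shared_prefix(a, b):
    """Length of the common leading substring of two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def find_sidecar_triads(root, min_shared=4):
    """Walk root; report directories with an exe plus a dll and a dat sharing its name prefix.

    Names are lower-cased, so TosHdp.dat and toshdp.dat match alike.
    """
    triads = []
    for dirpath, _, files in os.walk(root):
        by_ext = {}
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            by_ext.setdefault(ext, []).append((stem, name.lower()))
        for exe_stem, exe in by_ext.get(".exe", []):
            dlls = [f for s, f in by_ext.get(".dll", []) if _shared_prefix(exe_stem, s) >= min_shared]
            dats = [f for s, f in by_ext.get(".dat", []) if _shared_prefix(exe_stem, s) >= min_shared]
            if dlls and dats:
                triads.append((dirpath, exe, sorted(dlls), sorted(dats)))
    return triads


def make_demo_tree():
    """Create a throwaway directory with empty placeholder files in the article's layout."""
    root = tempfile.mkdtemp(prefix="sideload_demo_")
    for sub, names in (("Toshiba", ("toshdpdb.exe", "toshdpapi.dll", "TosHdp.dat")),
                       ("Example", ("app.exe", "helper.dll"))):
        d = os.path.join(root, sub)
        os.makedirs(d)
        for name in names:
            open(os.path.join(d, name), "wb").close()
    return root


if __name__ == "__main__":
    for proc, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"[log] possible sideload: {proc} loaded unsigned {dll}")
    for dirpath, exe, dlls, dats in find_sidecar_triads(make_demo_tree()):
        print(f"[fs] sideload triad in {dirpath}: {exe} {dlls} {dats}")
```

Both checks are deliberately broad: same-directory unsigned loads are common in poorly packaged software, and the on-disk triad is only a lead. Treat a hit as a triage prompt (verify the executable's signer, hash the DLL, inspect the .dat for high entropy), not as a verdict.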

This variant is not publicly available, is associated only with China-linked espionage actors, and has not been observed in use by actors based in other countries.

The same post-compromise tools and techniques were used in several Chinese espionage attacks in the months before and after the ransomware incident.

These included the compromise of the foreign ministry of a country in southeastern Europe in July 2024 and of a government ministry in a Southeast Asian country in January 2025.

Explaining the Ransomware-Espionage Overlap

Symantec said there is evidence to suggest the ransomware attacker may have been involved in ransomware for some time. For example, one of the tools used in this attack was NPS, an open-source proxy tool that has previously been linked to Bronze Starlight, a China-based actor that deploys a range of ransomware payloads.

The most likely explanation for the overlap is that an actor employed in an espionage group was attempting to make some money on the side using their employer’s toolkit, the researchers believe.

They noted that the ransomware victim was not a strategically significant organization and something of an outlier compared to the espionage targets.

Additionally, it is unlikely the ransomware was used to cover up evidence of the intrusion or to act as a decoy for espionage activity, as the attacker appeared serious about collecting a ransom and spent time corresponding with the victim.

“This usually wouldn’t be the case if the ransomware attack was simply a diversion,” the researchers noted.

Original Post URL: https://www.infosecurity-magazine.com/news/chinese-espionage-tools-ransomware/
