
Chinese spies suspected of ‘moonlighting’ as tawdry ransomware crooks – Source: go.theregister.com


Source: go.theregister.com – Author: Jessica Lyons

A crew identified as a Chinese government-backed espionage group appears to have started moonlighting as a ransomware player – further evidence that lines are blurring between nation-state cyberspies and financially motivated cybercriminals.

According to Symantec's research team, miscreants broke into "a medium-sized software and services company in South Asia" in late November by exploiting a critical authentication bypass in Palo Alto Networks' PAN-OS (CVE-2024-0012). The attackers then swiped admin credentials from the company intranet and used them to access a Veeam server, where they found AWS S3 credentials. Backup and data management tools like Veeam's are routinely configured with credentials for cloud storage repositories, which makes the backup server a high-value credential store and a natural pivot point from on-prem into the cloud.

The intruders used the AWS credentials to grab sensitive info from the S3 buckets before encrypting the software company’s Windows computers with RA World ransomware and demanding a $2 million ransom. The extortionists said it would be reduced to $1 million if paid in three days.

Crucially, Symantec’s threat researchers observed the use of a custom version of the PlugX backdoor previously deployed by a Beijing-backed spying crew known in the West as Fireant aka Mustang Panda aka Earth Preta. Other malware used in the November attack has also been found in past incidents involving this Chinese espionage actor.

The security analysts at Symantec therefore concluded the “espionage actor may be moonlighting” as an extortionist inflicting RA World ransomware on victims.

“In all the prior intrusions involving the toolset, the attacker appeared to be engaged in classic espionage, seemingly solely interested in maintaining a persistent presence on the targeted organizations by installing backdoors,” Symantec noted in its Thursday report. Among the incidents attributed to the group are a July 2024 attack against the Foreign Ministry of a Southeastern European country, an August 2024 compromise of a government ministry in a Southeast Asian country, and a September 2024 intrusion of a telecommunications operator in the region.


Later, after the lone ransomware incident, the PlugX-armed team was spotted picking back up with a snooping operation in January 2025 targeting a government ministry in a Southeast Asian country.

Taking that July 2024 attack on a foreign ministry in Europe as an example, Symantec said an intruder, once inside the victim's network, ran a legitimate Toshiba executable, toshdpdb[.]exe, and made it sideload a malicious DLL file named toshdpapi[.]dll. The executable resolves that DLL by name, so a malicious copy placed in the same directory is picked up ahead of any legitimate one (classic DLL search-order sideloading). The rogue DLL acts as a loader for a separate obfuscated payload.

That payload, contained in a file named TosHdp[.]dat, is the custom PlugX variant that, according to Symantec, is "only associated with China-linked espionage actors" and has not been observed in use by actors from any other country. This PlugX variant is a classic Windows backdoor: it lets remote operators run code and commands on infected systems, steal data, and so on.

Compilation timestamps in the malware were identical to those found in a PlugX variant used in the Microsoft Exchange Server attacks from March 2021, previously documented by Palo Alto Networks’ Unit 42 researchers and linked to China’s Mustang Panda group.
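The compilation timestamp Symantec matched is the TimeDateStamp field of the PE file's COFF header. The following is an added example, not code from Symantec or Unit 42, showing how to pull that field and compare two samples; the PE images it parses are constructed in-line (a DOS stub, the PE signature and a COFF header only), and the plausibility check reflects the usual caveat that zeroed, epoch or future timestamps are frequently tool-generated or forged and carry no linkage weight.

```python
import struct
from datetime import datetime, timezone


def build_minimal_pe(timestamp: int, machine: int = 0x8664) -> bytes:
    """Constructed stand-in for a real sample: just enough PE structure for
    header parsing (not a loadable image)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature sits at 0x40
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, 0x2022)
    return bytes(dos) + b"PE\0\0" + coff


def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp, validating both headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # Signature (4 bytes) + Machine (2) + NumberOfSections (2) precede the stamp.
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_is_plausible(ts: int, now: int = None) -> bool:
    """Reject zero (reproducible builds / scrubbed), and anything in the future."""
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    return 0 < ts <= now


def shared_build_timestamp(sample_a: bytes, sample_b: bytes) -> bool:
    """True only when both samples carry the same, plausible link-time stamp."""
    ta, tb = pe_timestamp(sample_a), pe_timestamp(sample_b)
    return ta == tb and timestamp_is_plausible(ta)


if __name__ == "__main__":
    # Constructed inputs: two samples sharing a March 2021 stamp, one scrubbed to zero.
    a = build_minimal_pe(1615000000)
    b = build_minimal_pe(1615000000)
    c = build_minimal_pe(0)
    print(datetime.fromtimestamp(pe_timestamp(a), timezone.utc).isoformat())
    print(shared_build_timestamp(a, b), shared_build_timestamp(a, c))
```

A matching stamp is one pivot among several (Symantec also cites shared tooling and code overlap), not proof on its own: linkers set the field freely and some toolchains replace it with a hash.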

According to Symantec, it shares similarities to a PlugX variant documented by Trend Micro and also used by this same government spying group.

To summarize, there is mounting evidence that Mustang Panda, or someone using Mustang Panda’s backdoor somehow, is not only spying on governmental organizations, it’s also extorting victims with ransomware.

Sometimes a job is just a job

“It is unclear why an actor who appears to be linked to espionage operations is also mounting a ransomware attack,” Symantec’s researchers noted.

"While it is not unusual for North Korean threat actors to engage in financially motivated attacks to subsidize their operations, there is no similar history for China-based espionage threat actors, and there is no obvious reason why they would pursue this strategy," the threat hunting team added.

Chinese cyberspies sometimes use ransomware as a distraction that keeps victim orgs busy with decryption and recovery while the intruders get on with other nefarious activities. That's not the case this time, we're told, as the attacker or attackers made little effort to hide or disguise their activities and the victim company wasn't a "strategically significant organization."

Further, the intruder “seemed to be serious” about collecting the extortion demand, which also wouldn’t have been the case if ransomware were being used as a diversion.

“The most likely scenario is that an actor, possibly one individual, was attempting to make some money on the side using their employer’s toolkit,” the security shop concluded.

Symantec’s report on an apparent government spy or spies using China’s toolkit to make an extra buck follows a Google report published earlier in the week that also highlights increasing crossover between criminal and state-sponsored cyber activity.

This all reinforces what multiple analysts have told The Register about government-backed crews moving in on the ransomware biz.

As one of them, ESET senior malware researcher Jakub Souček, told us for an earlier story: “Some threat actors operate at the intersection of cybercrime and state-sponsored espionage, leveraging their capabilities to achieve multiple objectives.” ®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/02/14/chinese_spies_ransomware_moonlighting/

