A recent attack on a South Asian software and services company suggests that a China-linked cyberespionage actor may be engaging in ransomware operations.
The attacker deployed a distinct toolset typically associated with Chinese state-sponsored espionage groups but used it in conjunction with RA World ransomware, raising questions about potential moonlighting or a shift in tactics.
The attack, which occurred in late November 2024, involved tools previously seen in cyberespionage operations targeting government agencies across Europe and Asia. The attacker leveraged a legitimate Toshiba executable, toshdpdb.exe, to sideload a malicious DLL, toshdpapi.dll, which in turn decrypted and loaded a PlugX (Korplug) backdoor variant. PlugX is a custom malware family exclusively associated with Chinese espionage actors and has no known use by cybercriminals outside of China.
This same PlugX variant had been observed in several espionage intrusions throughout 2024 and early 2025. In July 2024, it was used to compromise the Foreign Ministry of a Southeastern European country. Subsequent attacks targeted government ministries in Southeast Asia and a regional telecom provider, all suggesting a focus on intelligence gathering. The PlugX samples used in these attacks showed strong links to Fireant (aka Mustang Panda, Earth Preta), a well-documented China-based cyberespionage group.
However, the late 2024 attack against the South Asian software firm deviated from the typical espionage playbook. Instead of merely establishing persistent access, the attacker escalated to full-scale ransomware deployment. After allegedly exploiting a known vulnerability in Palo Alto Networks' PAN-OS firewall (CVE-2024-0012), the attacker obtained administrative credentials and exfiltrated Amazon S3 cloud data before encrypting the company's systems with RA World ransomware. The ransom demand started at $2 million but was reduced to $1 million for quick payment.
Chinese threat group or rogue insider?
While Chinese state-backed groups are known for cyberespionage, they rarely engage in financially motivated cybercrime. Unlike North Korean APTs, which use ransomware to fund state operations, China's hacking groups have historically been focused on intelligence gathering.
Some links between this attack and Bronze Starlight (aka Emperor Dragonfly) — a China-based group known for deploying various ransomware strains — suggest the possibility of an overlap. One of the tools used in the attack, the NPS proxy tool, was developed in China and had been used in prior Bronze Starlight operations involving LockFile, AtomSilo, NightSky, and LockBit ransomware.
However, several factors complicate this theory. The target — a mid-sized software company — was not strategically significant compared to previous espionage victims. Additionally, if the ransomware deployment was intended as a cover-up, it was poorly executed, as forensic evidence clearly linked the attack back to known espionage tools. The attacker also engaged in ransom negotiations, an unusual step if the ransomware was merely a diversion.
The most plausible explanation is that an individual or subgroup within a China-linked espionage unit engaged in ransomware for personal profit, leveraging state-sponsored tools for financial gain. This scenario would not be unprecedented, as moonlighting hackers within APT groups have been reported before.
To defend against such attacks, organizations should apply security updates promptly (the intrusion described above allegedly began with exploitation of a known PAN-OS vulnerability, CVE-2024-0012), deploy solutions capable of detecting DLL sideloading techniques and PlugX malware activity, restrict administrative privileges, and monitor access to critical systems.
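The sideloading step described above (a signed Toshiba executable loading a malicious DLL placed next to it) is exactly the pattern an image-load telemetry rule can catch. The following is an added example, not code from the article or from any vendor product: it scans constructed records modelled loosely on Sysmon Event ID 7 (image loaded) and flags a signed executable that loads an unsigned or differently signed DLL from its own directory, with extra weight when the executable runs from outside the normal program locations. The record fields, the trusted-directory list and the sample events are assumptions made for the demonstration.

```python
"""Heuristic detection of DLL sideloading in image-load telemetry (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where a signed vendor binary normally lives. A signed EXE running
# from elsewhere and loading an unsigned DLL sitting beside it is a classic
# sideloading shape. (Assumed list; tune for your estate.)
TRUSTED_ROOTS = (
    "c:/windows/",
    "c:/program files/",
    "c:/program files (x86)/",
)


@dataclass
class ImageLoad:
    """One image-load record; field names loosely follow Sysmon Event ID 7
    (Image, ImageLoaded, Signature). Signer fields are an assumption."""
    image: str          # path of the process executable
    image_loaded: str   # path of the DLL that was mapped into it
    exe_signer: str     # publisher of the executable, "" if unsigned
    dll_signer: str     # publisher of the DLL, "" if unsigned


def _norm(path: str) -> str:
    """Case-insensitive, forward-slash form for comparisons."""
    return PureWindowsPath(path).as_posix().lower()


def in_trusted_root(path: str) -> bool:
    return any(_norm(path).startswith(root) for root in TRUSTED_ROOTS)


def sideload_indicators(ev: ImageLoad) -> list:
    """Return the indicators that make this load look like sideloading
    (empty list means nothing suspicious)."""
    exe_dir = _norm(str(PureWindowsPath(ev.image).parent))
    dll_dir = _norm(str(PureWindowsPath(ev.image_loaded).parent))
    reasons = []
    # Sideloading relies on the loader's search order picking up a DLL that
    # sits in the same directory as the executable.
    if exe_dir != dll_dir:
        return reasons
    if ev.exe_signer and not ev.dll_signer:
        reasons.append("signed EXE loaded unsigned co-located DLL")
    elif ev.exe_signer and ev.dll_signer and ev.exe_signer.lower() != ev.dll_signer.lower():
        reasons.append("EXE and co-located DLL signed by different publishers")
    # Only escalate if the signature mismatch already fired; a legitimate
    # installer in a temp directory with consistent signatures is not flagged.
    if reasons and not in_trusted_root(ev.image):
        reasons.append("EXE running outside trusted program directories")
    return reasons


def scan(events) -> list:
    """Return (image, image_loaded, reasons) for every event with indicators."""
    findings = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if reasons:
            findings.append((ev.image, ev.image_loaded, reasons))
    return findings


# Constructed sample telemetry (not real logs). The first record mirrors the
# executable/DLL pairing named in the article; publishers are placeholders.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\Public\toshdpdb.exe", r"C:\Users\Public\toshdpapi.dll",
              "Example Vendor A", ""),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\kernel32.dll",
              "Microsoft Windows", "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll",
              "Example Vendor B", "Example Vendor B"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\tool.exe",
              r"C:\Users\alice\AppData\Local\Temp\version.dll",
              "Example Vendor C", ""),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\plugin.dll",
              "Example Vendor B", ""),
]


if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} -> {dll}")
        for r in reasons:
            print(f"    - {r}")
```

The two-tier output is deliberate: a signed executable loading an unsigned DLL inside Program Files is worth a look but is common with plugins, whereas the same mismatch from a user-writable directory is the shape seen in the intrusion above and deserves a higher severity.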
This case highlights the blurred lines between state-sponsored cyber operations and financially motivated cybercrime, raising concerns about rogue actors within APT groups using nation-state tools for personal enrichment.