{
	"id": "d124e5d9-06a5-4574-a850-48d7d98be5c9",
	"created_at": "2026-04-06T00:09:22.26802Z",
	"updated_at": "2026-04-10T03:37:21.675631Z",
	"deleted_at": null,
	"sha1_hash": "2483e82a22ac9f871cd62ad39f7b83c99371d517",
	"title": "China's APT hackers move to ransomware attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2132859,
	"plain_text": "China's APT hackers move to ransomware attacks\r\nBy Ionut Ilascu\r\nPublished: 2021-01-04 · Archived: 2026-04-05 15:01:14 UTC\r\nSecurity researchers investigating a set of ransomware incidents at multiple companies discovered malware indicating that\r\nthe attacks may be the work of a hacker group believed to operate on behalf of China.\r\nAlthough the attacks lack the sophistication normally seen with advanced threat actors, there is strong evidence linking them\r\nto APT27, a group normally involved in cyber espionage campaigns, also known as TG-3390, Emissary Panda, BRONZE\r\nUNION, Iron Tiger, and LuckyMouse.\r\nAbusing Windows BitLocker\r\nThe attacks happened in 2020 and directly targeted at least five companies in the online gambling sector that operate\r\nglobally and successfully encrypted several core servers.\r\nhttps://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nWhile these were ransomware incidents in earnest, the threat actor relied on BitLocker, the drive encryption tool in\r\nWindows, to lock the servers.\r\nThe researchers from cybersecurity firms Profero and Security Joes responded to these incidents and found that the hackers\r\nreached their targets through a third-party service provider, which had been infected through another third-party provider.\r\nAnalyzing the attacks revealed malware samples linked to DRBControl, a campaign described earlier this year in a report\r\nfrom Trend Micro and attributed to APT27 and Winnti, both groups active since at least 2010 and associate with Chinese\r\nhackers. 
If APT27 focuses on cyberespionage, Winnti is known for its financial motivation.\r\nIn a joint report shared with BleepingComputer, Profero and Security Joes share evidence pointing to these two groups\r\nsaying that they found a sample of the Clambling backdoor similar to the one used in the DRBControl campaign.\r\nThey also uncovered the ASPXSpy webshell. A modified version of this malware has been seen previously in attacks\r\nattributed to APT27.\r\nOther malware found on infected computers includes the PlugX remote access trojan, regularly mentioned in cybersecurity\r\nreports about campaigns linked to China.\r\n\"With regards to who is behind this specific infection chain, there are extremely strong links to APT27/Emissary Panda, in\r\nterms of code similarities, and TTPs [tactics, techniques, and procedures],\" the report reads.\r\nAlthough a cyberespionage group engaging in a financially-motivated campaign is unusual, this attack would not be the first\r\ntime APT27 deploys ransomware on victim systems.\r\nResearchers at Positive Technologies attributed a Polar ransomware attack from April 2020 to APT27, based on the use of\r\nmalware normally used by this group.\r\nThe attacks against the five companies in the gambling sector were not particularly sophisticated and relied on known\r\nmethods to evade detection and move laterally.\r\nThe report from Profero and Security Joes says that the actor deployed PlugX and Clambling malware in the system\r\nmemory using an older Google Updater executable that was vulnerable to DLL side-loading.\r\n\"For each of the two samples, there was a legitimate executable, a malicious DLL, and a binary file consisting of shellcode\r\nresponsible for extracting the payload from itself and running it in memory. 
Both samples used the signed Google Updater,\r\nand both DLLs were labeled goopdate.dll, however the PlugX binary file was named license.rtf, and the Clambling binary\r\nfile was named English.rtf.\"\r\nAdditionally, the attacker leveraged a vulnerability from 2017 (CVE-2017-0213) to escalate privileges on the machine.\r\nExploit code for this bug is publicly available.\r\nDaniel Bunce, Principal Security Analyst at Security Joes, told BleepingComputer that the key takeaway from these attacks\r\nis the involvement of a cyberespionage group in a financially-driven campaign.\r\nOmri Segev Moyal, CEO at Profero, says that the audacity of such a malicious group is another signal that governments\r\nshould have a unified approach in the fight against these threats.\r\nRecently, another hacker group believed to work for a government has been linked to ransomware attacks. According to\r\nClearSky, the Iranian-backed hacking group Fox Kitten has been involved in Pay2Key ransomware operations against\r\norganizations in Israel and Brazil.\r\nSource: https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/"
	],
	"report_names": [
		"chinas-apt-hackers-move-to-ransomware-attacks"
	],
	"threat_actors": [
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-10T02:00:04.847961Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-10T02:00:03.651425Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-10T02:00:03.232876Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM",
				"PIONEER KITTEN",
				"PARISITE"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-10T02:00:05.260839Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434162,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2483e82a22ac9f871cd62ad39f7b83c99371d517.pdf",
		"text": "https://archive.orkl.eu/2483e82a22ac9f871cd62ad39f7b83c99371d517.txt",
		"img": "https://archive.orkl.eu/2483e82a22ac9f871cd62ad39f7b83c99371d517.jpg"
	}
}