{
	"id": "e95cdbea-c967-42d5-9a83-30035c0e2e13",
	"created_at": "2026-04-06T00:21:52.610524Z",
	"updated_at": "2026-04-10T13:11:58.55554Z",
	"deleted_at": null,
	"sha1_hash": "2fd0027a1e88539a1e612c44ea3f0248e3ad86b1",
	"title": "China-linked Espionage Tools Used in Ransomware Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43511,
	"plain_text": "China-linked Espionage Tools Used in Ransomware Attacks\r\nArchived: 2026-04-05 12:50:37 UTC\r\nTools that are usually associated with China-based espionage actors were recently deployed in an attack involving the RA World ransomware against an Asian software and services company.\r\nDuring the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks.\r\nWhile tools associated with China-based espionage groups are often shared resources, many aren’t publicly available and aren’t usually associated with cybercrime activity.\r\nIn all the prior intrusions involving the toolset, the attacker appeared to be engaged in classic espionage, seemingly solely interested in maintaining a persistent presence on the targeted organizations by installing backdoors.\r\nIn July 2024, an attacker compromised the Foreign Ministry of a country in southeastern Europe. The attacker leveraged a legitimate Toshiba executable named toshdpdb.exe to sideload a malicious DLL named toshdpapi.dll. This DLL acts as a loader for a heavily obfuscated payload that is contained in a file called TosHdp.dat. The payload is encrypted with the RC4 key 20240120@@@. Analysis of the decrypted payload revealed that it is a variant of PlugX (aka Korplug), a custom backdoor that is not publicly available and is associated only with China-linked espionage actors. To date, it has never been used by actors based in other countries. Features of this variant included encrypted strings, dynamic API resolution, and control flow flattening. Its configuration was encrypted using the RC4 key qwedfgx202211.\r\nThe PlugX plugin compilation timestamps for this variant were identical to those in the Thor PlugX variant, documented by Palo Alto, which was linked to Fireant (aka Mustang Panda, Earth Preta), a China-based espionage group.\r\nThe variant also has some similarities to the PlugX type 2 variant documented by Trend Micro, which has also been linked to Fireant. The configuration was encrypted using the same RC4 key (qwedfgx202211), and both variants had similar configuration structures.\r\nFurther espionage attacks involving the same PlugX variant followed. In August 2024, the attacker compromised the government of another southeastern European country. Also in August 2024, the attacker compromised a government ministry in a Southeast Asian country. In September 2024, they briefly compromised a telecoms operator in the region, and in January 2025, the attacker targeted a government ministry in another Southeast Asian country.\r\nRansomware Attack\r\nhttps://www.security.com/threat-intelligence/chinese-espionage-ransomware\r\nPage 1 of 3\r\nIn the midst of these apparent espionage attacks, in late November 2024, the same toolset was used in connection with a criminal extortion campaign against a medium-sized software and services company in South Asia.\r\nWhile no infection vector was found, the attacker later claimed that the target’s network was compromised by exploiting a known vulnerability in Palo Alto’s PAN-OS firewall software (CVE-2024-0012). The attacker then said administrative credentials were obtained from the company’s intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers.\r\nThe attacker leveraged the same Toshiba executable (toshdpdb.exe) to sideload the malicious DLL named toshdpapi.dll. This DLL acts as a loader, and when executed, it searches for a file named toshdp.dat in the current folder and decrypts it. The decrypted payload from the toshdp.dat file is the same PlugX variant observed in the prior espionage attacks.\r\nMachines on the target’s network were encrypted with the RA World ransomware. The attacker demanded a $2 million ransom, which would be reduced to $1 million if paid within three days.\r\nHypotheses\r\nThere is evidence to suggest that this attacker may have been involved in ransomware for some time. In a report on RA World attacks, Palo Alto said that it had found some links to Bronze Starlight (aka Emperor Dragonfly), a China-based actor that deploys different ransomware payloads. One of the tools used in this ransomware attack was a proxy tool called NPS, which was created by a China-based developer. This has previously been used by Bronze Starlight. SentinelOne, meanwhile, reported that Bronze Starlight had been involved in attacks involving the LockFile, AtomSilo, NightSky, and LockBit ransomware families.\r\nIt is unclear why an actor who appears to be linked to espionage operations is also mounting a ransomware attack. While it is not unusual for North Korean threat actors to engage in financially motivated attacks to subsidize their operations, there is no similar history for China-based espionage threat actors, and there is no obvious reason why they would pursue this strategy.\r\nAnother possibility is that the ransomware was used to cover up evidence of the intrusion or act as a decoy to draw attention away from the true nature of the espionage attacks. However, the ransomware deployment was not very effective at covering up the tools used in the intrusion, particularly those linking it back to prior espionage attacks. Secondly, the ransomware target was not a strategically significant organization and was something of an outlier compared to the espionage targets. It seems unusual that the attacker would go to such lengths to cover up the nature of their campaign. Finally, the attacker seemed to be serious about collecting a ransom from the victim and appeared to have spent time corresponding with them. This usually wouldn’t be the case if the ransomware attack was simply a diversion.\r\nThe most likely scenario is that an actor, possibly one individual, was attempting to make some money on the side using their employer’s toolkit.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nSource: https://www.security.com/threat-intelligence/chinese-espionage-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.security.com/threat-intelligence/chinese-espionage-ransomware"
	],
	"report_names": [
		"chinese-espionage-ransomware"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434912,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2fd0027a1e88539a1e612c44ea3f0248e3ad86b1.pdf",
		"text": "https://archive.orkl.eu/2fd0027a1e88539a1e612c44ea3f0248e3ad86b1.txt",
		"img": "https://archive.orkl.eu/2fd0027a1e88539a1e612c44ea3f0248e3ad86b1.jpg"
	}
}