A malicious tool primarily used by China-based cyber espionage groups was deployed in an RA World ransomware attack in November 2024 that targeted an unnamed software and services company in Asia, raising the possibility that the threat actor may be moonlighting as a ransomware affiliate in a private capacity.
The Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News that the attacker "deployed a unique tool that had previously been used by a China-linked actor in traditional espionage attacks."
In all the earlier intrusions involving this toolset, the attacker appeared to be engaged in classic espionage, seemingly concerned only with maintaining a persistent presence on the targeted organizations by installing backdoors.
This included the compromise of the Foreign Ministry of a country in southeastern Europe in July 2024 that involved the use of DLL side-loading techniques to deploy PlugX (also known as Korplug), a malware family that the actor Mustang Panda (also known as Fireant and RedDelta) has used before.
Specifically, the attack chain entails the use of a legitimate Toshiba executable named "toshdpdb.exe" to side-load a malicious DLL named "toshdpapi.dll", which, in turn, acts as a conduit to load the encrypted PlugX payload.
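The side-load described above has a recognisable shape in image-load telemetry: a signed host executable loads a DLL that sits in its own directory but is unsigned or signed by someone else. The following detection logic is an added example and not Symantec's code; the Sysmon-style event fields, paths and signer names are constructed for illustration.

```python
import ntpath
from typing import Iterable

# Constructed Sysmon-style ImageLoad events (assumed field names, sample
# paths and signer strings; none of these values come from the article).
EVENTS = [
    {"image": r"C:\Program Files\TOSHIBA\Display\toshdpdb.exe",
     "image_loaded": r"C:\Program Files\TOSHIBA\Display\toshdpapi.dll",
     "image_signer": "TOSHIBA CORPORATION", "dll_signer": "TOSHIBA CORPORATION"},
    {"image": r"C:\Users\Public\Libraries\toshdpdb.exe",
     "image_loaded": r"C:\Users\Public\Libraries\toshdpapi.dll",
     "image_signer": "TOSHIBA CORPORATION", "dll_signer": None},
    {"image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\ntdll.dll",
     "image_signer": "Microsoft Windows", "dll_signer": "Microsoft Windows"},
]

def sideload_suspects(events: Iterable[dict]) -> list[dict]:
    """Return events where a signed host binary loads a DLL from its own
    directory that is unsigned or signed by a different publisher.
    Co-location plus signer mismatch is the shape of the Toshiba
    side-load in the article; a vendor DLL signed by the vendor passes."""
    hits = []
    for ev in events:
        # ntpath handles Windows separators regardless of the analysis host OS
        exe_dir = ntpath.dirname(ev["image"]).lower()
        dll_dir = ntpath.dirname(ev["image_loaded"]).lower()
        if exe_dir != dll_dir:
            continue  # DLL not beside the host binary: not a side-load shape
        if ev["image_signer"] and ev["dll_signer"] != ev["image_signer"]:
            hits.append({
                "host": ev["image"],
                "dll": ev["image_loaded"],
                "reason": "co-located DLL not signed by the host's publisher",
            })
    return hits

if __name__ == "__main__":
    for h in sideload_suspects(EVENTS):
        print(f"SUSPECT {h['dll']} loaded by {h['host']}: {h['reason']}")
```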
Other intrusions linked to the same toolset have been observed in attacks targeting two different government entities in Southeastern Europe and Southeast Asia in August 2024, a telecommunications operator in September 2024, and another government in a different Southeast Asian country in January 2025.
However, Symantec also noted the use of the PlugX variant in a ransomware attack against a small software and services company in South Asia in November 2024.
It's not exactly clear how the company's network was compromised, although the attacker claimed to have done so by exploiting a known security flaw in Palo Alto Networks PAN-OS software ( ). The attack culminated in the machines being encrypted with RA World ransomware, but not before the Toshiba binary was used to deploy the PlugX malware.
It's worth pointing out that prior analyses from Cisco Talos and Palo Alto Networks Unit 42 have uncovered tradecraft overlaps between ( also known as Storm-401 and Emperor Dragonfly ) and a Chinese threat group with a history of deploying ransomware families.
Symantec theorized that a lone actor is likely behind the attack and was attempting to make some quick money on the side, although it remains unknown why an espionage actor would also carry out a financially motivated attack. This assessment also aligns with Sygnia's analysis of Emperor Dragonfly as a "single threat actor" from October 2022.
This kind of freelancing, while rarely observed in the Chinese hacking ecosystem, is far more common among actors from Iran and North Korea.
In a report released this week, the Google Threat Intelligence Group (GTIG) stated that "a further form of financially motivated activity supporting state goals are groups whose main mission may be state-sponsored espionage but who are, either tacitly or explicitly, permitted to conduct financially motivated operations to supplement their income.
This can help the government cover direct expenses associated with maintaining organizations with robust capabilities."
Salt Typhoon Exploits Telcos Through Vulnerable Cisco Devices
The development comes as Salt Typhoon, a Chinese nation-state hacking group, has been linked to a series of cyber attacks that exploit known security flaws in Cisco network devices ( and ) to breach multiple networks.
Based on communications detected between compromised Cisco devices and the threat actor's infrastructure, the malicious cyber activity is said to have targeted a U.S.-based affiliate of a significant U.K.-based telecommunications provider, a South African telecommunications provider, and a large Thai telecommunications provider.
The attacks took place between December 4, 2024, and January 23, 2025, Recorded Future's Insikt Group said, adding that the adversary, also tracked as Earth Estries, FamousSparrow, GhostEmperor, RedMike, and UNC2286, attempted to exploit more than 1,000 Cisco devices globally during that timeframe.
More than half of the targeted Cisco appliances are located in the U.S., South America, and India. In what appears to be a broadening of its targeting focus, Salt Typhoon has also been observed targeting devices associated with more than a dozen universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the U.S., and Vietnam.
"RedMike possibly targeted these universities to access research in areas related to telecommunications, engineering, and technology, particularly at institutions like UCLA and TU Delft," the company said.
Once the threat actor has compromised a Cisco device, it uses its elevated privileges to change the device's configuration and add a generic routing encapsulation (GRE) tunnel between the device and its own infrastructure, giving it persistent access and a channel for data exfiltration.
Because such appliances typically lack security controls and endpoint detection and response (EDR) coverage, using vulnerable network appliances as entry points into target networks has become a regular practice for Salt Typhoon and other hacking groups like .
Organizations are advised to prioritize applying the available security patches and updates to publicly accessible network devices in order to reduce the risk of such attacks, paying particular attention to devices that have reached end-of-life (EoL) status. Additionally, organizations should avoid exposing administrative interfaces or non-essential services to the internet.
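Both the GRE-tunnel persistence described above and the exposed-management-service advice lend themselves to a configuration audit: diff each tunnel destination against what change management approved, and flag management transports that should not face the internet. This script is an added example, not Recorded Future's or Cisco's tooling; the IOS-style config excerpt and the approved-destination list are constructed.

```python
import re

# Constructed IOS-style running-config excerpt (not from the article):
# Tunnel0 is an approved site-to-site link, Tunnel7 is unexpected.
RUNNING_CONFIG = """\
ip http server
!
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
!
interface Tunnel7
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.45
!
line vty 0 4
 transport input telnet ssh
!
"""

# Tunnel endpoints approved by change management (constructed values).
APPROVED_TUNNEL_DESTINATIONS = {"198.51.100.10"}

def audit_config(config: str, approved: set[str]) -> list[str]:
    """Flag GRE tunnels to unapproved destinations and internet-facing
    management services. IOS tunnels default to GRE/IP when no
    'tunnel mode' line is present, so a missing mode line still counts."""
    findings = []
    # Config sections are separated by lines containing only "!"
    for block in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface (Tunnel\S+)", block, re.M)
        if not name:
            continue
        mode = re.search(r"^\s*tunnel mode (\S+)", block, re.M)
        dest = re.search(r"^\s*tunnel destination (\S+)", block, re.M)
        is_gre = mode is None or mode.group(1).startswith("gre")
        if is_gre and (dest is None or dest.group(1) not in approved):
            findings.append(f"{name.group(1)}: GRE tunnel to unapproved "
                            f"destination {dest.group(1) if dest else '<none>'}")
    if re.search(r"^ip http server$", config, re.M):
        findings.append("ip http server enabled: web management exposed")
    if re.search(r"^\s*transport input .*\btelnet\b", config, re.M):
        findings.append("telnet permitted on vty: cleartext management access")
    return findings

if __name__ == "__main__":
    for line in audit_config(RUNNING_CONFIG, APPROVED_TUNNEL_DESTINATIONS):
        print("FINDING", line)
```

Run it against `show running-config` output collected from each edge device and treat any tunnel not on the approved list as an incident, not a cleanup item.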