Chinese threat group Jewelbug secretly infiltrated Russian IT networks for months

October 15, 2025

Chinese-linked attackers have been implicated in a five-month intrusion targeting IT service providers in Russia, marking the hacker group’s expansion into the country beyond Southeast Asia and South America.

The activity took place between January and May 2025 and is attributed to a threat actor that Broadcom-owned Symantec tracks as Jewelbug, which it says overlaps with clusters known as CL-STA-0049 (Palo Alto Networks Unit 42), Earth Alux (Trend Micro), and REF7707 (Elastic Security Labs).

The findings suggest that Russia is not exempt from Chinese cyber espionage, even though “military, economic and diplomatic” ties between Russia and China have strengthened over the years.

“An attacker gained access to code repositories and software construction systems that could be exploited to carry out supply chain attacks targeting the company’s customers in Russia,” the Symantec Threat Hunters team said in a report shared with Hacker News. “It is also worth noting that the attackers were exfiltrating data to Yandex Cloud.”

Earth Alux is believed to have been active since at least the second quarter of 2023, primarily targeting government, technology, logistics, manufacturing, telecommunications, IT services, and retail in the Asia Pacific (APAC) and Latin America (LATAM) regions, delivering malware such as VARGEIT and COBEACON (also known as Cobalt Strike Beacon).

Meanwhile, the activity tracked as CL-STA-0049/REF7707 has been observed distributing an advanced backdoor named FINALDRAFT (also known as Squidoor) that can infect both Windows and Linux systems. Symantec’s findings mark the first time these two clusters of activity have been linked.

In its attacks on Russian IT service providers, Jewelbug is said to have abused a renamed copy of the Microsoft Console Debugger (“cdb.exe”). The debugger can be used to run shellcode and bypass application allow lists, as well as to launch executables, run DLLs, and terminate security solutions.


The attacker has also been observed dumping credentials, establishing persistence through scheduled tasks, and clearing Windows event logs in an attempt to hide traces of its activity.
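The two paragraphs above describe behaviours that all leave Windows telemetry behind: a debugger running under a different file name, a new scheduled task, and a cleared event log. The script below is an added example written for this page, not code from the article or from Symantec, showing how a defender can triage such events together. It assumes Sysmon-style field names (Event ID 1 with `Image` and `OriginalFileName`, Security 4698/1102, System 104) and uses constructed sample events; host names, paths and severities are invented.

```python
import ntpath

# Constructed sample events (not real telemetry), shaped after the fields of
# Sysmon Event ID 1 (process creation) and of the Windows Security and System
# logs. Host names, users and paths are invented for this example.
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 1, "Computer": "WS-042",
     "Image": r"C:\ProgramData\Update\svchost32.exe",
     "OriginalFileName": "CDB.Exe",
     "CommandLine": r"svchost32.exe -cf C:\ProgramData\Update\run.wds"},
    {"Channel": "Sysmon", "EventID": 1, "Computer": "DEV-07",
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "CDB.Exe",
     "CommandLine": "cdb.exe -p 4120"},
    {"Channel": "Security", "EventID": 4698, "Computer": "WS-042",
     "SubjectUserName": "svc_backup",
     "TaskName": r"\Microsoft\Windows\UpdateCheck"},
    {"Channel": "Security", "EventID": 1102, "Computer": "WS-042",
     "SubjectUserName": "svc_backup"},
    {"Channel": "System", "EventID": 104, "Computer": "WS-042",
     "SubjectUserName": "svc_backup"},
    {"Channel": "Sysmon", "EventID": 1, "Computer": "WS-042",
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]

# OriginalFileName values of the Debugging Tools for Windows binaries
# (compared case-insensitively; the version resource uses mixed case).
DEBUGGER_ORIGINAL_NAMES = {"cdb.exe", "windbg.exe", "kd.exe", "ntsd.exe"}

# Audit events that record a cleared log: Security 1102 and System 104.
LOG_CLEARED = {("Security", 1102), ("System", 104)}
SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


def is_renamed_debugger(event):
    """True when a process-creation event shows a debugger whose on-disk name
    differs from the OriginalFileName recorded in its version resource."""
    if event.get("Channel") != "Sysmon" or event.get("EventID") != 1:
        return False
    original = event.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    return original in DEBUGGER_ORIGINAL_NAMES and original != on_disk


def triage(events):
    """Map each event to at most one finding: host, rule, severity, detail."""
    findings = []
    for ev in events:
        key = (ev.get("Channel"), ev.get("EventID"))
        if is_renamed_debugger(ev):
            findings.append({"Computer": ev["Computer"], "rule": "renamed_debugger",
                             "severity": "high", "detail": ev["CommandLine"]})
        elif key == ("Security", 4698):
            findings.append({"Computer": ev["Computer"], "rule": "scheduled_task_created",
                             "severity": "medium",
                             "detail": f'{ev["SubjectUserName"]} created {ev["TaskName"]}'})
        elif key in LOG_CLEARED:
            findings.append({"Computer": ev["Computer"], "rule": "event_log_cleared",
                             "severity": "high",
                             "detail": f'{ev["SubjectUserName"]} cleared the {ev["Channel"]} log'})
    return findings


def prioritise_hosts(findings):
    """Per host: 'critical' when two or more distinct rules fired (the tradecraft
    described above chains them), otherwise the highest single severity."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["Computer"], []).append(f)
    result = {}
    for host, items in by_host.items():
        if len({f["rule"] for f in items}) >= 2:
            result[host] = "critical"
        else:
            result[host] = max((f["severity"] for f in items), key=SEVERITY_RANK.__getitem__)
    return result


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['Computer']:8} {f['severity']:8} {f['rule']:24} {f['detail']}")
    print(prioritise_hosts(found))
```

The renamed-binary check is the part worth copying: a copy of `cdb.exe` still carries `CDB.Exe` in its version resource, so comparing that value against the on-disk name catches the rename regardless of what the attacker called the file, while the legitimate debugger on the developer host `DEV-07` produces no finding. A cleared log on its own is noisy; correlating it with a new scheduled task or a renamed tool on the same host is what lifts the host to the top of the queue.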

Targeting IT service providers is strategic because it opens the door to potential supply chain attacks and allows threat actors to leverage a breach to compromise multiple downstream customers at once through malicious software updates.

Jewelbug was also involved in a large-scale government intrusion in South America in July 2025, deploying a previously undocumented backdoor said to be still in development, highlighting the group’s evolving capabilities. The malware uses the Microsoft Graph API and OneDrive for command and control (C2) and can collect system information, enumerate files on the targeted machine, and upload the results to OneDrive.

Using the Microsoft Graph API allows threat actors to blend into normal network traffic and minimizes forensic artifacts, which complicates post-incident analysis and increases the threat actor’s dwell time.
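Because Graph API traffic to graph.microsoft.com is expected from every Office and OneDrive client, a destination-based block is not an option; what a defender can still do is ask which process is talking to Graph and how much it is sending. The script below is an added example for this page, not code from the article or Symantec: it runs over constructed, process-enriched proxy records (the `proc=` field assumes an EDR or proxy integration that records the originating executable), flags processes outside an assumed allow list of Microsoft clients, and totals uploads per host and process against an assumed 5 MiB threshold.

```python
import re
from collections import defaultdict

# Constructed web-proxy records (not real telemetry) in a key=value format,
# enriched with the originating process name as some EDR/proxy integrations do.
SAMPLE_LOG = """\
ts=2025-07-03T08:12:01Z host=WS-042 proc=onedrive.exe dst=graph.microsoft.com method=PUT bytes_out=524288
ts=2025-07-03T08:12:09Z host=WS-042 proc=svchost32.exe dst=graph.microsoft.com method=PUT bytes_out=4194304
ts=2025-07-03T08:13:44Z host=WS-042 proc=svchost32.exe dst=graph.microsoft.com method=PUT bytes_out=6291456
ts=2025-07-03T08:15:02Z host=WS-042 proc=svchost32.exe dst=graph.microsoft.com method=GET bytes_out=512
ts=2025-07-03T08:20:17Z host=DEV-07 proc=msedge.exe dst=graph.microsoft.com method=GET bytes_out=1024
ts=2025-07-03T08:21:00Z host=DEV-07 proc=teams.exe dst=graph.microsoft.com method=POST bytes_out=20480
"""

# Endpoints served by Microsoft Graph / OneDrive, and the clients expected to
# use them. Both sets are assumptions to be tuned for a given estate.
GRAPH_HOSTS = {"graph.microsoft.com", "api.onedrive.com"}
EXPECTED_CLIENTS = {"onedrive.exe", "msedge.exe", "teams.exe", "ms-teams.exe",
                    "outlook.exe", "olk.exe", "excel.exe", "winword.exe", "powerpnt.exe"}
UPLOAD_THRESHOLD = 5 * 1024 * 1024  # bytes sent per (host, process) in the window

KV = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Parse key=value lines into dicts; bytes_out becomes an int."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(KV.findall(line))
        rec["bytes_out"] = int(rec.get("bytes_out", 0))
        records.append(rec)
    return records


def detect(records):
    """Two rules over Graph/OneDrive traffic: an unexpected client process, and
    a (host, process) pair whose uploads exceed UPLOAD_THRESHOLD."""
    findings = []
    sent = defaultdict(int)
    reported = set()
    for rec in records:
        if rec.get("dst") not in GRAPH_HOSTS:
            continue
        pair = (rec["host"], rec["proc"].lower())
        if rec.get("method") in {"PUT", "POST", "PATCH"}:
            sent[pair] += rec["bytes_out"]
        if pair[1] not in EXPECTED_CLIENTS and pair not in reported:
            reported.add(pair)
            findings.append({"host": pair[0], "proc": pair[1],
                             "rule": "unexpected_graph_client", "value": rec["dst"]})
    for (host, proc), total in sent.items():
        if total >= UPLOAD_THRESHOLD:
            findings.append({"host": host, "proc": proc,
                             "rule": "bulk_upload_to_graph", "value": total})
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f"{f['host']:8} {f['proc']:16} {f['rule']:24} {f['value']}")
```

In the sample, `svchost32.exe` on `WS-042` trips both rules: it is not a known Graph client, and its two PUT requests add up to 10 MiB. The process name is the key signal, which is why this only works with telemetry that ties network flows to the originating executable; from a plain proxy log, the volume rule and a per-host baseline of Graph upload sizes are what remain.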

Other targets included a South Asia-based IT provider and a Taiwanese company in October and November 2024, with the attacks on the latter leveraging DLL sideloading to drop malicious payloads including ShadowPad, a backdoor used exclusively by Chinese hacking groups.

This infection chain also featured a KillAV tool that disables security software and a publicly available tool named EchoDrv, which exploits kernel read/write vulnerabilities in the ECHOAC anti-cheat driver as part of what appears to be a Bring Your Own Vulnerable Driver (BYOVD) attack.
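The practical difficulty with BYOVD is that the driver being abused is legitimately signed, so a signature check alone passes it. The script below is an added example for this page, not code from the article or Symantec, showing a defender-side check over Sysmon Event ID 6 (driver loaded) records: it combines a hash deny list with a load-path policy and a signature check. The SHA-256 values are labelled placeholders, not hashes of any real driver; in practice the deny list would be seeded from Microsoft's recommended driver block rules or the community LOLDrivers list, and the trusted directories are an assumption.

```python
import ntpath

# Constructed Sysmon Event ID 6 (driver loaded) records. The SHA-256 values
# are placeholders and do not correspond to any real driver.
SAMPLE_DRIVER_EVENTS = [
    {"Computer": "WS-042", "ImageLoaded": r"C:\Users\Public\echo_driver.sys",
     "Signed": "true", "Signature": "Example Anti-Cheat Ltd", "SignatureStatus": "Valid",
     "Hashes": "SHA1=PLACEHOLDER,SHA256=PLACEHOLDER_SHA256_VULNERABLE_ANTICHEAT_DRIVER"},
    {"Computer": "DEV-07", "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_DISK_SYS"},
    {"Computer": "WS-042", "ImageLoaded": r"C:\Windows\Temp\dbg.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_UNSIGNED_DRIVER"},
]

# Placeholder deny list. In practice, seed this from Microsoft's recommended
# driver block rules or the LOLDrivers project; a valid signature does not
# make a driver safe to load.
KNOWN_VULNERABLE_SHA256 = {"PLACEHOLDER_SHA256_VULNERABLE_ANTICHEAT_DRIVER"}

# Directories from which drivers are normally installed (assumption).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")


def parse_hashes(field):
    """Turn Sysmon's 'SHA1=..,SHA256=..' field into a dict keyed by algorithm."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip()
    return out


def assess(event):
    """Return a list of (severity, reason) for one driver-load event."""
    reasons = []
    path = event.get("ImageLoaded", "").lower()
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append(("critical", "hash on vulnerable-driver deny list"))
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(("high", "loaded from outside trusted driver directories"))
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append(("high", "unsigned or invalid signature"))
    return reasons


def scan(events):
    """Apply assess() to every event and keep only those with findings."""
    findings = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            findings.append({"Computer": ev["Computer"],
                             "driver": ntpath.basename(ev["ImageLoaded"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_DRIVER_EVENTS):
        print(f["Computer"], f["driver"])
        for severity, reason in f["reasons"]:
            print(f"  [{severity}] {reason}")
```

The signed anti-cheat driver in the sample passes the signature check and is caught only by the deny list and the unusual load path, which is the point: for BYOVD, hash and path policy carry the detection, and the signature check is there for the cruder case of an unsigned driver loaded from a temporary directory.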

It also leveraged freely available tools, including Mimikatz for dumping credentials from LSASS, PrintNotifyPotato, CoercedPotato, and SweetPotato for privilege escalation, and a SOCKS tunneling utility called EarthWorm that has been used by Chinese hacking groups such as Gelsemium and LuckyMouse.


“Jewelbug’s preference for using cloud services and other legitimate tools in its operations indicates that staying low-profile and establishing a stealthy, persistent presence on victims’ networks is of paramount importance to this group,” Symantec said.

The revelations came as Taiwan’s National Security Bureau warned of an increase in Chinese cyberattacks targeting government departments and accused Beijing’s “army of online trolls” of spreading fabricated content on social networks, undermining people’s trust in the government, and trying to sow distrust in the United States, Reuters reported.
