Chinese Threat Group ‘Jewelbug’ Infiltrates Russian IT Network Undetected for Months

A Chinese-linked cyber threat group, known as Jewelbug, has successfully infiltrated a Russian IT service provider for five months, marking the group’s expansion beyond its traditional targets in Southeast Asia and South America. This operation, running from January to May 2025, underscores the continued reach of Chinese cyber espionage.

Background on Jewelbug and Related Clusters

Broadcom-owned Symantec attributes this intrusion to Jewelbug, which overlaps with activity clusters tracked by other cybersecurity firms, including CL-STA-0049 (Palo Alto Networks Unit 42), Earth Alux (Trend Micro), and REF7707 (Elastic Security Labs). These findings suggest that Chinese cyber operations are not limited by political or military relationships, even with countries like Russia.

Attack Details

Jewelbug targeted critical code repositories and software build systems, potentially enabling supply chain attacks that could affect multiple downstream customers in Russia. Symantec noted that stolen data was exfiltrated to Yandex Cloud, highlighting the stealth and sophistication of the attack.

Earth Alux has been active since mid-2023, primarily targeting sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail, using malware like VARGEIT and COBEACON (Cobalt Strike Beacon).

Meanwhile, CL-STA-0049/REF7707 has deployed a sophisticated backdoor called FINALDRAFT (also known as Squidoor), which can infect both Windows and Linux systems. Symantec’s analysis is the first to connect these two clusters.

Tactics and Tools

During the Russian IT provider intrusion, Jewelbug used a renamed copy of the Microsoft Console Debugger (cdb.exe) to execute shellcode, bypass application allowlisting, launch executables, run DLLs, and disable security solutions. They also dumped credentials, set up persistence via scheduled tasks, and attempted to cover their tracks by clearing Windows Event Logs.
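The three behaviours just described leave distinct traces in standard Windows telemetry. As an added illustration (not code from Symantec's report or this article), the following Python runs simple checks over constructed Sysmon-style process-creation records and Windows Security events: a renamed cdb.exe is caught by comparing the PE OriginalFileName that Sysmon Event ID 1 records with the on-disk image name, audit-log clearing shows up as Security Event ID 1102, and scheduled-task creation as Security Event ID 4698. Field names follow Sysmon and Windows conventions; the sample events and paths are constructed.

```python
# Constructed sample telemetry in Sysmon / Windows Security style.
# These are illustrative records, not logs from the intrusion described above.
SAMPLE_EVENTS = [
    # Renamed debugger: version info says CDB.EXE, on-disk name does not.
    {"EventID": 1, "Image": r"C:\Windows\Temp\svchost.exe",
     "OriginalFileName": "CDB.EXE",
     "CommandLine": r"svchost.exe -cf C:\Windows\Temp\run.wds"},
    # Legitimate debugger from the Windows SDK, names agree: no alert.
    {"EventID": 1,
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "CDB.EXE", "CommandLine": "cdb.exe -z crash.dmp"},
    # Security 1102: "The audit log was cleared".
    {"EventID": 1102, "Channel": "Security", "SubjectUserName": "svc_build"},
    # Security 4698: "A scheduled task was created".
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Updater",
     "SubjectUserName": "svc_build"},
    # Benign process creation, names agree: no alert.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) findings for the three TTPs described above."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            # The PE's embedded original name survives renaming on disk,
            # so a mismatch exposes a renamed living-off-the-land binary.
            orig = ev.get("OriginalFileName", "").lower()
            if orig == "cdb.exe" and basename(ev.get("Image", "")) != "cdb.exe":
                findings.append(("renamed_cdb", ev["Image"]))
        elif eid == 1102:
            findings.append(("audit_log_cleared", ev.get("SubjectUserName")))
        elif eid == 4698:
            findings.append(("scheduled_task_created", ev.get("TaskName")))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

In a real deployment the same logic would run over events pulled from a SIEM or from `Get-WinEvent`; the OriginalFileName comparison generalizes to any renamed signed binary, not only cdb.exe.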

Targeting IT service providers is strategic, allowing the attackers to potentially compromise multiple downstream customers through malicious software updates.

Expanding Threats and New Malware

In July 2025, Jewelbug also targeted a large South American government organization, deploying a previously undocumented backdoor. This malware uses Microsoft Graph API and OneDrive for command-and-control, collects system data, enumerates files, and uploads information to OneDrive. By leveraging legitimate cloud services, the group avoids detection and leaves minimal forensic traces.

Other targets include an IT provider in South Asia and a Taiwanese company in late 2024. Techniques included DLL side-loading, ShadowPad backdoors, and KillAV for disabling security software. Tools such as EchoDrv and Mimikatz (used to dump credentials from LSASS) and privilege escalation utilities (PrintNotifyPotato, CoercedPotato, SweetPotato) were also used, along with SOCKS tunneling through EarthWorm, a tool common in Chinese cyber campaigns.