Full Report
Espionage actor may be moonlighting as RA World attacker.
Analysis Summary
# Threat Actor: Unidentified Actor linked to China-linked Espionage Toolset (Potentially Bronze Starlight/Emperor Dragonfly Overlap)
## Attribution & Identity
The actor is linked to a distinct toolset previously used exclusively by China-based espionage threat actors. The specific actor combining these espionage tools with ransomware extortion is unidentified; a possible link to **Bronze Starlight (aka Emperor Dragonfly)** is noted because of a malware overlap (the NPS proxy tool), but that overlap alone is not a firm attribution.
## Activity Summary
The actor ran a series of confirmed espionage intrusions between July 2024 and January 2025 and, in the middle of that period, a single financially motivated ransomware attack in late November 2024, using the same toolset in both.
**Espionage Campaigns (July 2024 - January 2025):**
* Compromised the Foreign Ministry of a southeastern European country (July 2024).
* Compromised a government entity in another southeastern European country (August 2024).
* Compromised a government ministry in a Southeast Asian country (August 2024).
* Briefly compromised a telecoms operator in Southeast Asia (September 2024).
* Targeted a government ministry in another Southeast Asian country (January 2025).
**Ransomware Campaign (Late November 2024):**
* Attacked a medium-sized software and services company in South Asia.
* Claimed to have gained initial access by exploiting **CVE-2024-0012 (a PAN-OS vulnerability)**; the initial vector is the attacker's own claim rather than a confirmed finding.
* Stole administrative credentials from the victim's intranet, then Amazon S3 cloud credentials from a Veeam backup server.
* Exfiltrated data before encrypting machines using **RA World ransomware**.
* Demanded a $2 million ransom.
## Tactics, Techniques & Procedures
- **DLL Sideloading:** Leveraged a legitimate, signed Toshiba executable (`toshdpdb.exe`) to load a malicious DLL (`toshdpapi.dll`).
- **Backdoor Use:** Deployed a variant of **PlugX (aka Korplug)**.
  - Features included encrypted strings, dynamic API resolution, and control-flow flattening.
  - Configuration encrypted with RC4 using the key `qwedfgx202211`.
  - The compilation timestamps of the PlugX plugins matched those of the PlugX variant attributed to Fireant (aka Mustang Panda).
- **Toolset Reuse:** The same PlugX variant was used in both the espionage intrusions and the ransomware attack.
- **Privilege Escalation/Data Theft (Ransomware phase):** Obtained internal administrative credentials, accessed a Veeam backup server, and stole AWS S3 cloud credentials; data was exfiltrated before encryption.
- **Proxy Tool Usage:** Utilized the **NPS proxy tool** (an open-source tunnelling tool from China-based developers, previously used by Bronze Starlight).
- **Ransomware Execution:** Deployed RA World ransomware.
- **MITRE ATT&CK Mapping (derived from the TTPs above):** T1190 Exploit Public-Facing Application (claimed PAN-OS exploitation); T1574.002 Hijack Execution Flow: DLL Side-Loading; T1027 Obfuscated Files or Information (encrypted strings, control-flow flattening) and T1027.007 Dynamic API Resolution; T1078 Valid Accounts and T1552 Unsecured Credentials (admin and S3 credentials taken from the Veeam server); T1090 Proxy (NPS); Exfiltration (TA0010; channel not specified in the report); T1486 Data Encrypted for Impact (RA World).
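The sideloading chain and the network indicators above translate directly into a hunt. The script below is an added example written for this page, not Symantec's code or anything recovered from the incident: it walks a constructed, Sysmon-like list of JSON events (image loads, file creates, DNS queries, outbound connections) and flags the `toshdpdb.exe` -> `toshdpapi.dll` load when the DLL is unsigned or sits in a user-writable directory, a `TosHdp.dat` drop, and any resolution of or connection to the listed C&C indicators. The event field names, the "legitimate" Toshiba install path, and the list of user-writable directories are assumptions to be tuned to your own telemetry.

```python
"""Hunt for the PlugX sideloading chain and its C&C indicators in endpoint
telemetry.  Added example; the event shape is a constructed, Sysmon-like
JSON layout (assumption), not any specific product's schema."""
import re
from typing import Iterable

# Indicators exactly as the report lists them (defanged), refanged for matching.
DEFANGED_DOMAINS = ["police.tracksyscloud[.]com", "caco.blueskyanalytics[.]net",
                    "plugins.jetbrians[.]net"]
DEFANGED_IPS = ["154.223.18[.]123", "158.247.213[.]167"]

def refang(ioc: str) -> str:
    """Turn `a[.]b` / `hxxp://` style defanging back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {refang(i) for i in DEFANGED_IPS}

# The sideloading triad from the report.
SIDELOAD_HOST = "toshdpdb.exe"
SIDELOAD_DLL = "toshdpapi.dll"
SIDELOAD_PAYLOAD = "toshdp.dat"

# Directories where a signed vendor binary has no business living
# (assumption: a starting list, extend for your fleet).
SUSPICIOUS_DIRS = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp|temp)\\",
    re.IGNORECASE,
)

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyse_event(ev: dict) -> list:
    """Return alert strings for one event (empty list when nothing matches)."""
    alerts = []
    kind = ev.get("event")
    if kind == "image_load":
        image, loaded = basename(ev.get("image", "")), basename(ev.get("loaded", ""))
        if image == SIDELOAD_HOST and loaded == SIDELOAD_DLL:
            # The genuine DLL ships with the Toshiba software and is signed; the
            # malicious copy is unsigned and sits beside the binary elsewhere.
            if SUSPICIOUS_DIRS.match(ev.get("loaded", "")) or not ev.get("signed", False):
                alerts.append(f"plugx-sideload: {ev['image']} loaded {ev['loaded']}")
    elif kind == "file_create":
        if basename(ev.get("path", "")) == SIDELOAD_PAYLOAD:
            alerts.append(f"plugx-payload: encrypted payload dropped at {ev['path']}")
    elif kind == "dns":
        query = ev.get("query", "").lower().rstrip(".")
        if query in IOC_DOMAINS:
            alerts.append(f"ioc-domain: {ev.get('image')} resolved {query}")
    elif kind == "network":
        dst = ev.get("dst_ip", "")
        if dst in IOC_IPS:
            alerts.append(f"ioc-ip: {ev.get('image')} connected to {dst}:{ev.get('dst_port')}")
    return alerts

def hunt(events: Iterable[dict]) -> list:
    """Run every event through analyse_event and collect the alerts."""
    alerts = []
    for ev in events:
        alerts.extend(analyse_event(ev))
    return alerts

# Constructed sample telemetry (not from the incident): ws01 is a clean
# Toshiba install, ws02 shows the full chain, ws03 is unrelated traffic.
SAMPLE_EVENTS = [
    {"event": "image_load", "host": "ws01",
     "image": r"C:\Program Files\TOSHIBA\Display\toshdpdb.exe",
     "loaded": r"C:\Program Files\TOSHIBA\Display\toshdpapi.dll", "signed": True},
    {"event": "image_load", "host": "ws02",
     "image": r"C:\Users\Public\Libraries\toshdpdb.exe",
     "loaded": r"C:\Users\Public\Libraries\toshdpapi.dll", "signed": False},
    {"event": "file_create", "host": "ws02", "path": r"C:\Users\Public\Libraries\TosHdp.dat"},
    {"event": "dns", "host": "ws02", "image": "toshdpdb.exe", "query": "police.tracksyscloud.com"},
    {"event": "network", "host": "ws02", "image": "nps.exe",
     "dst_ip": "154.223.18.123", "dst_port": 443},
    {"event": "dns", "host": "ws03", "image": "chrome.exe", "query": "www.example.com"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The path check matters more than the file name: the Toshiba binary is legitimate and signed, so an allow-list keyed only on the executable name would wave the attack through. Feed the same logic your real image-load and DNS events and keep the signed-status check, since the malicious DLL is the unsigned half of the pair.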
## Targeting
- **Sectors:** Government (Foreign Ministry, Government Ministries), Software and Services.
- **Geography:** Southeastern Europe, Southeast Asia, South Asia (Ransomware victim).
- **Victims:** Foreign Ministry of a southeastern European country, government entities in SE Europe and Southeast Asia, a telecoms operator, and a South Asian software/services company.
## Tools & Infrastructure
- **Malware Families Used:** PlugX variant (Korplug), RA World ransomware.
- **Infrastructure/Tools:**
  - Legitimate executable used for sideloading: `toshdpdb.exe`
  - Malicious components: `toshdpapi.dll` (sideloaded loader), `TosHdp.dat` (encrypted payload)
  - Payload decryption key (RC4): `20240120@@@`
  - Configuration decryption key (RC4): `qwedfgx202211`
  - Proxy tool: NPS
  - PlugX C&C domains: `police.tracksyscloud[.]com`, `caco.blueskyanalytics[.]net`
  - PlugX download server: `158.247.213[.]167`
  - NPS C&C: `154.223.18[.]123`, `plugins.jetbrians[.]net`
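Both keys above are plain RC4 keys, so an analyst who has pulled `TosHdp.dat` or a PlugX configuration blob off a host can test them without a debugger. The script below is an added example, not Symantec's tooling: it implements standard RC4 (KSA plus PRGA), tries the known keys against a blob and accepts the one that yields a PE header, and pulls C&C hostnames out of a decrypted configuration. The page gives no sample bytes and does not describe the internal layout of `TosHdp.dat` or the config, so the encrypted inputs here are constructed in the script (a fake MZ stub and a fake config encrypted under the report's keys), and a real sample may carry a header or size field that has to be skipped before decryption (assumption).

```python
"""RC4 key trial for the PlugX payload and configuration keys named in the
report.  Added example; the encrypted inputs are constructed here because
the page supplies no sample bytes."""
import re

PAYLOAD_KEY = b"20240120@@@"    # RC4 key for the sideloaded payload (from the report)
CONFIG_KEY = b"qwedfgx202211"   # RC4 key for the PlugX configuration (from the report)

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4.  Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check for a decrypted stage: an MZ header means the key fit."""
    return blob[:2] == b"MZ"

def try_keys(blob: bytes, keys=(PAYLOAD_KEY, CONFIG_KEY)):
    """Return (key, plaintext) for the first key that decrypts blob to a PE,
    or (None, None) if neither known key works."""
    for key in keys:
        plaintext = rc4(key, blob)
        if looks_like_pe(plaintext):
            return key, plaintext
    return None, None

def printable_strings(blob: bytes, min_len: int = 8) -> list:
    """ASCII strings of at least min_len bytes; C&C hostnames surface here
    once a configuration has been decrypted."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

# Constructed samples (NOT real TosHdp.dat or PlugX config data): a minimal
# MZ stub and a null-separated config, each encrypted under the report's key.
FAKE_STAGE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"sample-plugx-stage"
SAMPLE_STAGE_ENC = rc4(PAYLOAD_KEY, FAKE_STAGE)
FAKE_CONFIG = (b"\x00" * 4 + b"police.tracksyscloud.com\x00"
               + b"caco.blueskyanalytics.net\x00" + b"\x00" * 4)
SAMPLE_CONFIG_ENC = rc4(CONFIG_KEY, FAKE_CONFIG)

if __name__ == "__main__":
    key, stage = try_keys(SAMPLE_STAGE_ENC)
    print("payload key matched:", key, "-> PE of", len(stage), "bytes")
    print("config C&C strings:", printable_strings(rc4(CONFIG_KEY, SAMPLE_CONFIG_ENC)))
```

RC4 has no integrity check, so a wrong key never fails loudly; it just produces noise. That is why the example keys on a recognisable structure (an MZ header, or hostnames in the output) rather than on the decryption "succeeding", and why a real sample that has a prepended header will need the offset found first.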
## Implications
The primary implication of this activity is the observed blending of highly sophisticated, state-sponsored espionage tooling (PlugX variant associated with China-linked actors) with financially motivated cybercrime (RA World ransomware). This suggests several possibilities:
1. **Insider Threat/Tool Misuse:** A possible scenario where an individual uses their access to an espionage toolset for secondary, financial gain.
2. **Evasion/Cover Story:** The ransomware may have been deployed as a decoy to obscure the true purpose (espionage/data collection), though the execution was inconsistent with a pure cover-up strategy.
3. **Evolving Actor:** A China-linked espionage group (potentially Bronze Starlight) is diversifying its objectives to include significant extortion, which is atypical for established Chinese espionage units.
## Mitigations
- Prioritize defenses against DLL sideloading through legitimate signed executables: alert when a known vendor binary such as `toshdpdb.exe` runs from a user-writable directory or loads an unsigned DLL.
- Monitor for the specific PlugX chain described here (`toshdpdb.exe` loading `toshdpapi.dll`, `TosHdp.dat` on disk) and for the listed C&C domains and IP addresses.
- Patch internet-facing network devices promptly, in particular PAN-OS for CVE-2024-0012, since the attacker claimed this as the initial access vector.
- Tighten credential hygiene for cloud access keys stored on internal servers such as Veeam backup systems: avoid long-lived static keys where short-lived credentials are possible, scope each key to the minimum permissions the backup job needs, and audit hosts for keys left in configuration files.
- Monitor for proxy and tunnelling tools like NPS in environments where they are not explicitly authorized; their presence alongside espionage tooling was a distinguishing feature of this activity.
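The credential-hygiene point is the easiest one to check in practice: the theft in the ransomware phase worked because S3 credentials were sitting on a backup server where an intranet admin account could reach them. The script below is an added example, not vendor or Veeam code, that scans text and directory trees for AWS access key IDs and secret access keys so that such keys can be found and rotated before an intruder reads them. The regular expressions use the public AWS key formats (an access key ID starts with `AKIA` or `ASIA` followed by 16 upper-case alphanumerics; a secret is 40 base64-style characters); the sample configuration is constructed and uses the documented AWS example key pair, and the file-extension list is an assumption to extend for your own servers.

```python
"""Find AWS credentials at rest in configuration files on internal servers.
Added example; the sample config is constructed and uses the AWS example
key pair, not any real credential."""
import os
import re

# Access key IDs: AKIA (long-lived) or ASIA (temporary) + 16 upper-case alnum.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys have no fixed prefix, so anchor on the usual setting name and
# require exactly 40 base64-style characters after it.
AWS_SECRET_ACCESS_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,4}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# File types worth reading on a backup or management server (assumption).
SCAN_EXTENSIONS = {".cfg", ".conf", ".config", ".ini", ".xml", ".json", ".txt", ".env", ".ps1", ".bat"}

def mask(secret: str) -> str:
    """Keep only the ends so a finding can be reported without re-leaking it."""
    return secret[:4] + "..." + secret[-4:]

def scan_text(text: str, source: str) -> list:
    """Return one finding per credential-looking match, with line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_access_key_id", "value": mask(m.group(0))})
        for m in AWS_SECRET_ACCESS_KEY.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_secret_access_key", "value": mask(m.group(1))})
    return findings

def scan_tree(root: str, extensions=SCAN_EXTENSIONS, max_bytes: int = 4_000_000) -> list:
    """Walk root and scan every file with a matching extension (skipping huge
    files, which are usually data rather than configuration)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue
    return findings

# Constructed sample of what a backup job file might hold.  The key pair is
# the example pair from AWS documentation, not a live credential.
SAMPLE_CONFIG = """\
# constructed example backup repository settings
[s3-repository]
endpoint = s3.amazonaws.com
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
bucket = corp-backups
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "veeam-job.cfg"):
        print(f"{f['source']}:{f['line']} {f['kind']} {f['value']}")
```

A hit is a finding to act on, not just to log: rotate the key in IAM, confirm the backup job's role needs no more than `PutObject` on its own bucket, and check CloudTrail for use of the old key from unexpected addresses, since a stolen S3 key is exactly what let this attacker move data out before encrypting.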