Full Report
A threat actor with ties to China has been attributed to a five-month-long intrusion targeting a Russian IT service provider, marking the hacking group's expansion to the country beyond Southeast Asia and South America. The activity, which took place from January to May 2025, has been attributed by Broadcom-owned Symantec to a threat actor it tracks as Jewelbug, which it said overlaps with
Analysis Summary
# Threat Actor: Jewelbug
## Attribution & Identity
Attributed to a threat actor with ties to **China**.
**Known Aliases/Associations:**
* CL-STA-0049 (Palo Alto Networks Unit 42)
* Earth Alux (Trend Micro)
* REF7707 (Elastic Security Labs)
## Activity Summary
Jewelbug has been active since at least Q2 2023 and focuses on cyber espionage. The campaign detailed in the article is a **five-month intrusion (January to May 2025) at a Russian IT service provider**, during which the actor reached the provider's code repositories and software build systems; control of a build system is a direct route into the software the provider ships to its customers, so the breach carries a significant supply chain risk. The actor also intruded into a **large South American government organization in July 2025**. Other observed targets include an **IT provider based in South Asia** and a **Taiwanese company (October/November 2024)**. The repeated targeting of IT service providers points to an objective of enabling downstream supply chain attacks.
## Tactics, Techniques & Procedures
- **Execution/Defense Evasion:** Ran a renamed copy of the Microsoft Console Debugger (`cdb.exe`), a signed Windows SDK binary, to execute shellcode, launch executables and terminate security products. Because the debugger itself is trusted, the technique slips past application allowlisting; renaming the file does not change the PE's original file name or its signature.
- **Persistence:** Established persistence via **scheduled tasks**.
- **Defense Evasion:** Used the **KillAV** tool to disable security software and **cleared Windows Event Logs** to conceal activity.
- **Credential Access:** Dumped credentials from **LSASS** memory, including with **Mimikatz**.
- **Privilege Escalation:** Used the publicly available **EchoDrv** tool in a Bring Your Own Vulnerable Driver (BYOVD) attack, loading the vulnerable ECHOAC anti-cheat driver to obtain arbitrary kernel read/write. Also used the public Potato-family exploits **PrintNotifyPotato, CoercedPotato and SweetPotato**, which abuse `SeImpersonatePrivilege` on a service account to obtain SYSTEM.
- **Command and Control (C2):** Utilized a newly developed backdoor that communicates via **Microsoft Graph API and OneDrive**.
- **Supply Chain:** Compromised an IT service provider to potentially inject malicious code into software updates targeting downstream customers.
- **Malware Used:** FINALDRAFT (aka Squidoor, a backdoor with Windows and Linux variants), ShadowPad (a backdoor shared among China-nexus espionage groups), VARGEIT, and COBEACON (Cobalt Strike Beacon).
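Three of the TTPs above (the renamed `cdb.exe`, scheduled-task persistence, and event-log clearing) leave traces in standard Windows telemetry. The following hunting script is an added example, not code from Symantec or the article; it runs over constructed Sysmon Event ID 1 and Security 4698/1102 records (field names follow those schemas, values are made up), and the user-writable-path and SDK-directory patterns are assumptions to tune per environment.

```python
"""Hunting checks for three Jewelbug TTPs over Sysmon/Windows Security records:
a renamed cdb.exe, scheduled-task persistence launching from a user-writable
path, and event-log clearing.  Added example; the records below are
constructed, not telemetry from the intrusion."""
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule host detail")

# Directories a non-admin user can write to (assumed list).  A "debugger" or a
# task action living here deserves a look; one under the Windows SDK usually does not.
USER_WRITABLE = re.compile(r"^[a-z]:\\(programdata|users|temp|windows\\temp)\\", re.I)
SDK_DEBUGGER_DIR = re.compile(r"\\windows kits\\\d+\\debuggers\\", re.I)
TASK_COMMAND = re.compile(r"<Command>(.*?)</Command>", re.I | re.S)


def rule_renamed_cdb(ev):
    """Sysmon Event ID 1 carries the PE's OriginalFileName, which survives a file
    rename.  Flag cdb.exe whose on-disk name differs, or that runs outside the
    SDK debugger directory."""
    if ev.get("EventID") != 1 or ev.get("OriginalFileName", "").lower() != "cdb.exe":
        return None
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    if ntpath.basename(image).lower() != "cdb.exe":
        return Finding("renamed_cdb", ev["Host"], f"{image} is cdb.exe under another name; cmdline: {cmd}")
    if not SDK_DEBUGGER_DIR.search(image):
        return Finding("cdb_outside_sdk", ev["Host"], f"cdb.exe running from {image}; cmdline: {cmd}")
    return None


def rule_task_user_writable(ev):
    """Security Event ID 4698 (task created) includes the task XML.  Flag an
    <Exec> action whose binary sits in a user-writable directory."""
    if ev.get("EventID") != 4698:
        return None
    for command in TASK_COMMAND.findall(ev.get("TaskContent", "")):
        if USER_WRITABLE.match(command.strip()):
            return Finding("task_in_user_writable_path", ev["Host"],
                           f"{ev.get('TaskName')} runs {command.strip()}")
    return None


def rule_log_cleared(ev):
    """Security 1102 = Security log cleared; System 104 = another log cleared."""
    if (ev.get("EventID"), ev.get("Channel")) in ((1102, "Security"), (104, "System")):
        return Finding("event_log_cleared", ev["Host"],
                       f"{ev.get('Channel')} log cleared by {ev.get('SubjectUserName', '?')}")
    return None


RULES = (rule_renamed_cdb, rule_task_user_writable, rule_log_cleared)


def detect(events):
    """Run every rule over every event, in order; return the findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample records (not real telemetry).  The first one is a benign
# cdb.exe run from the SDK and must not fire; the rest model the TTPs above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "ws01",
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "CDB.Exe", "CommandLine": "cdb.exe -p 4132",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Host": "ws01", "Image": r"C:\ProgramData\svc\update.exe",
     "OriginalFileName": "CDB.Exe",
     "CommandLine": r"update.exe -cf C:\ProgramData\svc\init.wds -o notepad.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4698, "Host": "ws01", "Channel": "Security",
     "TaskName": r"\Microsoft\Windows\SvcUpdate",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\ProgramData\\svc\\update.exe</Command>"
                    "<Arguments>-cf C:\\ProgramData\\svc\\init.wds</Arguments></Exec></Actions></Task>"},
    {"EventID": 1102, "Host": "ws01", "Channel": "Security", "SubjectUserName": "svc_backup"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The point of keying on `OriginalFileName` (and, in production, the signer and hash) rather than `Image` is that the actor's rename defeats any rule written against the file name; the benign first record shows the SDK path exclusion keeps developer workstations quiet.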
## Targeting
- **Sectors:** IT Services, Government, Technology, Logistics, Manufacturing, Telecommunications, Retail.
- **Geography:** Russia (recent focus), Asia-Pacific (APAC), Latin America (LATAM), South Asia, Taiwan.
- **Victims:** A Russian IT service provider (Jan-May 2025), a large South American government organization (July 2025), an IT provider in South Asia, a Taiwanese company (Oct/Nov 2024).
## Tools & Infrastructure
- **Malware and tools:** FINALDRAFT (aka Squidoor), ShadowPad, VARGEIT, COBEACON, KillAV, EchoDrv.
- **Infrastructure (C2, domains, IPs):**
- C2/Exfiltration: **Microsoft Graph API and OneDrive**.
- Exfiltration was also observed to **Yandex Cloud** in the Russian incident.
- Exploited vulnerable driver: **ECHOAC anti-cheat driver**.
- Used publicly available exploitation tools: PrintNotifyPotato, CoercedPotato, SweetPotato.
## Implications
The infiltration of a Russian IT service provider by a Chinese state-nexus actor, despite close bilateral relations, shows that cyber espionage remains a high priority even against perceived allies. The focus on IT service providers indicates a strategic posture aimed at enabling large-scale **supply chain attacks** against multiple Russian entities through compromised software builds. The actor is also evolving: its new backdoor uses legitimate cloud services (Microsoft Graph API and OneDrive) for C2, which blends command traffic into connections to trusted Microsoft domains, lengthens dwell time and complicates forensics.
## Mitigations
- Vet third-party build pipelines and code repositories, and treat an IT service provider's build systems as part of your own attack surface: a compromised build can push malicious updates to every downstream customer.
- Monitor for the Microsoft Console Debugger being used in suspicious execution chains (loading shellcode, spawning processes); match on the PE's original file name, signer and hash rather than the image name, since the actor renames `cdb.exe`.
- Implement controls to monitor and restrict kernel driver interactions, especially public/vulnerable drivers, to prevent BYOVD attacks.
- Baseline which processes legitimately talk to Microsoft Graph API and OneDrive, and alert on other processes contacting those endpoints, especially on a regular, beacon-like cadence; traffic to Microsoft cloud domains will not stand out on a network allowlist, so the process and the timing are the signal.
- Review scheduled tasks for persistence mechanisms that might circumvent standard security checks.
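The Graph API/OneDrive C2 channel noted under Tools & Infrastructure and the monitoring mitigation above both come down to the same hunt: which process is contacting the Microsoft endpoints, and how regularly. The script below is an added example (not code from Symantec or the article) that runs over constructed proxy log lines; the expected-process allowlist, the log line format and the jitter threshold are assumptions to be tuned for a given fleet.

```python
"""Flag contact with Microsoft Graph / OneDrive endpoints from processes that
have no business talking to them, and beacon-like periodicity from any process.
Added example over constructed proxy log lines; the allowlist and thresholds
are assumptions, not values from the report."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Endpoints a Graph/OneDrive-based backdoor has to reach (real hostnames).
CLOUD_C2_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com", "api.onedrive.com"}
# Processes expected to talk to these endpoints (assumed; extend for your fleet).
EXPECTED_PROCESSES = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe", "explorer.exe"}

# Constructed log format: "<ISO timestamp> host=<name> proc=<image name> dst=<hostname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)")


def parse(lines):
    """Yield (timestamp, host, process, destination) for every well-formed line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["proc"].lower(), m["dst"].lower()


def find_beacons(lines, min_hits=4, max_cv=0.15):
    """Group connections to the Graph/OneDrive endpoints by (host, process, dst).
    Alert when the process is not on the allowlist, or when at least min_hits
    connections arrive with a coefficient of variation of the gaps <= max_cv
    (a fixed sleep with little jitter looks like this; human activity does not)."""
    series = defaultdict(list)
    for ts, host, proc, dst in parse(lines):
        if dst in CLOUD_C2_HOSTS:
            series[(host, proc, dst)].append(ts)
    alerts = []
    for (host, proc, dst), stamps in series.items():
        stamps.sort()
        reasons = []
        if proc not in EXPECTED_PROCESSES:
            reasons.append("unexpected process")
        if len(stamps) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            m = mean(gaps)
            if m > 0 and pstdev(gaps) / m <= max_cv:
                reasons.append(f"periodic every ~{m:.0f}s")
        if reasons:
            alerts.append({"host": host, "process": proc, "dst": dst,
                           "hits": len(stamps), "reasons": reasons})
    return alerts


# Constructed sample log: OneDrive syncing irregularly (benign), a browser
# touching Graph twice (benign), and an unknown binary checking in every ~5 min.
SAMPLE_LOG = """\
2025-03-04T08:10:00 host=ws01 proc=OneDrive.exe dst=graph.microsoft.com
2025-03-04T08:47:13 host=ws01 proc=OneDrive.exe dst=graph.microsoft.com
2025-03-04T09:00:00 host=ws01 proc=update.exe dst=graph.microsoft.com
2025-03-04T09:02:30 host=ws01 proc=msedge.exe dst=graph.microsoft.com
2025-03-04T09:03:10 host=ws01 proc=update.exe dst=example.com
2025-03-04T09:05:02 host=ws01 proc=update.exe dst=graph.microsoft.com
2025-03-04T09:09:58 host=ws01 proc=update.exe dst=graph.microsoft.com
2025-03-04T09:15:01 host=ws01 proc=update.exe dst=graph.microsoft.com
2025-03-04T09:20:00 host=ws01 proc=update.exe dst=graph.microsoft.com
2025-03-04T09:31:40 host=ws01 proc=OneDrive.exe dst=graph.microsoft.com
2025-03-04T09:40:05 host=ws01 proc=msedge.exe dst=graph.microsoft.com
""".splitlines()

if __name__ == "__main__":
    for a in find_beacons(SAMPLE_LOG):
        print(f"{a['host']} {a['process']} -> {a['dst']} ({a['hits']} hits): {', '.join(a['reasons'])}")
```

Two caveats for real use: the process allowlist alone will be noisy wherever users run arbitrary Graph-aware tooling, so the periodicity signal is the one worth paging on, and a backdoor that randomises its sleep widely will push the coefficient of variation above the threshold, which is why the process check stays in as a second, independent trigger.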