Chinese Cyber Espionage Group ‘Jewelbug’ Infiltrates Russian IT Network for Five Months

A China-linked cyber espionage group tracked as ‘Jewelbug’ has been tied to a prolonged intrusion into the network of a Russian IT service provider, lasting from January to May 2025. The operation marks an expansion beyond the group’s usual targets in Southeast Asia and South America.

Symantec, a cybersecurity firm owned by Broadcom, found that Jewelbug’s activity overlaps with clusters tracked by other vendors as CL-STA-0049 (Palo Alto Networks Unit 42), Earth Alux (Trend Micro), and REF7707 (Elastic Security Labs). Overlaps of this kind normally mean that several vendors are tracking the same actor under different names, not that separate groups are coordinating.

Despite the strengthening military, economic, and diplomatic ties between Moscow and Beijing, the breach shows that Russian entities are not off limits to Chinese espionage operations. The attackers reached the provider’s code repositories and software build systems, which would have put them in a position to mount supply chain attacks against the company’s Russian customers. Exfiltrated data was sent to Yandex Cloud, a Russian cloud service, presumably because transfers to a domestic provider attract less scrutiny than traffic to foreign infrastructure.

Jewelbug’s Tactics and Techniques

Jewelbug’s operations combine living-off-the-land execution, credential theft, and anti-forensics to get into a network and stay there unnoticed:

– Execution and Defense Evasion: The group ran a renamed copy of the Microsoft Console Debugger (cdb.exe) to execute shellcode. Because cdb.exe is a legitimate Microsoft-signed binary, allowlisting policies that trust any Microsoft-signed code let it run, and renaming the file defeats simple name-based blocks. From the debugger the attackers could launch executables, load DLLs, and terminate security processes.

– Credential Dumping: Once inside, Jewelbug used Mimikatz to dump credentials from memory and then reused them to move laterally through the network.

– Persistence: The attackers created scheduled tasks so their tooling would be relaunched after a reboot. Task creation is recorded as Security event 4698 when the corresponding audit policy is enabled, which makes it a cheap signal to collect.

– Log Manipulation: The group cleared Windows Event Logs to hide its activity and complicate forensic reconstruction. Clearing the Security log itself leaves a Security event 1102 record (and clearing other logs a System event 104), which is one of the few reliable indicators of this tactic if the events are forwarded off-host before they can be wiped.

Strategic Targeting of IT Service Providers

By compromising IT service providers, Jewelbug gains a position from which to mount supply chain attacks: access to a provider’s repositories and build pipelines lets the group push backdoored updates or tampered builds to many downstream customers at once, multiplying the impact of a single intrusion.

Global Reach and Evolving Capabilities

Jewelbug’s activities are not confined to Russia. In July 2025 the group targeted a major South American government organization with a previously undocumented backdoor. The malware uses the Microsoft Graph API and OneDrive for command-and-control communications: it collects system information, enumerates files, and uploads the results to OneDrive. Because traffic to graph.microsoft.com looks, at the network layer, like ordinary Microsoft 365 usage, the backdoor blends in with normal activity and leaves little for network-based detection to work with.

Earlier, in October and November 2024, Jewelbug attacked a Taiwanese company, using DLL side-loading (a legitimate signed executable tricked into loading a malicious DLL that carries the name it expects) to deploy its payloads, including ShadowPad, a backdoor that has only been observed in the hands of China-linked groups. The infection chain involved:

– Security Software Disabling: Deployment of the KillAV tool to terminate security products.

– Kernel Access via BYOVD: Use of EchoDrv, which exploits a vulnerability in the ECHOAC anti-cheat driver. In a bring your own vulnerable driver (BYOVD) attack the intruder loads a legitimately signed but flawed driver and abuses it to run code in the kernel, typically to kill protected security processes that cannot be stopped from user mode.

– Credential Theft: Dumping the memory of the LSASS process and running Mimikatz to recover credentials from it.

– Privilege Escalation: Use of PrintNotifyPotato, CoercedPotato, and SweetPotato, a family of tools that abuse the SeImpersonatePrivilege held by service accounts to obtain SYSTEM on the host.

– Network Tunneling: Deployment of EarthWorm, a SOCKS tunneling utility previously used by other China-linked groups such as Gelsemium, LuckyMouse, and Velvet Ant, to proxy attacker traffic into the internal network.
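As an added example that is not part of Symantec’s report or this article, the following Python script shows detection logic for the tradecraft described in the two lists above (the renamed cdb.exe, event log clearing, scheduled task persistence, LSASS credential dumping, and BYOVD driver loading) run over constructed Sysmon and Windows Security events. The event field names are simplified versions of the real log fields, the driver file name in the watch set is an assumption, and the allowlists and path hints are placeholders to be tuned for a real environment.

```python
# Added example (not Symantec's or the article's code): detection logic for five of the
# Jewelbug behaviours described on this page, run over constructed Sysmon / Security
# events. Field names follow Sysmon and Windows Security log semantics but are
# simplified; "task_command" is assumed to have been extracted from the TaskContent XML.
import os
from dataclasses import dataclass

# Processes that legitimately open LSASS for reading; tune per environment.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "msmpeng.exe"}
# Directory fragments where attacker-staged binaries and drivers typically live.
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\", "\\public\\")
# Driver file names to watch. "echo_driver.sys" is the ASSUMED file name of the ECHOAC
# driver abused by EchoDrv; populate this set from Microsoft's vulnerable driver blocklist.
WATCHED_DRIVERS = {"echo_driver.sys"}
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

@dataclass
class Finding:
    rule: str
    host: str
    detail: str

def _base(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()

def renamed_cdb(ev):
    """Sysmon EID 1: OriginalFileName comes from the PE version resource, so a renamed
    copy of cdb.exe still reports CDB.EXE. Flag a rename, or cdb.exe outside the SDK dir."""
    if ev["channel"] != "Sysmon" or ev["event_id"] != 1:
        return None
    if str(ev.get("original_file_name", "")).lower() != "cdb.exe":
        return None
    image = ev["image"].lower()
    if _base(image) != "cdb.exe" or "windows kits" not in image:
        return Finding("renamed_or_relocated_cdb", ev["host"], f"{ev['image']} {ev.get('command_line', '')}")
    return None

def log_cleared(ev):
    """Security EID 1102 (audit log cleared) or System EID 104 (another log cleared)."""
    if (ev["channel"], ev["event_id"]) in {("Security", 1102), ("System", 104)}:
        return Finding("event_log_cleared", ev["host"], f"by {ev.get('user', '?')}")
    return None

def suspicious_task(ev):
    """Security EID 4698: a new scheduled task whose payload sits in a user-writable path."""
    if ev["channel"] != "Security" or ev["event_id"] != 4698:
        return None
    cmd = str(ev.get("task_command", "")).lower()
    if any(h in cmd for h in USER_WRITABLE_HINTS):
        return Finding("scheduled_task_from_user_writable_path", ev["host"],
                       f"{ev.get('task_name')} -> {ev.get('task_command')}")
    return None

def lsass_read(ev):
    """Sysmon EID 10: read access to LSASS from a process outside the allowlist
    (the access pattern that Mimikatz-style credential dumping produces)."""
    if ev["channel"] != "Sysmon" or ev["event_id"] != 10:
        return None
    if _base(ev["target_image"]) != "lsass.exe":
        return None
    if ev["granted_access"] & PROCESS_VM_READ and _base(ev["source_image"]) not in LSASS_ALLOWED_SOURCES:
        return Finding("lsass_memory_read", ev["host"],
                       f"{ev['source_image']} access=0x{ev['granted_access']:x}")
    return None

def vulnerable_driver(ev):
    """Sysmon EID 6: a watched driver, or any driver loading from a user-writable path (BYOVD)."""
    if ev["channel"] != "Sysmon" or ev["event_id"] != 6:
        return None
    image = ev["image_loaded"].lower()
    if _base(image) in WATCHED_DRIVERS or any(h in image for h in USER_WRITABLE_HINTS):
        return Finding("vulnerable_or_staged_driver_load", ev["host"],
                       f"{ev['image_loaded']} signer={ev.get('signature', '?')}")
    return None

RULES = (renamed_cdb, log_cleared, suspicious_task, lsass_read, vulnerable_driver)

def evaluate(events):
    """Run every rule over every event and return the findings in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev)) is not None]

# Constructed sample telemetry: events 1, 5 and 8 are benign, the rest mirror the page's TTPs.
SAMPLE_EVENTS = [
    {"channel": "Sysmon", "event_id": 1, "host": "BUILD01", "original_file_name": "CDB.EXE",
     "image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe", "command_line": "cdb.exe -z crash.dmp"},
    {"channel": "Sysmon", "event_id": 1, "host": "BUILD01", "original_file_name": "CDB.EXE",
     "image": r"C:\ProgramData\svchost.exe", "command_line": r"svchost.exe -cf C:\ProgramData\t.txt"},
    {"channel": "Security", "event_id": 1102, "host": "BUILD01", "user": r"CORP\svc-build"},
    {"channel": "Security", "event_id": 4698, "host": "BUILD01", "task_name": r"\Microsoft\Windows\Update",
     "task_command": r"C:\Users\Public\update.exe"},
    {"channel": "Sysmon", "event_id": 10, "host": "REPO01", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1FFFFF},
    {"channel": "Sysmon", "event_id": 10, "host": "REPO01", "source_image": r"C:\Users\Public\m.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    {"channel": "Sysmon", "event_id": 6, "host": "REPO01", "image_loaded": r"C:\Users\Public\echo_driver.sys",
     "signature": "third-party (constructed)"},
    {"channel": "Sysmon", "event_id": 6, "host": "REPO01", "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the sample, the script reports five findings, one per malicious event, and stays silent on the three benign ones. The OriginalFileName comparison is the key trick for the renamed debugger: renaming the file changes the on-disk name but not the version resource Sysmon reads, so the check survives whatever name the attacker chooses. The driver rule deliberately does not flag every driver outside System32\drivers, since legitimate third-party drivers load from the DriverStore; it relies on the watch set plus staging directories instead.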

Implications and Recommendations

Jewelbug’s activity shows how persistent and adaptable Chinese cyber espionage remains. A group that targets Russian IT providers, South American governments, and Taiwanese companies alike, reusing tooling shared across China-linked actors, calls for defenses matched to its tradecraft rather than generic hygiene alone.

Organizations, especially those in critical sectors like IT services, government, and manufacturing, should:

– Enhance Monitoring: Alert on Microsoft-signed debuggers and other living-off-the-land binaries that run renamed or from unexpected paths (compare the PE OriginalFileName with the on-disk name), on Security event 1102 and System event 104 log clearing, on new scheduled tasks (Security event 4698) whose payload lives in a user-writable directory, on LSASS memory access from unexpected processes, on driver loads that match Microsoft’s vulnerable driver blocklist, and on bulk outbound transfers to cloud storage such as Yandex Cloud, OneDrive, or the Microsoft Graph API from repository and build hosts that have no business need for them. Forward logs off-host so that clearing them locally does not erase the evidence.

– Harden and Update Systems: Patch promptly, enable Microsoft’s vulnerable driver blocklist (enforced through HVCI or Smart App Control) so that signed-but-vulnerable drivers such as the ECHOAC one cannot be loaded, and tighten application allowlisting: WDAC and AppLocker rules that trust any Microsoft-signed binary should be combined with Microsoft’s recommended block rules, which already cover cdb.exe and its sibling debuggers.

– Conduct Security Training: Teach staff to recognize phishing and the other common footholds that precede intrusions of this kind.

– Strengthen Identity Controls: Require multi-factor authentication (MFA) for remote and administrative access, enable LSA protection (RunAsPPL) or Credential Guard to blunt Mimikatz-style dumping, and separate build, repository, and administrative accounts so that a single dumped credential does not open the whole environment to lateral movement.

– Develop Incident Response Plans: Maintain and rehearse procedures that, for an IT or software provider, include verifying the integrity of code repositories, build systems, and released artifacts, since an intruder with build access can turn a compromise into a supply chain attack on customers.

Measures matched this closely to the observed techniques give organizations a far better chance of detecting and containing an advanced persistent threat like Jewelbug before access to repositories and build systems turns into a supply chain compromise.