A threat actor with ties to China has been attributed to a five-month-long intrusion targeting a Russian IT service provider, marking the hacking group's expansion into that country beyond its usual targets in Southeast Asia and South America. The findings suggest Russia is not off-limits for Chinese cyber espionage operations despite increased "military, economic, and diplomatic" relations between Moscow and Beijing.

The threat actor has also been linked to an intrusion at a large South American government organization in July 2025, where it deployed a previously undocumented backdoor that's said to be still under development. Other targets include an IT provider based in South Asia and a Taiwanese company, attacked in October and November 2024 respectively, with the attack on the latter leveraging DLL side-loading techniques to drop malicious payloads. The malware can gather system data, list files on targeted computers, and upload the data to OneDrive using the Microsoft Graph API, with OneDrive also serving as the command-and-control (C2) channel.

The revelation coincides with a warning from Taiwan's National Security Bureau about an increase in Chinese cyberattacks against its government agencies. "Jewelbug's preference for using cloud services and other legitimate tools in its operations indicates that remaining under the radar and establishing a stealthy and persistent presence on victim networks is of utmost importance to this group," Symantec wrote in a blog post on Monday. The post also criticizes Beijing's "online troll army" for trying to spread fake content across social networks, erode public confidence in the government, and sow mistrust in the United States. It states that the group is thought to be based in China, but that it's unclear whether it is connected to the Chinese government or the People's Republic of China (PRC), which has previously been charged with cyberattacks on its own government agencies.

The charges have been refuted by the PRC.