- Chinese APT Jewelbug infiltrated a Russian IT provider, dwelling undetected for five months
- Attackers used renamed Microsoft debugger to bypass defenses and exfiltrate data via Yandex Cloud
- Symantec says China-based actors now target Russia despite perceived geopolitical alignment
Chinese hackers were recently seen targeting Russians, which raised eyebrows among the western cybersecurity community who perceive the two countries as allies in cyberspace and beyond.
Earlier this week, security outfit Symantec published a new report in which it detailed the work of Jewelbug, a Chinese state-sponsored threat actor that’s been “highly active in recent months.” In the report, Symantec said Jewelbug was seen going after targets in South America, South Asia, Taiwan and, most notably, Russia.
In early 2025, Jewelbug managed to sneak into the network of a Russian IT service provider, and remain there for no less than five months. During that time, they accessed code repositories and software build systems that they could leverage to run supply chain attacks against the IT service provider’s customers.
7zup.exe and Yandex
The compromise was spotted when researchers found a file named 7zup.exe on the IT provider’s system. This is a renamed copy of a legitimate, Microsoft binary, called CDB (Microsoft Console Debugger).
This tool can be used to run shellcode, bypass application whitelisting, launch executables, run DLLs, and terminate security solutions, Symantec added.
“Use of a renamed version of cbd.exe is a hallmark of Jewelbug activity,” the report reads. “Microsoft recommends that CDB should be blocked from running by default and whitelisted for specific users only when it’s explicitly needed.”
With the help of CBD, Jewelbug managed to dump credentials, establish persistence, and elevate privileges via scheduled tasks. They tried to cover their tracks by clearing Windows Event Logs, and used Yandex Cloud to exfiltrate data. Yandex is a Russian cloud service provider, which was probably chosen since it’s commonly used in the country and doesn’t usually raise any red flags.
“The targeting of a Russian organization by a Chinese APT group shows, however, that Russia is not out-of-bounds when it comes to operations by China-based actors,” Symantec concluded.
Via The Register
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
Add Comment