- China’s APT Jewelbug infiltrated a Russian IT provider, undetected for five months.
- Attackers used a renamed copy of a legitimate Microsoft debugger to bypass defenses and exfiltrate data via Yandex Cloud
- Symantec says China-based actors are now targeting Russia despite perceived geopolitical alignment
Chinese hackers have recently been seen targeting Russians, raising eyebrows in the Western cybersecurity community, which views the two countries as allies in cyberspace and beyond.
Earlier this week, security firm Symantec released a new report detailing the work of Jewelbug, a Chinese state-sponsored threat actor that has been “very active in recent months.” In the report, Symantec said Jewelbug was seen attacking targets in South America, South Asia, Taiwan and, most notably, Russia.
In early 2025, Jewelbug managed to sneak into the network of a Russian IT service provider, and remained there for no less than five months. During this time, they gained access to code repositories and software creation systems that they could exploit to launch supply chain attacks against the IT service provider’s customers.
7zup.exe and Yandex
The compromise was spotted when researchers found a file named 7zup.exe on the IT provider’s system. This is a renamed copy of a legitimate Microsoft binary, called CDB (Microsoft Console Debugger).
This tool can be used to execute shellcode, bypass application whitelisting, launch executables, run DLLs, and terminate security solutions, Symantec added.
“A hallmark of Jewelbug’s activity is the use of a renamed version of cdb.exe,” the report states. “Microsoft recommends that CDB execution be blocked by default and whitelisted for specific users only when explicitly necessary.”
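As an added illustration (not code from the Symantec report or this article), the following Python triage script applies the two points above to constructed Sysmon-style process-creation records: a renamed cdb.exe still carries "CDB.Exe" as its PE OriginalFileName, and any CDB launch by an account outside a hypothetical allow-list is flagged, in line with the block-by-default guidance quoted from Microsoft.

```python
import ntpath

# Constructed sample records in the shape of Sysmon Event ID 1 (process creation).
# They are illustrative only, not telemetry from the incident described above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\7zup.exe", "OriginalFileName": "CDB.Exe",
     "User": r"CORP\svc_build"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "CDB.Exe", "User": r"CORP\dev01"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "CDB.Exe", "User": r"CORP\helpdesk"},
    {"EventID": 1, "Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
     "User": r"CORP\dev01"},
]

# Hypothetical allow-list: the only accounts permitted to run CDB, following the
# "block by default, allow specific users" recommendation quoted in the report.
ALLOWED_CDB_USERS = {r"CORP\dev01"}


def classify_event(ev):
    """Return (severity, reason) for a suspicious CDB launch, or None if benign.

    The PE header's OriginalFileName survives renaming on disk, so comparing it
    with the on-disk file name catches cdb.exe masquerading as e.g. 7zup.exe.
    """
    if ev.get("EventID") != 1:
        return None
    original = (ev.get("OriginalFileName") or "").lower()
    if original != "cdb.exe":
        return None
    image = ev.get("Image", "")
    on_disk = ntpath.basename(image).lower()
    if on_disk != original:
        return ("high", f"renamed CDB: {image} has PE original name {original}")
    if ev.get("User") not in ALLOWED_CDB_USERS:
        return ("medium", f"CDB run by non-allow-listed user {ev.get('User')}: {image}")
    return None


def scan(events):
    """Apply classify_event to every record and collect (image, severity, reason)."""
    findings = []
    for ev in events:
        finding = classify_event(ev)
        if finding:
            findings.append((ev.get("Image", ""), *finding))
    return findings


if __name__ == "__main__":
    for image, severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```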
With the help of CDB, Jewelbug extracted credentials, established persistence, and elevated privileges via scheduled tasks. They tried to cover their tracks by clearing Windows event logs and used Yandex Cloud to exfiltrate the data. Yandex is a Russian cloud service provider, likely chosen because it is commonly used in the country and generally does not raise any red flags.
“The targeting of a Russian organization by a Chinese APT group, however, shows that Russia is not left behind when it comes to operations carried out by actors based in China,” Symantec concluded.
Via The Register