China government-linked hackers caught running a seriously dangerous ransomware scam

Symantec researchers observed Chinese state-sponsored threat actors running ransomware against an Asian software and services firm
They claim it’s highly unusual activity for state attackers
The attackers demanded $2 million in ransom

Emperor Dragonfly, a known Chinese state-sponsored threat actor, recently did something unusual – it deployed a ransomware encryptor on a target’s network.

A report from Symantec’s Threat Hunter Team, which observed the attack in late 2024, noted how they had observed, on multiple occasions, the group doing what it usually does – side-loading malicious DLL files (via a legitimate Toshiba executable) to drop backdoors and establish persistence. The goal was, as it’s usual with state-sponsored attackers, cyber-espionage.

The victims were mostly foreign ministries of eastern European countries, and similar state agencies. But then, in late 2024, Emperor Dragonfly was seen using the same method to establish persistence – and then drop a ransomware payload – against an Asian software and services company. The group used the RA World ransomware variant, and demanded $2 million in ransom ($1 million if paid within three days).

A distraction

For Chinese state-sponsored threat actors, this is highly unusual, Symantec says. North Korean actors are often engaged in ransomware and are using the stolen money to fund their state agencies and weapons programs. The Chinese, however, are more interested in cyber-espionage. That being said, Symantec suspects that the ransomware attack, in this case, may have been a distraction, to hide the tracks of a larger operation – most likely an espionage one.

The initial attack vector was not disclosed, but the hackers did state that they abused a known Palo Alto PAN-OS vulnerability (CVE-2024-0012) to breach the infrastructure. “The attacker then said administrative credentials were obtained from the company’s intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers,” the researchers explained.

The final step was using the same DLL side-loading methodology.

https://cdn.mos.cms.futurecdn.net/EEXAxCUDKAq3frELz3rVYY-1200-80.jpg

Source link

EU cyberattack may have been worse than we thought – 90GB of data published online as 30 entities hit

I’m TechRadar’s 4K Blu-ray tester — here are the 4 new discs I’m most excited about reviewing in April 2026

‘I think EmDash was created to sell more Cloudflare services’: WordPress co-founder Matt Mullenweg gives his verdict on Cloudflare’s EmDash

The leadership dilemma: Governing the “Agentic AI” workforce

Ex-Israeli Intelligence Official: Shockwaves of Trump’s “Take Over Gaza” Heard, Felt Across Region

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

2026 Far East Film Festival Lineup

Dennis Quaid to Receive Patriot Ally Award at 2026 MV Awards Gala

Gucci Mane Allegedly Kidnapped, Robbed by Pooh Shiesty, Big30

Cynthia Erivo Is Bright and Early for Morning TV While in London, Plus Joshua Jackson, Barbie Ferreira, Kit Harington and More

United Homes Group amends credit agreements, waives certain covenants amid pending merger

Dell’s CFO built a 27-year career without leaving the company. Here’s how he kept moving up

US targets Chinese chipmaking with proposed export restrictions on ASML and others

JPMorgan surveyed 100+ billionaires worth $500 billion—the No. 1 habit they share might surprise you

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

China government-linked hackers caught running a seriously dangerous ransomware scam

2026 Far East Film Festival Lineup

United Homes Group amends credit agreements, waives certain covenants amid pending merger

EU cyberattack may have been worse than we thought – 90GB of data published online as 30 entities hit

Dennis Quaid to Receive Patriot Ally Award at 2026 MV Awards Gala