RA World Ransomware Attack in South Asia Links to Chinese Espionage Toolset

An RA World ransomware attack in November 2024 targeting an unnamed Asian software and services company involved the use of a malicious tool exclusively used by China-based cyber espionage groups, raising the possibility that the threat actor may be moonlighting as a ransomware player in an individual capacity.

“During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

“In all the prior intrusions involving the toolset, the attacker appeared to be engaged in classic espionage, seemingly solely interested in maintaining a persistent presence on the targeted organizations by installing backdoors.”

This included a July 2024 compromise of the Foreign Ministry of a country in southeastern Europe that involved the use of classic DLL side-loading techniques to deploy PlugX (aka Korplug), a malware repeatedly used by the Mustang Panda (aka Fireant and RedDelta) actor.

Specifically, the attack chain entails the use of a legitimate Toshiba executable named “toshdpdb.exe” to sideload a malicious DLL named “toshdpapi.dll,” which, in turn, acts as a conduit to load the encrypted PlugX payload.
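The side-loading chain described above (a signed vendor executable pulling in an attacker-supplied DLL that sits next to it) is something image-load telemetry can surface. The following Python script is an added illustration, not code from Symantec or from the report; it applies three simple heuristics to constructed Sysmon-style "image loaded" records. The file paths, the signature results, and the use of `C:\Users\Public` as the staging directory are all constructed for the example; only the two file names come from the article.

```python
"""Heuristic triage of DLL side-loading from image-load telemetry.

Input records are constructed for this example and mimic the fields of a
Sysmon Event ID 7 (Image Loaded) event after Authenticode verification.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Directories where signed vendor binaries normally live.
TRUSTED_ROOTS = (
    r"c:\windows\\",
    r"c:\program files\\",
    r"c:\program files (x86)\\",
)
# Substrings typical of user-writable staging locations.
STAGING_HINTS = (r"\temp\\", r"\downloads\\", r"\programdata\\",
                 r"\users\public\\", r"\appdata\\")


@dataclass(frozen=True)
class ImageLoad:
    process: str          # full path of the process that loaded the DLL
    image: str            # full path of the loaded DLL
    process_signed: bool  # Authenticode result for the process binary
    image_signed: bool    # Authenticode result for the DLL


def _outside_trusted_roots(path: str) -> bool:
    return not path.lower().startswith(tuple(r.rstrip("\\") + "\\" for r in TRUSTED_ROOTS))


def _in_staging_dir(path: str) -> bool:
    low = path.lower()
    return any(h.rstrip("\\") + "\\" in low for h in STAGING_HINTS)


def sideload_reasons(ev: ImageLoad) -> List[str]:
    """Return the heuristics that fire for one image-load event (empty = benign)."""
    reasons = []
    same_dir = PureWindowsPath(ev.process).parent == PureWindowsPath(ev.image).parent
    if ev.process_signed and not ev.image_signed and same_dir:
        reasons.append("signed host process loaded an unsigned DLL from its own directory")
    if ev.process_signed and _outside_trusted_roots(ev.process):
        reasons.append("signed vendor binary running outside standard program directories")
    if _in_staging_dir(ev.image):
        reasons.append("DLL loaded from a user-writable staging directory")
    return reasons


def triage(events: List[ImageLoad]) -> List[Tuple[ImageLoad, List[str]]]:
    """Keep only events that trip at least one heuristic, with the reasons."""
    return [(ev, r) for ev in events if (r := sideload_reasons(ev))]


# Constructed sample telemetry: one side-load pattern, two benign loads.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\Public\toshdpdb.exe",
              r"C:\Users\Public\toshdpapi.dll", True, False),
    ImageLoad(r"C:\Program Files\Toshiba\toshdpdb.exe",
              r"C:\Program Files\Toshiba\toshdpapi.dll", True, True),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\ntdll.dll", True, True),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.process, "->", ev.image)
        for r in reasons:
            print("   -", r)
```

The first record trips all three heuristics; the same pair of files installed under `Program Files` with a signed DLL trips none, which is the point: the file names alone are not the signal, the combination of a signed loader, an unsigned DLL beside it, and an unusual location is.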

Other intrusions linked to the same toolset have been observed in connection with attacks targeting two different government entities in Southeastern Europe and Southeast Asia in August 2024, a telecom operator in September 2024, and another government ministry in a different Southeast Asian country in January 2025.

However, Symantec noted that it observed the PlugX variant being deployed in November 2024 as part of a criminal extortion campaign against a medium-sized software and services company in South Asia.

It’s not exactly clear how the company’s network was compromised, although the attacker claimed to have done so by exploiting a known security flaw in Palo Alto Networks PAN-OS software (CVE-2024-0012). The attack culminated with the machines getting encrypted with the RA World ransomware, but not before the Toshiba binary was used to launch the PlugX malware.

At this point, it’s worth noting that prior analyses from Cisco Talos and Palo Alto Networks Unit 42 have uncovered tradecraft overlaps between RA World (formerly called RA Group) and a Chinese threat group known as Bronze Starlight (aka Storm-401 and Emperor Dragonfly) that has a history of using short-lived ransomware families.

While it’s not known why an espionage actor is also conducting a financially motivated attack, Symantec theorized that a lone actor is likely behind the effort and that they were attempting to make some quick gains on the side. This assessment also lines up with Sygnia’s analysis of Emperor Dragonfly in October 2022, which it described as a “single threat actor.”

This form of moonlighting, while rarely observed in the Chinese hacking ecosystem, is a lot more prevalent among threat actors from Iran and North Korea.

“Another form of financially motivated activity supporting state goals are groups whose main mission may be state-sponsored espionage are, either tacitly or explicitly, allowed to conduct financially motivated operations to supplement their income,” the Google Threat Intelligence Group (GTIG) said in a report published this week.

“This can allow a government to offset direct costs that would be required to maintain groups with robust capabilities.”

Salt Typhoon Exploits Vulnerable Cisco Devices to Breach Telcos

The development comes as the Chinese nation-state hacking group known as Salt Typhoon has been linked to a set of cyber attacks that leverage known security flaws in Cisco network devices (CVE-2023-20198 and CVE-2023-20273) to penetrate multiple networks.

The malicious cyber activity is assessed to have singled out a U.S.-based affiliate of a significant U.K.-based telecommunications provider, a South African telecommunications provider, an Italian internet service provider, and a large Thai telecommunications provider, based on communications detected between infected Cisco devices and the threat actor's infrastructure.

The attacks took place between December 4, 2024, and January 23, 2025, Recorded Future’s Insikt Group said, adding that the adversary, also tracked as Earth Estries, FamousSparrow, GhostEmperor, RedMike, and UNC2286, attempted to exploit more than 1,000 Cisco devices globally during that timeframe.

More than half of the targeted Cisco appliances are located in the U.S., South America, and India. In what appears to be a broadening of the targeting focus, Salt Typhoon has also been observed targeting devices associated with more than a dozen universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the U.S., and Vietnam.

“RedMike possibly targeted these universities to access research in areas related to telecommunications, engineering, and technology, particularly at institutions like UCLA and TU Delft,” the company said.

A successful compromise is followed by the threat actor using the elevated privileges to change the device’s configuration and add a generic routing encapsulation (GRE) tunnel for persistent access and data exfiltration between the compromised Cisco devices and their infrastructure.

Using vulnerable network appliances as entry points to target victims has become something of a standard playbook for Salt Typhoon and other Chinese hacking groups such as Volt Typhoon, in part because such devices lack security controls and are not supported by Endpoint Detection and Response (EDR) solutions.

To mitigate the risk posed by such attacks, it’s recommended that organizations prioritize applying available security patches and updates to publicly-accessible network devices and avoid exposing administrative interfaces or non-essential services to the internet, particularly for those that have reached end-of-life (EoL).
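Two of the points above, the GRE tunnel added to a compromised device's configuration and the advice not to expose administrative interfaces, can be checked from a saved running-config. The Python script below is an added example and is not from Recorded Future, Cisco, or the article; it parses a constructed IOS XE-style configuration, reports whether the HTTP/HTTPS server (the web UI abused via CVE-2023-20198) is enabled, and flags any GRE tunnel whose destination is not on an operator-maintained allowlist. The allowlist, the hostname and all addresses are assumptions made up for the example.

```python
"""Audit a Cisco IOS/IOS XE running-config for an enabled web UI and for
GRE tunnels to unexpected peers. The configuration text and the peer
allowlist below are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel0
 description SD-WAN hub link (expected)
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.1
!
interface Tunnel7
 ip address 10.99.9.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.77
!
end
"""

# Assumed operator-maintained list of legitimate tunnel endpoints.
KNOWN_TUNNEL_PEERS: Set[str] = {"198.51.100.1"}


@dataclass
class Tunnel:
    name: str
    destination: Optional[str] = None
    mode: str = "gre ip"  # IOS default when no 'tunnel mode' line is present


def parse_tunnels(config: str) -> List[Tunnel]:
    """Collect Tunnel interfaces with their mode and destination."""
    tunnels: List[Tunnel] = []
    current: Optional[Tunnel] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            current = Tunnel(name) if name.startswith("Tunnel") else None
            if current is not None:
                tunnels.append(current)
        elif current is not None and line.startswith(" "):
            body = line.strip()
            if body.startswith("tunnel destination "):
                current.destination = body.split()[2]
            elif body.startswith("tunnel mode "):
                current.mode = body[len("tunnel mode "):].strip()
        else:
            current = None  # '!' separator, 'end', or a top-level command
    return tunnels


def web_ui_services(config: str) -> List[str]:
    """Return the HTTP server commands that are enabled (a 'no ...' form does not match)."""
    enabled = {line.strip() for line in config.splitlines()
               if line.strip() in ("ip http server", "ip http secure-server")}
    return sorted(enabled)


def audit(config: str, known_peers: Set[str] = KNOWN_TUNNEL_PEERS) -> List[str]:
    """Produce human-readable findings for the two checks."""
    findings = []
    for svc in web_ui_services(config):
        findings.append(f"web UI enabled: '{svc}' (disable, or restrict with an ACL if required)")
    for t in parse_tunnels(config):
        if t.mode.startswith("gre") and t.destination not in known_peers:
            findings.append(f"{t.name}: GRE tunnel to unexpected peer {t.destination}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("-", f)
```

Tunnel0 points at an allowlisted peer and is left alone; Tunnel7 is reported, as are both HTTP server lines. Running this against periodic config backups and diffing the output is a cheap way to notice a tunnel interface that nobody on the network team created.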
