- Chinese APT Jewelbug infiltrated a Russian IT provider and lived undetected for five months
- Attackers used a renamed copy of Microsoft's CDB debugger to bypass defenses and exfiltrated data via Yandex Cloud
- Symantec says China-based players are now targeting Russia despite the perceived geopolitical alignment
Chinese hackers were recently seen targeting a Russian organization, raising eyebrows among the Western cybersecurity community, which views the two countries as allies in and out of cyberspace.
Earlier this week, security outfit Symantec released a new report detailing the work of Jewelbug, a Chinese state-sponsored threat actor that has been “highly active in recent months.” In the report, Symantec said that Jewelbug was seen going after targets in South America, South Asia, Taiwan and especially Russia.
In early 2025, Jewelbug managed to infiltrate the network of a Russian IT service provider and remain there for no less than five months. During that time, the group gained access to code repositories and software build systems, access that could have been leveraged to mount supply-chain attacks against the IT service provider's customers.
7zup.exe and Yandex
The compromise was discovered when researchers found a file named 7zup.exe on the IT provider’s system. This is a renamed copy of a legitimate Microsoft binary called CDB (Microsoft Console Debugger).
This tool can be used to run shellcode, bypass application whitelisting, launch executables, run DLLs and terminate security solutions, Symantec added.
“Using a renamed version of cdb.exe is a hallmark of Jewelbug activity,” the report reads. “Microsoft recommends that CDB should be blocked from running by default and only whitelisted for specific users when explicitly necessary.”
Using CDB, Jewelbug managed to dump credentials, establish persistence, and elevate privileges via scheduled tasks. They tried to cover their tracks by clearing Windows Event Logs and used Yandex Cloud to exfiltrate data. Yandex Cloud is a Russian cloud service; traffic to it from a Russian network blends in with everyday activity and is unlikely to raise red flags.
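The renamed-binary trick described above leaves a detectable trace: renaming cdb.exe to 7zup.exe changes the file name on disk but not the OriginalFileName embedded in the binary's PE version resource, and Sysmon records both fields in its Event ID 1 (process creation) telemetry. The following Python routine is an added example, not code from the Symantec report or from TechRadar. It runs over constructed Sysmon-style JSON records (the paths, command lines and event shapes are assumed sample data), flags any of the watched debugger names whose on-disk name differs from the original (the cdb.exe case from the report, generalised to a few other Microsoft debugger binaries as an assumed extension), and flags cdb.exe even when not renamed, since Microsoft recommends blocking it by default.

```python
import ntpath

# Original file names worth alerting on. cdb.exe is the binary the Symantec
# report ties to Jewelbug; the other Microsoft debugger names are an assumed
# extension chosen for this example.
WATCHED_ORIGINAL_NAMES = {"cdb.exe", "kd.exe", "ntsd.exe", "windbg.exe"}

# Constructed sample events shaped like Sysmon Event ID 1 (ProcessCreate)
# exported as JSON. This is not real telemetry from the incident.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\svc\AppData\Local\Temp\7zup.exe",
     "OriginalFileName": "cdb.exe",
     "CommandLine": r"7zup.exe -cf C:\Users\svc\AppData\Local\Temp\run.wds"},
    {"EventID": 1,
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "cdb.exe",
     "CommandLine": "cdb.exe -p 4242"},
    {"EventID": 1,
     "Image": r"C:\Program Files\7-Zip\7z.exe",
     "OriginalFileName": "7z.exe",
     "CommandLine": "7z.exe a backup.7z ."},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


def _normalise(name):
    """Lower-case a file name; treat Sysmon's '-' / '?' placeholders
    (emitted when the PE has no version resource) as unknown."""
    name = (name or "").strip().lower()
    return "" if name in {"", "-", "?"} else name


def classify(event):
    """Return an alert dict for one Sysmon EventID 1 record, or None if
    the record is not a process creation or not a watched debugger."""
    if event.get("EventID") != 1:
        return None
    original = _normalise(event.get("OriginalFileName"))
    on_disk = _normalise(ntpath.basename(event.get("Image", "")))
    if original not in WATCHED_ORIGINAL_NAMES:
        return None
    renamed = original != on_disk
    if renamed:
        reason = (f"{original} running under a different name ({on_disk}); "
                  f"matches the renamed-cdb.exe tradecraft")
    else:
        reason = (f"{original} executed; Microsoft recommends blocking it "
                  f"by default")
    return {
        "image": event.get("Image", ""),
        "original_file_name": original,
        "renamed": renamed,
        # A rename is the strongest signal; a plain execution of a blocked-
        # by-default debugger is still worth a look.
        "severity": "high" if renamed else "medium",
        "reason": reason,
        "command_line": event.get("CommandLine", ""),
    }


def detect_debugger_execution(events):
    """Run classify() over a batch of events and keep the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in detect_debugger_execution(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['reason']}: "
              f"{alert['image']}")
```

Two caveats for anyone deploying this: OriginalFileName comes from the PE version resource, which an attacker can strip or edit, so pair the rule with a check on the file hash or Authenticode signature that Sysmon also records; and a legitimate developer workstation with the Windows debugging tools installed will produce the medium-severity hits, which is exactly the "whitelisted for specific users" population Microsoft's guidance refers to.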
“However, the targeting of a Russian organization by a Chinese APT group shows that Russia is not off limits when it comes to operations by China-based actors,” Symantec concluded.
Via The Register