
A China-linked espionage actor may be moonlighting as a ransomware attacker, raising questions about their motives.
A recent cyberattack has raised questions about the intersection of espionage and cybercrime after tools typically associated with China-based intelligence operations were used in a ransomware attack.
In late 2024, an unknown attacker deployed a distinct toolset – previously linked to Chinese espionage groups – against a software and services company in South Asia.
While such tools, often used in espionage attacks, are shared among threat actors, many are not publicly available and have historically been used for covert intelligence-gathering rather than financial extortion.
However, this espionage-linked attacker shifted from spy tactics to ransomware, launching an extortion campaign in November 2024. The case was documented by the Symantec threat intelligence team.
The intruder allegedly exploited a critical vulnerability in Palo Alto’s PAN-OS firewall software (CVE-2024-0012) to gain initial access. They then stole administrative credentials from the company’s intranet and obtained Amazon S3 cloud credentials from a Veeam server, ultimately exfiltrating data before encrypting systems.
To execute the attack, threat actors utilized a known espionage tool – a Toshiba executable (toshdpdb.exe) used to sideload a malicious DLL named toshdpapi.dll. This component decrypted and loaded a variant of the PlugX backdoor, a tool exclusively linked to Chinese state-affiliated hackers.
After creating a backdoor, the attacker deployed RA World ransomware across the network, demanding a $2 million ransom with a discounted offer of $1 million for quick payment.
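As an added defender-side illustration (not from the article or the Symantec report), the following Python triage runs over constructed Sysmon-style image-load events and flags the sideloading pattern described above: the legitimate Toshiba executable loading a DLL of the expected name from a directory where the vendor never installs it, or loading an unsigned copy. The field names mirror Sysmon Event ID 7; the pairing table, trusted roots and sample paths are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed pairing table: legitimate host executable -> DLL names it is known to
# import. The toshdpdb.exe / toshdpapi.dll pair is the one the incident describes.
SIDELOAD_PAIRS = {"toshdpdb.exe": {"toshdpapi.dll"}}

# Assumed install roots for a vendor binary; a copy executing from a user profile,
# temp or ProgramData directory is the classic sideloading staging location.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class ImageLoad:
    image: str     # process that performed the load (Sysmon Event ID 7 "Image")
    loaded: str    # DLL that was mapped ("ImageLoaded")
    signed: bool   # whether the loaded DLL carries a valid signature ("Signed")


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """True when a known host binary loads its paired DLL from beside itself
    outside a trusted root, or loads an unsigned copy of that DLL."""
    host = PureWindowsPath(ev.image).name.lower()
    dll = PureWindowsPath(ev.loaded).name.lower()
    if dll not in SIDELOAD_PAIRS.get(host, ()):
        return False  # not a host/DLL pair we track
    host_dir = str(PureWindowsPath(ev.image).parent).lower() + "\\"
    dll_dir = str(PureWindowsPath(ev.loaded).parent).lower() + "\\"
    same_dir = host_dir == dll_dir  # sideloading needs the DLL next to the EXE
    outside_trusted = not host_dir.startswith(TRUSTED_ROOTS)
    return same_dir and (outside_trusted or not ev.signed)


def triage(events):
    """Return only the events worth an analyst's attention."""
    return [e for e in events if is_suspicious_sideload(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ImageLoad("C:\\Program Files\\Toshiba\\toshdpdb.exe",
              "C:\\Program Files\\Toshiba\\toshdpapi.dll", True),   # benign
    ImageLoad("C:\\ProgramData\\update\\toshdpdb.exe",
              "C:\\ProgramData\\update\\toshdpapi.dll", False),     # sideload
    ImageLoad("C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\System32\\ntdll.dll", True),            # unrelated
    ImageLoad("C:\\Program Files\\Toshiba\\toshdpdb.exe",
              "C:\\Program Files\\Toshiba\\toshdpapi.dll", False),  # tampered
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("suspicious sideload:", hit.image, "->", hit.loaded)
```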
Espionage turns to ransomware
Prior to the ransomware incident, the attacker appeared focused solely on espionage, aiming to establish long-term access to targeted organizations through backdoors.
Their activities spanned multiple regions, beginning in July 2024 with the compromise of a foreign ministry in southeastern Europe. In the following months, they breached another government in the same region, a Southeast Asian ministry, as well as a telecom operator. This culminated in a January 2025 attack on another Southeast Asian government ministry.
While financially motivated attacks are common among North Korean state-affiliated hackers, China-linked espionage actors have not historically pursued this strategy, making the attack an unusual case.
Researchers theorize that the current ransomware could have been a diversion or an attempt to cover up evidence of espionage.
However, the attack did little to obscure its links to prior operations, and the attacker appeared serious about extorting a ransom. The most plausible explanation is that an individual within an espionage operation was using state-sponsored tools for personal financial gain.
“The most likely scenario is that an actor, possibly one individual, was attempting to make some money on the side using their employer’s toolkit,” Symantec researchers concluded.