Chinese espionage tools deployed in RA World ransomware attack

A China-based threat actor, tracked as Emperor Dragonfly and commonly associated with cybercriminal endeavors, has been observed using in a ransomware attack a toolset previously attributed to espionage actors.

The hackers deployed the RA World ransomware against an Asian software and services company and demanded an initial ransom payment of $2 million.

Researchers from Symantec’s Threat Hunter Team observed the activity in late 2024 and highlight a potential overlap between state-backed cyber espionage actors and financially motivated cybercrime groups.

“During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks,” the researchers say, adding that "tools associated with China-based espionage groups are often shared resources" but "many aren’t publicly available and aren’t usually associated with cybercrime activity.”

A report in July 2024 from Palo Alto Networks’ Unit 42 also associated  Emperor Dragonfly (a.k.a. Bronze Starlight) with RA World, albeit with low confidence. According to the researchers, the RA World spun from RA Group, which launched in 2023 as a Babuk-based family.

From espionage to ransomware

Between July 2024 to January 2025, the China-based espionaged actor targeted government ministries and telecom operators in Southeast Europe and Asia, the apparent goal being long-term persistence.

In these attacks, a specific variant of the PlugX (Korplug) backdoor was deployed with a Toshiba executable (toshdpdb.exe) via DLL sideloading, along with a malicious DLL (toshdpapi.dll).

Moreover, Symantec observed the use of NPS proxy, a China-developed tool used for covert network communication, and various RC4-encrypted payloads.

In November 2024, the same Korplug payload was used against a South Asian software company. This time, it was followed by an RA World ransomware attack.

The attacker allegedly exploited Palo Alto PAN-OS (CVE-2024-0012) to infiltrate the network and then followed the same sideloading technique involving the Toshiba executable and DLL file to deploy Korplug before encrypting the machines.

Based on the available evidence, the hypothesis is that the Chinese state-backed cyber operatives carrying out espionage attacks may “moonlight” as ransomware actors for personal profit.

Symantec's report lists the indicators of compromise (IoCs) associated with the observed activity to help defenders detect and block the attacks before damage is done.