- The Chinese Jewelbug APT infiltrated a Russian IT provider and remained undetected for five months.
- Attackers used a rebranded Microsoft debugger to bypass defenses and leak data through Yandex Cloud.
- Symantec Says China-Based Actors Now Targeting Russia Despite Perceived Geopolitical Alignment
Chinese hackers were recently seen attacking Russians, raising eyebrows among the Western cybersecurity community that perceives the two countries as allies in cyberspace and beyond.
Earlier this week, security team Symantec released a new report detailing the work of Jewelbug, a Chinese state-sponsored threat actor that has been “very active in recent months.” In the report, Symantec said Jewelbug was seen pursuing targets in South America, South Asia, Taiwan and, most notably, Russia.
In early 2025, Jewelbug managed to sneak into the network of a Russian IT service provider and remained there for no less than five months. During that time, the attackers accessed code repositories and software build systems that they could leverage to execute supply chain attacks against the IT service provider’s customers.
7zup.exe and Yandex
The compromise was detected when researchers found a file called 7zup.exe on the IT provider’s system. This is a renamed copy of a legitimate Microsoft binary, cdb.exe, the Microsoft Console Debugger (CDB).
This tool can be used to run shellcode, bypass application whitelisting, launch executables, run DLLs, and terminate security fixes, Symantec added.
“The use of a renamed version of cdb.exe is a hallmark of Jewelbug’s activity,” the report reads. “Microsoft recommends that CDB be blocked from running by default and whitelisted for specific users only when explicitly required.”
With the help of CDB, Jewelbug managed to dump credentials, establish persistence, and elevate privileges using scheduled tasks. The attackers tried to cover their tracks by deleting Windows event logs and used Yandex Cloud to exfiltrate data. Yandex is a Russian cloud service provider, which was probably chosen because it is commonly used in the country and does not usually raise any red flags.
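The two behaviours described above, a renamed cdb.exe and cleared event logs, are both visible in ordinary process-creation and audit telemetry. The following is an added detection sketch written for this article, not code from Symantec or TechRadar; it assumes Sysmon-style process-creation records (Event ID 1 with the real Image and OriginalFileName fields) plus the Windows Security "audit log cleared" event (ID 1102), and the log lines it runs on are constructed samples, not data from the intrusion.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style records for illustration only (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe OriginalFileName=NOTEPAD.EXE CommandLine=notepad.exe",
    "EventID=1 Image=C:\\Users\\svc\\Downloads\\7zup.exe OriginalFileName=CDB.Exe CommandLine=7zup.exe -cf run.txt",
    "EventID=1 Image=C:\\Debuggers\\cdb.exe OriginalFileName=CDB.Exe CommandLine=cdb.exe -z crash.dmp",
    "EventID=1102 Image=- OriginalFileName=- CommandLine=-",
]

# Debugger binaries that Microsoft recommends blocking by default; renaming one
# (the PE's OriginalFileName no longer matching the on-disk name) is the tell.
WATCHED_ORIGINAL_NAMES = {"cdb.exe", "windbg.exe", "kd.exe"}

# key=value pairs; a value runs until the next " key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one key=value log line into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return a list of alert strings for one parsed event (empty if benign)."""
    alerts = []
    original = event.get("OriginalFileName", "").lower()
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    if event.get("EventID") == "1102":
        alerts.append("audit log cleared (Security 1102)")
    if original in WATCHED_ORIGINAL_NAMES:
        if image_name != original:
            # Version resource says CDB, but the file on disk carries another name.
            alerts.append(f"renamed {original} executed as {image_name}")
        else:
            alerts.append(f"{original} executed; expected blocked by default")
    return alerts


def scan(lines):
    """Return (Image, alerts) pairs for every event that raised at least one alert."""
    results = []
    for line in lines:
        event = parse_event(line)
        alerts = classify(event)
        if alerts:
            results.append((event.get("Image"), alerts))
    return results
```

Running `scan(SAMPLE_EVENTS)` flags the renamed debugger, the unrenamed cdb.exe launch, and the log-clearing event while leaving notepad.exe alone.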
“However, the fact that a Chinese APT group attacked a Russian organization demonstrates that Russia is not off limits when it comes to the operations of actors based in China,” Symantec concluded.
Through The Registry