
The attack in late 2024 targeted a medium-sized software and services company in South Asia. What makes this incident particularly noteworthy is the use of PlugX (also known as Korplug), a sophisticated backdoor exclusively linked to Chinese espionage actors that is not publicly available.
The threat actor employed a distinctive technique: a legitimate Toshiba executable (toshdpdb.exe) was used to sideload a malicious DLL, which in turn loaded an encrypted payload. Analysis revealed that this PlugX variant carried the same compilation timestamp as a version previously documented by Palo Alto Networks and linked to Fireant, a known China-based espionage group.
The attackers claimed to have initially compromised the target's network by exploiting a vulnerability in Palo Alto's PAN-OS firewall software (CVE-2024-0012). They subsequently acquired administrative credentials and Amazon S3 cloud credentials, leading to data theft and deployment of RA World ransomware. The demand was set at $2 million, with a reduction to $1 million if paid within three days.
"While tools associated with China-based espionage groups are often shared resources, many aren't publicly available and aren't usually associated with cybercrime activity," the researchers noted.
According to Symantec's analysis, the most plausible explanation is that an individual actor might be attempting to monetize their access to state-sponsored hacking tools. This represents a significant departure from typical Chinese cyber espionage operations, which historically have not engaged in financial cybercrime, unlike their North Korean counterparts, who regularly conduct such activities to fund state operations.