Symantec has reported that the Chinese hacking group Emperor Dragonfly, also known as Bronze Starlight, recently repurposed its espionage toolset for a ransomware attack. The group, previously associated with spying activity, launched an extortion campaign against an Asian IT company towards the end of 2024, deploying the RA World ransomware.
Emperor Dragonfly, initially linked to cyber espionage, has now been observed deploying extortion software. The group's connection with RA World, an offshoot of RA Group, was first reported in July 2024; researchers describe RA World as a ransomware family that emerged in 2023 and is built on leaked Babuk source code.
In July 2024, an unidentified group targeted the Ministry of Foreign Affairs of a southeastern European country using DLL sideloading with a legitimate Toshiba executable. The attackers used this mechanism to decrypt and execute a PlugX (Korplug) payload, a backdoor typically associated with Chinese hackers.
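The sideloading technique described above (a trusted, signed executable loading a malicious DLL placed next to it) leaves a recognisable trace in image-load telemetry. The following detection heuristic is an added example written for this page, not code from Symantec's report or from the group's tooling; it runs over a constructed, simplified log format loosely modelled on Sysmon Event ID 7 image-load records, and every path, field name and DLL list in it is an assumption you would replace with your own telemetry schema.

```python
"""Added example: flag DLL sideloading candidates in image-load telemetry.

Defensive heuristic: a signed executable loads an UNSIGNED DLL that
(a) carries the name of a DLL normally shipped under System32,
(b) sits in the same directory as the executable, and
(c) that directory is user-writable.
The 'k=v|k=v' log format and field names are constructed for this
example and only loosely modelled on Sysmon Event ID 7; adapt parse_line
to your real source.
"""
import ntpath  # Windows path semantics regardless of the host OS

# Assumed user-writable locations (lower-cased for comparison).
USER_WRITABLE_ROOTS = (r"c:\users", r"c:\programdata", r"c:\windows\temp")

# DLL names normally expected under System32; an unsigned copy beside an
# application binary is the classic sideloading layout.  Illustrative list.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                    "cryptsp.dll", "ws2_32.dll"}

# Constructed sample telemetry (not real data): a benign load from System32,
# one sideloading candidate, one unsigned DLL that is not a system name,
# and an unrelated process-creation event.
SAMPLE_LOG = r"""
EventID=7|Image=C:\Program Files\VendorApp\vendorapp.exe|ImageLoaded=C:\Windows\System32\version.dll|ImageSigned=true|Signed=true
EventID=7|Image=C:\Users\alice\AppData\Roaming\Updater\updater.exe|ImageLoaded=C:\Users\alice\AppData\Roaming\Updater\version.dll|ImageSigned=true|Signed=false
EventID=7|Image=C:\Users\alice\AppData\Roaming\Updater\updater.exe|ImageLoaded=C:\Users\alice\AppData\Roaming\Updater\plugin.dll|ImageSigned=true|Signed=false
EventID=1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami
"""


def parse_line(line):
    """Parse one 'k=v|k=v' record into a dict; return None for blank lines."""
    line = line.strip()
    if not line:
        return None
    return dict(field.split("=", 1) for field in line.split("|"))


def is_sideload_candidate(ev):
    """Apply the three-part heuristic to a single parsed image-load event."""
    if ev.get("EventID") != "7":
        return False
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_path = ev["ImageLoaded"]
    dll_dir = ntpath.dirname(dll_path).lower()
    dll_name = ntpath.basename(dll_path).lower()
    in_writable = any(dll_dir.startswith(root) for root in USER_WRITABLE_ROOTS)
    return (ev.get("ImageSigned") == "true"   # trusted host binary
            and ev.get("Signed") == "false"   # untrusted DLL
            and dll_name in SYSTEM_DLL_NAMES  # system DLL name outside System32
            and dll_dir == exe_dir            # planted next to the executable
            and in_writable)                  # in a user-writable location


def find_candidates(log_text):
    """Return the paths of DLLs that match the sideloading heuristic."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_sideload_candidate(ev):
            hits.append(ev["ImageLoaded"])
    return hits


if __name__ == "__main__":
    for path in find_candidates(SAMPLE_LOG):
        print("DLL sideloading candidate:", path)
```

On the constructed sample the heuristic flags only the unsigned `version.dll` loaded by the signed binary from its own AppData directory; the System32 load and the unsigned `plugin.dll` (a legitimate vendor-plugin layout) are left alone. The name list and writable roots are the parts that need tuning per environment, and a hit should be corroborated with the DLL's hash and the host binary's publisher before escalation.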
Throughout August 2024, government bodies in southeastern European countries and a ministry in a Southeast Asian country were under attack. In September, a brief intrusion occurred at a regional telecommunications company, followed in January 2025 by an attack on another Southeast Asian ministry.
In November 2024, in the midst of this espionage activity, the hackers carried out an extortion attack against an IT firm in South Asia. They entered the company's network by exploiting CVE-2024-0012 in Palo Alto Networks PAN-OS, stole Amazon S3 account data, and encrypted devices with the RA World ransomware.
The hackers demanded a $2 million ransom, offering a reduction to $1 million for prompt payment. The attack used the same Toshiba executable and sideloaded DLL combination to load PlugX, a hallmark of the group's earlier espionage operations.
Several theories have been offered for why cyberspies would adopt cybercriminal methods. Some suggest the ransomware was meant to cover their tracks or serve as a distraction, but the fact that the attackers actually negotiated over the ransom suggests the extortion was meant in earnest.
Alternatively, a group member with access to the restricted toolset may have used it to run a ransomware operation for personal gain. This behaviour is more commonly associated with North Korean groups, making it an unusual occurrence for Chinese cyberspies.
Researchers believe that hackers conducting espionage for state interests may also engage in criminal endeavors for personal profit, highlighting the complex nature of these cyber threats.