A China-based cyber threat group known as Emperor Dragonfly has implicated itself in a ransomware attack that uses tools typically associated with state-sponsored espionage. The incident involved the deployment of RA World ransomware against an Asian software and services firm, with the attackers demanding an initial ransom of $2 million.
Researchers from Symantec’s Threat Hunter Team observed this activity in late 2024, highlighting a concerning trend in which state-backed cyber espionage increasingly overlaps with financially motivated cybercrime. “During the late 2024 attack, the adversary employed a unique toolset that had previously been linked to espionage operations attributed to Chinese actors,” the researchers noted. They emphasized that while these espionage groups often share tools, many remain obscure and are not typically associated with criminal activities.
A report from Palo Alto Networks’ Unit 42 in July 2024 also tentatively connected Emperor Dragonfly, also known as Bronze Starlight, to the RA World ransomware, albeit with low confidence. The RA World ransomware has evolved from the RA Group, which emerged in 2023 as a variant of the Babuk ransomware family.
Transition from Espionage to Ransomware
Between July 2024 and January 2025, the Emperor Dragonfly group targeted various government ministries and telecommunications operators across Southeast Europe and Asia, seemingly aiming for long-term access to sensitive networks. In these operations, the group utilized a specific variant of the PlugX (Korplug) backdoor, delivering it through a Toshiba executable (toshdpdb.exe) via DLL sideloading, alongside a malicious DLL (toshdpapi.dll).
Additionally, Symantec identified the group’s use of NPS proxy, a covert communication tool developed in China, along with several payloads encrypted with RC4. In November 2024, the same Korplug payload struck a South Asian software company, which the attackers followed with an RA World ransomware attack.
The attackers exploited a vulnerability in Palo Alto PAN-OS (CVE-2024-0012) to gain access to the network, employing the same sideloading technique with the Toshiba executable and DLL file to install Korplug before encrypting the targeted systems.
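The sideloading pattern described above (the legitimate Toshiba executable toshdpdb.exe loading a malicious toshdpapi.dll placed beside it) is something defenders can hunt for in image-load telemetry. The following is an added example, not code from Symantec's report: a small Python detector run over constructed image-load records. The pipe-delimited record format, the timestamps, the file paths, and the assumption that the vendor's own DLL would normally live under Program Files or Windows are all illustrative choices made here, not details from the article.

```python
import ntpath
from typing import Iterable, List, Optional, Tuple

# Sideloading pair named in the article: the legitimate host executable and
# the DLL it resolves by name from its own directory.
SIDELOAD_PAIRS = {
    "toshdpdb.exe": {"toshdpapi.dll"},
}

# Assumption for this example: a vendor binary and its companion DLLs are
# normally installed under one of these roots. The same DLL name loaded from
# anywhere else (a user-writable or temp directory) is the suspicious case.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# Constructed image-load records in the shape "timestamp|process_path|module_path".
# These are illustrative, not indicators published by Symantec.
SAMPLE_EVENTS = [
    "2024-11-20T09:14:02Z|C:\\Program Files\\TOSHIBA\\toshdpdb.exe|C:\\Program Files\\TOSHIBA\\toshdpapi.dll",
    "2024-11-20T09:15:31Z|C:\\Users\\Public\\Libraries\\toshdpdb.exe|C:\\Users\\Public\\Libraries\\toshdpapi.dll",
    "2024-11-20T09:15:32Z|C:\\Users\\Public\\Libraries\\toshdpdb.exe|C:\\Windows\\System32\\kernel32.dll",
    "2024-11-20T09:16:00Z|C:\\Windows\\System32\\notepad.exe|C:\\Users\\Public\\toshdpapi.dll",
]


def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one constructed record into (timestamp, process_path, module_path)."""
    parts = line.strip().split("|")
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def is_trusted_location(path: str) -> bool:
    """True if the path sits under one of the assumed vendor/OS install roots."""
    lowered = path.lower()
    return any(lowered.startswith(root) for root in TRUSTED_ROOTS)


def detect_sideload(line: str) -> Optional[str]:
    """Return a finding for a known host EXE loading its sideload DLL from an
    untrusted directory; return None for benign or unrelated loads."""
    parsed = parse_event(line)
    if parsed is None:
        return None
    ts, proc_path, module_path = parsed
    proc_name = ntpath.basename(proc_path).lower()
    module_name = ntpath.basename(module_path).lower()
    expected = SIDELOAD_PAIRS.get(proc_name)
    if not expected or module_name not in expected:
        return None
    # The pair loaded from inside the vendor's install tree is the benign case.
    if is_trusted_location(module_path):
        return None
    # Classic sideloading: DLL resolved from the same directory as the host EXE.
    same_dir = ntpath.dirname(proc_path).lower() == ntpath.dirname(module_path).lower()
    where = "same directory as host executable" if same_dir else "outside install roots"
    return (f"{ts} possible DLL sideloading: {proc_name} loaded {module_name} "
            f"from {ntpath.dirname(module_path)} ({where})")


def scan(lines: Iterable[str]) -> List[str]:
    """Run the detector over many records and collect the findings."""
    return [finding for finding in (detect_sideload(l) for l in lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The check keys on where the DLL is loaded from rather than on the host executable, because toshdpdb.exe is a legitimate vendor binary whose hash and signature will look clean; only the companion DLL and its location distinguish the sideload from a normal load. The same function generalizes to any other EXE/DLL pair by adding entries to SIDELOAD_PAIRS.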
The evidence suggests that Chinese state-sponsored cyber operatives may engage in ransomware activities for personal financial gain, effectively “moonlighting” as cybercriminals.
To assist organizations in defending against such threats, Symantec’s report includes a list of indicators of compromise (IoCs) related to the observed activities, enabling defenders to detect and mitigate potential attacks before significant damage occurs.