A new investigation by The Symantec Threat Hunter Team has revealed that the Chinese APT group “Jewelbug” (also tracked as REF7707, CL-STA-0049, and Earth Alux) has been conducting a series of global cyber-espionage campaigns, including an unprecedented intrusion into the network of a Russian IT service provider — a target rarely seen in China-linked operations.
“Chinese APT group Jewelbug has been highly active in recent months, targeting organizations in South America, South Asia, Taiwan and Russia,” the Symantec report stated.
The attackers maintained access to the Russian IT company’s network for the first five months of 2025, gaining entry to software build and code repository systems. Symantec’s researchers warn that this access “could potentially be leveraged to carry out supply chain attacks targeting the company’s customers in Russia.”
In a strategic move to avoid detection, Jewelbug exfiltrated stolen data to Yandex Cloud, a legitimate and widely used Russian platform.
“Yandex is a popular service in Russia, so the attackers likely chose to use it in order to avoid raising suspicions,” the researchers explained.
The report highlights this intrusion as part of a broader shift in China’s cyber-espionage calculus following the start of the Russia-Ukraine war.
“Chinese and Russian threat actors have, until recently, rarely been seen to be attacking each other… Jewelbug’s attack is the continuation of a trend that seems to have begun following Russia’s invasion of Ukraine,” Symantec noted.
The group’s activity on the Russian network began with the appearance of a suspicious file named 7zup.exe, which turned out to be a renamed copy of Microsoft’s Console Debugger (cdb.exe) — a hallmark of Jewelbug operations.
“Use of a renamed version of cdb.exe is a hallmark of Jewelbug activity,” the report said, noting that it can “run shellcode and bypass application whitelisting.”
Other observed tactics included:
- Credential dumping and privilege escalation via schtasks
- Log clearing to erase forensic traces
- Persistence through scheduled tasks
- Data exfiltration via a malicious binary named yandex2.exe
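A defender-side triage check for two of the behaviours listed above, the renamed cdb.exe (7zup.exe) and scheduled-task persistence, written as an added example and not code from Symantec's report; it runs over constructed Sysmon-style process-creation records and assumes the `OriginalFileName` field carries the PE version-info name, as Sysmon Event ID 1 logs it.

```python
import ntpath

# Constructed Sysmon Event ID 1 (ProcessCreate) style records; the values are
# made up for this example and are not indicators from the Symantec report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\7zup.exe", "OriginalFileName": "CDB.Exe",
     "CommandLine": r"7zup.exe -cf C:\Users\Public\run.wds"},
    {"Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "CDB.Exe", "CommandLine": "cdb.exe -p 4321"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r"schtasks /create /tn Updater /tr C:\Users\Public\yandex2.exe /sc minute /ru SYSTEM"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r"schtasks /create /tn Backup /tr C:\Windows\System32\wbadmin.exe /sc daily"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad"},
]

RENAME_WATCHLIST = {"cdb.exe"}  # embedded names that should only run under their own file name
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def image_name(event):
    return ntpath.basename(event["Image"]).lower()

def renamed_lolbin(event):
    """True when the PE's OriginalFileName is watched but the on-disk name differs."""
    original = event.get("OriginalFileName", "").lower()
    return original in RENAME_WATCHLIST and image_name(event) != original

def schtask_untrusted_target(event):
    """True for a schtasks /create whose /tr target is outside TRUSTED_ROOTS (unquoted path assumed)."""
    if image_name(event) != "schtasks.exe":
        return False
    tokens = event.get("CommandLine", "").split()
    lower = [t.lower() for t in tokens]
    if "/create" not in lower or "/tr" not in lower or lower.index("/tr") + 1 >= len(tokens):
        return False
    target = lower[lower.index("/tr") + 1].strip('"')
    return not target.startswith(TRUSTED_ROOTS)

def triage(events):
    """Return (rule, evidence) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        if renamed_lolbin(ev):
            findings.append(("renamed_cdb", ev["Image"]))
        if schtask_untrusted_target(ev):
            findings.append(("schtask_untrusted_target", ev["CommandLine"]))
    return findings
```

The legitimately installed cdb.exe and the task pointing into C:\Windows produce no finding, so the rules key on the mismatch and the target location rather than on the tool itself.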
“The use of Yandex Cloud to exfiltrate data was also a probable attempt by the attackers to remain under the radar,” the researchers emphasized.
Symantec also uncovered a new Jewelbug backdoor still in development, deployed against a South American government organization in July 2025.
The malware uses Microsoft Graph API and OneDrive for command-and-control (C2) — a stealthy approach that blends malicious traffic with legitimate Microsoft cloud communications.
“The malware leverages Microsoft Graph API and OneDrive as its command and control servers,” the report explained, noting that its logging output suggested it was still being tested.
Activity included:
- Uploading file lists to OneDrive
- Gathering host metadata (IP, Windows version, hostname)
- Creating hidden directories such as C:\Users\Public\Libraries~
- Writing logs such as “Create Folder In OneDrive successfully!” and “HttpSendRequestWPtr Error Code:0”
“It is notable as it shows that Jewelbug is continuing to develop new malware… The use of Microsoft Graph API and OneDrive for C&C minimizes malicious indicators observable to traditional security software,” Symantec added.
Another campaign observed between October and November 2024 targeted a Taiwanese software company. Here, Jewelbug used a Bring-Your-Own-Vulnerable-Driver (BYOVD) technique by abusing the ECHOAC anti-cheat driver, allowing kernel-level manipulation.
“The attackers also used the KillAV tool to disable security software, as well as deploying a publicly available tool called EchoDrv, which permits abuse of the Kernel read/write vulnerability,” the report stated.
The attackers also deployed:
- ShadowPad, a modular backdoor “exclusively used by Chinese threat actors”
- Mimikatz for credential theft
- SMBExec and Earthworm tunneling for lateral movement
- CDB debugger injected into mspaint.exe — another Jewelbug trademark
“Mspaint has previously been documented as being used by Jewelbug to inject malware,” Symantec confirmed.
Jewelbug’s arsenal includes several custom malware families:
- Finaldraft – A full-featured remote administration tool (RAT) with Microsoft Graph API C2 support
- Pathloader and Guidloader – Shellcode loaders used alongside Finaldraft
- Squidoor – Another name used by Palo Alto for the Finaldraft backdoor
“All indications point to Jewelbug being of Chinese origin, with its motivation most likely to be espionage and maintaining a long-term and stealthy presence on compromised networks,” Symantec concluded.
Perhaps the most striking revelation from the Symantec report is China’s willingness to target Russia — signaling a shift in regional cyber-espionage norms.
“The targeting of a Russian organization by a Chinese APT group shows that Russia is not out-of-bounds when it comes to operations by China-based actors,” the researchers wrote.
This attack, they note, had potential supply-chain implications, as the IT provider’s access could have enabled Jewelbug to infiltrate numerous Russian customers simultaneously.
“This attack had the potential to give the attackers access to a large number of companies in the country, which they could have used for cyber espionage or disruption,” Symantec warned.