
Cybersecurity experts at Symantec report that the Chinese threat actor Emperor Dragonfly has employed tools previously associated with espionage to carry out a ransomware attack. This incident, recorded in late 2024, saw the deployment of RA World ransomware against an Asian IT company.
Emperor Dragonfly (also known as Bronze Starlight) has historically been linked to cyber espionage; however, its recent activities now intersect with ransomware operations. Initial reports of the group’s connection to RA World surfaced in July 2024, though attribution at the time remained uncertain. Researchers now assert that RA World is a derivative of the RA Group, a ransomware family that emerged in 2023 following the leak of Babuk’s source code.
In July, an unidentified hacking collective targeted the Ministry of Foreign Affairs of a Southeast European nation, leveraging DLL sideloading alongside a legitimate Toshiba executable. This technique facilitated the deployment of a heavily encrypted PlugX (Korplug) payload—malware almost exclusively attributed to Chinese cyber operations.
Subsequent attacks were observed in August 2024, striking government agencies in another Southeast European country, followed by an assault on a ministry in Southeast Asia. In September, attackers briefly infiltrated a telecommunications company in the region, and by January 2025, they had compromised a government ministry in yet another Southeast Asian nation.
Against this backdrop of cyber espionage, Emperor Dragonfly carried out a ransomware attack in November 2024, targeting an IT firm in South Asia. The breach is believed to have been facilitated by the exploitation of CVE-2024-0012 in Palo Alto PAN-OS. Once inside the network, the attackers exfiltrated Amazon S3 credentials before encrypting the victim’s systems with RA World ransomware.
The perpetrators initially demanded a $2 million ransom, offering a reduced sum of $1 million for swift payment. The attack also featured the use of Toshiba DLL sideloading with PlugX, reinforcing links to prior espionage campaigns.
There are competing theories regarding why a group historically associated with state-sponsored cyber espionage has adopted cybercriminal tactics. Some analysts suggest that the operation was intended as a diversionary maneuver to obscure other covert activities. However, the nature of the attack—coupled with active ransom negotiations—indicates a deliberate financial motive.
An alternative hypothesis posits that an insider within the group, having privileged access to an advanced arsenal of espionage tools, may have repurposed them for personal financial gain. While such behavior is common among North Korean-affiliated threat actors, it remains an unusual phenomenon among Chinese cyber-espionage groups.
Based on the available intelligence, researchers do not rule out the possibility that state-sponsored cyber operatives may be engaging in parallel criminal activities for personal profit.