Jewelbug: Chinese APT Group Widens Reach to Russia

Oct. 24, 2025, 10:05 a.m.

Description

A Chinese APT group named Jewelbug has expanded its operations to target organizations in South America, South Asia, Taiwan, and Russia. The group's recent intrusion into a Russian IT service provider lasted for five months in 2025, potentially aiming for a supply chain attack. Jewelbug has deployed new backdoors, including one leveraging Microsoft Graph API and OneDrive for command and control. The group's tactics include using legitimate tools, DLL sideloading, and the bring-your-own-vulnerable-driver technique. Notably, Jewelbug's targeting of Russian organizations marks a shift in Chinese cyber operations, previously considered to be allied with Russia.

External References

https://www.security.com/threat-intelligence/jewelbug-apt-russia
https://otx.alienvault.com/pulse/68fb43f09453e7a12ad2dab2
Tags
dll sideloading
byovd
squidoor
2025-10-24

Date

  • Created: Oct. 24, 2025, 9:16 a.m.
  • Published: Oct. 24, 2025, 9:16 a.m.
  • Modified: Oct. 24, 2025, 10:05 a.m.

Indicators

  • d5147787d52636a3c6c2a0c84b351633ad7f45ce4ae5c2007e568f715fec3e49
  • bfe1538445e3f74ef7f41699482b40cf6f3b0a084e188f4c4b786b15eeb3601c
  • cc87dee890641bd015a04e46a881eb844c774519d55b986fb216c4c2141479e8
  • bc270539c6a057791fba4793dc7e2d2567070e50ea089cc6fa032b3285576c64
  • ba0dbee9538073fd81953a37218f200988ad91a8380e68118ea83e146e1d986d
  • b49e142b89c47757a0afb786bf0e6c11c9548f626c4127d4d16d30e3004bdfb1
  • a1e45ec8639f55290a5eb47e9f75e6413b12eaa6f9e3834af600e00fe529a637
  • 87ead55ff94b6cd9d80f590793d0dc17d9f5d442b6c827dcfb8db0c078918bd1
  • 9f4b046e9f9dbc36b8df011a69490948dce5b9645fc5209b0b3a60dad5a493e6
  • 872045fe5bea78e4daac4f0352028060b0fadccfbf0a40b57d405579821850bb
  • 6d4d9b68d02e93e721943a6943cda6544bf4d31d109415774565b544b512ed25
  • 67bb887a0f34543a32b845029be308f436704207a1964a2a3582f42fe6de4176
  • 5c3f0420c00e6ca123790403b6ed1f53f493357dfdd54ed9460d615d57f6bcd4
  • 5525c51063d40e12029d9ef4b646e261c853c655b9b2acc74a411428e873a8a1
  • 5c396da8b64faf6e29ee38cdf0a4b9a652e01236d2b981c2ca806aa14d94c956
  • 3f49bd1f3b0999096511757e0fbc2e4e2c18176fd1773f71baf2d7a15dbbcfbf
  • 259f65bcdd367e6d84a4cba75375744e85fbe58293c88b1ad5a1bee4add63b9d
  • 267ae4d7767d9980b3fbbfd5063bd28d5e05d22d64615fe7532d55a6063dfeb3
  • 37e83ffde09a83273a4cea7fe24d3fda63fb342e6a3512de4541d62ab43aadd0
  • 15eaa601b1bfb8cd7cd5513c692eea4ed4302f6fcbee4722433e0c85388de35d
  • 078a3a2c4f24d8811bb1aa673790c16ad5ea563127af1a5d4a41c893b215c372
  • 0642ada1f7c8b3cc43a1d69d6aa86fc1970e257271811e637b0e4349aa880fa8
  • 015e424dc798bc4ef39f5237062d2402f5207fbf912a22ce6fb46ef9e42fd6ca
  • 010f76b21251eb5d8bc77bcfdb47d5f13009aa985e744b843fc2e35b23fb2a44
  • cffca467b6ff4dee8391c68650a53f4f3828a0b5a31a9aa501d2272b683205f9
  • 95.164.5.209
  • cdn.kindylib.info
Download all indicators here!

Attack Patterns

  • Squidoor
  • Guidloader
  • Finaldraft
  • Pathloader
  • POISONPLUG.SHADOW
  • ShadowPad - S0596
  • Jewelbug

Additional Informations

  • Technology
  • Government
  • Taiwan
  • Russian Federation