$2 Million Ransom Demand Highlights Blurred Lines Between Espionage and Cybercrime
A significant ransomware attack has exposed a concerning intersection between Chinese state-sponsored cyber espionage and financially motivated cybercrime.
The RA World ransomware, deployed by a threat actor known as Emperor Dragonfly (also linked to Bronze Starlight), targeted an Asian software and services company. The attackers demanded an initial ransom payment of $2 million.
Symantec’s Threat Hunter Team investigated the late 2024 incident. Their findings highlight a potential overlap between state-backed cyber espionage actors and financially motivated cybercrime groups.
“During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks,” the researchers stated.
They added that “tools associated with China-based espionage groups are often shared resources,” but “many aren’t publicly available and aren’t usually associated with cybercrime activity.”
This ransomware attack is not an isolated incident. A July 2024 report from Palo Alto Networks’ Unit 42 also linked Emperor Dragonfly to RA World, although with low confidence. The report noted that RA World originated from RA Group, a Babuk-based family launched in 2023.
Technical Analysis: The Tools and Techniques Behind the RA World Attack
The Chinese espionage campaign, spanning July 2024 to January 2025, targeted government ministries and telecom operators in Southeast Europe and Asia. The primary goal appeared to be establishing long-term network persistence.
The attackers used a specific PlugX (Korplug) backdoor variant deployed via DLL sideloading with a Toshiba executable (toshdpdb.exe) and a malicious DLL (toshdpapi.dll). Symantec also observed the use of NPS proxy, a Chinese-developed tool for covert network communication, and various RC4-encrypted payloads.
In November 2024, the same Korplug payload was used against a South Asian software company, followed by an RA World ransomware attack. The attackers exploited a Palo Alto Networks PAN-OS vulnerability (CVE-2024-0012) to gain initial access.
They then used the same sideloading technique to deploy Korplug before encrypting the victim’s systems.
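One defensive angle on the sideloading step described above is to hunt for a signed vendor executable loading an unsigned DLL from its own directory outside a normal install location. The following is an added example, not code from Symantec's report or from the incident; the image-load records are constructed samples modelled loosely on Sysmon "Image loaded" fields, and the trusted-directory heuristic and the "Signed" flag are simplifying assumptions rather than a real signature check.

```python
import ntpath

# Constructed image-load records (hypothetical samples shaped like the fields of
# a Sysmon Event ID 7 "Image loaded" event). Not telemetry from the incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\rpcrt4.dll", "Signed": True},
    # Legitimate-looking case: vendor binary and DLL under Program Files, signed.
    {"Image": r"C:\Program Files\Toshiba\toshdpdb.exe",
     "ImageLoaded": r"C:\Program Files\Toshiba\toshdpapi.dll", "Signed": True},
    # Sideloading pattern: same file names, unsigned DLL, user-writable directory.
    {"Image": r"C:\Users\Public\Libraries\toshdpdb.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\toshdpapi.dll", "Signed": False},
    # The same process loading a system DLL is not interesting by itself.
    {"Image": r"C:\Users\Public\Libraries\toshdpdb.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
]

# Directories from which a signed vendor executable is normally expected to run
# (assumed baseline; tune to the environment).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def in_trusted_root(path: str) -> bool:
    """True if the path lies under a standard Windows or Program Files directory."""
    return path.lower().startswith(TRUSTED_ROOTS)


def sideload_alerts(events):
    """Return one alert per event matching the sideloading pattern: an executable
    loading an unsigned DLL from its own directory, when that directory is not a
    standard install location."""
    alerts = []
    for ev in events:
        exe_dir = ntpath.dirname(ev["Image"]).lower()
        dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
        if exe_dir != dll_dir or ev["Signed"] or in_trusted_root(exe_dir + "\\"):
            continue
        alerts.append({
            "process": ntpath.basename(ev["Image"]),
            "dll": ntpath.basename(ev["ImageLoaded"]),
            "directory": exe_dir,
        })
    return alerts


if __name__ == "__main__":
    for a in sideload_alerts(SAMPLE_EVENTS):
        print(f"possible sideload: {a['process']} loaded {a['dll']} from {a['directory']}")
```

On the constructed sample only the third record fires, which is the shape of the toshdpdb.exe / toshdpapi.dll pairing described above when it appears outside a vendor install path.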
The evidence suggests a concerning possibility: Chinese state-backed cyber operatives involved in espionage may be engaging in ransomware attacks for personal profit.
Symantec’s report provides indicators of compromise (IoCs) to help organizations detect and prevent similar attacks. The use of Chinese espionage tools in this ransomware attack underscores the evolving and increasingly blurred lines between state-sponsored cyber activity and financially driven cybercrime.