A toolset associated with China-linked espionage intrusions was employed in a ransomware attack, likely by a single individual.
February 13, 2025 By Ionut Arghire

Tools typically employed by Chinese cyberespionage groups have been used in a recent ransomware attack, likely by an individual hacker, Symantec notes in a fresh report.
The toolset includes a legitimate Toshiba executable deployed on the victims’ systems to sideload a malicious DLL that deploys a heavily obfuscated payload containing the PlugX (aka Korplug) backdoor.
According to Symantec, the custom backdoor was previously linked to Mustang Panda (aka Earth Preta), a Chinese espionage group, and has never been used by threat actors in other countries.
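The sideloading pattern described above (a legitimate signed vendor executable loading a malicious DLL from its own directory) is something defenders can hunt for in image-load telemetry. The following is an added detection example, not code from Symantec or from the report; the executable and DLL names, paths and record format are constructed placeholders, not the real artifacts from the attack.

```python
# Added example: flag DLL side-loading candidates in constructed Sysmon-style
# image-load records (Event ID 7). The pattern of interest: a signed executable
# running from a user-writable directory loads an unsigned DLL from that same
# directory. Names, paths and the key=value format below are all constructed.
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample records (not real telemetry). Placeholder names only.
SAMPLE_EVENTS = """\
EventID=7 Image=C:\\Users\\Public\\tvend\\vendor_tool.exe ImageLoaded=C:\\Users\\Public\\tvend\\helper.dll Signed=false Signature=
EventID=7 Image=C:\\Users\\Public\\tvend\\vendor_tool.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true Signature=Microsoft Windows
EventID=7 Image=C:\\Program Files\\Vendor\\vendor_tool.exe ImageLoaded=C:\\Program Files\\Vendor\\helper.dll Signed=true Signature=Vendor Corp
EventID=1 Image=C:\\Users\\Public\\tvend\\vendor_tool.exe CommandLine=vendor_tool.exe
"""

# key=value pairs; values may contain spaces, so stop only before the next " key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# Directories where a same-directory DLL load is expected and low-signal.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one simplified key=value record into a dict."""
    return dict(KV_RE.findall(line.strip()))


def is_sideload_candidate(ev: Dict[str, str]) -> bool:
    """True when an image-load event matches the side-loading pattern."""
    if ev.get("EventID") != "7":
        return False
    loader_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    if loader_dir != dll_dir:              # DLL must sit beside the loader
        return False
    if any(loader_dir.startswith(d) for d in SYSTEM_DIRS):
        return False                       # normal for installed software
    return ev.get("Signed", "").lower() != "true"   # unsigned (or unknown) DLL


def find_sideload_candidates(log_text: str) -> List[Tuple[str, str]]:
    """Return (loader, dll) pairs from the log that merit analyst review."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_sideload_candidate(ev):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for loader, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate: {loader} -> {dll}")
```

Signer mismatch (executable signed by one vendor, DLL signed by another) is a useful second condition once real signature fields are available.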