Symantec: Chinese Hack Group ‘Jewelbug’ Breached Russian IT Services Provider

A China-linked cyber-espionage group known as Jewelbug infiltrated the network of a Russian IT services provider, maintaining access for nearly five months, according to a report by the Symantec Threat Hunter Team.
The breach marks the first time the group has been observed operating outside Southeast Asia and South America, signaling a significant expansion of Chinese cyber activity into Russia.


Russia No Longer a “Forbidden Zone”

Symantec said the operation demonstrates that Russia is not a “forbidden zone” for Chinese espionage, despite recent cooperation between Moscow and Beijing across military and economic fronts.

Researchers believe the campaign was highly strategic, targeting the IT provider as a potential springboard for supply chain attacks against its downstream clients in Russia.


“The attackers gained access to code repositories and software build systems, which could potentially be used for supply chain attacks,” Symantec noted.
Investigators also found that data was exfiltrated to Yandex Cloud, an unusual choice that could help the attackers blend into Russian network traffic.

Timeline and Technical Details

The intrusion reportedly lasted from January through May 2025. During this period, Jewelbug used a renamed copy of Microsoft's Console Debugger (cdb.exe), a signed Microsoft binary that application allow-listing policies commonly permit, to execute shellcode, bypass application allow-lists, and disable security tools.
The group also harvested credentials, established persistence through scheduled tasks, and cleared Windows event logs to cover its tracks.

According to Symantec, the attack overlaps with several known Chinese threat clusters, including CL-STA-0049 (Palo Alto Networks), Earth Alux (Trend Micro), and REF7707 (Elastic Security Labs)—suggesting collaboration or shared tooling between these groups.


Linked Operations and Malware Families

Earth Alux has been active since mid-2023, targeting government, telecommunications, logistics, and technology sectors across the Asia-Pacific and Latin America regions. The group is known for deploying malware such as VARGEIT and COBEACON (a variant of Cobalt Strike Beacon).

Other overlapping operations, including CL-STA-0049/REF7707, have used the FINALDRAFT (also tracked as Squidoor) backdoor, malware with both Windows and Linux variants.
Symantec says this is the first time these activity clusters have been directly linked, marking a step toward unifying attribution of overlapping Chinese campaigns.


Graph API-Based Espionage

Jewelbug was also linked to a July 2025 breach of a South American government organization, where the group deployed a new backdoor still under active development.
This malware leverages the Microsoft Graph API and OneDrive for command-and-control (C2), allowing the attackers to collect system data, list files, and upload stolen content to OneDrive.

By abusing legitimate Microsoft services, the group effectively camouflages its activity as normal network traffic, leaving minimal forensic traces and extending its dwell time inside compromised environments.
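As an added illustration of the detection logic a defender would want for the tradecraft described in the two sections above (a renamed cdb.exe, scheduled-task persistence and event-log clearing on the one hand, Graph API/OneDrive command-and-control on the other), the following Python is example code written for this page; it is not Symantec's detection content and not code from any vendor report. The events are constructed Sysmon-style process-create (EventID 1) and network-connect (EventID 3) records plus a Security "log cleared" record (EventID 1102), not indicators from the report. The Graph/OneDrive domain list and the allow-list of images expected to talk to those domains are assumptions to tune per environment.

```python
"""Detection sketch for Jewelbug-style tradecraft.
Sample events below are constructed for this example; none are real indicators."""
import ntpath
import re

# Constructed telemetry: Sysmon EventID 1 (process create), EventID 3 (network
# connection) and Windows Security EventID 1102 (audit log cleared).
SAMPLE_EVENTS = [
    # Renamed debugger: PE version info still says CDB.Exe, but it runs as svchost.exe
    {"Channel": "Sysmon", "EventID": 1, "Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "CDB.Exe",
     "CommandLine": r"svchost.exe -cf C:\Users\Public\s.wds"},
    # Scheduled-task persistence pointing at the dropped binary
    {"Channel": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn "Updater" /tr C:\Users\Public\svchost.exe'},
    # Anti-forensics: clearing the Security log via wevtutil, and the resulting 1102
    {"Channel": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "OriginalFileName": "wevtutil.exe", "CommandLine": "wevtutil cl Security"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "svc_build"},
    # Graph API traffic from the renamed binary (suspicious) and from Outlook (expected)
    {"Channel": "Sysmon", "EventID": 3, "Image": r"C:\Users\Public\svchost.exe",
     "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443},
    {"Channel": "Sysmon", "EventID": 3,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443},
    # Legitimate, un-renamed debugger use: must NOT alert
    {"Channel": "Sysmon", "EventID": 1,
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "CDB.Exe", "CommandLine": r"cdb.exe -z C:\dumps\app.dmp"},
]

# Assumed: Microsoft endpoints a Graph/OneDrive C2 channel would reach.
GRAPH_DOMAINS = ("graph.microsoft.com", "onedrive.live.com", "1drv.ms")
# Assumed: images expected to talk to those endpoints in this environment (tune per site).
GRAPH_ALLOWLIST = {"outlook.exe", "onedrive.exe", "teams.exe", "msedge.exe",
                   "excel.exe", "winword.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path or "").lower()


def is_renamed_cdb(ev):
    """Binary whose PE version info says CDB.Exe but which runs under another file name."""
    return (ev.get("EventID") == 1
            and (ev.get("OriginalFileName") or "").lower() == "cdb.exe"
            and _basename(ev.get("Image")) != "cdb.exe")


def is_schtasks_persistence(ev):
    """schtasks.exe invoked with /create (new scheduled task)."""
    return (ev.get("EventID") == 1
            and _basename(ev.get("Image")) == "schtasks.exe"
            and re.search(r"/create\b", ev.get("CommandLine", ""), re.I) is not None)


def is_log_clearing(ev):
    """Security 1102 (log cleared) or wevtutil cl / clear-log on the command line."""
    if ev.get("Channel") == "Security" and ev.get("EventID") == 1102:
        return True
    return (ev.get("EventID") == 1
            and _basename(ev.get("Image")) == "wevtutil.exe"
            and re.search(r"\b(cl|clear-log)\b", ev.get("CommandLine", ""), re.I) is not None)


def is_unexpected_graph_client(ev, allowlist=GRAPH_ALLOWLIST):
    """Network connection to a Graph/OneDrive endpoint from an image not on the allow-list."""
    if ev.get("EventID") != 3:
        return False
    host = (ev.get("DestinationHostname") or "").lower()
    to_graph = any(host == d or host.endswith("." + d) for d in GRAPH_DOMAINS)
    return to_graph and _basename(ev.get("Image")) not in allowlist


RULES = [
    ("renamed_cdb", is_renamed_cdb),
    ("schtasks_persistence", is_schtasks_persistence),
    ("log_clearing", is_log_clearing),
    ("unexpected_graph_client", is_unexpected_graph_client),
]


def run_detections(events):
    """Return (rule_name, subject) pairs; subject is the image, or the user for 1102."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.get("Image") or ev.get("SubjectUserName")))
    return hits


if __name__ == "__main__":
    for name, subject in run_detections(SAMPLE_EVENTS):
        print(f"{name:<25} {subject}")
```

The renamed-cdb rule keys on Sysmon's OriginalFileName field rather than the on-disk name, which is what a rename is meant to defeat; the Graph rule deliberately does not try to distinguish good from bad Graph traffic by content (it is TLS to a legitimate Microsoft endpoint) and instead asks which process is making the connection, which is the one signal the camouflage described above does not hide.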


Strategic Implications

Symantec’s findings suggest that Chinese cyber-espionage groups are increasingly targeting service providers—not just governments or critical infrastructure—to gain indirect access to broader ecosystems.
As the Jewelbug operation shows, supply chain infiltration remains one of the most effective methods for scaling espionage campaigns while maintaining plausible deniability.

“Jewelbug prefers to use cloud services and other legitimate tools to remain undetected and create a covert and persistent presence,” Symantec concluded. “That persistence is critical to the group’s long-term objectives.”