
"According to Symantec, the intrusion stretched from early 2025 through to May, giving the adversaries months of undetected access to build servers, code repositories, and other sensitive infrastructure inside the victim's network. In effect, Jewelbug positioned itself to potentially mount a software supply chain assault on the provider's customers - a classic "break the door in from the inside" move that could ripple through a network of Russian firms."
"To stay hidden, the attackers used a renamed version of Microsoft's cdb.exe ("7zup.exe"), a tactic previously seen in Jewelbug operations, which can execute shellcode, spawn DLLs, or hijack processes. Credential dumps, scheduled-task persistence, and event log clearing were also part of their repertoire, and exfiltration was handled via Yandex Cloud - a tool Russian firms are unlikely to block or question, giving the attackers plausible deniability inside the country's cyber perimeter."
Symantec's Threat Hunter Team detected an intrusion by Chinese APT group Jewelbug (also tracked as REF7707, CL-STA-0049, or Earth Alux) into a Russian IT services firm. The compromise lasted from early 2025 through May, giving months of undetected access to build servers, code repositories, and other sensitive infrastructure. Attackers positioned themselves to potentially mount a software supply-chain assault on the provider's customers. The threat actors used a renamed Microsoft cdb.exe ('7zup.exe') capable of executing shellcode, spawning DLLs, and hijacking processes. Credential dumps, scheduled-task persistence, event-log clearing, and Yandex Cloud exfiltration aided stealth and plausible deniability.
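As a defender-side illustration added here (not code from The Register article or Symantec's report), the Python below checks three of the observables in the summary against constructed telemetry: a binary whose PE OriginalFileName is cdb.exe but whose on-disk name differs (the "7zup.exe" rename), audit-log clearing (Security event 1102), and scheduled-task creation (Security event 4698). The CSV layout, column names and sample rows are assumptions made for the example.

```python
import csv
import io
import ntpath

# Constructed telemetry in a Sysmon/Windows-audit-like shape: event 1 = process
# creation with the PE OriginalFileName field, 1102 = audit log cleared,
# 4698 = scheduled task created. Rows are made up; none come from the report.
SAMPLE_EVENTS = """event_id,image,original_file_name,detail
1,C:\\Users\\build\\AppData\\Local\\Temp\\7zup.exe,CDB.Exe,7zup.exe
1,C:\\Program Files\\7-Zip\\7z.exe,7z.exe,7z.exe a out.zip src
1,C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\cdb.exe,CDB.Exe,cdb.exe -p 4242
1102,,,The audit log was cleared
4698,,,Scheduled task created: \\Updater
"""

# OriginalFileName comes from the PE version resource, so renaming the file on
# disk does not change it; a mismatch is the signal for the renamed cdb.exe.
WATCHED_ORIGINALS = {"cdb.exe"}


def detect(csv_text: str) -> list[tuple[str, str]]:
    """Return (rule, evidence) pairs for every row that matches a rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        eid = row["event_id"]
        if eid == "1":
            on_disk = ntpath.basename(row["image"]).lower()
            original = row["original_file_name"].lower()
            # A legitimate cdb.exe keeps its name; only a renamed copy trips this.
            if original in WATCHED_ORIGINALS and on_disk != original:
                findings.append(("renamed_debugger", row["image"]))
        elif eid == "1102":
            findings.append(("audit_log_cleared", row["detail"]))
        elif eid == "4698":
            findings.append(("scheduled_task_created", row["detail"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

In production the same comparison runs over Sysmon Event ID 1 (which carries OriginalFileName) or EDR process telemetry; the scheduled-task and log-clearing hits are noisy on their own and are most useful correlated with the rename on the same host.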
Read at The Register