Chinese hackers targeting Russia, once almost unthinkable given the "no-limits" partnership, are now a documented reality. A report from Symantec's Threat Hunter Team (Symantec is part of Broadcom) describes how Jewelbug, a China-linked APT group, quietly infiltrated a major Russian IT service provider and kept access for five months in 2025. Because the intruders reached the provider's code repositories and build systems, the breach creates a supply chain risk for that provider's Russian customers and raises questions about how much trust exists between Beijing and Moscow in cyberspace.
The Stealthy Rise of Jewelbug
Jewelbug isn't a run-of-the-mill ransomware crew. This threat actor, assessed to have strong ties to Chinese state interests, prioritizes long-term access over flashy destruction. According to the report, its toolkit mixes publicly available tools and renamed legitimate binaries with custom malware so that its activity disappears into everyday network and endpoint noise. That a Chinese APT of this calibre is now targeting Russia marks a real shift in the threat landscape.
Their tactics, techniques, and procedures (TTPs) read like a cyber spy novel:
- Credential Theft and Escalation: They dump credentials from LSASS process memory with tools such as Mimikatz, then escalate to SYSTEM with public exploits from the Potato family (PrintNotifyPotato, CoercedPotato, SweetPotato).
- Persistence and Cleanup: Scheduled tasks keep their tooling running across reboots, and clearing the Windows Event Logs removes the record of what they did. Note for defenders: clearing the Security log itself writes Event ID 1102, which is one of the few traces this step leaves behind.
- Bring-Your-Own-Vulnerable-Driver (BYOVD): They load the known-vulnerable ECHOAC driver using the EchoDrv tool and use the kernel access it provides to blind or kill endpoint detection software. No kernel bug is needed; the driver is signed and loads normally.
- Proxying and Tunneling: The EarthWorm SOCKS tunneling tool routes operator traffic through compromised hosts, so connections to internal systems appear to come from inside the network.
What sets Jewelbug apart is its heavy reliance on cloud services. In one case the group exfiltrated data to Yandex Cloud, a Russian service, ironically, while using the Microsoft Graph API and OneDrive for command-and-control (C2). Traffic to these services is expected in most corporate networks, which is exactly why they were chosen.
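The TTPs above each leave a recognisable trace in standard Windows telemetry. The following is an added example, not code from the Symantec report or from any Jewelbug sample: a small hunting routine that walks flattened Sysmon and Windows Security events and flags LSASS memory reads (Sysmon Event 10), a renamed cdb.exe (Sysmon Event 1, OriginalFileName mismatch), a vulnerable or user-writable-path driver load (Sysmon Event 6), Security log clearing (Event ID 1102), suspicious scheduled-task creation (Event ID 4698) and SOCKS-port connections from tools dropped in temp directories (Sysmon Event 3). The sample events, the allowlist of legitimate LSASS readers and the driver-name blocklist are all constructed for the example; a production version would match drivers by hash against the Microsoft vulnerable driver blocklist or loldrivers.io rather than by file name.

```python
import re

# Constructed sample telemetry (flattened Sysmon / Security events, not real logs).
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 10,
     "SourceImage": r"C:\Users\ops\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Channel": "Sysmon", "EventID": 1, "Image": r"C:\ProgramData\winsvc.exe",
     "OriginalFileName": "CDB.Exe", "CommandLine": "winsvc.exe -cf run.wds"},
    {"Channel": "Sysmon", "EventID": 6, "ImageLoaded": r"C:\Windows\Temp\echo_driver.sys"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "ops"},
    {"Channel": "Security", "EventID": 4698, "TaskName": r"\Microsoft\Windows\UpdateCheck",
     "TaskContent": "<Exec><Command>powershell.exe</Command>"
                    "<Arguments>-nop -w hidden -enc SQBFAFgA</Arguments></Exec>"},
    {"Channel": "Sysmon", "EventID": 3, "Image": r"C:\Windows\Temp\ew.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 1080},
    # Benign: a developer running the real debugger from its install location.
    {"Channel": "Sysmon", "EventID": 1,
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "CDB.Exe", "CommandLine": "cdb.exe -z crash.dmp"},
    # Benign: Defender's engine reading LSASS (allowlisted below).
    {"Channel": "Sysmon", "EventID": 10,
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
]

PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory
# Assumption: a site-specific allowlist of processes that legitimately read LSASS.
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
# Placeholder for a real vulnerable-driver blocklist; match on hash in production.
VULNERABLE_DRIVER_NAMES = {"echo_driver.sys"}
USER_WRITABLE = re.compile(r"\\(Temp|ProgramData|Users\\[^\\]+\\AppData)\\", re.IGNORECASE)
SUSPICIOUS_TASK = re.compile(r"(-enc\b|-nop\b|-w hidden|\\Temp\\|\\ProgramData\\)", re.IGNORECASE)


def basename(path):
    """Lower-cased Windows path basename that also works when run on Linux."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events):
    """Return a list of {'rule', 'index'} findings for the TTPs described above."""
    findings = []
    for i, ev in enumerate(events):
        ch, eid = ev["Channel"], ev["EventID"]
        if ch == "Sysmon" and eid == 10 and basename(ev["TargetImage"]) == "lsass.exe":
            # Credential dumping: VM_READ on LSASS from a process we do not expect.
            if (int(ev["GrantedAccess"], 16) & PROCESS_VM_READ
                    and basename(ev["SourceImage"]) not in LSASS_READERS_ALLOWED):
                findings.append({"rule": "lsass_read", "index": i})
        elif ch == "Sysmon" and eid == 1:
            # Renamed legitimate tool: the PE's OriginalFileName says cdb.exe, the file on disk does not.
            if (ev.get("OriginalFileName", "").lower() == "cdb.exe"
                    and basename(ev["Image"]) != "cdb.exe"):
                findings.append({"rule": "renamed_cdb", "index": i})
        elif ch == "Sysmon" and eid == 6:
            # BYOVD: known-vulnerable driver name, or any driver loaded from a user-writable path.
            loaded = ev["ImageLoaded"]
            if basename(loaded) in VULNERABLE_DRIVER_NAMES or USER_WRITABLE.search(loaded):
                findings.append({"rule": "byovd_driver_load", "index": i})
        elif ch == "Security" and eid == 1102:
            # Anti-forensics: the Security log was cleared; always worth a look.
            findings.append({"rule": "event_log_cleared", "index": i})
        elif ch == "Security" and eid == 4698 and SUSPICIOUS_TASK.search(ev.get("TaskContent", "")):
            # Persistence: new task running encoded PowerShell or binaries from temp locations.
            findings.append({"rule": "suspicious_scheduled_task", "index": i})
        elif (ch == "Sysmon" and eid == 3 and ev.get("DestinationPort") == 1080
                and USER_WRITABLE.search(ev["Image"])):
            # Tunneling heuristic: SOCKS default port from a binary dropped in a temp directory.
            findings.append({"rule": "socks_from_user_writable_path", "index": i})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["rule"], SAMPLE_EVENTS[f["index"]])
```

Each rule is deliberately narrow and keyed to a specific event ID, so the false-positive budget is spent where it matters: the two benign records (a debugger run from its install path and Defender reading LSASS) pass through untouched while all six attacker events are flagged.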
Chinese Hackers Targeting Russia: A Five-Month Shadow
The crown jewel (pun intended) of the report is Jewelbug's operation against a prominent Russian IT firm. From January to May 2025 the attackers burrowed deep into the company's network and gained access to its source code repositories and software build systems. That is not mere reconnaissance; it is positioning for a supply chain attack. Imagine malicious code slipping into an update pushed to the firm's Russian clients, potentially compromising government contractors, telecoms or financial services in a single release. The report does not say that such a tampered release was actually shipped, only that the access made it possible.
This marks a bold pivot for Jewelbug, which previously focused on Southeast Asia, South America and Taiwan. The Russian target stands out because a Chinese state-linked group hacking a Russian provider directly contradicts the public narrative of unbreakable Sino-Russian unity.
Tools of the Trade: From Cobalt Strike to Custom Nightmares
Jewelbug doesn't reinvent the wheel; it hot-wires it. The arsenal includes:
- FINALDRAFT (aka Squidoor): A cross-platform backdoor with Windows and Linux variants, previously linked to the activity clusters CL-STA-0049 and REF7707.
- VARGEIT and COBEACON (Cobalt Strike Beacon): Used by the related Earth Alux cluster against targets in APAC and LATAM.
- KillAV and Renamed Legitimate Tools: A KillAV utility disables security products, and a renamed copy of the Microsoft Console Debugger (cdb.exe) is repurposed to execute shellcode and run commands while looking like a signed Microsoft binary.
The overlap with other Chinese operations suggests a coordinated ecosystem of shared tooling, one that is evidently willing to turn on Russia when doing so serves Beijing's interests.
Geopolitical Ripples and Cybersecurity Wake-Up Call
On the surface, China-Russia ties are tighter than ever: joint military exercises, energy deals and coordinated UN vetoes. Yet this intrusion whispers of realpolitik. If Jewelbug is testing Russian defenses, it may signal broader ambitions in a multipolar world where even "friends" spy on each other.
For cybersecurity pros, the lessons are urgent:
- Monitor Cloud Integrations: Services such as the Graph API, OneDrive and Yandex Cloud are double-edged swords. Baseline which hosts talk to them and how much they send, and alert on hosts that suddenly start uploading large volumes or contacting a cloud storage service for the first time.
- Harden Supply Chains: IT providers should segment code repositories and build infrastructure from the general corporate network, require signed commits and reproducible builds, and apply zero-trust access controls to build systems so that a foothold on a workstation does not become write access to a release.
- Hunt for Living-Off-the-Land: Publicly available tools like cdb.exe or EarthWorm aren't inherently malicious, so signature matching alone misses them. Behavioral analytics are key: a debugger running from ProgramData under a different name, or a SOCKS tunnel from a temp directory, is the signal.
- Block Vulnerable Drivers: BYOVD does not exploit an unpatched kernel; it loads a signed driver that is itself vulnerable, so patching alone does not help. Enforce Microsoft's vulnerable driver blocklist (via WDAC and HVCI), alert on driver loads from user-writable paths, and inventory loaded drivers regularly against a known-bad list.
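The first lesson, auditing cloud integrations for anomalous uploads, is the least obvious to implement because the destinations are legitimate. The following is an added example, not code from the report or from any vendor product: it aggregates constructed proxy log lines (date, host, destination domain, bytes sent) into per-host daily totals, builds a baseline from the historical days, and flags two things for the cloud services named in the article: a host whose daily upload volume to a service exceeds a multiple of its own median, and a host that contacts a cloud storage service it has never used before while sending more than a minimum volume. The log lines, the host names, the domain list and the thresholds are all assumptions chosen for the illustration.

```python
import statistics
from collections import defaultdict

# Assumption: the cloud services mentioned in the report plus a OneDrive API host.
CLOUD_DOMAINS = {"graph.microsoft.com", "api.onedrive.com", "storage.yandexcloud.net"}

# Constructed proxy log lines: "<date> <host> <destination-domain> <bytes-sent>". Not real traffic.
PROXY_LOG = """
2025-03-01 build01 graph.microsoft.com 2000000
2025-03-02 build01 graph.microsoft.com 2500000
2025-03-03 build01 graph.microsoft.com 1800000
2025-03-04 build01 graph.microsoft.com 2200000
2025-03-05 build01 graph.microsoft.com 2100000
2025-03-01 dev07 graph.microsoft.com 3000000
2025-03-02 dev07 graph.microsoft.com 2000000
2025-03-03 dev07 graph.microsoft.com 4000000
2025-03-06 build01 graph.microsoft.com 400000000
2025-03-06 build01 graph.microsoft.com 500000000
2025-03-06 dev07 graph.microsoft.com 3000000
2025-03-06 dev07 storage.yandexcloud.net 350000000
2025-03-06 hr02 api.onedrive.com 50000
2025-03-06 hr02 www.example.org 900000000
""".strip().splitlines()


def aggregate(lines):
    """Sum bytes per (date, host, domain) from proxy log lines."""
    totals = defaultdict(int)
    for line in lines:
        date, host, domain, sent = line.split()
        totals[(date, host, domain)] += int(sent)
    return totals


def detect_cloud_anomalies(lines, ratio=10, new_dest_min_bytes=10_000_000):
    """Return (host, domain, rule, bytes) for anomalous cloud egress on the newest day.

    The newest date in the log is treated as "today"; all earlier dates form the baseline.
    Only domains in CLOUD_DOMAINS are examined, so the bulk upload to www.example.org
    in the sample is out of scope for this particular check.
    """
    totals = aggregate(lines)
    today = max(date for date, _, _ in totals)
    baseline = defaultdict(list)  # (host, domain) -> historical daily byte counts
    for (date, host, domain), sent in totals.items():
        if date != today and domain in CLOUD_DOMAINS:
            baseline[(host, domain)].append(sent)

    findings = []
    for (date, host, domain), sent in sorted(totals.items()):
        if date != today or domain not in CLOUD_DOMAINS:
            continue
        history = baseline.get((host, domain))
        if not history:
            # First contact with a cloud service; ignore small one-off API calls.
            if sent >= new_dest_min_bytes:
                findings.append((host, domain, "new_cloud_destination", sent))
        elif sent > ratio * statistics.median(history):
            # Same service as usual, but far more data than this host normally sends.
            findings.append((host, domain, "volume_spike", sent))
    return findings


if __name__ == "__main__":
    for finding in detect_cloud_anomalies(PROXY_LOG):
        print(*finding)
```

Comparing each host against its own history rather than a fleet-wide average matters here: a build server that routinely talks to the Graph API would never trip a global threshold, yet a jump from about 2 MB to 900 MB in a day is exactly the shape of a repository being exfiltrated. The small OneDrive call from hr02 is ignored because it falls below the new-destination minimum, which keeps the rule quiet on ordinary first-time logins.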
As Symantec warns, “Attackers had access to code repositories… that they could potentially leverage to carry out supply chain attacks targeting the company’s customers in Russia.”
Final Thoughts: Eyes Wide Open
The Jewelbug saga reminds us that in cyberspace no alliance is ironclad. A Chinese intrusion into a Russian provider doesn't shatter the Beijing-Moscow axis overnight, but it does expose its fragility. For businesses and governments alike the message is simple: assume breach, verify your partners, and harden what matters most. The tables may not have fully turned yet, but the spin has begun.
What do you think—paranoia or prudent preparation? If you’re in cybersecurity, let’s connect on LinkedIn.
Sources: Symantec Threat Hunter Team report on Jewelbug, as detailed in The Hacker News.
