Jewelbug: Chinese APT Group Widens Reach to Russia

NetmanageIT OpenCTI - opencti.netmanageit.com



SUMMARY:

A Chinese APT group named Jewelbug has expanded its operations to target organizations in South America, South Asia, Taiwan, and Russia. The group's recent intrusion into a Russian IT service provider lasted for five months in 2025, potentially aiming for a supply chain attack. Jewelbug has deployed new backdoors, including one leveraging Microsoft Graph API and OneDrive for command and control. The group's tactics include using legitimate tools, DLL sideloading, and the bring-your-own-vulnerable-driver technique. Notably, Jewelbug's targeting of Russian organizations marks a shift in Chinese cyber operations, previously considered to be allied with Russia.

OPENCTI LABELS:

byovd, dll sideloading, squidoor


AI COMMENTARY:

1. In recent months, cybersecurity researchers have shone a spotlight on Jewelbug, a sophisticated Chinese APT group whose expanding geopolitical reach is causing alarm across the global security community. Originally known for targeting organizations in South America, South Asia, and Taiwan, Jewelbug's latest campaign signals a notable pivot: it infiltrated a Russian IT service provider for five months in 2025. Security teams now recognize that this operation may have sought to establish a foothold for a broader supply chain attack, raising questions about the integrity of critical digital infrastructure in allied and adversary states alike.

2. Jewelbug's geographic footprint has grown steadily since its emergence, but its venture into Russia represents a strategic departure from expected patterns of Chinese cyber activity. While South American and South Asian victims endured espionage and data theft, the Russian intrusion points to a potential shift toward disrupting or surveilling supply chains linked to defense and government services. The prolonged dwell time within the IT service provider's network gave the adversary ample opportunity to map the environment, harvest credentials, and embed new backdoors, laying the groundwork for future operations that could ripple through numerous downstream customers.

3. At the heart of Jewelbug's arsenal are several advanced techniques that blur the line between legitimate software use and malicious exploitation. The group has deployed a BYOVD (bring-your-own-vulnerable-driver) strategy to bypass kernel protections, while DLL sideloading lets it run its code inside trusted, signed processes undetected. Its latest implant, codenamed SquidDoor, uses the Microsoft Graph API and OneDrive for command-and-control traffic, making it exceedingly difficult to distinguish routine cloud service calls from stealthy data exfiltration. These techniques allow Jewelbug to evade signature-based detection and maintain persistent access without triggering conventional alarms.

4. Jewelbug's decision to target Russian organizations marks a profound evolution in Chinese cyber operations, which were once presumed to steer clear of Moscow's sphere of influence. This offensive turn not only complicates the cyber threat landscape but also raises the geopolitical stakes, as Russia grapples with incursions from an unexpected adversary. The group's focus on IT service providers amplifies the risk of cascading impacts, potentially compromising clients across multiple sectors. As state-aligned actors escalate such campaigns, multinational enterprises must reassess trust boundaries and reevaluate their reliance on any single service provider.

5. To defend against Jewelbug and similar APT groups, organizations should adopt a multilayered security posture. Continuous monitoring of cloud API activity can help detect anomalous Microsoft Graph and OneDrive calls, for example requests to those endpoints from processes that have no business making them. Strict driver allowlisting and kernel integrity measurements mitigate BYOVD attacks, while code-signing enforcement and application allowlisting thwart DLL sideloading. Finally, rigorous third-party risk assessments and supply chain audits are essential to identify hidden dependencies and prevent adversaries from exploiting trusted intermediaries. In an era of agile threats like Jewelbug, proactive threat hunting and collaboration with intelligence-sharing communities remain vital to staying one step ahead.
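The cloud API monitoring recommended above can be expressed as a simple baseline check over endpoint network telemetry. The script below is an added illustration written for this page, not code from the report or from any vendor tool: it reads constructed CSV records (host, image path, destination, bytes sent), flags Graph/OneDrive traffic from processes outside an assumed per-organisation baseline, flags baseline process names running from unusual paths (the pattern a sideloaded legitimate binary leaves behind), and flags high upload volumes to those hosts. The baseline table, the byte threshold and the log format are all assumptions to be replaced with the organisation's own data.

```python
"""Baseline check for Microsoft Graph / OneDrive traffic in endpoint telemetry.

Added example for this page (not from the report). All log records below are
constructed; the caller baseline and threshold are placeholders.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Cloud endpoints the report associates with Jewelbug's C2 channel.
CLOUD_API_HOSTS = {"graph.microsoft.com", "onedrive.live.com"}

# ASSUMPTION: processes expected to call these APIs, keyed by lower-case image
# name, with path fragments they normally run from. Build this from your own fleet.
EXPECTED_CALLERS = {
    "outlook.exe": ("\\microsoft office\\",),
    "onedrive.exe": ("\\microsoft\\onedrive\\",),
    "ms-teams.exe": ("\\windowsapps\\msteams",),
}

# ASSUMPTION: bytes sent per process to cloud API hosts above which we flag exfiltration.
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024

# Constructed sample telemetry: one legitimate Outlook call, one legitimate OneDrive
# sync, an unknown binary calling Graph, and a OneDrive.exe from an odd path uploading a lot.
SAMPLE_LOG = r"""timestamp,host,image_path,dest_host,bytes_out
2025-03-01T09:00:01Z,WS01,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,graph.microsoft.com,4096
2025-03-01T09:00:05Z,WS01,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe,onedrive.live.com,20480
2025-03-01T09:01:10Z,SRV-BUILD02,C:\Users\Public\Libraries\update.exe,graph.microsoft.com,512
2025-03-01T09:02:00Z,SRV-BUILD02,C:\ProgramData\Update\OneDrive.exe,graph.microsoft.com,60000000
2025-03-01T09:03:00Z,WS02,C:\Windows\Temp\print.exe,api.github.com,1024
"""


@dataclass
class Finding:
    rule: str
    host: str
    image: str
    detail: str


def parse_events(text):
    """Parse CSV telemetry into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def analyse(events):
    """Return findings for anomalous Graph/OneDrive callers and upload volume."""
    findings = []
    bytes_out = defaultdict(int)
    for ev in events:
        dest = ev["dest_host"].lower()
        if dest not in CLOUD_API_HOSTS:
            continue  # only cloud API traffic is in scope here
        image = ev["image_path"].lower()
        name = image.rsplit("\\", 1)[-1]
        expected_paths = EXPECTED_CALLERS.get(name)
        if expected_paths is None:
            findings.append(Finding("unexpected-graph-caller", ev["host"], image,
                                    f"{name} is not a baseline caller of {dest}"))
        elif not any(frag in image for frag in expected_paths):
            # Known name, wrong location: consistent with a copied signed binary
            # used for DLL sideloading.
            findings.append(Finding("known-name-unusual-path", ev["host"], image,
                                    f"{name} running outside its expected directories"))
        bytes_out[(ev["host"], image)] += int(ev["bytes_out"])
    for (host, image), total in bytes_out.items():
        if total > EXFIL_BYTES_THRESHOLD:
            findings.append(Finding("high-volume-upload", host, image,
                                    f"{total} bytes sent to cloud API hosts"))
    return findings


def run_demo():
    """Analyse the constructed sample log and return the findings."""
    return analyse(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.rule}] {f.host} {f.image}: {f.detail}")
```

In production the same three rules would run over EDR or proxy logs rather than an inline string, and the baseline would be learned from a quiet period rather than typed by hand; the point is that Graph API C2 is only invisible if nobody asks which process opened the connection.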
