TechRadar
Sead Fadilpašić

Cybercriminals linked to China are going after Russian targets


It would seem China and Russia aren't exactly allies when it comes to cyberspace: Russian researchers have spotted malware associated with Chinese state-sponsored groups on devices belonging to Russian government organizations and IT providers.

Cybersecurity researchers from Kaspersky say that since late July they have observed "dozens" of infected computers, all compromised in a campaign they call EastWind. The malware samples recovered during their analysis appear to have been developed by two China-nexus groups, APT27 and APT31.

Kaspersky said the initial compromise was achieved via phishing emails. The attackers sent messages with two attachments, one legitimate and one malicious. The malicious one communicated with Dropbox, GitHub, Quora, LiveJournal and Yandex.Disk, legitimate cloud services that the threat actors repurposed as command and control (C2) channels, so that the malware's traffic blends in with ordinary use of those sites.

Multiple payloads

Through these cloud services, the attackers instructed the malware to download second-stage payloads, including a trojan called GrewApacha and a backdoor called CloudSorcerer.
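The detection angle a defender would take from the two paragraphs above is not a file hash but the behaviour: an unexpected process on an endpoint talking to Dropbox, GitHub, Quora, LiveJournal or Yandex.Disk. The script below is an added illustration of that heuristic, not Kaspersky's tooling or any indicator from its report. The log format, the service hostnames and the allowlist of processes for which such traffic is normal are assumptions, and the log lines are constructed.

```python
"""Flag endpoint processes reaching cloud services that EastWind-style malware
uses as C2 channels. Added example; log format, hostnames and the process
allowlist are assumptions, not indicators from the Kaspersky report."""
import re
from collections import OrderedDict

# Domain suffixes for the services named in the article (hostnames assumed).
CLOUD_C2_SUFFIXES = {
    "dropboxapi.com": "Dropbox",
    "dropbox.com": "Dropbox",
    "github.com": "GitHub",
    "githubusercontent.com": "GitHub",
    "quora.com": "Quora",
    "livejournal.com": "LiveJournal",
    "disk.yandex.ru": "Yandex.Disk",
    "cloud-api.yandex.net": "Yandex.Disk",
}

# Processes for which traffic to those services is expected (assumed baseline
# for the organisation; tune to your own environment).
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe", "git.exe"}

# Assumed per-connection log format: "<timestamp> host=<name> proc=<image> dst=<hostname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$")


def service_for(hostname):
    """Return the service name if hostname is (a subdomain of) a listed service, else None."""
    hostname = hostname.lower().rstrip(".")
    for suffix, service in CLOUD_C2_SUFFIXES.items():
        if hostname == suffix or hostname.endswith("." + suffix):
            return service
    return None


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious(lines):
    """Group hits by (host, process). A non-browser process that touches several of
    these services from one host is the stronger signal, so services are aggregated."""
    hits = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the sweep
        service = service_for(rec["dst"])
        if service is None or rec["proc"].lower() in EXPECTED_CLIENTS:
            continue
        key = (rec["host"], rec["proc"])
        entry = hits.setdefault(
            key, {"host": rec["host"], "proc": rec["proc"], "services": set(), "destinations": []}
        )
        entry["services"].add(service)
        entry["destinations"].append(rec["dst"])
    results = []
    for entry in hits.values():
        entry["services"] = sorted(entry["services"])
        results.append(entry)
    return results


# Constructed sample log: one workstation where rundll32.exe reaches Dropbox and
# GitHub, one where svchost.exe reaches LiveJournal, plus benign traffic.
SAMPLE_LOG = """\
2024-08-01T10:02:11Z host=ws-17 proc=chrome.exe dst=github.com
2024-08-01T10:03:40Z host=ws-17 proc=rundll32.exe dst=api.dropboxapi.com
2024-08-01T10:03:41Z host=ws-17 proc=rundll32.exe dst=content.dropboxapi.com
2024-08-01T10:05:02Z host=ws-17 proc=rundll32.exe dst=raw.githubusercontent.com
2024-08-01T10:06:15Z host=ws-22 proc=outlook.exe dst=outlook.office365.com
2024-08-01T10:07:30Z host=ws-22 proc=dropbox.exe dst=api.dropboxapi.com
# malformed line kept to show the parser skips it
2024-08-01T10:08:12Z host=ws-22 proc=svchost.exe dst=www.livejournal.com
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{hit['host']} {hit['proc']} -> {', '.join(hit['services'])} "
              f"({len(hit['destinations'])} connections)")
```

Suffix matching rather than exact hostnames is deliberate: API endpoints for these services sit on subdomains, and an exact list would miss them. The allowlist is a baseline, not a verdict; a malicious DLL loaded into a browser process would pass it, so this is a triage filter to pair with process-lineage data, not a standalone rule.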

CloudSorcerer was also spotted in attacks against American organizations in late May 2024, The Register reports. In the EastWind campaign, CloudSorcerer was used to download a previously unseen implant dubbed PlugY, which can manipulate files, run shell commands, log keystrokes, monitor the screen, edit clipboard contents, and more.

"Analysis of the implant is still ongoing, but we can conclude with a high degree of confidence that the code of the DRBControl (aka Clambling) backdoor was used to develop it," Kaspersky said in its report. DRBControl is attributed to APT27. Since the malware used in the EastWind campaign resembles variants used by both APT27 and APT31, Kaspersky believes this "clearly shows" how Chinese state-sponsored actors "very often team up, actively sharing knowledge and tools."

On the surface, China and Russia often act as allies, supporting each other's political and military aspirations. China, for example, supports Russia's invasion of Ukraine, while Russia repeats China's "one China" position, a formulation used to deny Taiwan's sovereignty and territorial integrity. When it comes to the fight for information, however, it would seem that there are no alliances.
