The alleged Chinese-speaking cybercriminal organisation dubbed Emperor Dragonfly has recently been observed using, in a ransomware attack, a toolkit that is otherwise associated with espionage operations.
Reports revealed that a group of hackers leveraged the RA World ransomware to target an Asian software and services company, demanding a $2 million initial ransom payment. Researchers discovered the activity in late 2024, indicating a possible overlap between state-backed cyber espionage actors and financially motivated cybercrime groups.
During last year's attack, the attacker used a distinct toolset previously seen in classic espionage operations by a China-linked actor. The investigators add that tools associated with China-based espionage groups are frequently shared among those groups, but many are not publicly available and are not usually seen in cybercrime activity.
In July 2024, separate research had already linked Emperor Dragonfly to RA World, albeit with low confidence. That research assessed that RA World evolved from RA Group, which debuted in 2023 as a Babuk-based family.
Emperor Dragonfly morphed from an espionage to a ransomware group.
Between July 2024 and January 2025, the China-based Emperor Dragonfly espionage actor targeted government departments and telecom carriers across Southeast Europe and Asia, apparently seeking long-term persistence in those networks.
In these attacks, a specific variant of the PlugX backdoor was delivered through DLL sideloading: a legitimate Toshiba application (toshdpdb.exe) was used to load a malicious DLL (toshdpapi.dll) placed alongside it, so that the backdoor ran under the signed vendor binary.
Further investigations into the campaigns discovered the use of NPS, an open-source proxy tool developed in China, for covert network communication, as well as various RC4-encrypted payloads. In November last year, the same payload was used in an attack against a South Asian software company; this time, it was followed by the RA World ransomware.
The attacker allegedly infiltrated the network via CVE-2024-0012 (an authentication bypass in the management web interface of Palo Alto Networks PAN-OS) and used the same sideloading approach with the Toshiba executable and DLL to deploy the PlugX variant before deploying the ransomware to encrypt workstations.
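The sideloading pair described above is easy to hunt for once you have image-load telemetry, because the genuine Toshiba application and a dropped copy differ in where they run from and in whether the loaded DLL is vendor-signed. The following hunting script is an added example and is not code from the original report or from any vendor; it assumes records shaped like the Image, ImageLoaded, Signed and Signature fields of Sysmon Event ID 7, assumes a vendor install path and signer name (both marked as assumptions in the code), and runs over constructed sample events rather than real incident data.

```python
# Added hunting example (not from the original report): flag the toshdpdb.exe /
# toshdpapi.dll sideloading pair in image-load telemetry such as Sysmon Event ID 7.
from __future__ import annotations
from dataclasses import dataclass
import ntpath

HOST_EXE = "toshdpdb.exe"        # legitimate, signed Toshiba binary abused as the loader
SIDELOAD_DLL = "toshdpapi.dll"   # DLL name the loader resolves from its own directory

# Assumption: the vendor's real install locations. Adjust to the fleet's actual paths.
TRUSTED_DIRS = (
    "c:\\program files\\toshiba\\",
    "c:\\program files (x86)\\toshiba\\",
)
TRUSTED_SIGNER = "toshiba"       # assumption: substring expected in the DLL signer name


@dataclass(frozen=True)
class ImageLoad:
    """One image-load record (mirrors the Sysmon ID 7 fields Image, ImageLoaded,
    Signed and Signature)."""
    process_image: str   # full path of the process that loaded the DLL
    image_loaded: str    # full path of the DLL that was mapped
    signed: bool         # True if the DLL carried a valid Authenticode signature
    signature: str       # signer subject name, empty when unsigned


def _in_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def sideload_findings(ev: ImageLoad) -> list[str]:
    """Return the reasons an image load looks like PlugX-style sideloading.

    An empty list means the event is either unrelated or consistent with the
    genuine application loading its own DLL from the vendor's install path.
    """
    proc = ntpath.basename(ev.process_image).lower()
    dll = ntpath.basename(ev.image_loaded).lower()
    if proc != HOST_EXE or dll != SIDELOAD_DLL:
        return []

    reasons: list[str] = []
    # Sideloading works because the DLL sits beside the executable; that is also
    # true of the genuine install, so location and signature are what separate a
    # dropped copy from the real product.
    if not _in_trusted_dir(ev.process_image):
        reasons.append(f"host binary running outside vendor path: {ev.process_image}")
    if not ev.signed:
        reasons.append(f"{dll} is unsigned")
    elif TRUSTED_SIGNER not in ev.signature.lower():
        reasons.append(f"{dll} signed by unexpected signer: {ev.signature}")
    return reasons


def hunt(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious loader path to the findings raised against it."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        reasons = sideload_findings(ev)
        if reasons:
            hits.setdefault(ev.process_image, []).extend(reasons)
    return hits


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    # Genuine product: trusted path, vendor-signed DLL -> no finding.
    ImageLoad("C:\\Program Files\\Toshiba\\App\\toshdpdb.exe",
              "C:\\Program Files\\Toshiba\\App\\toshdpapi.dll",
              True, "Toshiba Corporation"),
    # Dropped copy in a writable directory with an unsigned DLL -> two findings.
    ImageLoad("C:\\ProgramData\\Update\\toshdpdb.exe",
              "C:\\ProgramData\\Update\\toshdpapi.dll",
              False, ""),
    # Unrelated image load -> ignored.
    ImageLoad("C:\\Windows\\explorer.exe",
              "C:\\Windows\\System32\\shell32.dll",
              True, "Microsoft Windows"),
]

if __name__ == "__main__":
    for loader, reasons in hunt(SAMPLE_EVENTS).items():
        print(loader)
        for r in reasons:
            print("  -", r)
```

The two checks are deliberately independent: a copy of the pair dropped into a user-writable directory is flagged even if the attacker ships a DLL with some valid signature, and a DLL with a wrong or missing signature is flagged even if it somehow lands under the vendor path. In practice the same logic maps directly onto a SIEM query over Sysmon ID 7 with `Image` ending in `toshdpdb.exe` and `ImageLoaded` ending in `toshdpapi.dll`.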
Based on the available information, the argument is that Chinese state-backed operatives conducting espionage may also pose as ransomware actors for personal gain. Any single label for this group is therefore likely to be inaccurate, since it appears able to carry out either ransomware or cyberespionage operations.
