Chinese Espionage Group Suspected of Ransomware Activity
Researchers find evidence suggesting a Chinese state-linked cyberespionage group may be engaging in ransomware attacks for financial gain.
- Symantec researchers observed a November 2024 ransomware attack on a South Asian software company using tools linked to the Chinese espionage group Mustang Panda.
- The attackers exploited a Palo Alto Networks vulnerability to gain access, deployed a PlugX backdoor, and encrypted systems with RA World ransomware, demanding up to $2 million in ransom.
- This marks a departure from typical Chinese espionage operations, which have historically focused on data theft and long-term network persistence rather than financial extortion.
- While some speculate the attackers may be using ransomware for personal profit, others suggest it could signal a broader blending of cybercrime and state-sponsored espionage activities.
- The PlugX variant used in the attack is the same one seen in espionage campaigns against government ministries and telecom operators in Europe and Asia between mid-2024 and early 2025, a window that overlaps the November 2024 ransomware incident rather than preceding it.