Overview
- Symantec attributes a January–May 2025 intrusion at a Russian IT services firm to Jewelbug, assessing that access to code repositories and build servers created potential for downstream software supply-chain attacks.
- Researchers say the attackers exfiltrated data to Yandex Cloud, a tactic likely chosen to blend with trusted network traffic in Russia.
- The operation used a renamed Microsoft Console Debugger (cdb.exe as 7zup.exe) to run shellcode, bypass allowlisting, and disable security tools, alongside credential dumping, scheduled-task persistence, and event log clearing.
- Symantec also observed a new backdoor under development that uses Microsoft Graph API and OneDrive for command-and-control in activity against a South American government organization.
- The firm ties Jewelbug to clusters tracked as CL-STA-0049, Earth Alux, and REF7707, noting a preference for legitimate tools and cloud services to maintain stealth and highlighting that Russian targets are not off-limits.
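The renamed-debugger technique in the fourth bullet (cdb.exe copied to disk as 7zup.exe) leaves a simple, durable artifact: the PE version resource still carries the original file name, which Sysmon process-creation events expose as the OriginalFileName field. The following detection logic is an added example written for this summary; it is not code from Symantec or from the report, and the process-creation records it runs over are constructed sample data, not telemetry from the intrusion. The `WATCHED_ORIGINAL_NAMES` set and the `WRITABLE_DIRS` list are assumptions that a defender would tune to their environment.

```python
import ntpath

# Sysmon Event ID 1 (process creation) records, reduced to the fields this check needs.
# Constructed sample data: the second record mimics the renamed-cdb.exe pattern described above.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "CDB.Exe",
     "CommandLine": "cdb.exe -z crash.dmp",
     "User": r"CORP\dev1"},
    {"EventID": 1,
     "Image": r"C:\Users\Public\7zup.exe",
     "OriginalFileName": "CDB.Exe",
     "CommandLine": "7zup.exe",
     "User": r"CORP\svc-backup"},
    {"EventID": 1,
     "Image": r"C:\Program Files\7-Zip\7z.exe",
     "OriginalFileName": "7z.exe",
     "CommandLine": "7z.exe a archive.7z data",
     "User": r"CORP\dev1"},
    {"EventID": 1,
     "Image": r"C:\Windows\Temp\update.exe",
     "OriginalFileName": "",
     "CommandLine": "update.exe",
     "User": r"CORP\svc-backup"},
]

# Original (compiled-in) names of signed Microsoft binaries that should not be executing
# under a different file name. Assumed starting set; extend for your environment.
WATCHED_ORIGINAL_NAMES = {"cdb.exe"}

# Directories where a copy of a debugger has no business running. Assumed list.
WRITABLE_DIRS = (r"c:\users\public", r"c:\windows\temp", r"c:\programdata")


def detect_renamed_binaries(events, watched=WATCHED_ORIGINAL_NAMES):
    """Return one finding per process-creation event where a watched binary is
    either running under a different on-disk name or from a user-writable path."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        original = (ev.get("OriginalFileName") or "").lower()
        if original not in watched:
            continue
        image = ev.get("Image", "")
        # ntpath handles backslash paths correctly even when this runs on Linux.
        on_disk = ntpath.basename(image).lower()
        reasons = []
        if on_disk != original:
            reasons.append(f"OriginalFileName {original} executed as {on_disk}")
        if image.lower().startswith(WRITABLE_DIRS):
            reasons.append(f"{original} launched from user-writable path")
        if reasons:
            findings.append({"Image": image,
                             "OriginalFileName": ev.get("OriginalFileName"),
                             "User": ev.get("User"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_renamed_binaries(SAMPLE_EVENTS):
        print(f["User"], f["Image"], "|", "; ".join(f["reasons"]))
```

The check deliberately keys on the version-resource name rather than the path alone, because the legitimate copy of cdb.exe under the Windows Kits directory should not fire. An attacker can strip or overwrite the version resource, so this is a cheap first signal, not a complete control; pairing it with image-hash allowlisting (Sysmon's Hashes field) catches the case where OriginalFileName is empty, as in the last constructed record, which this rule intentionally ignores.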