
A sophisticated China-based threat actor, Emperor Dragonfly, has been detected using espionage tools in a significant ransomware operation. The group targeted an Asian software company with RA World ransomware, demanding $2 million in ransom.
Symantec’s Threat Hunter Team identified this activity in late 2024, noting an unprecedented convergence between state-sponsored cyber espionage and criminal ransomware operations. The attack employed specialized tools typically associated with Chinese state-backed espionage groups, which are rarely seen in cybercrime activities.
Between July 2024 and January 2025, the group targeted government ministries and telecom operators across Southeast Europe and Asia, focusing on maintaining long-term network access. Their toolkit included:
– PlugX (Korplug) backdoor
– DLL sideloading via a legitimate Toshiba executable
– NPS proxy for covert communications
– RC4-encrypted payloads
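RC4 is a stream cipher, so an analyst who recovers the key from a sideloaded loader can decrypt the staged payload with a few lines of code and check whether a PE file is inside. The following is an added example for that triage step; it is not code from the article, from Symantec, or from the campaign. The key and ciphertext are constructed (the public RC4 test vector "Key"/"Plaintext", plus a stub PE header encrypted in-script), and `looks_like_pe` is a hypothetical helper name.

```python
# Added example: minimal RC4 (KSA + PRGA) for decrypting a captured payload
# blob during analysis, plus a quick check for an embedded PE image.
# All sample keys and ciphertexts below are constructed, not campaign data.

def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key-scheduling, then pseudo-random generation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: XOR with the keystream both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Hypothetical triage helper: true if the blob starts with the DOS 'MZ' magic."""
    return len(blob) >= 2 and blob[:2] == b"MZ"


# Constructed sample 1: public RC4 test vector, key "Key" / plaintext "Plaintext".
SAMPLE_KEY = b"Key"
SAMPLE_CIPHERTEXT = bytes.fromhex("BBF316E8D940AF0AD3")

# Constructed sample 2: a stub DOS header encrypted here with a made-up key,
# standing in for an RC4-wrapped payload pulled from a sideloaded DLL.
STUB_KEY = b"constructed-key"
STUB_PE_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
STUB_ENCRYPTED = rc4_crypt(STUB_KEY, STUB_PE_HEADER)


def decrypt_sample() -> bytes:
    return rc4_crypt(SAMPLE_KEY, SAMPLE_CIPHERTEXT)


def payload_is_pe(key: bytes, blob: bytes) -> bool:
    """Decrypt a candidate blob with the recovered key and test for a PE image."""
    return looks_like_pe(rc4_crypt(key, blob))


if __name__ == "__main__":
    print(decrypt_sample())                              # b'Plaintext'
    print(payload_is_pe(STUB_KEY, STUB_ENCRYPTED))       # True
    print(payload_is_pe(b"wrong-key", STUB_ENCRYPTED))   # False
```

Because RC4 has no integrity check, a wrong key silently yields garbage rather than an error; checking the decrypted output for an expected structure (here the `MZ` magic) is how an analyst confirms the key candidate before spending time on the result.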
In the November 2024 attack, the group exploited a Palo Alto PAN-OS vulnerability (CVE-2024-0012) to deploy both espionage tools and ransomware. This hybrid approach suggests that state-backed cyber operatives may be conducting ransomware attacks for personal financial gain.
This development follows earlier observations by Palo Alto Networks’ Unit 42, which had previously linked Emperor Dragonfly to RA World ransomware operations. The RA World variant evolved from the RA Group, which emerged in 2023 based on the Babuk ransomware family.