Chinese Espionage Tools Discovered in Major South Asian Ransomware Attack


Chinese Cyber Group’s Dual Role: From Espionage to Ransomware

An RA World ransomware attack in November 2024 has been linked to tooling otherwise seen only in Chinese cyber espionage operations. The attack, against a software company in Asia, used tools traditionally associated with China-based threat actors.

Symantec’s Threat Hunter Team found that the attacker deployed PlugX, a backdoor typically associated with the Mustang Panda group, by DLL side-loading: a legitimate Toshiba executable, “toshdpdb.exe”, was abused to load a malicious DLL placed in its search path, so the payload ran under the cover of a signed vendor binary.
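One way to hunt for the side-loading pattern described above is to look at image-load telemetry for DLLs that a process loads from its own (non-system) directory and that carry no valid signature. The following is an added example, not code from Symantec or from the report; it runs over constructed Sysmon Event ID 7 (ImageLoad) records using the real Sysmon field names Image, ImageLoaded and Signed. The file paths and the DLL name toshdpapi.dll are constructed sample data, not identifiers taken from the incident.

```python
"""Flag candidate DLL side-loading in Sysmon Event ID 7 (ImageLoad) records.

Heuristic: a DLL loaded from the same directory as the process image, where
that directory is outside the Windows / Program Files trees and the DLL is
not signed, is a side-loading candidate worth triage. Added example; the
records below are constructed and the DLL name is hypothetical.
"""
import ntpath  # Windows path semantics, works on any host

# Directories where unsigned DLLs beside an executable are normal enough
# that this heuristic would drown in noise.
TRUSTED_DIRS = (
    r"c:\windows\\",
    r"c:\program files\\",
    r"c:\program files (x86)\\",
)

# Constructed sample events (Sysmon Event ID 7 fields).
SAMPLE_EVENTS = [
    {   # signed vendor binary loading an unsigned DLL from a user-writable dir
        "Image": r"C:\Users\Public\Libraries\toshdpdb.exe",
        "ImageLoaded": r"C:\Users\Public\Libraries\toshdpapi.dll",  # hypothetical name
        "Signed": "false",
        "Signature": "-",
    },
    {   # same process loading a system DLL: benign
        "Image": r"C:\Users\Public\Libraries\toshdpdb.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true",
        "Signature": "Microsoft Windows",
    },
    {   # vendor app loading its own signed helper from Program Files: benign
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
        "Signed": "true",
        "Signature": "Vendor Inc",
    },
    {   # unsigned DLL, but loaded from a different directory than the exe
        "Image": r"C:\Users\Public\Libraries\toshdpdb.exe",
        "ImageLoaded": r"C:\Temp\other.dll",
        "Signed": "false",
        "Signature": "-",
    },
]


def same_directory(path_a: str, path_b: str) -> bool:
    """Case-insensitive comparison of the two paths' parent directories."""
    return ntpath.dirname(path_a).lower() == ntpath.dirname(path_b).lower()


def in_trusted_dir(path: str) -> bool:
    """True if the path sits under one of the TRUSTED_DIRS prefixes."""
    lowered = path.lower()
    return any(lowered.startswith(prefix.rstrip("\\") + "\\") for prefix in TRUSTED_DIRS)


def find_sideload_candidates(events):
    """Return (exe_name, dll_name) pairs matching the side-loading heuristic."""
    hits = []
    for event in events:
        exe, dll = event["Image"], event["ImageLoaded"]
        if not dll.lower().endswith(".dll"):
            continue
        if not same_directory(exe, dll):
            continue
        if in_trusted_dir(dll):
            continue
        if event.get("Signed", "").lower() == "true":
            continue
        hits.append((ntpath.basename(exe), ntpath.basename(dll)))
    return hits


if __name__ == "__main__":
    for exe_name, dll_name in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate: {exe_name} loaded unsigned {dll_name} from its own directory")
```

The check deliberately ignores the signer of the executable itself, because Sysmon's ImageLoad event only carries signature data for the loaded module; correlating the executable's publisher would need a second data source. Tune TRUSTED_DIRS to the estate before running this at scale.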

The same toolset appeared in a series of espionage campaigns in 2024 and early 2025, targeting:
– A southeastern European Foreign Ministry (July 2024)
– Government entities in Southeast Asia and Europe (August 2024)
– A telecom operator (September 2024)
– A Southeast Asian government ministry (January 2025)

The November 2024 attack stood out because the same toolset was turned to criminal extortion: the attacker exploited a Palo Alto Networks PAN-OS vulnerability (CVE-2024-0012, an authentication bypass in the PAN-OS management web interface) and went on to deploy RA World ransomware.

Parallel Development: Salt Typhoon Campaign

Separately, the Chinese hacking group Salt Typhoon conducted extensive attacks between December 2024 and January 2025, targeting:
– Major telecommunications providers in the US, UK, South Africa, and Thailand
– Over 1,000 Cisco devices globally
– Universities across nine countries

The group exploited two Cisco IOS XE web UI vulnerabilities (CVE-2023-20198, a privilege-escalation flaw that allows creating a privilege 15 account, and CVE-2023-20273, a command injection used to reach root), then configured GRE tunnels on the compromised devices for persistent access and data exfiltration.

Security experts recommend prioritizing patch management for internet-facing network devices and keeping administrative interfaces (such as the IOS XE web UI and the PAN-OS management interface) off the internet, reachable only from trusted management networks.
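Both points in the Salt Typhoon section above, the exposed web UI that the Cisco vulnerabilities target and the GRE tunnels left behind for persistence, can be checked from a device's running configuration. The following is an added example, not code from Cisco, Symantec or the article: it parses a constructed IOS XE config, reports whether the HTTP server feature (the web UI attack surface, which Cisco's mitigation for CVE-2023-20198 disables with `no ip http server` and `no ip http secure-server`) is explicitly enabled, and lists GRE tunnel interfaces whose destination is not in an operator-supplied allowlist of provisioned peers. The hostname, addresses and the KNOWN_TUNNEL_PEERS set are assumptions.

```python
"""Triage a Cisco IOS XE running-config for an exposed web UI and for GRE
tunnels to unprovisioned peers. Added example; the config text is constructed
and uses documentation address ranges.
"""

SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
interface Tunnel0
 description site-to-site to branch
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
!
interface Tunnel100
 ip address 172.16.99.1 255.255.255.0
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

# Tunnel peers the operator actually provisioned (assumption for the example).
KNOWN_TUNNEL_PEERS = {"203.0.113.10"}

HTTP_SERVER_LINES = ("ip http server", "ip http secure-server")


def parse_interfaces(config: str) -> dict:
    """Return {interface_name: [stripped sub-lines]} from IOS-style config text.

    A block starts at a top-level 'interface X' line and consists of the
    indented lines that follow it; any non-indented line ends the block.
    """
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def web_ui_exposed(config: str) -> list:
    """Return the HTTP server lines that are explicitly enabled in the config.

    Only explicit 'ip http server' / 'ip http secure-server' lines count;
    a 'no ip http ...' line is the disabled form. Absence of both lines is
    not proof the feature is off, so verify with 'show ip http server status'.
    """
    enabled = {line.strip() for line in config.splitlines()
               if line.strip() in HTTP_SERVER_LINES}
    return sorted(enabled)


def suspicious_gre_tunnels(config: str, known_peers: set) -> list:
    """Return (interface, destination) for GRE tunnels to unprovisioned peers.

    On IOS the tunnel mode defaults to 'gre ip' when no 'tunnel mode' line
    is present, so a missing mode line is treated as GRE.
    """
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination ")), None)
        mode = next((l[len("tunnel mode "):] for l in lines if l.startswith("tunnel mode ")), "gre ip")
        if dest is None or not mode.startswith("gre"):
            continue
        if dest not in known_peers:
            findings.append((name, dest))
    return findings


if __name__ == "__main__":
    for line in web_ui_exposed(SAMPLE_CONFIG):
        print(f"web UI exposed: '{line}' is enabled; consider 'no {line}'")
    for iface, dest in suspicious_gre_tunnels(SAMPLE_CONFIG, KNOWN_TUNNEL_PEERS):
        print(f"unprovisioned GRE tunnel: {iface} -> {dest}")
```

Run it against configs pulled by the normal backup job rather than by logging into suspect devices, and treat a hit on either check as a lead to verify against device state and flow data, not as proof of compromise on its own.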
