Jewelbug (Chinese APT) Infiltrates Russian IT Service Provider: Multi-Month Espionage and Supply Chain Attack on Code Repositories and Build Systems
- Rescana
- Oct 16
- 5 min read

Executive Summary
Between January and May 2025, the China-linked advanced persistent threat (APT) group Jewelbug (also tracked as REF7707, CL-STA-0049, and Earth Alux) operated inside the network of a Russian IT service provider for approximately five months without being detected. The intrusion reached the organization’s code repositories and software build systems, giving the attackers a position from which a software supply chain attack against the provider’s customers could have been staged. Stolen data was exfiltrated to Yandex Cloud, a legitimate and widely used Russian cloud service, most likely so that the traffic would blend in with normal enterprise egress. On the endpoints, the attackers executed code through a renamed copy of a signed Microsoft binary (cdb.exe, the Microsoft Console Debugger, renamed to 7zup.exe), dumped credentials, used scheduled tasks for persistence and privilege escalation, and cleared Windows Event Logs to cover their tracks. The intrusion was documented by Symantec’s Threat Hunter Team and reported by The Record; the findings below are drawn from those primary sources. The case illustrates both the supply chain risk concentrated in IT service providers and the expanding reach of Jewelbug, whose earlier known targets lay in South America, South and Southeast Asia, and Taiwan.
Technical Information
The Jewelbug intrusion into the Russian IT service provider was a multi-stage, low-noise campaign aimed at espionage and, potentially, supply chain compromise. The reporting cited here does not identify the initial access vector; the earliest indicator was the appearance of a suspicious file named 7zup.exe, which turned out to be a renamed copy of cdb.exe, the Microsoft Console Debugger. Because cdb.exe is a legitimate binary signed by Microsoft, it serves as a proxy for code execution: the attackers used it to launch executables, run DLLs, execute arbitrary code and terminate security tooling, slipping past application allow-listing that trusts Microsoft-signed code. Renaming the file on disk does not change its embedded version information, so telemetry that records the PE OriginalFileName still shows cdb.exe behind the 7zup.exe name. Abuse of a renamed cdb.exe is a known hallmark of Jewelbug operations and helped the group evade detection and move laterally across the network (https://www.security.com/threat-intelligence/jewelbug-apt-russia).
Persistence and privilege escalation were achieved by creating scheduled tasks with the Windows schtasks utility, which let the attackers re-establish access after reboots and run payloads with elevated permissions. They also dumped credentials from compromised hosts and reused the harvested accounts for lateral movement and further privilege escalation. To hinder forensic investigation, they cleared Windows Event Logs; clearing a log leaves its own trace, so only logs forwarded to a collector the attacker cannot reach preserve the evidence (https://www.security.com/threat-intelligence/jewelbug-apt-russia).
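The three endpoint behaviours above (a signed Microsoft binary running under another name, a scheduled task whose action points at that binary, and a cleared Security log) can be hunted in process-creation and audit telemetry. The script below is an added example written for this page; it is not code from the original report or from Symantec. The event records are constructed; field names follow Sysmon event ID 1 (Image, OriginalFileName, CommandLine) and Windows Security event ID 1102, and the list of proxy-execution binaries and user-writable paths is an illustrative assumption.

```python
"""Hunt over constructed Windows process-creation and audit events for a
renamed signed binary (cdb.exe as 7zup.exe), a scheduled task launching it,
and a cleared Security log.

Added example, not code from the original report. Events are constructed;
field names follow Sysmon EID 1 and Windows Security EID 1102.
"""
import ntpath
import re

# Signed Microsoft binaries commonly abused for proxy execution (illustrative,
# not exhaustive). Matched against the PE OriginalFileName, which a rename on
# disk does not change.
PROXY_EXEC_ORIGINALS = {
    "cdb.exe", "msbuild.exe", "regsvr32.exe", "rundll32.exe",
    "mshta.exe", "installutil.exe",
}
# Locations a standard user can write to; a task action living here is suspect.
USER_WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Renamed debugger in a world-writable folder, driven by a script file.
    {"EventID": 1, "Image": r"C:\Users\Public\7zup.exe", "OriginalFileName": "CDB.Exe",
     "CommandLine": r"C:\Users\Public\7zup.exe -cf C:\Users\Public\x.wds -o C:\Windows\System32\notepad.exe"},
    # The same debugger in its normal install location: expected on a build host.
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "CDB.Exe",
     "CommandLine": r'"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe" -z C:\dumps\app.dmp'},
    # Scheduled task that launches the renamed binary at logon as SYSTEM.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Users\Public\7zup.exe -cf C:\Users\Public\x.wds" /sc onlogon /ru SYSTEM /f'},
    # Routine task creation pointing at a system binary: no finding.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Maint" /tr "C:\Windows\System32\defrag.exe C: /U" /sc weekly'},
    # Security audit log cleared (Windows event ID 1102).
    {"EventID": 1102, "Channel": "Security", "SubjectUserName": "svc_build"},
]


def renamed_binary(event):
    """Return (original_name, on_disk_name) when a process image's on-disk name
    differs from its PE OriginalFileName, else None."""
    if event.get("EventID") != 1:
        return None
    original = event.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    if original in ("", "?", "-") or original == on_disk:
        return None
    return original, on_disk


def schtasks_action(cmdline):
    """For a 'schtasks /create' command line, return the executable named in
    its /tr action; None for anything else."""
    if not re.search(r"schtasks(?:\.exe)?\b.*\s/create\b", cmdline, re.IGNORECASE):
        return None
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    action = (m.group(1) or m.group(2) or "").strip()
    if not action:
        return None
    # The action may carry arguments ("C:\path\bin.exe -arg"); keep the executable.
    exe = re.match(r'"([^"]+)"|(\S+)', action)
    return exe.group(1) or exe.group(2)


def hunt(events):
    """Return (severity, rule, detail) findings over a list of events."""
    findings = []
    renamed_images = set()
    # Pass 1: renamed binaries, so task actions can be matched in any event order.
    for ev in events:
        hit = renamed_binary(ev)
        if hit:
            original, on_disk = hit
            severity = "critical" if original in PROXY_EXEC_ORIGINALS else "medium"
            findings.append((severity, "renamed-binary",
                             f"{ev['Image']} has OriginalFileName {original}"))
            renamed_images.add(ev["Image"].lower())
    # Pass 2: task creation pointing at renamed or user-writable binaries, and log clearing.
    for ev in events:
        if ev.get("EventID") == 1102:
            findings.append(("high", "log-cleared",
                             f"{ev.get('Channel')} log cleared by {ev.get('SubjectUserName')}"))
            continue
        if ev.get("EventID") != 1:
            continue
        exe = schtasks_action(ev.get("CommandLine", ""))
        if exe is None:
            continue
        if exe.lower() in renamed_images:
            findings.append(("critical", "schtasks-renamed-binary", exe))
        elif exe.lower().startswith(USER_WRITABLE_PREFIXES):
            findings.append(("high", "schtasks-user-writable-path", exe))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

The legitimate cdb.exe in its Windows Kits install path produces no finding, which is the point: on a developer or build host the debugger itself is expected, and it is the mismatch between the on-disk name and the embedded OriginalFileName, together with where the task action lives, that separates Jewelbug's 7zup.exe from normal use.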
Data exfiltration was conducted using a custom malware sample named yandex2.exe, which transferred stolen data to Yandex Cloud. The choice of Yandex, a widely used Russian cloud service, was likely intended to avoid detection, as traffic to this service would not typically be blocked or scrutinized by Russian enterprises (https://www.security.com/threat-intelligence/jewelbug-apt-russia).
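Because the destination was a service the victim already allowed through its proxy, the usable signal was not the domain but who was uploading to it and how much. The script below is an added example written for this page, not code from the original report: it sums uploads per (host, storage domain) over constructed egress log lines and flags server-role hosts that push anything to cloud storage as well as any host that exceeds a volume threshold. The log format, the sample lines, and the list of storage domains are assumptions for illustration; a real deployment would take the domain list from the proxy's own URL categorisation.

```python
"""Baseline and flag uploads to cloud-storage services in egress/proxy logs.

Added example, not from the original report. The log format (timestamp,
source host, destination host, HTTP method, bytes sent), the log lines and
the storage-domain list are constructed assumptions.
"""
from collections import defaultdict

MiB = 1024 * 1024

# Assumed: storage endpoints an enterprise proxy would normally allow.
CLOUD_STORAGE_DOMAINS = {
    "storage.yandexcloud.net",  # Yandex Object Storage
    "disk.yandex.ru",           # Yandex Disk
    "s3.amazonaws.com",
    "storage.googleapis.com",
}
UPLOAD_METHODS = {"PUT", "POST"}

# Constructed sample egress log, one request per line.
SAMPLE_LOG = """\
2025-03-02T01:12:40Z BUILD01 storage.yandexcloud.net PUT 734003200
2025-03-02T01:14:09Z BUILD01 storage.yandexcloud.net PUT 612368384
2025-03-02T09:03:11Z WS-017 disk.yandex.ru PUT 2097152
2025-03-02T09:05:44Z WS-017 storage.yandexcloud.net GET 4096
2025-03-02T10:22:01Z WS-022 storage.yandexcloud.net PUT 15728640
2025-03-02T12:00:00Z GIT01 storage.yandexcloud.net PUT 1073741824
2025-03-02T12:30:00Z WS-022 example.com POST 52428800
"""


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, src, dst, method, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "method": method.upper(), "bytes": int(nbytes)}


def upload_volumes(lines):
    """Sum bytes uploaded per (source host, cloud-storage domain); downloads and
    non-storage destinations are ignored."""
    totals = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dst"] in CLOUD_STORAGE_DOMAINS and rec["method"] in UPLOAD_METHODS:
            totals[(rec["src"], rec["dst"])] += rec["bytes"]
    return dict(totals)


def flag_exfil(lines, threshold_bytes=100 * MiB, server_hosts=frozenset()):
    """Return (src, dst, bytes, reason) for host/domain pairs worth investigating.

    Two signals: server-role hosts (build servers, repository servers) that
    should never push data to public cloud storage, and any host whose upload
    volume to one storage domain exceeds the threshold.
    """
    findings = []
    for (src, dst), total in sorted(upload_volumes(lines).items()):
        if src in server_hosts:
            findings.append((src, dst, total, "server-role host uploading to cloud storage"))
        elif total > threshold_bytes:
            findings.append((src, dst, total, f"upload volume above {threshold_bytes // MiB} MiB"))
    return findings


if __name__ == "__main__":
    for src, dst, total, reason in flag_exfil(SAMPLE_LOG.splitlines(),
                                              server_hosts={"BUILD01", "GIT01"}):
        print(f"{src} -> {dst}: {total / MiB:.1f} MiB ({reason})")
```

The threshold is deliberately a parameter: a workstation syncing a few megabytes to Yandex Disk is ordinary, while a build server or Git server uploading anything to object storage should be a finding regardless of size, because nothing in its role requires it.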
The attackers’ access to code repositories and software build systems created the risk of a software supply chain attack, potentially enabling the compromise of the IT provider’s customers. IT service providers are attractive targets for such attacks due to their privileged access to client networks and their ability to distribute software updates across multiple organizations (https://therecord.media/rare-china-linked-intrusion-russian-tech-firms).
Jewelbug is a Chinese APT group active since at least mid-2023, with a history of targeting government and corporate networks in South America, South and Southeast Asia, and Taiwan. The group is known for long-term espionage, supply chain targeting, and the development of custom malware and backdoors. The Russian IT provider incident is notable as a rare example of Chinese cyber-espionage against a strategic partner (https://therecord.media/rare-china-linked-intrusion-russian-tech-firms).
The techniques used in this campaign map to the following MITRE ATT&CK entries: Masquerading (T1036.003, renaming a legitimate utility) and System Binary Proxy Execution (T1218) for the renamed cdb.exe; Scheduled Task/Job: Scheduled Task (T1053.005) for persistence and privilege escalation; OS Credential Dumping (T1003) and, for the reuse of harvested accounts, Valid Accounts (T1078); Indicator Removal: Clear Windows Event Logs (T1070.001); and Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002). Each mapping corresponds to a behaviour described in the referenced sources.
Attribution to Jewelbug is assessed with high confidence on the basis of the group’s known TTPs, notably the renamed cdb.exe, and overlaps with earlier activity tracked as REF7707, CL-STA-0049 and Earth Alux. The technical analysis comes from Symantec’s Threat Hunter Team (published at security.com); the intrusion was also covered by The Record (https://www.security.com/threat-intelligence/jewelbug-apt-russia, https://therecord.media/rare-china-linked-intrusion-russian-tech-firms, https://niccs.cisa.gov/news-events/news).
Affected Versions & Timeline
The intrusion began in January 2025, with the first evidence of suspicious activity being the appearance of the 7zup.exe file. The attackers maintained undetected access until May 2025, when the most recent suspicious activity was observed. During this period, the attackers had access to the organization’s code repositories and software build systems, and exfiltrated data to Yandex Cloud. The campaign targeted a Russian IT service provider, but the risk extended to the provider’s customers due to the potential for a software supply chain attack (https://www.security.com/threat-intelligence/jewelbug-apt-russia, https://therecord.media/rare-china-linked-intrusion-russian-tech-firms).
The affected systems included code repositories, software build systems, and endpoints where the attackers established persistence and performed credential dumping. The use of legitimate tools and cloud services enabled the attackers to remain undetected for several months.
Threat Activity
The Jewelbug group’s activity in this campaign was characterized by stealth, persistence, and a focus on espionage and supply chain compromise. The attackers used a renamed, signed Microsoft binary (cdb.exe as 7zup.exe) to execute arbitrary code and evade security controls. Persistence and privilege escalation were achieved through scheduled tasks, while credential dumping enabled further lateral movement. The attackers cleared Windows Event Logs to hinder detection and forensic analysis.
Data exfiltration was conducted via Yandex Cloud using a custom malware sample (yandex2.exe), allowing the attackers to blend in with legitimate network traffic. The targeting of code repositories and build systems created the risk of a software supply chain attack, potentially impacting the IT provider’s customers.
The campaign fits Jewelbug’s established pattern of long-term espionage against organizations whose access extends into many other networks; an IT service provider with control over its customers’ code and build pipelines is exactly such a target. The group’s apparent goal was sustained intelligence collection and a persistent foothold for future operations. Its reliance on a renamed signed binary, built-in Windows utilities and a cloud service the victim already trusted reflects a deliberate effort to avoid the controls the target environment was likely to have (https://www.security.com/threat-intelligence/jewelbug-apt-russia, https://therecord.media/rare-china-linked-intrusion-russian-tech-firms).
Mitigation & Workarounds
The following mitigation actions are prioritized by severity:
Critical: Restrict cdb.exe (Microsoft Console Debugger) and other signed Microsoft binaries that can be abused for proxy execution. cdb.exe appears on Microsoft’s recommended block list for Windows Defender Application Control; block it by default and allow it only for the users and machines that genuinely need a debugger, such as developer and build hosts, where it should be permitted by publisher and install path rather than by file name. Because a rename does not change a binary’s embedded version information, also alert on processes whose PE OriginalFileName is cdb.exe but whose on-disk name is something else (https://www.security.com/threat-intelligence/jewelbug-apt-russia).
Critical: Monitor for and investigate the creation of scheduled tasks, especially tasks whose action runs an unsigned or renamed binary, points into a user-writable directory, or runs as SYSTEM. Windows records task creation as Security event ID 4698 (with the "Audit Other Object Access Events" subcategory enabled), and schtasks.exe /create command lines are visible in process-creation telemetry; audit existing tasks regularly for legitimacy.
Critical: Implement robust credential hygiene and monitoring to detect and limit credential dumping: enforce strong password policies and multi-factor authentication, enable LSA protection and, where supported, Credential Guard so that LSASS memory cannot simply be read, keep privileged accounts off workstations and build agents, and alert on abnormal authentication activity and on processes opening handles to lsass.exe.
High: Monitor uploads to cloud storage services, Yandex Cloud included, since attackers favor platforms the victim already allows through its proxy. Log egress to these services with the sending host, method and byte counts, baseline normal upload volume per host, and alert on servers (repository and build servers in particular) that push data to cloud storage at all.
High: Regularly review and secure code repositories and software build systems. Access should be restricted to authorized personnel, and all changes should be logged and monitored for suspicious activity.
High: Forward event logs to a central collector the attackers cannot reach, protect them from unauthorized modification or deletion, and alert on the events that a log clearance itself generates: Security event ID 1102 (the audit log was cleared) and System event ID 104 (a log file was cleared). A gap in a host’s log timeline is itself an indicator.
Medium: Conduct regular security awareness training for IT staff and developers, focusing on the risks of supply chain attacks and the abuse of legitimate tools.
Medium: Ensure that endpoint detection and response (EDR) solutions are deployed and configured to detect the use of renamed or suspicious binaries, credential dumping tools, and unauthorized scheduled tasks.
Low: Maintain up-to-date asset inventories and ensure that all systems are regularly patched and updated to reduce the attack surface.
All mitigation recommendations are based on the technical findings and attack methods described in the primary sources.
References
https://www.security.com/threat-intelligence/jewelbug-apt-russia (15 Oct 2025)
https://therecord.media/rare-china-linked-intrusion-russian-tech-firms (15 Oct 2025)
https://niccs.cisa.gov/news-events/news (15 Oct 2025)
About Rescana
Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor the security posture of their vendors and supply chain partners. Our platform offers actionable insights into vendor access, software distribution channels, and potential supply chain risks, supporting proactive defense against advanced persistent threats and supply chain attacks. For further information or to discuss this incident, please contact us at ops@rescana.com.