Espionage and Ransomware Collide: Unveiling Malicious DLL Exploits and SentinelOne Insights


Recent cyber incidents have revealed a concerning trend where espionage actors, traditionally associated with covert intelligence gathering, are also engaging in ransomware attacks. In a series of high-profile intrusions during late 2024 and early 2025, a sophisticated attacker deployed a toolset—long linked to China-based espionage groups—against multiple targets in Europe and Asia. The attack combined classic espionage techniques with a ransomware campaign using the RA World ransomware, raising critical questions about motive and methodology.

Espionage Attacks and Ransomware: A Dual Strategy

Prior to the ransomware incident, the attacker demonstrated a clear pattern of espionage. In July 2024, a breach of a southeastern European country’s Foreign Ministry saw the use of a legitimate Toshiba executable, toshdpdb.exe, to sideload a malicious DLL named toshdpapi.dll. This DLL functioned as a loader for a heavily obfuscated payload stored in a file called toshdp.dat. The payload was RC4-encrypted; once decrypted, it proved to be a variant of the PlugX backdoor, marked by encrypted strings, dynamic API resolution, and control flow flattening. Similar techniques and configuration details—encrypted using the key qwedfgx202211—were later observed in other intrusions targeting government ministries and a telecom operator across Europe and Southeast Asia.

In late November 2024, amidst these espionage operations, the same toolset was repurposed in a ransomware attack against a medium-sized software and services company in South Asia. The attacker exploited a known vulnerability in Palo Alto’s PAN-OS firewall software to gain entry, escalated privileges by harvesting administrative credentials, and even stole cloud credentials from an Amazon S3 server. Once inside, the attacker again used toshdpdb.exe to deploy the malicious DLL, which loaded the same PlugX variant before encrypting network machines with RA World ransomware and demanding a multi-million-dollar ransom.

The Role of Malicious DLLs in Modern Attacks

A key component in these attacks is the malicious DLL, toshdpapi.dll. On Windows, DLLs (Dynamic Link Libraries) are modules of code and data shared by multiple programs, and a program resolves the DLLs it needs by name when it starts. When a trusted, legitimate executable is made to load an attacker-supplied DLL in place of the one it expects, as toshdpdb.exe was here, the malicious DLL runs inside a trusted process and can act as a stealthy loader for further payloads, slipping past security controls that trust the host executable. In this case, the DLL not only delivered a custom PlugX backdoor but also gave the attacker persistent access to compromised systems, a technique long associated with nation-state espionage.

SentinelOne and the Tracking of China-Linked Threat Actors

Adding another layer to the narrative, cybersecurity firm SentinelOne has been tracking threat actors linked to China, including a group known as Bronze Starlight (also referred to as Emperor Dragonfly). SentinelOne’s reports indicate that Bronze Starlight has been involved in a range of ransomware attacks—using toolsets that include the NPS Proxy Tool and variants of the LockFile, AtomSilo, NightSky, and LockBit families. These findings suggest that the same toolkits, once used solely for espionage, are now crossing over into financially motivated cyber extortion. SentinelOne’s insights help illuminate this unusual blend of espionage and criminal activity, prompting further investigation into whether individual actors are monetizing their access using sophisticated, state-level tools.

Hypotheses and the Unusual Blend of Motives

The convergence of espionage and ransomware in this incident is perplexing. Traditionally, China-linked espionage groups have focused on covert data collection and establishing persistent backdoors, rarely engaging in overt financial extortion. One hypothesis is that the attacker might be using their employer’s espionage toolkit to generate supplementary income. Alternatively, the ransomware attack could be a diversion—meant to obscure the true nature of the espionage or to cover up evidence of the intrusion. However, the fact that the attacker engaged in active ransom negotiations, demanding $2 million (with a reduction if paid promptly), implies a calculated effort to extract financial gain rather than simply masking a covert operation.

Comparative Analysis with Prior Incidents

Comparisons with previous espionage attacks reveal striking similarities. The same PlugX variant, with its distinctive encrypted configuration and control flow flattening, was used in multiple intrusions dating back to July 2024. In each case, a legitimate Toshiba executable was abused to load a malicious DLL, highlighting a recurring tactic among China-linked actors. Unlike typical ransomware campaigns—which are generally associated with North Korean groups—the use of these sophisticated, espionage-grade tools in a ransomware attack underscores an emerging trend where attackers blend state-sponsored techniques with cybercrime strategies.

Protection and Mitigation Measures

Organizations can refer to updated protection bulletins for guidance on mitigating these threats. Security solutions, such as those provided by SentinelOne, play a critical role in detecting and blocking malicious DLLs and associated payloads. Indicators of compromise, including the file hash of the benign toshdpdb.exe executable and multiple hashes for toshdpapi.dll and toshdp.dat, are crucial for timely detection and remediation. It is essential for cybersecurity teams to monitor for unusual network behavior, maintain robust endpoint protection, and ensure that systems are updated against known vulnerabilities like CVE-2024-0012 in PAN-OS firewall software.
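The sideloading mechanism described above and the monitoring advice in this section can be turned into a simple telemetry check. The following is an added example, not code from the article or from SentinelOne: it triages Sysmon-style "Image loaded" records for a trusted executable loading an unsigned DLL from its own, non-standard directory, with toshdpdb.exe treated as a known sideloading host. The event records, paths and PIDs are constructed for the demo and are not real indicators.

```python
"""Triage image-load telemetry for DLL sideloading (added example, not from the article)."""
from pathlib import PureWindowsPath
from typing import Optional

# Install locations where a trusted executable legitimately picks up its DLLs.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")

# Sideloading hosts named in the article, by lower-case basename.
KNOWN_SIDELOAD_HOSTS = {"toshdpdb.exe"}


def sideload_verdict(event: dict) -> Optional[str]:
    """Return a reason string if the load looks like DLL sideloading, else None.

    Heuristic: the DLL is unsigned, sits in the same directory as the host
    executable, and that directory is not a trusted install location.
    Sysmon's image-load event carries signature data only for the loaded
    module, so the host is judged by its name and path, not its signature.
    """
    image = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_dir = str(dll.parent).lower()
    same_dir = str(image.parent).lower() == dll_dir
    in_trusted_dir = dll_dir.startswith(TRUSTED_DIRS)
    dll_signed = event.get("Signed", "false").lower() == "true"
    if not same_dir or in_trusted_dir or dll_signed:
        return None
    if image.name.lower() in KNOWN_SIDELOAD_HOSTS:
        return f"known sideload host {image.name} loaded unsigned {dll.name}"
    return f"{image.name} loaded unsigned sibling {dll.name}"


def triage(events: list) -> list:
    """Return (ProcessId, reason) pairs for every event that trips the heuristic."""
    return [(e["ProcessId"], r) for e in events if (r := sideload_verdict(e))]


# Constructed sample telemetry mimicking Sysmon EventID 7 fields (not real IoCs).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\ProgramData\Toshiba\toshdpdb.exe",
     "ImageLoaded": r"C:\ProgramData\Toshiba\toshdpapi.dll", "Signed": "false"},
    {"ProcessId": 4120, "Image": r"C:\ProgramData\Toshiba\toshdpdb.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"ProcessId": 5188, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendor.dll", "Signed": "false"},
    {"ProcessId": 6012, "Image": r"C:\Users\Public\tool.exe",
     "ImageLoaded": r"C:\Users\Public\helper.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(pid, reason)
```

Feeding real Sysmon exports through this check will produce noise from legitimately unsigned vendor DLLs, so treat hits on hosts outside KNOWN_SIDELOAD_HOSTS as leads to pair with file-hash indicators rather than as alerts on their own.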

The dual use of espionage tools and ransomware in these attacks illustrates a disturbing evolution in cyber threats, where sophisticated nation-state techniques are being repurposed for financial gain. The deployment of a malicious DLL to load a custom PlugX backdoor—coupled with SentinelOne’s findings linking the attacker to known China-based groups—underscores the blurred lines between espionage and cybercrime. As organizations continue to confront these emerging threats, a combination of advanced detection systems and proactive mitigation strategies will be essential to protect sensitive data and critical infrastructure.

Michal Pukala
Electronics and Telecommunications engineer with a Master's degree in Electro-energetics. Experienced lightning design engineer. Currently working in the IT industry.
