In early 2025, a novel campaign attributed to the Chinese APT group known as Jewelbug began targeting an IT service provider in Russia.
The attackers infiltrated build systems and code repositories, laying the groundwork for a potential software supply chain compromise.
Initial access was achieved via a renamed Microsoft Console Debugger binary, “7zup.exe,” which executed shellcode and bypassed application whitelisting.
This stealthy approach allowed the adversary to maintain presence on the network from January through May 2025.
Symantec analysts noted that the use of a signed Microsoft binary for malicious purposes is a hallmark of living-off-the-land tactics.
By renaming cdb[.]exe and leveraging its debugging capabilities, the attackers could launch executables, run arbitrary DLLs, and terminate security processes without raising immediate alarms.
Subsequent activity included credential dumping, privilege elevation via scheduled tasks, and clearing of Windows Event Logs to cover their tracks.
Data exfiltration was conducted through Yandex Cloud, a legitimate Russian service unlikely to be blocked by local enterprises.
A custom payload, “yandex2.exe,” automated the upload of sensitive files, leveraging the cloud platform’s trustworthiness to blend in with normal traffic.
The attackers specifically targeted high-value assets stored on build servers, indicating an espionage-driven objective focused on source code and proprietary software updates.
Beyond exfiltration, additional post-compromise actions were observed. The threat actors created persistent scheduled tasks using schtasks and manipulated registry settings to disable security restrictions.
They also attempted lateral movement by deploying tools such as Mimikatz for LSASS memory dumping and Fast Reverse Proxy for exposing internal servers to the internet.
Infection Mechanism
The initial compromise pivoted on a seemingly innocuous Microsoft-signed binary. The attackers dropped the renamed Console Debugger executable into the Public user profile directory (C:\Users\Public) and invoked it with the following command:
C:\Users\Public\7zup.exe -c ".shellcode 0x1000,LoadShellcode; g;"
Because cdb.exe carries a valid Microsoft signature, publisher-based application whitelisting lets it run, and the renamed copy never has to be a recognised binary on disk. The -c switch hands the debugger a startup command string, so the malicious logic runs as debugger commands rather than as a separate unsigned executable. By chaining those commands, the malware allocated executable memory regions, loaded encrypted payloads, and transferred execution to the decrypted shellcode.
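The renamed-debugger abuse described above, and the living-off-the-land point Symantec makes earlier in the article, can both be hunted in process-creation telemetry. The following is an added example written for this page, not code from Symantec or from the article. It assumes Sysmon Event ID 1-style records already parsed into dicts with the fields Image, OriginalFileName and CommandLine; the sample events are constructed for illustration (the first reuses the command line quoted in the article), and the "expected" debugger install directory under Windows Kits and the inclusion of ntsd.exe alongside cdb.exe are assumptions you would tune to your estate. The -c, -cf and -cfr switches are cdb's documented startup-command options.

```python
"""Hunt for a renamed or oddly placed Microsoft Console Debugger (cdb.exe).

Added example (not Symantec's or the article's code). Input is a list of
Sysmon Event ID 1-style dicts; the PE version resource's OriginalFileName
survives a rename on disk, which is what makes the first rule work.
"""
import ntpath
import re
from dataclasses import dataclass

# OriginalFileName values that identify the debugger family (assumption:
# ntsd.exe is included because it shares cdb's command-line interface).
DEBUGGER_ORIGINAL_NAMES = {"cdb.exe", "ntsd.exe"}

# Path fragments where a legitimately installed debugger normally lives
# (assumption: Windows SDK / Debugging Tools layout; adjust per environment).
EXPECTED_PATH_FRAGMENTS = ("\\windows kits\\", "\\debuggers\\")

# cdb startup-script switches: -c "cmds", -cf file, -cfr file.
STARTUP_SWITCH = re.compile(r"(?<!\S)-(?:cfr|cf|c)(?!\S)")


@dataclass
class Finding:
    rule: str
    image: str
    reason: str


def is_startup_scripted(command_line: str) -> bool:
    """True when the debugger is handed commands to run at startup."""
    return STARTUP_SWITCH.search(command_line or "") is not None


def hunt(events):
    """Return a list of Findings for debugger-family processes that are
    renamed, run from an unexpected path, or started with a script."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        on_disk_name = ntpath.basename(image).lower()
        original = (ev.get("OriginalFileName") or "").lower()
        if original not in DEBUGGER_ORIGINAL_NAMES:
            continue  # not a debugger binary, whatever it is called
        if on_disk_name != original:
            findings.append(Finding(
                "renamed_debugger", image,
                f"OriginalFileName {original} but on disk as {on_disk_name}"))
        elif not any(frag in image.lower() for frag in EXPECTED_PATH_FRAGMENTS):
            findings.append(Finding(
                "debugger_unexpected_path", image,
                "debugger running outside its expected install directory"))
        if is_startup_scripted(ev.get("CommandLine", "")):
            findings.append(Finding(
                "debugger_startup_script", image,
                "started with -c/-cf/-cfr startup commands"))
    return findings


# Constructed sample telemetry (not captured from the intrusion).
SAMPLE_EVENTS = [
    {   # the article's renamed copy and command line
        "Image": r"C:\Users\Public\7zup.exe",
        "OriginalFileName": "CDB.EXE",
        "CommandLine": r'C:\Users\Public\7zup.exe -c ".shellcode 0x1000,LoadShellcode; g;"',
    },
    {   # developer attaching the real debugger from its install path
        "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
        "OriginalFileName": "CDB.EXE",
        "CommandLine": "cdb.exe -p 4120",
    },
    {   # correctly named but copied to a user directory and given a script
        "Image": r"C:\Users\dev\tools\cdb.exe",
        "OriginalFileName": "CDB.EXE",
        "CommandLine": r"cdb.exe -cf C:\Users\dev\tools\init.txt notepad.exe",
    },
    {   # unrelated process with a similar-looking name
        "Image": r"C:\Program Files\7-Zip\7z.exe",
        "OriginalFileName": "7z.exe",
        "CommandLine": "7z.exe a backup.7z docs",
    },
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.reason}")
```

Running the block flags the 7zup.exe copy twice (renamed, and started with a script) and the dev-directory cdb.exe twice (unexpected path, and a -cf script), while the debugger used from its Windows Kits path and the real 7-Zip binary produce nothing. A renamed copy of a Microsoft-signed binary is the cheap part of the technique for the attacker, so correlating OriginalFileName against the on-disk name is the cheap part of the detection for the defender.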
Through this injection technique, Jewelbug achieved a silent foothold, enabling subsequent rounds of credential harvesting and data siphoning.
The reliance on dual-use tools like cdb[.]exe, combined with legitimate cloud channels, underscores the group’s sophisticated evasion methods and long-term espionage objectives.