New research has discovered a number of ransomware attacks linked to APT27, a hacker group widely believed to be operating from China. A report from Security Joes and Profero has outlined its response to a ransomware incident involving the encryption of several core servers. During their analysis, researchers also found malware samples tied to a DRBControl backdoor campaign from earlier this year, which targeted major gaming companies worldwide. Two Chinese APT groups have been linked to the campaign: APT27 and Winnti.

APT27, also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse, is an infamous hacker group that has targeted organizations around the world since 2013. What is interesting about this campaign is it is the first time that the hacker group, previously known for cyber operations focusing on intellectual property theft, is joining the ransomware business with a directly-financial goal.


Our analysis

In the recent ransomware incident analyzed, dubbed the "Clambling" sample, victim infection was done through a third-party service provider, which in turn had been infected through a different third-party service provider. Following the infection, a DBRControl backdoor, as well as a PlugX sample (very common among Chinese threat actors) were loaded in to memory using a Google Updater executable. This form of upload exploits the executable's vulnerability to DLL side-loading, a process during which a malicious DLL is used to spoof a legitimate one, then utilizing a legitimate Windows executables to execute malicious code. This sample did not use Dropbox as a C2 server like in the earlier DBRControl campaign, yet it is still quite versatile, allowing attackers to drop additional malware samples or execute commands through a reverse shell. In this incident, the attackers commanded BitLocker, a drive encryption tool built in to Windows, to encrypt core servers. An ASPXSpy webshell was also deployed in the attack, helping the campaign's lateral movement. During the same time period as this analysis, researchers at PTSecurity2 covered another ransomware attack linked to APT27, using the Polar ransomware variant.

Security news website BleepingComputer mentions the key takeaway from these attacks as described by Daniel Bunce, Principal Security Analyst at Security Joes - the involvement of a cyberespionage group in a financially-driven campaign. This unlikely shift may very well be a heads up for the security industry. The Security Joes and Profero report suggests that with COVID-19 on the loose, and China currently under lockdown, such a switch to financial motives may not be so surprising.


The ThreatSTOP security research team is constantly researching new ransomware variants

We ensure that our solutions provide reliable protection against ransomware attacks. As part of our research, we’ve created an extensive ransomware guide that you can use to:

  • Learn about ransomware types and attack vectors
  • Review variant history and evolution
  • Understand ransomware trends
  • Know how to protect yourself from ransomware


View ThreatSTOP's Ultimate Ransomware Guide:

Download Guide


It takes less than an hour to install ThreatSTOP, and the security benefits are immediately visible. Join the movement of companies blocking attackers instead of just their threats. 

Get a Demo