
Cyber ​​spies with Chinese connections infect Russian government and IT sector • The Register

According to Kaspersky, cyberspies suspected of having ties to China have infected “dozens” of computers of Russian government agencies and IT providers with backdoors and Trojans since late July.

The Russian security firm says the malware used in the ongoing targeted attacks – dubbed EastWind – is linked to two groups with Chinese connections, APT27 and APT31.

After initially gaining access to victims’ devices via phishing emails, the attackers used various cloud services and websites, including GitHub, Dropbox, Quora, LiveJournal, and Yandex.Disk, to deliver their remote-control malware and have it fetch additional payloads onto compromised computers. These services were effectively used as command-and-control (C2) servers.

The phishing emails, sent to organizations’ email addresses, carried RAR archive attachments containing a Windows shortcut, a decoy document, and a mix of legitimate and malicious files. Among them were malicious libraries that used DLL sideloading to plant a backdoor, which then began communicating with Dropbox.

Once it connects to the cloud storage service, the backdoor retrieves instructions from its operators, executes commands, performs reconnaissance, and downloads additional malware. Among the downloads is a trojan – previously linked to APT31 in campaigns in 2021 and 2023 – that Kaspersky dubbed “GrewApacha.”

This particular version of GrewApacha uses the same loader that was spotted in 2023, but now uses two C2 servers. It also hides the C2 server address in a GitHub profile bio, where it is stored as a Base64-encoded string.
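The dead-drop trick described above, a C2 address parked as a Base64 string in a public profile bio, is something a defender can hunt for in profile text already fetched from a trusted source. The following Python snippet is an added example written for this article, not code from Kaspersky or from the malware; the profile bio and the host it decodes to are constructed placeholders, and the heuristic (find Base64-looking tokens, decode them, keep only printable ASCII that looks like a URL, hostname or IPv4 address) is a triage aid that will produce false positives on ordinary long words and legitimate encoded data.

```python
import base64
import binascii
import re

# Constructed sample bio for illustration (not a real profile). The long
# token decodes to the placeholder URL https://c2.example.invalid/api;
# "internationalization" is a long ordinary word that decodes to junk and
# is expected to be filtered out.
SAMPLE_BIO = (
    "Open source enthusiast, internationalization nerd. "
    "aHR0cHM6Ly9jMi5leGFtcGxlLmludmFsaWQvYXBp "
    "Views are my own."
)

# Runs of Base64 alphabet characters long enough to hold a useful address.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Decoded text worth flagging: a URL scheme, a dotted-quad IPv4, or a
# dotted hostname.
HOST_HINT = re.compile(
    r"(https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b)",
    re.IGNORECASE,
)


def extract_c2_hints(text):
    """Return decoded strings from Base64-looking tokens in `text` that
    resemble a network endpoint. Tokens that are not valid Base64, do not
    decode to printable ASCII, or do not look like an endpoint are skipped."""
    hits = []
    for token in B64_TOKEN.findall(text):
        # Normalise padding: strip any captured '=' and re-pad to a multiple of 4.
        core = token.rstrip("=")
        padded = core + "=" * (-len(core) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue  # not Base64 at all (e.g. a long plain word of bad length)
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # decoded to binary junk, typical of an ordinary long word
        if decoded.isprintable() and HOST_HINT.search(decoded):
            hits.append(decoded)
    return hits


if __name__ == "__main__":
    for hint in extract_c2_hints(SAMPLE_BIO):
        print("possible encoded endpoint:", hint)
```

In practice you would feed this the bio text of accounts your endpoints are observed contacting, and treat a hit as a lead for analyst review rather than as proof of malice, since plenty of legitimate profiles carry encoded strings.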

In addition to the GrewApacha trojan, the attackers also downloaded the CloudSorcerer backdoor. Kaspersky reported on this malware earlier in July, noting that the attackers have since modified it to use profile pages on the Russian-language social network LiveJournal and the question-and-answer website Quora as its initial C2 servers.

According to Proofpoint, while CloudSorcerer was used against Russian organizations in this specific campaign, it was also spotted attacking a U.S. organization in late May.

When analyzing the updated CloudSorcerer samples, the threat hunters discovered that the criminals used this backdoor to download a previously unknown implant they dubbed PlugY.

This implant connects to the C2 server via TCP, UDP, or named pipes, and can execute a “fairly extensive” set of commands, we’re told. This includes manipulating files, executing shell commands, logging keystrokes, monitoring screens, and snooping through clipboards.

“The analysis of the implant is still ongoing, but we can conclude with a high degree of confidence that the code from the DRBControl (also known as Clambling) backdoor was used to develop it,” Kaspersky researchers wrote this week.

The DRBControl backdoor is linked to APT27.

And Kaspersky noted that the fact that the EastWind campaign used malware with similarities to samples used by both APT27 and APT31 “clearly demonstrates” that nation-state-backed teams “very often work together and actively share knowledge and tools.” ®

Postscript: Last week we noted that Iranian cyber teams were ramping up their efforts to influence this year’s US elections. Now Google says it has seen Iranian-backed teams targeting people in both Republican and Democratic campaigns, including the Israeli military.