Chinese Threat Group 'Jewelbug' Quietly Infiltrated Russian IT Network for Months
The Chinese threat group Jewelbug conducted a stealthy five-month cyber espionage campaign targeting a Russian IT service provider from January to May 2025. The group leveraged advanced tactics including a renamed Microsoft Console Debugger to bypass allowlisting, credential dumping, persistence via scheduled tasks, and log clearing to evade detection. Jewelbug’s access to code repositories and software build systems raises the risk of supply chain attacks impacting downstream customers. The group uses cloud services like Yandex Cloud and Microsoft Graph API for command-and-control, blending malicious activity with legitimate traffic to avoid detection. Jewelbug’s toolkit includes sophisticated backdoors such as FINALDRAFT and ShadowPad, and employs kernel driver exploits and privilege escalation tools. The campaign marks an expansion beyond their usual Southeast Asia and Latin America targets, signaling a broader geopolitical reach. The threat poses significant risks to IT service providers and their clients, especially through potential supply chain compromises. European organizations with ties to Russian IT providers or using similar software ecosystems should be vigilant. Mitigation requires advanced detection capabilities, strict monitoring of build environments, and robust incident response plans.
AI Analysis
Technical Summary
Jewelbug, a Chinese cyber espionage group tracked by multiple security vendors under various aliases (CL-STA-0049, Earth Alux, REF7707), executed a prolonged intrusion into a Russian IT service provider’s network from January to May 2025. This operation marks a geographic expansion beyond their traditional focus on Southeast Asia and Latin America. The attackers gained access to critical assets including code repositories and software build systems, enabling potential supply chain attacks that could impact multiple downstream customers.

Jewelbug employed a renamed version of Microsoft Console Debugger (cdb.exe) to execute shellcode and bypass application allowlisting, allowing them to run executables, DLLs, and terminate security tools stealthily. They also used credential dumping tools like Mimikatz and LSASS exploits, established persistence via scheduled tasks, and erased Windows Event Logs to cover their tracks. The group’s malware arsenal includes the FINALDRAFT backdoor capable of infecting Windows and Linux systems, and ShadowPad, a backdoor linked exclusively to Chinese threat actors. They leveraged cloud platforms such as Yandex Cloud and Microsoft Graph API for command-and-control, enabling covert data exfiltration and complicating forensic analysis. The attackers also utilized kernel driver exploits (via EchoDrv) and privilege escalation tools (PrintNotifyPotato, Coerced Potato, Sweet Potato) to deepen their foothold.

Jewelbug’s operations demonstrate a preference for blending malicious activities with legitimate cloud services to maintain stealth and persistence. The campaign’s targeting of IT service providers is strategic, as it opens avenues for supply chain compromises affecting multiple organizations. Additionally, Jewelbug’s evolving capabilities were highlighted by a recent intrusion in South America deploying a novel backdoor using Microsoft Graph API and OneDrive for C2. This activity underscores the group’s increasing sophistication and global reach amid complex geopolitical dynamics involving China and Russia.
Potential Impact
For European organizations, the Jewelbug campaign presents significant risks primarily through supply chain attacks originating from compromised IT service providers. European companies relying on Russian IT services or software built or maintained by affected providers could face indirect exposure to espionage, data theft, or malware insertion. The use of legitimate cloud services for command-and-control complicates detection and response, potentially allowing prolonged undetected access. The threat actor’s ability to bypass allowlisting and disable security tools increases the likelihood of successful intrusions. Furthermore, the deployment of advanced backdoors capable of infecting multiple operating systems broadens the attack surface. Given Europe’s interconnected technology supply chains and reliance on global IT services, the compromise of a single provider can cascade to multiple sectors including government, telecommunications, manufacturing, and logistics. The geopolitical context, with Russia’s strategic importance and ongoing tensions involving China, heightens the risk of spillover effects impacting European allies and partners. Additionally, the stealthy nature of the attacks and use of cloud-based C2 channels may delay incident detection and remediation, increasing potential damage and data loss.
Mitigation Recommendations
European organizations should implement enhanced supply chain risk management practices, including rigorous security assessments and continuous monitoring of IT service providers, especially those with ties to Russia or regions targeted by Jewelbug. Employ behavioral analytics and network traffic inspection focused on detecting anomalous use of legitimate tools like Microsoft Console Debugger and cloud APIs (Microsoft Graph, OneDrive). Harden endpoint security by restricting use of debugging tools and monitoring for suspicious scheduled tasks or credential dumping activities. Deploy advanced endpoint detection and response (EDR) solutions capable of detecting kernel driver exploits and privilege escalation techniques such as those used by Jewelbug. Enforce strict application allowlisting policies and monitor for attempts to disable security software. Maintain comprehensive logging and implement secure log management to prevent tampering and enable forensic investigations. Establish incident response playbooks tailored to supply chain compromise scenarios and conduct regular threat hunting exercises focused on stealthy cloud-based C2 communications. Collaborate with intelligence-sharing groups and keep abreast of threat actor TTPs to adapt defenses promptly. Finally, consider network segmentation and zero trust principles to limit lateral movement from compromised providers.
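Three of the behaviours the analysis names (a renamed Console Debugger running under another file name, persistence via a scheduled task, and Windows Event Log clearing) can be expressed as host-telemetry detections. The script below is an added example, not code from the original article or from any vendor it cites. The event records are constructed for this example; the field names follow Sysmon process-creation and Windows Security log conventions (Image, OriginalFileName, Event ID 4698 for task creation, 1102 and 104 for log clearing), and the user names, paths and task names are invented. The renamed-debugger rule relies on the fact that renaming a PE on disk does not change the OriginalFileName stored in its version resource, which is what Sysmon reports.

```python
"""Host-telemetry detections for a renamed debugger, untrusted scheduled
tasks and event-log clearing, with simple per-user correlation.
All events below are constructed sample data, not real telemetry."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample events (hypothetical users, paths and task names).
SAMPLE_EVENTS = [
    # Sysmon EventID 1: the debugger run under its own name from the SDK path.
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "CDB.EXE", "CommandLine": "cdb.exe -p 4242", "User": "CORP\\dev01"},
    # Sysmon EventID 1: the same binary copied to a user-writable path and renamed.
    {"EventID": 1, "Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "CDB.EXE", "CommandLine": "svchost.exe -cf script.wds", "User": "CORP\\svc_build"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe", "User": "CORP\\dev01"},
    # Security EventID 4698: scheduled task whose action lives outside trusted paths.
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Update\Check",
     "TaskContent": r"<Exec><Command>C:\Users\Public\svchost.exe</Command></Exec>", "User": "CORP\\svc_build"},
    # Security EventID 4698: scheduled task created by a legitimate installer.
    {"EventID": 4698, "TaskName": r"\Vendor\Updater",
     "TaskContent": r"<Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec>",
     "User": "NT AUTHORITY\\SYSTEM"},
    # Security EventID 1102 and System EventID 104: event logs cleared.
    {"EventID": 1102, "Channel": "Security", "User": "CORP\\svc_build"},
    {"EventID": 104, "Channel": "System", "User": "CORP\\svc_build"},
]

# OriginalFileName values to treat as debuggers (the page names cdb.exe).
DEBUGGER_ORIGINAL_NAMES = {"CDB.EXE"}
# Directories an installer-created task action is normally expected to live in.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
LOG_CLEARED_EVENT_IDS = {1102, 104}
COMMAND_RE = re.compile(r"<Command>(.*?)</Command>", re.IGNORECASE | re.DOTALL)


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def detect_renamed_debugger(events: list[dict]) -> list[Finding]:
    """Flag process starts whose PE version resource says 'CDB.EXE' but whose
    on-disk file name differs: renaming the file does not change OriginalFileName."""
    out = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        original = (e.get("OriginalFileName") or "").upper()
        on_disk = ntpath.basename(e.get("Image", "")).upper()
        if original in DEBUGGER_ORIGINAL_NAMES and on_disk != original:
            out.append(Finding("renamed_debugger", e["User"],
                               f"{e['Image']} has OriginalFileName {original}"))
    return out


def detect_untrusted_scheduled_task(events: list[dict]) -> list[Finding]:
    """Flag task creation (4698) whose <Command> points outside trusted directories."""
    out = []
    for e in events:
        if e.get("EventID") != 4698:
            continue
        for cmd in COMMAND_RE.findall(e.get("TaskContent", "")):
            path = cmd.strip().strip('"').lower()
            if not path.startswith(TRUSTED_PREFIXES):
                out.append(Finding("untrusted_scheduled_task", e["User"],
                                   f"{e['TaskName']} runs {cmd.strip()}"))
    return out


def detect_log_clearing(events: list[dict]) -> list[Finding]:
    """Flag Security 1102 and System 104, which record that a log was cleared."""
    return [Finding("event_log_cleared", e["User"],
                    f"EventID {e['EventID']} on {e.get('Channel', '?')} log")
            for e in events if e.get("EventID") in LOG_CLEARED_EVENT_IDS]


def triage(events: list[dict]) -> tuple[list[Finding], list[str]]:
    """Run all rules; escalate any user that trips two or more distinct rules,
    since each behaviour alone has benign explanations but the combination rarely does."""
    findings = (detect_renamed_debugger(events)
                + detect_untrusted_scheduled_task(events)
                + detect_log_clearing(events))
    rules_by_user: dict[str, set[str]] = {}
    for f in findings:
        rules_by_user.setdefault(f.user, set()).add(f.rule)
    escalate = sorted(u for u, rules in rules_by_user.items() if len(rules) >= 2)
    return findings, escalate


if __name__ == "__main__":
    found, escalated = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.user}: {f.detail}")
    print("escalate:", escalated)
```

The per-user correlation is the part worth keeping in a real deployment: a developer legitimately launching cdb.exe, an installer registering a task, or an administrator clearing a log each produce one low-confidence signal, whereas the same account doing a renamed-debugger start, an untrusted task and a log wipe within a short window is the pattern the analysis describes. In production the trusted-path list and the time window would be tuned to the environment, and the debugger set could be widened to other allowlisted tooling the organisation sees abused.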
Affected Countries
Russia, Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Czech Republic
Technical Details
- Article Source: https://thehackernews.com/2025/10/chinese-threat-group-jewelbug-quietly.html (fetched 2025-10-16)