Two APT groups from China are carrying out cyber espionage and stealing intellectual property from Western and Japanese firms. While doing so, they are deploying ransomware as a decoy to cover their activities.

The campaign

Researchers from Secureworks spotted two hacking clusters, tracked as APT41 and APT10, using HUI Loader to deploy QuasarRAT, PlugX, and Cobalt Strike.
  • APT41 is focused on stealing intellectual property from Japanese firms while APT10 has been targeting global organizations.
  • Both groups were propagating short-lived ransomware to mask their espionage activities as financially-motivated attacks to reduce accurate attribution and create a good distraction for defenders.

The Chinese connection 

Links to PlugX and Chinese-language resources used in ransomware activities revealed that the group is the Chinese APT10 group.

Use of Cobalt Strike tool and HUI loader

Since March, in addition to the above tools, APT10 has used several other tools and tactics to distribute more malware.
  • It used Cobalt Strike to deploy ransomware such as Rook, Pandora, AtomSilo, LockFile, and Night Sky. 
  • The group disabled Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) functions.
  • Cobalt Strike beacons shared C2 addresses in three distinct attacks of AtomSilo, Pandora, and Night Sky. 
  • Further, the same source was used for uploading the HUI Loader samples on VirusTotal.


Probably for the first time ransomware is being used by APT groups to mask their espionage activities. For that reason, experts suggest having multiple layers of robust detection/protection mechanisms to stay protected from all kinds of cyber threats.
Cyware Publisher