Friday, February 14, 2025

Palo Alto PAN-OS Vulnerability (CVE-2024-0012) Used in Attack by Emperor Dragonfly Group

A China-based threat actor known as Emperor Dragonfly, traditionally associated with state-sponsored espionage, has been observed leveraging its sophisticated toolset in a recent ransomware attack. This marks a potential blurring of the lines between nation-state cyber operations and financially motivated cybercrime, raising significant alarms for security professionals and DevOps teams alike.

In late 2024, security researchers at Symantec's Threat Hunter Team uncovered an attack targeting an Asian software and services company. The attack employed the RA World ransomware, accompanied by a staggering $2 million ransom demand. What caught the researchers' attention was the deployment of tools previously linked to Chinese espionage campaigns.   

"During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks," Symantec researchers stated. 

This observation suggests a worrying overlap where resources and techniques from state-backed espionage groups are potentially being repurposed for cybercriminal activities. While resource sharing among China-based espionage groups isn't uncommon, the utilization of these sophisticated, often non-public tools in ransomware attacks is a notable and concerning development.

Further context comes from a July 2024 report by Palo Alto Networks' Unit 42, which tentatively connected Emperor Dragonfly (also known as Bronze Starlight) to the RA World ransomware operation. RA World is believed to be an offshoot of the RA Group, a ransomware family that emerged in 2023 with roots in the Babuk ransomware.   

From Long-Term Persistence to Rapid Encryption

Historically, Emperor Dragonfly has been associated with long-term espionage campaigns. Between July 2024 and January 2025, the group targeted government ministries and telecom operators in Southeast Europe and Asia, focusing on establishing persistent access for intelligence gathering. These attacks involved:   

  • PlugX (Korplug) Backdoor: A specific variant of this well-known backdoor was deployed.  
  • DLL Sideloading: The backdoor was executed using a legitimate Toshiba executable (toshdpdb.exe) and a malicious DLL (toshdpapi.dll).
  • NPS Proxy: A China-developed tool facilitating covert network communication was utilized.  
  • RC4-Encrypted Payloads: Various payloads were encrypted using the RC4 algorithm.

However, in November 2024, the same Korplug payload was observed in an attack against a South Asian software company, but this time, it culminated in an RA World ransomware deployment.  

The attack on the software company reportedly began with the exploitation of a known vulnerability in Palo Alto PAN-OS (CVE-2024-0012). After gaining initial access, the attackers mirrored their espionage tactics, employing DLL sideloading with the Toshiba executable and DLL to deploy Korplug before initiating the encryption process.
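The sideloading pair named above (toshdpdb.exe loading toshdpapi.dll) is the kind of pairing a defender can hunt for in image-load telemetry. The following is an added detection example, not code from Symantec or from the report; it runs over constructed Sysmon Event ID 7 style records (the field names Image, ImageLoaded and Signed are assumed to be flattened out of the event XML) and flags the pair when the host binary sits outside vendor install roots or the DLL is unsigned.

```python
from pathlib import PureWindowsPath

# Constructed sample image-load records (not from the incident), one dict per
# event. Field names mirror Sysmon Event ID 7 after flattening the XML.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\Libraries\toshdpdb.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\toshdpapi.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\TOSHIBA\Display\toshdpdb.exe",
     "ImageLoaded": r"C:\Program Files\TOSHIBA\Display\toshdpapi.dll",
     "Signed": "true"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true"},
]

# The (host EXE, DLL) pair reported in the campaign. Matching is case-insensitive
# because Windows file names are.
SIDELOAD_PAIRS = {("toshdpdb.exe", "toshdpapi.dll")}

# Directories where a vendor binary would normally be installed (assumed
# baseline; tune to the environment). Anything else is treated as suspect.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def is_suspicious_sideload(event):
    """Return a reason string if the event matches the reported sideload, else None."""
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if (host.name.lower(), dll.name.lower()) not in SIDELOAD_PAIRS:
        return None
    reasons = []
    if not str(host).lower().startswith(TRUSTED_ROOTS):
        reasons.append(f"host binary outside trusted roots: {host}")
    if event.get("Signed", "").lower() != "true":
        reasons.append(f"loaded DLL is not signed: {dll}")
    # The legitimate EXE loading its own DLL from a vendor directory with a valid
    # signature is normal behaviour, so it produces no alert.
    return "; ".join(reasons) if reasons else None


def scan(events):
    """Return (event, reason) pairs for every record that trips the check."""
    return [(e, r) for e in events if (r := is_suspicious_sideload(e))]
```

Signature checks in the sample rely on the Signed field alone; in production, also compare the DLL hash against the vendor-shipped file, since a renamed malicious DLL beside a legitimately signed EXE is exactly what sideloading exploits.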
