{"id":47236,"date":"2022-06-23T19:58:43","date_gmt":"2022-06-23T19:58:43","guid":{"rendered":"https:\/\/www.darkreading.com\/attacks-breaches\/chinese-apt-ransomware-attacks-cover-ip-theft"},"modified":"2022-06-23T19:58:43","modified_gmt":"2022-06-23T19:58:43","slug":"chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/","title":{"rendered":"Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt7b0b1c27d52b4578\/62b4ba5e9b1d980db353fdce\/chinaiptheft_Pixels_Hunter_shutterstock.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>A China-based advanced persistent threat (APT) actor, active since early 2021, appears to be using ransomware and double-extortion attacks as camouflage for systematic, government-sponsored cyberespionage and intellectual property theft.<\/p>\n<p>In all of the attacks, the threat actor has used a malware loader called the HUI Loader \u2014 associated exclusively with China-backed groups \u2014 to load Cobalt Strike Beacon and then deploy ransomware on compromised hosts. Researchers at Secureworks who are tracking the group as \u201cBronze Starlight\u201d say it\u2019s a tactic they have not observed other threat actors use.<\/p>\n<p>Secureworks also says&nbsp;it has identified organizations in multiple countries that the adversary appears to have compromised. The group\u2019s US-based victims include a pharmaceutical company, a law firm, and a media company with offices in Hong Kong and China. Others include electronic component designers and manufacturers in Japan and Lithuania, a pharmaceutical company in Brazil, and the aerospace and defense division of an Indian conglomerate. 
Some three-quarters of Bronze Starlight\u2019s victims so far are organizations that have typically been of interest to government-sponsored Chinese cyber-espionage groups.<\/p>\n<h2 class=\"regular-text\">Cycling Through Ransomware Families<\/h2>\n<p>Since it began operations in 2021, Bronze Starlight&nbsp;has used at <a href=\"https:\/\/www.secureworks.com\/research\/bronze-starlight-ransomware-operations-use-hui-loader\" target=\"_blank\" rel=\"noopener\">least five different ransomware tools in its attacks<\/a>: LockFile, AtomSilo, Rook, Night Sky, and Pandora. Secureworks\u2019 analysis shows that the threat actor used a traditional ransomware model with LockFile, where it encrypted data on a victim network and demanded a ransom for the decryption key. But it switched to a double-extortion model with each of the other ransomware families. In these attacks Bronze Starlight attempted to extort victims by both encrypting their sensitive data and threatening to leak it publicly. Secureworks identified data belonging to at least 21 companies posted on leak sites associated with AtomSilo, Rook, Night Sky, and Pandora.<\/p>\n<p>While Bronze Starlight appears on the surface to be financially motivated, its real mission appears to <a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/us-needs-comprehensive-policy-to-combat-china-on-ip-theft\" target=\"_blank\" rel=\"noopener\">be cyberespionage and intellectual property theft<\/a> in support of Chinese economic objectives, says Marc Burnard, senior consultant information security research at Secureworks. 
The US government last year <a href=\"https:\/\/www.darkreading.com\/informationweek-home\/us-accuses-china-of-using-criminal-hackers-in-cyber-espionage-operations-\/d\/d-id\/1341552\" target=\"_blank\" rel=\"noopener\">formally accused China<\/a> of using threat groups such as Bronze Starlight in state-sponsored cyber-espionage campaigns.<\/p>\n<p>\u201cThe victimology, tooling, and rapid cycling through ransomware families suggest that Bronze Starlight\u2019s intent may not be financial gain,\u201d he says. Instead, it\u2019s possible that the threat actor is using ransomware and double extortion as a cover to steal data from organizations of interest to China and destroy evidence of its activity.<\/p>\n<p>Bronze Starlight has consistently targeted only a small number of victims over short periods of time with each ransomware family \u2014 something that threat groups don\u2019t often do because of the overhead associated with developing and deploying new ransomware tools. In Bronze Starlight\u2019s case, the threat actor appears to have employed the tactic to prevent drawing too much attention from security researchers, Secureworks said. <\/p>\n<h2 class=\"regular-text\">The Chinese Connection<\/h2>\n<p>Burnard says the threat actor\u2019s use of the HUI Loader along with a relatively rare version of PlugX, a remote access Trojan linked exclusively to China-backed threat groups, is another sign that there\u2019s more to Bronze Starlight than its ransomware activity might suggest. <\/p>\n<p>\u201cWe believe the HUI Loader is a tool unique to Chinese state-sponsored threat groups,\u201d Burnard says. 
It is not widely used, but where it has been used, the activity has been attributed to other likely Chinese threat groups, such as one dubbed Bronze Riverside that is focused on stealing IP from Japanese companies.&nbsp;<\/p>\n<p>\u201cIn terms of the use of the HUI Loader to load Cobalt Strike Beacons, this is one key characteristic of the Bronze Starlight activity that connects the broader campaign and five ransomware families together,\u201d Burnard says.<\/p>\n<p>Another sign that Bronze Starlight is more than just a ransomware operation involves a breach that Secureworks investigated earlier this year, where Bronze Starlight broke into a server at an organization that had already been compromised by another China-sponsored threat operation called Bronze University. In this incident, though, Bronze Starlight deployed the HUI Loader with Cobalt Strike Beacon on the compromised server but did not deploy any ransomware.&nbsp;<\/p>\n<p>\u201cAgain, this raises an interesting question around links between Bronze Starlight and state-sponsored threat groups in China,\u201d Burnard says.<\/p>\n<p>There\u2019s also evidence that Bronze Starlight is learning from its intrusion activity and improving the HUI Loader\u2019s capabilities, he adds. The version of the loader that the group used in its initial intrusions, for instance, was merely designed to load, decrypt, and execute a payload. But an updated version of the tool that Secureworks came across while responding to a January 2022 incident revealed several improvements.&nbsp;<\/p>\n<p>\u201cThe updated version comes with detection evasion techniques, such as disabling Windows Event Tracing for Windows [ETW] and Antimalware Scan Interface [AMSI] and Windows API hooking,\u201d Burnard notes. 
\u201cThis indicates the HUI Loader is actively being developed and upgraded.\u201d<\/p>\n<p>Secureworks\u2019 investigation shows that Bronze Starlight primarily compromises Internet-facing servers at victim organizations by exploiting known vulnerabilities. So as part of a multilayered approach to network security, network defenders should ensure that Internet-facing servers are patched in a timely manner, Burnard says.&nbsp;<\/p>\n<p>\u201cWhile the focus is often on zero-day exploitation, we often see threat groups like Bronze Starlight exploit vulnerabilities that already have a patch available,&#8221; he says.<\/p>\n<p>Read More <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/chinese-apt-ransomware-attacks-cover-ip-theft\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Bronze Starlight\u2019s use of multiple ransomware families and its victim-targeting suggest there\u2019s more to the group\u2019s activities than just financial gain, security vendor says.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-47236","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-06-23T19:58:43+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt7b0b1c27d52b4578\/62b4ba5e9b1d980db353fdce\/chinaiptheft_Pixels_Hunter_shutterstock.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft\",\"datePublished\":\"2022-06-23T19:58:43+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\\\/\"},\"wordCount\":890,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/blt7b0b1c27d52b4578\\\/62b4ba5e9b1d980db353fdce\\\/chinaiptheft_Pixels_Hunter_shutterstock.jpg\",\"articleSection\":[\"DarkReading 
|TI\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\\\/\",\"name\":\"Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/blt7b0b1c27d52b4578\\\/62b4ba5e9b1d980db353fdce\\\/chinaiptheft_Pixels_Hunter_shutterstock.jpg\",\"datePublished\":\"2022-06-23T19:58:43+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\\\/#primaryimage\",\"url\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/blt7b0b1c27d52b4578\\\/62b4ba5e9b1d980db353fdce\\\/chinaiptheft_Pixels_Hunter_shutterstock.jpg\",\"contentUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/blt7b0b1c27d52b4578\\\/62b4ba5e9b1d980db353fdce\\\/chinaiptheft_Pixels_Hunter_shutterstock.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat 
Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/","og_locale":"en_US","og_type":"article","og_title":"Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-06-23T19:58:43+00:00","og_image":[{"url":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt7b0b1c27d52b4578\/62b4ba5e9b1d980db353fdce\/chinaiptheft_Pixels_Hunter_shutterstock.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft","datePublished":"2022-06-23T19:58:43+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/"},"wordCount":890,"commentCount":0,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/#primaryimage"},"thumbnailUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt7b0b1c27d52b4578\/62b4ba5e9b1d980db353fdce\/chinaiptheft_Pixels_Hunter_shutterstock.jpg","articleSection":["DarkReading 
|TI"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/","url":"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/","name":"Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/#primaryimage"},"thumbnailUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt7b0b1c27d52b4578\/62b4ba5e9b1d980db353fdce\/chinaiptheft_Pixels_Hunter_shutterstock.jpg","datePublished":"2022-06-23T19:58:43+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/#primaryimage","url":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt7b0b1c27d52b4578\/62b4ba5e9b1d980db353fdce\/chinaiptheft_Pixels_Hunter_shutterstock.jpg","contentUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt7b0b1c27d52b4578\/62b4ba5e9b1d980db353fdce\/chinaiptheft_Pixels_Hunter_shutterstock.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/chinese-apt-group-likely-using-ransomware-attacks-as-cover-for-ip-theft\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT 
\u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/47236","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=47236"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/47236\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=47236"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=47236"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=47236"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}