December 3, 2023

A China-linked state-sponsored hacking group was observed deploying various ransomware families to hide the true intent of its attacks.

The threat group dubbed Bronze light started using the HUI Loader to drop ransomware such as AtomSilo, LockFile, Night Sky, Pandora, and Rook.

The TTPs used and the tools used by the group forced the researchers believe that Bronze Starlight is likely interested in cyberespionage and intellectual property (IP) theft rather than financial gain.


Earlier since 2015, HUI Loader has been used for the delivery of remote access trojans (RATs) and other types of malware, including Cobalt Strike,  QuasarRAT, PlugX, and SodaMaster.

Starting in 2021, the loader has been used in campaigns focused on intellectual property theft, with two distinct clusters of activity identified: Bronze Riverside (APT10), which has been focusing on compromising Japanese organizations, and Bronze Starlight, which employs ransomware to distract incident responders and likely to destroy evidence of intrusion.

Researchers analyzed the five ransomware families which were linked to HUI Loader samples that used to deploy Cobalt Strike Beacon and discovered that they were built from two distinct codebases: an early one for AtomSilo and LockFile, and a more recent Babuk ransomware source code leak – for Night Sky, Pandora, and Rook.

The same network had been compromised by both Bronze Starlight and Bronze University, which deployed the ShadowPad malware. The intrusions started in November 2021 and overlapped for several weeks.

The simultaneous and continued operations by another Chinese threat group on the same network suggests that the two groups may have deconflicted their post-intrusion activity. This scenario assumes collaboration and knowledge sharing between the groups.


This is an indication that Bronze Starlight participates in government-sponsored intelligence-gathering efforts rather than being a purely financially motivated threat group

On total of 21 known victims associated with AtomSilo, Night Sky, Pandora, and Rook, roughly 15 are of interest to Chinese state-sponsored cyberespionage groups. These include pharmaceutical companies, electronic component designers and manufacturers, a media company, and the aerospace and defense unit of an Indian conglomerate.

This research and documentation was conducted by SecureWorks firm.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: