ChamelGang APT Disguises Espionage Activities With Ransomware

Published: 23/11/2024   Category: security




The China-nexus cyber-threat actor has been operating since at least 2019 and has notched victims in multiple countries.



A likely China-backed advanced persistent threat (APT) group has been systematically using ransomware to disguise its relatively prolific cyber-espionage operations for the past three years, at least.
The threat actor, who researchers at SentinelOne are tracking as ChamelGang (aka CamoFei), has recently targeted critical infrastructure organizations in East Asia and India.  
Some of ChamelGang's victims in that region include an aviation organization in the Indian subcontinent and the All India Institute of Medical Sciences (AIIMS). But the group's previous victims include government and private sector organizations — including those in critical infrastructure sectors — in the US, Russia, Taiwan, and Japan.
According to SentinelOne, what makes ChamelGang's operations noteworthy is its regular use of a ransomware tool called CatB to distract from and conceal its cyber-espionage focus.
"Cyberespionage operations disguised as ransomware activities provide an opportunity for adversarial countries to claim plausible deniability by attributing the actions to independent cybercriminal actors rather than state-sponsored entities," the security vendor said in a report shared with Dark Reading. "Furthermore, misattributing cyberespionage activities as cybercriminal operations can result in strategic repercussions, especially in the context of attacks on government or critical infrastructure organizations."
Significantly, ransomware also gives cyber-espionage actors a way to conveniently cover their tracks by destroying artifacts and evidence that would have pointed to their data theft activities, SentinelOne said.
ChamelGang is not the first China-nexus cyberespionage player to use ransomware in this manner. Other examples include APT41 — an umbrella group of multiple smaller subgroups — and Bronze Starlight, whose victims include organizations in the US and multiple other countries.
"Current and historical evidence suggests that cyberespionage clusters use ransomware primarily for disruption or financial gain," says Aleksandar Milenkoski, senior threat researcher at SentinelOne's SentinelLabs.
"In ChamelGang's case, the threat actor has typically tended to deploy its ransomware toward the end of its missions where covertness is no longer an operational objective," Milenkoski says. Ransomware can be used as a cover for exfiltrating intelligence-relevant data and deflecting blame, so victims of a ransomware attack should not ignore this aspect when responding to an attack, he says: "Depending on the potential value of the targeted organization to adversaries from an intelligence perspective, these dimensions of ransomware activities should be considered when assessing the situation."
ChamelGang is a threat actor that others such as Positive Technologies and Team5 have previously identified as focused on data theft and cyber espionage. Positive Technologies reported on the group's activities in September 2021 following a breach investigation at an energy company where the threat actor disguised its malware and infrastructure to look like legitimate Microsoft, Google, IBM, TrendMicro, and McAfee services.
Team5, which tracks the group as Camo Fei, has assessed the threat actor as having been active since at least 2019 and using a variety of malware tools in its campaigns, including Cobalt Strike, DoorMe, IISBeacon, MGDrive, and the CatB ransomware tool. Team5's research showed the threat actor is primarily focused on targets in the government sector and, to a lesser extent, the healthcare, telecommunications, energy, water, and high-tech sectors as well.
SentinelOne itself has assessed ChamelGang's current focus on East Asia and the Indian subcontinent as resulting from geopolitical tensions, regional rivalries, and a race for technological and economic superiority. The company's investigations showed the group deployed CatB ransomware in its 2022 attacks on India's AIIMS and against the Brazilian government after using tools such as BeaconLoader and Cobalt Strike during earlier phases of the intrusion.
"The interest of threat actors in conducting both cyber espionage and financially motivated activities to actually collect a ransom depends on their objectives when targeting an organization," Milenkoski says. "Historically, a common case where threat actors have shown no interest in collecting ransom is when deploying ransomware for disruptive purposes," he says. "But we note that interest in ransom payment may represent a cover by itself."
