Cinnamon Tempest: The Espionage Group Cloaked in Ransomware
- Suspected Origin
- China
- Motivation
- Espionage, Intellectual Property Theft
- Aliases
- DEV-0401, Emperor Dragonfly, BRONZE STARLIGHT
- Target Sectors
- Pharmaceutical, Electronic Components, Law Firms, Media, Aerospace, Defense, Government, Telecom, Software and Services, Gambling
- Associated Malware
- LockFile, AtomSilo, Rook, Night Sky, Pandora, Cheerscrypt, RA World, HUI Loader, Cobalt Strike, PlugX, Impacket, Iox, NPS, Meterpreter, Rclone, Keylogger
Overview
Cinnamon Tempest, identified by MITRE as G1021, is a sophisticated, China-based threat group that has been operational since at least 2021. This group is also known across the security community by several aliases, including DEV-0401, Emperor Dragonfly, and BRONZE STARLIGHT. What sets Cinnamon Tempest apart is its distinctive operational model: while they frequently deploy multiple strains of ransomware, often derived from the leaked Babuk source code, their primary motivation is not financial gain. Instead, the ransomware serves as a calculated smokescreen for cyberespionage and the theft of intellectual property. Unlike many financially motivated ransomware groups, Cinnamon Tempest operates independently, managing all stages of the attack lifecycle without relying on an affiliate model or purchasing initial access from other actors. Their victimology points to targets of strategic interest to a state-sponsored entity, spanning critical sectors globally.
Tactics & Techniques
Cinnamon Tempest demonstrates a broad and adaptable set of tactics, techniques, and procedures (TTPs) designed for stealth, persistence, and effective data exfiltration.
For Initial Access, the group consistently exploits unpatched vulnerabilities in internet-facing applications and network perimeter devices. Known targets have included vulnerabilities in Microsoft Exchange, ManageEngine AdSelfService Plus, Confluence, and the notorious Log4j flaw (CVE-2021-44228). They also leverage compromised user accounts to gain initial footholds.
Once inside, Execution is often achieved through PowerShell for command and control (C2) communications, file downloads, and reconnaissance. They deploy ransomware using batch scripts, frequently pushed via Group Policy Objects (GPO). A hallmark technique is abusing legitimate executables to side-load malicious DLLs for deploying payloads like Cobalt Strike Beacons. This has been observed with applications from Toshiba, Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan. DLL search order hijacking is another common method.
Persistence mechanisms include creating system services for deployed tooling and exploiting DLL search order hijacking and side-loading vulnerabilities. They also modify Group Policy to maintain access.
For Privilege Escalation, Cinnamon Tempest leverages DLL search order hijacking and side-loading, in conjunction with compromised domain accounts and Group Policy modifications. Their goal is often to obtain highly privileged credentials, such as domain administrator, to facilitate malware deployment and lateral movement.
Defense Evasion is a core component of their strategy. Beyond DLL hijacking and side-loading, they deobfuscate and decode files, and rename Impacket modules to avoid detection. Notably, they have been observed disabling Windows event tracing, the Anti-Malware Scan Interface (AMSI), and hooking Windows API calls to destroy forensic evidence of their activities. The group’s practice of frequently rebranding their ransomware payloads serves to obscure their true identity and make attribution more difficult. They have also incorporated geofencing, attempting to avoid targeting machines in specific countries like the United States, Germany, and the United Kingdom.
Lateral Movement is achieved using tools like Impacket, specifically its wmiexec.py and smbexec.py modules for remote execution and reconnaissance. They deploy ransomware from network shares and exploit compromised user accounts to move within the network. Remote Desktop Protocol (RDP) is also a technique observed for lateral movement.
Their Command and Control (C2) infrastructure relies heavily on Cobalt Strike Beacons, often delivered via DLL side-loading. PowerShell is frequently used for C2 communication. To further mask their activities, they employ customized proxy and tunneling tools such as Iox and NPS, which are known to be developed by Chinese actors for covert network communication.
Exfiltration of sensitive data often precedes ransomware deployment. While they maintain leak sites as part of a double extortion facade, suggesting financial motivation, the true goal appears to be data theft. They use tools like Rclone, an open-source command-line utility, to exfiltrate information to cloud storage services, including Alibaba Cloud Object Storage Service (Aliyun OSS).
Notable Campaigns
Cinnamon Tempest’s operations are characterized by their “name-and-shame” ransomware schemes, designed to pressure victims while obscuring the true espionage objective. The group has consistently changed its ransomware families to maintain a low profile and evade sanctions. These have included LockFile, AtomSilo, Rook, Night Sky, Pandora, and Cheerscrypt.
A significant aspect of their early operations involved the widespread exploitation of the Log4Shell vulnerability for initial access, leading to the deployment of various ransomware strains and Cobalt Strike.
More recently, in late 2024 and early 2025, Cinnamon Tempest has been observed utilizing the RA World ransomware, alongside a toolset previously attributed to espionage actors. These campaigns targeted Asian software and services companies, demanding significant ransoms (e.g., $2 million), and government departments and telecom carriers across Southeast Europe and Asia. These incidents highlight a potential overlap between state-backed cyber espionage and financially motivated cybercrime tactics. Another notable campaign specifically targeted the gambling sector in Southeast Asia.
Associated Malware & Tools
Cinnamon Tempest utilizes a varied arsenal of both custom-developed and open-source tools:
- Ransomware: Their ransomware payloads are frequently based on the leaked Babuk source code, with known variants including LockFile, AtomSilo, Rook, Night Sky, Pandora, Cheerscrypt, and RA World. Cheerscrypt, for example, has been used in attacks against both ESXi and Windows environments.
- Loaders/Backdoors: The custom DLL loader known as HUI Loader is a critical component, used to decrypt and load payloads such as Cobalt Strike and PlugX. PlugX is a remote access Trojan (RAT) frequently associated with China-based threat groups.
- C2/Post-Exploitation Frameworks: Cobalt Strike Beacon is a primary C2 framework, often deployed via DLL side-loading techniques. Meterpreter has also been observed.
- Lateral Movement/Reconnaissance: They extensively use Impacket, particularly its
wmiexec.pyandsmbexec.pymodules, for lateral movement and remote execution of commands. SMBexec is also used independently. - Proxy/Tunneling: Customized versions of the Iox proxy tool and the NPS tunneling tool are employed for covert network communications and to create multiple connections through a single tunnel.
- Data Exfiltration: Rclone, an open-source command-line tool, is used for exfiltrating sensitive information to cloud storage. They also use a custom keylogger that uploads data to Alibaba cloud storage.
Current Status
Cinnamon Tempest remains an active and evolving threat. Recent activity observed in late 2024 and early 2025 confirms their continued engagement in both cyberespionage and ransomware operations. These recent campaigns involving the RA World ransomware and their distinctive espionage toolset, targeting government entities, telecom carriers, and software/services companies in Asia and Southeast Europe, underscore their ongoing relevance and persistent threat. Their consistent pattern of frequently altering ransomware payloads and operating as an independent entity suggests a deliberate and sophisticated strategy to evade detection and misdirect attribution, ensuring their sustained capability for state-sponsored espionage and intellectual property theft under the guise of cybercrime. The combination of destructive ransomware capabilities with a clear espionage motive makes Cinnamon Tempest a significant concern for targeted organizations.
Related content
Akira Ransomware: A Persistent and Evolving Global Threat
Adversary ProfileINC Ransom (G1032) Threat Actor Profile: Operations, Tactics, and Evolution
Adversary ProfileCarbanak Threat Profile: Financial Apex Predators
Adversary ProfileDeep Panda (G0009) Threat Actor Profile: A Persistent Chinese Espionage Group
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call