threat profile (active)
type: Nation-State
threat level: Critical
status: Active
origin: China (state-suspected espionage)
last updated: 2026-03-27

Cinnamon Tempest

also tracked as: DEV-0401 (Microsoft), Bronze Starlight (Secureworks), Emperor Dragonfly (Sygnia), SLIME34, MITRE ATT&CK G1021

A China-based threat group that uses ransomware as a distraction from what researchers assess is the real objective: intellectual property theft and espionage. The group cycled through six distinct ransomware brands in under a year (LockFile → Atom Silo → Rook → Night Sky → Pandora → LockBit 2.0), deploying each against a small number of victims and then abandoning it, an operational cadence inconsistent with financially motivated ransomware and consistent with a cover story for IP exfiltration. Roughly 75% of the known victims named on the AtomSilo, Rook, Night Sky, and Pandora leak sites are organizations that have historically been of interest to Chinese state-sponsored espionage groups: pharmaceutical companies, electronic component manufacturers, aerospace and defense units, and media organizations. The group uses HUI Loader, a custom DLL loader observed only in China-backed operations, to deploy Cobalt Strike Beacon for C2 before ransomware deployment.

attributed sponsor: China, state-suspected (moderate confidence, Secureworks)
mitre id: G1021
active since: mid-2021
ransomware brands cycled: 6 distinct families in under 1 year (2021–2022)
victim espionage alignment: ~75% of named victims align with Chinese state IP priorities
defining tool: HUI Loader (observed only with China-backed threat actors)
ransomware model: conducts all stages itself, including initial access; no Initial Access Brokers, no affiliate handoffs (it later operated as a LockBit 2.0 affiliate itself)
cobalt strike fingerprint: HTTP POST URI beginning with /rest/2/meetings; watermark value 0
confirmed overlap: Bronze University (ShadowPad) active on the same network (Jan 2022)

Overview

Cinnamon Tempest presents what Secureworks called "a smokescreen" — deploying ransomware not for the ransoms but to distract incident responders from the real operation, destroy forensic evidence of intrusion, and obscure attribution to a state-sponsored actor. The pattern is analytically distinctive: while financially motivated ransomware operators seek to maximize victim count and revenue per victim, Cinnamon Tempest deploys each ransomware family against a small number of organizations over a short period, then abandons that brand entirely and moves to the next. Six distinct ransomware families in under a year is not an optimization strategy for a financially motivated operator — it is an overhead cost, suggesting the ransomware deployment is serving a function other than financial return.

The victimology reinforces this interpretation. Of 21 known victims associated with AtomSilo, Night Sky, Pandora, and Rook across Secureworks' analysis, approximately 75% were organizations of known interest to Chinese state-sponsored espionage programs: pharmaceutical companies (including organizations in the US and Brazil), electronic component designers and manufacturers (Japan, Lithuania), a media company with Hong Kong and China offices, and the aerospace and defense division of an Indian conglomerate. This is not the victim profile of a ransomware operator optimizing for payment likelihood — it is a victim profile consistent with Chinese economic intelligence collection priorities.

The HUI Loader is the single most definitive attribution indicator. HUI Loader is a custom DLL loader whose use has been observed exclusively in campaigns associated with Chinese state threat actors — specifically Bronze Riverside (APT10, targeting Japanese organizations) and Bronze Starlight (Cinnamon Tempest, deploying ransomware). The loader uses DLL search order hijacking to load a third encrypted file containing the payload. An updated version documented by Secureworks in early 2022 added ETW disabling, AMSI disabling, and Windows API hooking — all active evasion improvements, indicating the tool is under continued development. The same HUI Loader samples that loaded Cobalt Strike Beacon were used across AtomSilo, Night Sky, and Pandora ransomware deployments, with a unique Cobalt Strike Beacon configuration (HTTP POST URI beginning with /rest/2/meetings, watermark value of 0) observed exclusively in these campaigns.

A January 2022 Secureworks incident response engagement found Cinnamon Tempest and the Bronze University threat group — another Chinese APT that deploys ShadowPad — active on the same compromised network, with overlapping timeframes. Importantly, Cinnamon Tempest did not deploy ransomware against this particular organization — which was a known target of Chinese cyberespionage. This suggests either deconfliction between the two groups after discovering shared access, or a deliberate decision not to burn the access with a disruptive ransomware deployment when the espionage objective had already been served.

Six Ransomware Brands — Rapid Cycling Cadence

The sequential deployment and abandonment of six distinct ransomware families in under a year is the defining operational signature of Cinnamon Tempest's cover-story strategy. LockFile and AtomSilo share a proprietary codebase. After Avast released decryptors for both, the group pivoted to the leaked Babuk source code, producing Rook, Night Sky, and Pandora as successive variants. LockBit 2.0 was adopted as an affiliate in the final documented phase.

Brand 1: LockFile (August 2021)
Traditional encryption-only ransomware. Ransom note format and TOR infrastructure copied from LockBit 2.0. AES-256 file encryption, with the AES key protected by RSA-4096. Ransom note filenames incorporated the computer name and a timestamp. Deployed after exploitation of ProxyShell (Exchange Server) vulnerabilities. Avast later released a decryptor.

Brand 2: Atom Silo (October 2021)
Derived from the LockFile codebase, with near-identical encryption (AES-256 + RSA-4096) and ransom note filename pattern. The double-extortion site references BlackMatter; ransom notes reference Cerber. Only four confirmed victims. Avast released a decryptor, which likely triggered the pivot from the proprietary codebase to Babuk-derived tooling.

Brand 3: Rook (November 2021)
First Babuk-derived variant, adopted after the Avast decryptors made LockFile and AtomSilo ineffective; the Babuk source code had leaked in September 2021. Rook encrypts file contents with AES and protects the AES key with RSA, the standard Babuk architecture. Operated a name-and-shame leak site. Victims include electronic component manufacturers in Japan and Lithuania.

Brand 4: Night Sky (December 2021)
Babuk-derived successor to Rook. Used in the January 2022 Log4Shell exploitation campaign against VMware Horizon servers. Delivered alongside a keylogger (uploading to Alibaba Cloud), the iox proxy tool, and NPS tunneling software, additional tooling consistent with espionage rather than ransomware as the primary objective. Sygnia later assessed Cheerscrypt, which appeared later in 2022, as a rebrand of Night Sky operated by the same group.

Brand 5: Pandora (February 2022)
Third Babuk-derived variant. Code overlap identified between updated HUI Loader samples and Pandora ransomware, the strongest direct link between the loader tooling and a ransomware brand. Leak site listed five victims as of April 2022. HUI Loader samples deploying Pandora share the unique Cobalt Strike Beacon configuration (/rest/2/meetings URI, watermark 0) seen with AtomSilo and Night Sky.

Brand 6: LockBit 2.0 (April 2022)
After cycling through five proprietary or derived brands, Cinnamon Tempest became a LockBit 2.0 affiliate, operating inside the established RaaS ecosystem rather than maintaining its own ransomware tooling. The affiliate phase is the most operationally efficient cover: LockBit 2.0 attribution is inherently ambiguous because many actors operate under the brand, adding deniability for the underlying espionage mission.

Target Profile

Cinnamon Tempest's victim selection aligns with Chinese state economic intelligence collection priorities — sectors where China has documented interest in acquiring foreign intellectual property and technical capabilities.

  • Pharmaceutical companies (US and Brazil): Drug development data, clinical trial results, and formulation IP are high-priority collection targets for Chinese state programs, with interest in vaccine and therapeutic IP heightened since the COVID-19 pandemic.
  • Electronic component designers and manufacturers (Japan and Lithuania): Semiconductor design, electronic component specifications, and manufacturing process data are directly relevant to China's semiconductor self-sufficiency objectives. Japan is a long-standing target of Chinese industrial espionage via multiple APT groups (notably APT10).
  • Aerospace and defense — Indian conglomerate: Defense technology, aerospace manufacturing specifications, and military procurement data from a major Indian defense and aerospace organization represent intelligence of direct strategic value. India's defense modernization program and its procurement relationships with Western defense contractors make it a priority target.
  • Media organization with Hong Kong and China offices: Editorial content, source identities, and communication records from a media organization covering China-relevant news have intelligence collection value for tracking dissident networks, foreign correspondent activities, and political information flows.
  • Law firm: Legal communications, case files, and client data from a law firm can yield intelligence on corporate transactions, regulatory proceedings, and sensitive communications that would not appear in public filings.

Tactics, Techniques & Procedures

TTPs as documented by Secureworks (Bronze Starlight analysis, June 2022), Microsoft (DEV-0401 tracking), Sygnia (Emperor Dragonfly, October 2022), and MITRE ATT&CK G1021.

mitre id | technique | description

T1190 | Exploit Public-Facing Application (Initial Access)
Cinnamon Tempest consistently exploits known vulnerabilities in internet-facing servers: ProxyShell (Exchange Server), Zoho ManageEngine ADSelfService Plus, Atlassian Confluence (including flaws newly disclosed at the time of exploitation), and Apache Log4j (Log4Shell, CVE-2021-44228). Microsoft emphasized that the group is involved in all stages of the attack lifecycle, including initial access: unlike RaaS operations that buy access from Initial Access Brokers, Cinnamon Tempest conducts its own exploitation. The January 2022 Night Sky campaign specifically exploited Log4Shell on VMware Horizon servers.

T1574.001 | DLL Search Order Hijacking (HUI Loader)
HUI Loader is the group's primary post-exploitation loader, observed only with China-backed threat actors. It is loaded by legitimate programs vulnerable to DLL search order hijacking: the legitimate program loads the malicious DLL in place of the intended library. HUI Loader then decrypts and loads a third file, deployed alongside it, that contains the encrypted payload (Cobalt Strike Beacon). An updated version documented in early 2022 added ETW disabling, AMSI disabling, and Windows API hooking. HUI Loader has been used since at least 2015 to deploy RATs including SodaMaster, PlugX, Cobalt Strike, and QuasarRAT across Chinese APT operations.

T1071.001 | Cobalt Strike C2 over HTTP, Unique Configuration Fingerprint
HUI Loader deploys an encrypted Cobalt Strike Beacon for C2. The Beacon configuration observed across the AtomSilo, Night Sky, and Pandora campaigns has an HTTP POST URI beginning with /rest/2/meetings and a watermark value of 0. Secureworks documented that, as of mid-2022, this configuration had not been observed in Beacons associated with other threat actors, so it serves as a cross-campaign linking indicator. This shared Beacon configuration and C2 infrastructure across ransomware variants is the core technical evidence tying the brands to a single operator.

T1056.001 / T1567.002 / T1090 | Keylogger, Cloud Exfiltration and Tunneling (Night Sky)
In the January 2022 Night Sky campaign, alongside the Cobalt Strike Beacon, the attackers delivered a custom keylogger that uploaded captured keystrokes to Alibaba Cloud, a non-standard exfiltration destination that Sygnia's analysis identified as a behavioral indicator of Chinese-operated tooling. The keylogger was accompanied by a customized build of iox (a proxy utility) and the NPS tunneling software, used to tunnel and proxy traffic inside the network. Rclone was used to exfiltrate data to Mega before ransomware deployment. This combination is characteristic of a dual-mission operation: collect espionage data first, then deploy ransomware as the final visible act.

T1486 / T1657 | Data Encrypted for Impact, Double Extortion as Cover
Ransomware is deployed as the final visible action, after HUI Loader execution, Cobalt Strike C2 establishment, lateral movement, data exfiltration, and IP theft are complete. The double-extortion model (AtomSilo through Pandora) publicly names victims on leak sites and threatens data release, creating a cover narrative that the whole intrusion was financially motivated ransomware. This attribution deflection is the assessed primary purpose of the ransomware stage: responders investigating a ransomware attack are less likely to identify the IP exfiltration that preceded it, and law enforcement attribution to a state-sponsored espionage program is complicated by the criminal overlay.

T1562.001 / T1562.006 | Impair Defenses: AMSI and ETW Disabling, API Hooking
The updated HUI Loader (documented from early 2022) disables Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI) by tampering with their functions inside the hijacked process. Patching ETW this way suppresses the events that the loader's own process would emit, including the .NET and script-host providers that EDR products consume for behavioral detection; it does not silence kernel-sourced telemetry, which is why kernel-level sensors retain visibility. Disabling AMSI blocks script-level malware scanning in that process. Windows API hooking is added to further obscure activity from host-based security tools. Progressively adding these capabilities to an existing tool indicates active development, consistent with a state-backed operation rather than a static criminal toolkit.

Indicators of Compromise

detection strategy note

Cinnamon Tempest deliberately cycles ransomware brands to invalidate static indicators. The most durable detection approach focuses on the HUI Loader DLL hijacking pattern and the unique Cobalt Strike Beacon configuration (/rest/2/meetings URI + watermark 0) rather than ransomware-specific hashes that will be invalid for the next brand. Behavioral detection of ETW/AMSI disabling from DLL-loaded processes and Rclone exfiltration to Mega from enterprise environments are also high-fidelity indicators that persist across brand cycles. Full IOC lists for each ransomware family are available in the Secureworks Bronze Starlight report and the Sygnia Emperor Dragonfly report.

indicators of compromise (cross-brand persistent indicators)
HUI Loader mechanism: DLL search order hijacking; a legitimate application loads the malicious DLL, which decrypts and executes an encrypted payload file deployed alongside it
Cobalt Strike URI pattern: HTTP POST URI beginning with /rest/2/meetings, shared across the AtomSilo, Night Sky, and Pandora campaigns
Cobalt Strike watermark: watermark value 0; configuration fingerprint observed only in Cinnamon Tempest Beacon samples (as of 2022)
keylogger exfil target: Alibaba Cloud; keystrokes uploaded to Alibaba Cloud storage in the Night Sky campaign, assessed by Sygnia as an indicator of Chinese-operated tooling
data exfil tool: Rclone, used to exfiltrate data to Mega cloud storage prior to ransomware deployment; Rclone with a Mega remote in an enterprise context is a high-suspicion indicator
network tunneling tools: iox (customized proxy utility) and NPS (tunneling software), deployed alongside Cobalt Strike in the Night Sky campaign; both are Go-based tools written by Chinese developers for Chinese users (Sygnia)
evasion indicators: ETW and AMSI functions disabled in-process by the loader (tampering with the functions inside the hijacked application, not a service or registry change); Windows API hooking from a DLL loaded outside the system directories
impacket usage: Impacket suite used for lateral movement and network reconnaissance; its presence in the post-exploitation chain is consistent with Cinnamon Tempest operations
initial access CVEs: CVE-2021-26855 (ProxyLogon); CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (ProxyShell); CVE-2021-44228 (Log4Shell); CVE-2021-40539 (ManageEngine ADSelfService Plus); Atlassian Confluence CVEs
full IOC reference: Secureworks, BRONZE STARLIGHT Ransomware Operations Use HUI Loader (June 2022); Sygnia, Revealing Emperor Dragonfly: Night Sky and Cheerscrypt (October 2022)

Mitigation & Defense

  • Prioritize Patching Internet-Facing Exchange, Confluence, and ManageEngine Instances: Cinnamon Tempest's consistent initial access vector is unpatched vulnerabilities in internet-facing server software — specifically Exchange (ProxyShell/ProxyLogon), Atlassian Confluence, Zoho ManageEngine ADSelfService Plus, and Apache Log4j. Any internet-exposed instance of these products should be treated as Cinnamon Tempest attack surface until fully patched. CISA's KEV catalog tracks all documented Cinnamon Tempest-exploited CVEs as mandatory patch items for federal agencies; private sector organizations in pharmaceutical, defense, and electronics sectors — the group's documented victim profile — should treat KEV as a minimum baseline.
  • Detect DLL Search Order Hijacking for Legitimate Application Process Trees: HUI Loader uses DLL search order hijacking — a legitimate application loads an unexpected DLL from an unexpected path. Implement EDR rules alerting when known legitimate applications (that should load specific signed DLLs) load unsigned or unexpected DLLs. Monitor for processes spawned by legitimate applications that subsequently disable ETW or perform AMSI patching — both are post-HUI-Loader behaviors that are highly anomalous and precede Cobalt Strike Beacon deployment.
  • Alert on Cobalt Strike Beacon Configurations Matching /rest/2/meetings URI: The /rest/2/meetings HTTP POST URI is only visible where the request line can be read: on plaintext HTTP, at an explicit or transparent proxy that logs request URIs, or behind TLS inspection. Where that visibility exists, flag outbound POST requests whose path begins with /rest/2/meetings, especially from servers running the internet-facing products in the group's initial-access profile, and use the Beacon's regular check-in cadence as a corroborating signal. The watermark value 0 is not observable on the wire; it is recovered during forensic analysis of memory dumps or Beacon samples with Cobalt Strike configuration parsers.
  • Monitor for Rclone Execution with Mega Configuration in Enterprise Environments: Rclone is a legitimate cloud synchronization tool; its presence in an enterprise environment where it has not been sanctioned by IT should trigger an alert. Specifically, monitor for Rclone executed with "--config" pointing to a temporary or user-writable location, with Mega as the configured remote. Rclone with Mega configuration on a corporate server in a sector matching Cinnamon Tempest's victim profile (pharma, defense, electronics) is a high-fidelity indicator of data pre-ransomware exfiltration.
  • Apply the "Ransomware as Cover" Lens to Incident Response: When responding to a ransomware incident, standard IR prioritizes restoring business operations and removing the encryption mechanism. For organizations in pharmaceutical, defense, aerospace, electronics manufacturing, and media sectors — Cinnamon Tempest's documented victim industries — IR teams should explicitly scope the investigation to include pre-encryption activity: what data was accessed, what was exfiltrated, and what additional tools were deployed before the ransomware stage. A ransomware incident in these sectors may represent the end of an IP theft campaign, not the beginning of a criminal one.
  • ETW and AMSI Integrity Monitoring: The updated HUI Loader disables ETW and AMSI from inside the hijacked process by tampering with their functions, not by changing a service or registry setting, so look for the in-process signs: user-mode memory patches to the ETW and AMSI entry points, and processes that stop emitting the ETW events their runtime normally produces. Legitimate software rarely patches these functions, so a signed application doing so right after loading an unsigned, side-loaded DLL is a high-fidelity alert. Security products that draw on kernel-level telemetry rather than only user-mode ETW and AMSI retain visibility while this tampering is active.
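The URI check described in the Cobalt Strike bullet above, run over proxy log lines, together with a cadence check that is my addition rather than something the reports describe: a Beacon sleeping at a fixed interval with low jitter produces evenly spaced POSTs to the same host and path, which shows up as a small coefficient of variation in the gaps between requests. This is an added example for this profile, not code from the page's sources. The log format, the 10.x source addresses and the 203.0.113.10 C2 address are invented, and the min_hits and max_cv thresholds are assumptions to be tuned against local baseline traffic.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Beacon POST URI prefix reported for the AtomSilo, Night Sky and Pandora campaigns.
BEACON_URI_PREFIX = "/rest/2/meetings"

# Constructed proxy log (invented format and addresses, not a real product's schema):
# timestamp src_ip method dest_host path status bytes
CONSTRUCTED_PROXY_LOG = """\
2022-01-12T10:00:00Z 10.1.4.23 POST 203.0.113.10 /rest/2/meetings/9a1f 200 412
2022-01-12T10:00:30Z 10.1.7.5 GET www.example.com /rest/2/meetings 200 1200
2022-01-12T10:01:01Z 10.1.4.23 POST 203.0.113.10 /rest/2/meetings/9a1f 200 388
2022-01-12T10:01:10Z 10.1.7.5 GET www.example.com /index.html 200 5300
2022-01-12T10:02:00Z 10.1.4.23 POST 203.0.113.10 /rest/2/meetings/9a1f 200 402
2022-01-12T10:02:59Z 10.1.4.23 POST 203.0.113.10 /rest/2/meetings/9a1f 200 397
2022-01-12T10:04:02Z 10.1.4.23 POST 203.0.113.10 /rest/2/meetings/9a1f 200 390
"""


def parse_line(line: str) -> dict:
    ts, src, method, host, uri, status, size = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src, "method": method, "host": host,
        "path": uri.split("?", 1)[0],  # compare the path only; ignore any query string
        "status": int(status), "bytes": int(size),
    }


def parse_log(text: str) -> list[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def uri_hits(records: list[dict]) -> list[dict]:
    """Exact indicator: POST requests whose path begins with the Beacon URI prefix.
    The method matters; a GET to a similar path from a browser is not the indicator."""
    return [r for r in records if r["method"] == "POST" and r["path"].startswith(BEACON_URI_PREFIX)]


def periodic_posts(records: list[dict], min_hits: int = 4, max_cv: float = 0.2) -> list[dict]:
    """Corroborating signal: per (src, host, path), POSTs with near-constant spacing.
    cv = population stdev / mean of the gaps between consecutive requests; a Beacon sleeping
    with low jitter scores near 0. Thresholds are assumptions, not values from the reports."""
    series: dict[tuple, list[datetime]] = defaultdict(list)
    for r in records:
        if r["method"] == "POST":
            series[(r["src"], r["host"], r["path"])].append(r["ts"])
    out = []
    for (src, host, path), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            out.append({"src": src, "host": host, "path": path, "hits": len(times),
                        "median_interval_s": statistics.median(gaps), "cv": round(cv, 3)})
    return out


def detect(log_text: str) -> dict:
    records = parse_log(log_text)
    return {"uri_hits": uri_hits(records), "periodic": periodic_posts(records)}


if __name__ == "__main__":
    result = detect(CONSTRUCTED_PROXY_LOG)
    for r in result["uri_hits"]:
        print(f"beacon URI hit: {r['src']} -> {r['host']}{r['path']} at {r['ts']:%H:%M:%S}")
    for p in result["periodic"]:
        print(f"periodic POSTs: {p}")
```

The cadence check is kept separate from the URI match on purpose: the URI is the durable Cinnamon Tempest indicator, while periodic POSTs to one path are a generic Beacon trait that also fires on legitimate pollers (monitoring agents, update checks), so it belongs in a scoring model rather than as a standalone alert.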
analyst note

Cinnamon Tempest is one of the clearest documented examples of ransomware as a state espionage instrument — not a financially motivated operation that happens to be state-backed, but an espionage operation that uses ransomware operationally as a cover, distraction, and evidence-destruction mechanism. The deliberate sacrifice of financial efficiency — cycling through six ransomware brands rather than optimizing one — only makes sense if the ransomware is a cost center rather than a revenue source. The 75% espionage-aligned victimology is the analytical core of this assessment; a financially motivated operator would not consistently choose victims in pharmaceutical and defense-adjacent sectors where payment likelihood is uncertain. Three structural features distinguish this from conventional ransomware: independence from IABs (the group exploits its own initial access rather than purchasing it), the small-and-discard victim count per brand (inconsistent with maximizing revenue), and the simultaneous presence of espionage-specific tooling (HUI Loader, keylogger exfiltrating to Alibaba Cloud, iox and NPS for network tunneling) deployed alongside the ransomware stage. The January 2022 incident where both Cinnamon Tempest and Bronze University (ShadowPad, an established Chinese APT tool) were found on the same network simultaneously — and where Cinnamon Tempest notably did not deploy ransomware — is perhaps the most direct evidence of the espionage-primary mission: when the target was already being worked by another Chinese APT group, there was no apparent reason to run the ransomware cover operation.

Sources & Further Reading

  • Secureworks, BRONZE STARLIGHT Ransomware Operations Use HUI Loader (June 2022)
  • Sygnia, Revealing Emperor Dragonfly: Night Sky and Cheerscrypt (October 2022)
  • Microsoft, DEV-0401 tracking (Night Sky deployed via Log4Shell on VMware Horizon, January 2022)
  • MITRE ATT&CK, G1021 Cinnamon Tempest

— end of profile