Cyber Incident Victim: Aoyuan Healthy Life Group

Date: Sep 2022

Location: Hong Kong

Summary

Aoyuan Healthy Life Group, a subsidiary of China Aoyuan Group with operations in Hong Kong, Australia, and Canada, was claimed as a victim by the PT_Moisha ransomware group. The attackers said they had exfiltrated 200 GB of documents and offered a 200 MB sample as proof, while describing themselves as an established threat actor even though researchers had only recently begun tracking them. The claim concerns the confidentiality of the publicly listed company's data; no operational disruption, encryption of systems, or ransom demand was detailed in available reports, and the extent of the breach beyond the attacker's own statements and sample has not been independently confirmed.

CIA Posture: Available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 1 technique (details available to members)
Threat Actor: 1 actor
Actor Type: Available to members
Actor Location: Available to members

Description

On or around September 28, 2022, the PT_Moisha ransomware group publicly claimed responsibility for a cyberattack on Aoyuan Healthy Life Group, a subsidiary of China Aoyuan Group. The Hong Kong-based victim maintained offices in Sydney, Toronto, and Vancouver, and is part of a larger Chinese conglomerate founded in 1996 and listed on the Hong Kong Stock Exchange since 2007. PT_Moisha, which presented itself as an established group despite having only recently been recognized by researchers, claimed to have gained access to Aoyuan Healthy Life Group's computer networks and to have exfiltrated approximately 200 gigabytes of documents. The group contacted cybersecurity researchers over the qTox encrypted messaging client (a client for the Tox protocol) to disclose its involvement.

PT_Moisha provided researchers with a 90-file sample totaling 200 megabytes as proof of the compromise, roughly one-thousandth of the volume it claimed to hold. The sample reportedly consisted of corporate records; the specific file types and whether any regulated personal or financial data were included were not detailed, and the sample remains the only evidence offered for the claim. The group said it retained the full 200 GB dataset at the time of disclosure, which gives it continuing leverage for extortion or for later publication or sale of the data. No explicit ransom demand or payment terms were referenced in the initial outreach. China Aoyuan Group's corporate structure, including its Cayman Islands registration, was mentioned in coverage of the incident, though the claimed breach appeared to be confined to the Healthy Life Group subsidiary. Operational impacts, including any disruption to business functions, financial losses, or containment measures taken by the company, were not described in available disclosures.

Sources: 1 source (available to members)