Despite seemingly being cleared during the WannaCry witch hunt, Chinese entities have re-emerged as potential suspects following analysis from risk intelligence firm Flashpoint.
Initial assessment seemed to suggest that China was not behind the attack, despite the country usually being one of the first accused, after the Chinese government's petrol corporation reportedly saw 20,000 of its stations hit by the ransomware.
Reports also claimed that around half of the IP addresses hit were registered in China.
Flashpoint has, however, come up with a new theory after analysing the ransom notes that appeared on infected machines.
Linguistic analysis of the notes, it claims, proves that all of them were translated from one language into other languages using Google Translate - except the English version and two Chinese versions.
These versions, it claims, were written by the hackers, but a "glaring grammatical error" proves that the perpetrator was most likely a non-native English speaker.
From this evidence, Flashpoint draws the conclusion that the hacker is a fluent Chinese speaker who translated the ransom note from Chinese to other languages, using the internet.
Flashpoint said on its website: "Flashpoint assesses with high confidence that the author(s) of WannaCry's ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore.
"Flashpoint also assesses with high confidence that the author(s) are familiar with the English language, though not native. This alone is not enough to determine the nationality of the author(s).
"Flashpoint assesses with moderate confidence that the Chinese ransom note served as the original source for the English version, which then generated machine-translated versions of the other notes.
"The Chinese version contains content not in any of the others, though no other notes contain content not in the Chinese. The relative familiarity found in the Chinese text compared to the others suggests the authors were fluent in the language - perhaps comfortable enough to use the language to write the initial note."
The increasing focus on China differs from initial theories from the likes of Symantec and Kaspersky, which in the aftermath of the attack claimed North Korea was most likely to be behind the attack.
Symantec claimed that tools and infrastructure used in WannaCry share similarities with the hacking group Lazarus, which is widely considered to be linked to North Korea, and was credited with the Sony hack in 2014.
Chief exec Jens Montanana claims Logicalis performed well despite 'currency headwinds'
All the photos from last night's event, which saw over 600 people congregate at the Hilton London Bankside
Five year deal with Essex NHS Trust will cover 400 sites, including hospitals, clinics and GP practices
18 individuals and three companies walked away as winners at CRN's inaugural Women in Channel Awards last night