
The China-linked advanced persistent threat (APT) group known as APT31 has been blamed for a long-running series of undetected cyberattacks targeting Russia's information technology (IT) sector from 2024 to 2025.
“In 2024-2025, the Russian IT sector, especially companies working as contractors and integrators of government solutions, faced a series of targeted computer attacks,” Positive Technologies researchers Daniil Grigoryan and Varvara Koloskova said in a technical report.
APT31, also known as Altaire, Bronze Vinewood, Judgment Panda, Perplexed Goblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium), is believed to have been active since at least 2010. The group has a track record of attacking a wide range of sectors, including government, finance, aerospace and defense, high technology, construction and engineering, telecommunications, media, and insurance.

The cyber espionage group is primarily focused on gathering information that offers political, economic, and military advantage to the Chinese government and state-owned enterprises. In May 2025, the Czech Republic accused the group of targeting its Ministry of Foreign Affairs.
The attacks targeting Russia are characterized by the use of legitimate cloud services that are popular in the country, primarily Yandex Cloud, for command-and-control (C2) and data exfiltration, in an attempt to blend in with normal traffic and escape detection.
The adversary is also said to have planted encrypted commands and payloads on domestic and international social media profiles, and to have conducted its attacks on weekends and holidays. In at least one attack on an IT company, APT31 had infiltrated the network as far back as late 2022 and ramped up its activity to coincide with the 2023 holiday season.
In another intrusion detected in December 2024, the threat actors sent spear-phishing emails carrying RAR archives. The archives contained a Windows shortcut (LNK) that launched a Cobalt Strike loader called CloudyLoader via DLL sideloading. Details of this activity were previously documented by Kaspersky Lab in July 2025; some overlap with the threat cluster known as EastWind has also been identified.
The Russian cybersecurity firm also said it identified a ZIP archive lure disguised as a report from the Peruvian Ministry of Foreign Affairs that ultimately deploys CloudyLoader.

To facilitate the subsequent stages of the attack cycle, APT31 leveraged a wide range of both publicly available and custom tools. Persistence is achieved by setting up scheduled tasks that mimic legitimate applications such as Yandex Disk or Google Chrome. Some of the tools are listed below.
- SharpADUserIP, a C# utility for reconnaissance and discovery
- SharpChrome.exe, to extract passwords and cookies from the Google Chrome and Microsoft Edge browsers
- SharpDir, to search for files
- StickyNotesExtract.exe, to extract data from the Windows Sticky Notes database
- Tailscale VPN, to create an encrypted tunnel and set up a peer-to-peer (P2P) network between a compromised host and the attackers' infrastructure
- Microsoft dev tunnels, to tunnel traffic
- Owawa, a malicious IIS module for credential theft
- AufTime, a Linux backdoor that uses the wolfSSL library to communicate with the C2
- COFFProxy, a Golang backdoor that supports commands for tunneling traffic, executing commands, managing files, and delivering additional payloads
- VtChatter, a tool that uses Base64-encoded comments, exchanged every two hours on a text file hosted on VirusTotal, as a bidirectional C2 channel
- OneDriveDoor, a tool that uses Microsoft OneDrive to communicate with the C2
- LocalPlugX, a PlugX variant used to spread within local networks rather than communicating with a C2
- CloudSorcerer, a backdoor that uses cloud services as its C2
- YaLeak, .NET tools for uploading information to Yandex Cloud
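The scheduled-task persistence described above (tasks named after Yandex Disk or Google Chrome) can be hunted for by comparing what a task is named against what it actually runs. The following is an added illustration, not Positive Technologies' tooling: the task records are constructed inline in the column layout of `schtasks /query /fo CSV /v`, and the expected install directories are assumptions about a typical Windows layout.

```python
"""Flag scheduled tasks that borrow a legitimate product name but whose
action runs outside that product's expected location or via a proxy
binary such as rundll32.exe (as used for DLL sideloading)."""
import csv
import io
import ntpath

# Assumed typical install locations of the genuine updaters (lower-case).
EXPECTED_DIRS = [
    (("yandex",), (r"c:\program files\yandex", r"\appdata\local\yandex")),
    (("chrome", "google"), (r"c:\program files\google",
                            r"c:\program files (x86)\google",
                            r"\appdata\local\google")),
]
# Script/host binaries that a masquerading task commonly launches instead
# of the real product executable.
PROXY_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
               "cscript.exe", "powershell.exe", "cmd.exe"}

# Constructed sample rows (subset of schtasks CSV columns); the last two
# rows model the impersonation pattern, the first two are benign.
SAMPLE_CSV = """TaskName,Task To Run,Run As User
\\GoogleUpdateTaskMachineUA,C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua,SYSTEM
\\Yandex Disk Update,C:\\Users\\ivan\\AppData\\Local\\Yandex\\YandexDisk\\YandexDisk2.exe --update,DOMAIN\\ivan
\\Yandex Disk Sync,C:\\Users\\Public\\Libraries\\ydisk\\YandexDisk2.exe,DOMAIN\\ivan
\\Google Chrome Updater,rundll32.exe C:\\ProgramData\\chrome\\update.dll#Run,SYSTEM
"""


def task_findings(csv_text):
    """Return [(task_name, reason)] for tasks whose name mimics a known
    product but whose action does not match that product's footprint."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, action = row["TaskName"], row["Task To Run"]
        lname, laction = name.lower(), action.lower()
        for keywords, dirs in EXPECTED_DIRS:
            if not any(k in lname for k in keywords):
                continue
            # First token of the action is the launched binary (unquoted
            # paths with spaces simply fall through to the path check).
            host = ntpath.basename(laction.split(" ")[0].strip('"'))
            if host in PROXY_HOSTS:
                findings.append((name, f"runs via proxy binary {host}"))
            elif not any(d in laction for d in dirs):
                findings.append((name, "runs outside expected install path"))
    return findings
```

Feed it the real `schtasks /query /fo CSV /v` output from a host to get a short list of tasks worth a closer look at the binary and its signer.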
“While APT31 continues to use some of its older tools, it is constantly replenishing its arsenal,” Positive Technologies said. “As a C2, the attackers are actively using cloud services, especially Yandex and Microsoft OneDrive services. Many tools are also configured to operate in server mode, waiting for the attackers to connect to infected hosts.”
“Additionally, this grouping allows data to be exfiltrated through Yandex’s cloud storage. These tools and techniques allowed APT31 to remain unnoticed within the victim’s infrastructure for years. At the same time, the attackers downloaded files and collected sensitive information from the device, including passwords for mailboxes and internal services of the victim.”
