The China-affiliated Advanced Persistent Threat (APT) group known as APT31 is believed to be behind a series of cyberattacks that targeted Russia’s information technology (IT) sector in 2024-2025 and went undetected for a long time.
“In 2024-2025, the Russian IT sector, especially companies working as contractors and integrators of government solutions, faced a series of targeted computer attacks,” Positive Technologies researchers Daniil Grigoryan and Varvara Koloskova said in a technical report.
APT31, also known as Altaire, Bronze Vinewood, Judgment Panda, Perplexed Goblin, RedBravo, Red Keres, and Violet Typhoon (formerly known as Zirconium), is believed to have been active since at least 2010. It has a track record of attacking a wide range of sectors, including government, finance, aerospace and defense, high technology, construction and engineering, telecommunications, media, and insurance.
This cyber espionage group is primarily focused on gathering information that provides a political, economic, and military advantage to the Chinese government and state-owned enterprises. In May 2025, the group was accused by the Czech Republic of targeting its Ministry of Foreign Affairs.
Attacks targeting Russia are characterized by the use of legitimate cloud services that are popular in the country, primarily Yandex Cloud, for command and control (C2) and data exfiltration, in an attempt to blend into normal traffic and escape detection.
The adversary also allegedly planted encrypted commands and payloads on domestic and international social media profiles, while conducting attacks on weekends and holidays. In at least one attack targeting an IT company, APT31 infiltrated its network as far back as late 2022, and expanded its activity to coincide with the 2023 holiday season.
In another intrusion detected in December 2024, the threat actors sent spear-phishing emails containing RAR archives. The archives contained a Windows shortcut (LNK) that launched a Cobalt Strike loader called CloudyLoader via DLL sideloading. Details of this activity were previously documented by Kaspersky Lab in July 2025, and some overlap with the threat cluster known as EastWind has been identified.
The Russian cybersecurity firm also said it had identified a ZIP archive lure disguised as a report from the Peruvian Ministry of Foreign Affairs that ultimately deploys CloudyLoader.
To facilitate subsequent stages of the attack cycle, APT31 leveraged a wide range of publicly available and custom tools. Persistence is achieved by setting up scheduled tasks that mimic legitimate applications such as Yandex Disk or Google Chrome. Some of the tools are listed below.
- SharpADUserIP, a C# utility for reconnaissance and discovery
- SharpChrome.exe, which extracts passwords and cookies from the Google Chrome and Microsoft Edge browsers
- SharpDir, a file search tool
- StickyNotesExtract.exe, which extracts data from the Windows Sticky Notes database
- Tailscale VPN, which creates an encrypted tunnel and sets up a peer-to-peer (P2P) network between a compromised host and the attackers' infrastructure
- Microsoft Development Tunnels, used to tunnel traffic
- Owawa, a malicious IIS module for credential theft
- AufTime, a Linux backdoor that uses the wolfSSL library to communicate with the C2
- COFFProxy, a Golang backdoor that supports commands for tunneling traffic, executing commands, managing files, and delivering additional payloads
- VtChatter, a tool that every two hours exchanges Base64-encoded comments on text files hosted on VirusTotal, using them as a two-way C2 channel
- OneDriveDoor, a backdoor that uses Microsoft OneDrive as a C2
- LocalPlugX, a variant of PlugX used for spreading within local networks rather than communicating with a C2
- CloudSorcerer, a backdoor that uses cloud services as a C2
- YaLeak, a .NET tool for uploading information to Yandex Cloud
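The persistence technique described above, scheduled tasks that borrow the names of Yandex Disk or Google Chrome, can be hunted for with a simple consistency check: a task carrying one of those names whose action runs from a user-writable or otherwise unexpected directory, or runs through a proxy binary such as rundll32.exe instead of the application itself, deserves a closer look. The script below is an added example written for this article, not tooling from Positive Technologies or from the report; the expected install paths, the proxy-binary list, and the CSV rows (shaped like a `schtasks /query /fo CSV /v` export, reduced to three columns) are all constructed assumptions that should be tuned to your own software inventory.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories we expect the imitated applications to run from.
# Assumed for this example (not taken from the report); adjust to your environment.
EXPECTED_PATHS = {
    "yandex": ("\\program files\\yandex\\", "\\program files (x86)\\yandex\\",
               "\\appdata\\local\\yandex\\"),
    "chrome": ("\\program files\\google\\", "\\program files (x86)\\google\\",
               "\\appdata\\local\\google\\"),
}

# Host binaries that execute a DLL or script on behalf of a task action.
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                  "cscript.exe", "cmd.exe", "powershell.exe"}

# Constructed sample export (three columns of `schtasks /query /fo CSV /v`).
# Row 1 is a legitimate Chrome updater task; rows 2 and 3 imitate Yandex/Chrome
# but run from a user profile and via rundll32 respectively; row 4 is unrelated.
SAMPLE_CSV = '''"TaskName","Task To Run","Author"
"\\GoogleUpdateTaskMachineUA","C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua","Google"
"\\Yandex\\Yandex Disk Update","C:\\Users\\ivan\\AppData\\Roaming\\YandexDisk\\ydisk.exe","ivan"
"\\Google\\Chrome Update","C:\\Windows\\System32\\rundll32.exe C:\\ProgramData\\upd\\core.dll,Start","SYSTEM"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","Microsoft"
'''


@dataclass
class ScheduledTask:
    name: str    # task path as shown by schtasks, e.g. \Yandex\Yandex Disk Update
    action: str  # "Task To Run": the command line the task executes
    author: str


@dataclass
class Finding:
    task: str
    reason: str


def _brand(task_name: str) -> Optional[str]:
    """Which legitimate application the task name appears to imitate, if any."""
    lowered = task_name.lower()
    if "yandex" in lowered:
        return "yandex"
    if "chrome" in lowered or "google" in lowered:
        return "chrome"
    return None


def _executable(action: str) -> str:
    """Return the program path at the start of a task action, quotes stripped."""
    m = re.match(r'^"?(.+?\.(?:exe|com|bat|cmd|ps1|vbs|js|dll))\b"?', action.strip(), re.I)
    return m.group(1) if m else action.strip().split()[0]


def check_task(task: ScheduledTask) -> List[Finding]:
    """Flag a Yandex/Chrome-named task whose action does not look like the real app."""
    brand = _brand(task.name)
    if brand is None:
        return []  # tasks that do not borrow one of those names are out of scope here
    findings: List[Finding] = []
    exe = _executable(task.action).lower()
    basename = exe.rsplit("\\", 1)[-1]
    if not any(p in exe for p in EXPECTED_PATHS[brand]):
        findings.append(Finding(task.name, f"{brand}-named task runs from unexpected path: {exe}"))
    if basename in PROXY_BINARIES:
        findings.append(Finding(task.name, f"task action uses proxy binary {basename}"))
    return findings


def scan_export(csv_text: str) -> List[Finding]:
    """Run check_task over every row of a schtasks CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings: List[Finding] = []
    for row in reader:
        task = ScheduledTask(row["TaskName"], row["Task To Run"], row["Author"])
        findings.extend(check_task(task))
    return findings


if __name__ == "__main__":
    for f in scan_export(SAMPLE_CSV):
        print(f"{f.task}: {f.reason}")
```

On the constructed sample the legitimate GoogleUpdate task passes, the Yandex-named task is flagged once for running from a roaming profile directory, and the Chrome-named task is flagged twice (unexpected path and rundll32 as the action). On a real fleet, feed the script the verbose CSV export from each host and review the flagged tasks together with their authors and creation times, since the report notes the group also times its activity for weekends and holidays.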
“While APT31 continues to use some of its older tools, it is constantly replenishing its arsenal,” Positive Technologies said. “As a C2, the attackers are actively using cloud services, especially Yandex and Microsoft OneDrive services. Many tools are also configured to operate in server mode, waiting for the attackers to connect to infected hosts.”
“Additionally, this grouping allows data to be exfiltrated through Yandex’s cloud storage. These tools and techniques allowed APT31 to remain unnoticed within the victim’s infrastructure for years. At the same time, the attackers downloaded files and collected sensitive information from the device, including passwords for mailboxes and internal services of the victim.”