Cyber attacks targeting the Russian information technology (IT) sector between 2024 and 2025 have been attributed to the China-linked advanced persistent threat (APT) group known as APT31, with the activity going undetected for considerably longer.
“In the period from 2024 to 2025, the Russian IT sector, especially companies working as contractors and integrators of solutions for government agencies, faced a series of targeted computer attacks,” Positive Technologies researchers Daniel Grigoryan and Varvara Koloskova said in a technical report.
APT31, also known as Altair, Bronze Vinewood, Judgment Panda, PerplexedGoblin, RedBravo, Red Caress, and Violet Typhoon (formerly Zirconium), is estimated to have been active since at least 2010. It has a track record of striking a range of sectors, including government, financial services, aerospace and defense, high-tech, construction and engineering, telecommunications, media, and insurance.
The cyber espionage group focuses primarily on gathering intelligence that could provide political, economic, and military benefits to Beijing and Chinese state-owned enterprises. In May 2025, the Czech Republic blamed the hacking crew for targeting its Ministry of Foreign Affairs.
The attacks against Russia are characterized by the use of legitimate cloud services that are widely used in the country, such as Yandex Cloud, for command-and-control (C2) and data exfiltration, in an attempt to blend in with normal traffic and evade detection.
The adversary is also said to have staged encrypted commands and payloads in both domestic and foreign social media profiles, while also carrying out its attacks during weekends and holidays. In at least one attack targeting an IT company, APT31 breached its network in late 2022, before ramping up activity to coincide with the 2023 New Year holidays.
In another intrusion discovered in December 2024, the threat actors sent a spear-phishing email carrying a RAR archive, which in turn contained a Windows shortcut (LNK) responsible for launching a Cobalt Strike loader called CloudyLoader via DLL side-loading. Details of this activity were first documented by Kaspersky in July 2025, when some overlaps with a threat cluster it tracks as EastWind were identified.
The Russian cybersecurity company also said it had identified a ZIP archive lure, purporting to be a report from the Peruvian Ministry of Foreign Affairs, that ultimately led to the deployment of CloudyLoader.
To facilitate the later stages of the attack chain, APT31 has drawn on an extensive set of publicly available and custom tools. Persistence is achieved by installing scheduled tasks whose names mimic legitimate applications such as Yandex Disk and Google Chrome. Some of the tools are listed below –
- SharpEducer, a C# utility for IP, reconnaissance and discovery
- SharpChrome.exe, to extract saved passwords and cookies from the Google Chrome and Microsoft Edge browsers
- sharddir to find files
- StickyNotesExtract.exe, to extract data from Windows Sticky Notes database
- Tailscale VPN, to create an encrypted tunnel and establish a peer-to-peer (P2P) network between the compromised host and the attackers' infrastructure
- Microsoft Dev Tunnels, to tunnel traffic
- Oavava, a malicious IIS module for credential theft
- AufTime, a Linux backdoor that uses the wolfSSL library to communicate with its C2
- COFFProxy, a Golang backdoor that supports commands to tunnel traffic, execute commands, manage files, and deliver additional payloads
- VtChatter, a tool that uses Base64-encoded comments on a text file hosted on VirusTotal as a two-way C2 channel, polling it every two hours
- OneDriveDoor, a backdoor that uses Microsoft OneDrive as C2
- LocalPlugX, a variant of PlugX that is used to propagate within a local network rather than communicating with C2
- CloudSorcerer, a backdoor that uses cloud services as C2
- YaLeak, a .NET tool for uploading information to Yandex Cloud
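Because the report ties persistence to scheduled tasks named after legitimate software, a practical first check on a suspect host is to compare each such task's launched binary with the directories where that product actually installs. The PowerShell hunt below is an added example written for this article, not a tool or script from the Positive Technologies or Kaspersky reports; the task-name patterns, the expected install directories, and the interpreter list are assumptions to be adapted to your own environment.

```powershell
# Added hunting example (not from the Positive Technologies report): flag scheduled
# tasks whose names borrow a legitimate product's name (Chrome, Yandex) but whose
# action binary lives outside that product's usual install locations, or is an
# interpreter/LOLBin. The expected-path table is an assumption for illustration.

$Expected = @{
    # task-name regex  => directories where the genuine product's binaries live
    'Chrome|Google' = @("$env:ProgramFiles\Google\",
                        "${env:ProgramFiles(x86)}\Google\",
                        "$env:LOCALAPPDATA\Google\")
    'Yandex'        = @("$env:ProgramFiles\Yandex\",
                        "${env:ProgramFiles(x86)}\Yandex\",
                        "$env:LOCALAPPDATA\Yandex\")
}

function Resolve-TaskExecutable {
    param([string]$Execute)
    # Strip quotes and expand %VARS% so paths compare cleanly with the table above.
    $exe = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($exe)) {
        # Bare names such as "powershell.exe" are resolved via PATH when possible.
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Source }
    }
    return $exe
}

$Findings = foreach ($task in Get-ScheduledTask) {
    $label = "$($task.TaskPath)$($task.TaskName)"
    foreach ($pattern in $Expected.Keys) {
        if ($label -notmatch $pattern) { continue }
        # Only Exec actions carry a binary; ComHandler actions have no Execute.
        foreach ($action in ($task.Actions | Where-Object { $_.Execute })) {
            $exe = Resolve-TaskExecutable $action.Execute
            $inExpectedDir = $false
            foreach ($dir in $Expected[$pattern]) {
                if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    $inExpectedDir = $true
                }
            }
            # A product-named task that launches an interpreter is suspicious even
            # if the interpreter sits in a normal system directory.
            $isInterpreter = $exe -match '\\(powershell|pwsh|cmd|rundll32|regsvr32|mshta|wscript|cscript)\.exe$'
            if (-not $inExpectedDir -or $isInterpreter) {
                [pscustomobject]@{
                    Task      = $label
                    Author    = $task.Author
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Signature = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'missing' }
                    Reason    = if ($isInterpreter) { 'interpreter' } else { 'unexpected path' }
                }
            }
        }
    }
}

$Findings | Format-Table -AutoSize
```

Run it in an elevated session so that tasks in every folder under the task root are visible. A hit is a lead, not a verdict: genuine per-user updaters install under the local AppData paths, so treat the Signature column (a valid signature from the expected publisher) and the Arguments column (an unexpected DLL or script handed to a LOLBin) as the next things to inspect before escalating.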
"APT31 is constantly replenishing its arsenal, although it continues to use some of its older tools," Positive Technologies said. "As C2, the attackers actively use cloud services, in particular Yandex and Microsoft OneDrive. Many tools are also configured to work in server mode, waiting for the attackers to connect to the infected host."
"In addition, the group exfiltrates data through Yandex's cloud storage. These tools and techniques allowed APT31 to move unnoticed within victims' infrastructure for years. At the same time, the attackers downloaded files and collected confidential information from devices, including mailboxes and passwords to the victims' internal services."