Ethical Hacking News
A China-linked APT group has been blamed for a series of targeted cyber attacks against Russia's IT sector between 2024 and 2025. The group, known as APT31, uses legitimate cloud services to blend in with normal traffic and escape detection.
A China-linked advanced persistent threat (APT) group known as APT31 has been attributed to cyber attacks targeting the Russian information technology (IT) sector between 2024 and 2025. The attacks used legitimate cloud services, such as Yandex Cloud, for command-and-control (C2) and data exfiltration to blend in with normal traffic. APT31 has a track record of striking a wide range of sectors, including governments, financial, aerospace and defense, high tech, construction and engineering, telecommunications, media, and insurance. The group primarily focuses on gathering intelligence that can provide Beijing and state-owned enterprises with political, economic, and military advantages.
New and increasingly sophisticated cyber threats emerge every day. Recently, a China-linked advanced persistent threat (APT) group known as APT31 has been attributed to cyber attacks targeting the Russian information technology (IT) sector between 2024 and 2025 while staying undetected for extended periods of time. This article examines the tactics, techniques, and procedures (TTPs) of this campaign, as well as the tools and methods APT31 used to achieve its objectives.
The Russian IT sector, particularly companies working as contractors and integrators of solutions for government agencies, faced a series of targeted computer attacks between 2024 and 2025. Positive Technologies researchers Daniil Grigoryan and Varvara Koloskova reported that the hacking crew was blamed by the Czech Republic for targeting its Ministry of Foreign Affairs in May 2025. This attack is just one example of APT31's extensive operations, which have been ongoing since at least 2010.
APT31, also known as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium), has a track record of striking a wide range of sectors, including governments, financial, aerospace and defense, high tech, construction and engineering, telecommunications, media, and insurance. The cyber espionage group is primarily focused on gathering intelligence that can provide Beijing and state-owned enterprises with political, economic, and military advantages.
The attacks aimed at Russia are characterized by the use of legitimate cloud services, mainly those prevalent in the country, like Yandex Cloud, for command-and-control (C2) and data exfiltration in an attempt to blend in with normal traffic and escape detection. APT31 has also been known to stage encrypted commands and payloads in social media profiles, both domestic and foreign, while also conducting their attacks during weekends and holidays.
In at least one attack targeting an IT company, APT31 breached the network as far back as late 2022, then escalated its activity around the 2023 New Year holidays. The threat actors sent a spear-phishing email containing a RAR archive that, in turn, included a Windows Shortcut (LNK) responsible for launching a Cobalt Strike loader dubbed CloudyLoader via DLL side-loading.
Details of this activity were previously documented by Kaspersky in July 2025, which identified some overlaps with a threat cluster known as EastWind. APT31 has leveraged an extensive set of publicly available and custom tools to facilitate subsequent stages of the attack cycle. Persistence is achieved by setting up scheduled tasks that mimic legitimate applications, such as Yandex Disk and Google Chrome.
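One way a defender can hunt for the scheduled-task persistence described above is to export the task list and check whether tasks named after a vendor actually run that vendor's binary. The script below is an added example, not code from the article or from Positive Technologies; it reads the CSV written by `schtasks /query /fo CSV /v` (the real "TaskName" and "Task To Run" column names), while the sample rows, the vendor keyword list, the install-root list and the proxy-binary list are all constructed assumptions to tune per environment.

```python
import csv
import io
import re

# Vendors whose names the reported persistence tasks imitate (assumed keyword list).
MIMICKED_VENDORS = ("yandex", "chrome", "google")
# Where those vendors' own binaries normally live (assumed; adjust per environment).
VENDOR_ROOTS = ("c:\\program files\\google\\", "c:\\program files (x86)\\google\\",
                "\\appdata\\local\\yandex\\", "\\appdata\\local\\google\\")
# Living-off-the-land binaries a task action may use to load a DLL or script.
PROXY_BINARIES = ("rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe")
# First path ending in an executable-like extension, so unquoted paths with spaces survive.
_BIN_RE = re.compile(r'^\s*"?(.+?\.(?:exe|dll|bat|cmd|ps1|vbs|js|hta))\b', re.IGNORECASE)

# Constructed sample export (a subset of the real schtasks columns).
SAMPLE_CSV = '''"HostName","TaskName","Status","Author","Task To Run"
"WS01","\\GoogleUpdateTaskMachineUA","Ready","Google LLC","C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua"
"WS01","\\Yandex Disk Update","Ready","WS01\\user","C:\\Users\\Public\\Libraries\\ydisk.exe"
"WS01","\\GoogleChromeUpdater","Ready","WS01\\user","rundll32.exe C:\\ProgramData\\chrome\\update.dll,Start"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft","%windir%\\system32\\defrag.exe -c -h"
'''


def action_binary(task_to_run: str) -> str:
    """Lower-cased executable from a 'Task To Run' value, even when the path has spaces."""
    m = _BIN_RE.match(task_to_run)
    if m:
        return m.group(1).lower()
    parts = task_to_run.split()
    return parts[0].lower() if parts else ""


def triage_tasks(csv_text: str) -> list:
    """Flag vendor-named tasks whose action binary does not fit that vendor."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        if name == "TaskName":  # schtasks repeats the header line per task folder
            continue
        if not any(v in name.lower() for v in MIMICKED_VENDORS):
            continue
        binary = action_binary(row.get("Task To Run", ""))
        reasons = []
        if not any(root in binary for root in VENDOR_ROOTS):
            reasons.append("binary outside the vendor's install root")
        if any(binary.endswith(p) for p in PROXY_BINARIES):
            reasons.append("action runs through a proxy binary")
        if reasons:
            findings.append({"task": name, "binary": binary, "reason": "; ".join(reasons)})
    return findings
```

On the sample export the genuine Google updater passes, while the two look-alike tasks are flagged for running from a user-writable directory and through rundll32.exe respectively.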
Some of these tools include:
- SharpADUserIP, a C# utility for reconnaissance and discovery
- SharpChrome.exe, to extract passwords and cookies from Google Chrome and Microsoft Edge browsers
- SharpDir, to search files
- StickyNotesExtract.exe, to extract data from the Windows Sticky Notes database
- Tailscale VPN, to create an encrypted tunnel and set up a peer-to-peer (P2P) network between the compromised host and the attackers' infrastructure
- Microsoft dev tunnels, to tunnel traffic
- Owawa, a malicious IIS module for credential theft
- AufTime, a Linux backdoor that uses the wolfSSL library to communicate with C2
- COFFProxy, a Golang backdoor that supports commands for tunneling traffic, executing commands, managing files, and delivering additional payloads
- VtChatter, a tool that uses Base64-encoded comments on a text file hosted on VirusTotal as a two-way C2 channel, checked every two hours
- OneDriveDoor, a backdoor that used Microsoft OneDrive as C2
- LocalPlugX, a variant of PlugX used to spread within the local network rather than to communicate with C2
- CloudSorcerer, a backdoor that used cloud services as C2
- YaLeak, a .NET tool to upload information to Yandex Cloud
These tools and techniques allowed APT31 to stay unnoticed in the infrastructure of victims for years.
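The cloud-hosted C2 channels above (VtChatter's two-hourly VirusTotal poll, Yandex Cloud exfiltration) look like ordinary SaaS traffic per request, but their regular cadence does not. The script below is an added example, not code from the article or any of the vendors it cites; it flags source/host pairs in web-proxy logs whose inter-request gaps are near-constant. The log lines, their "<ISO time> <src> <host> <path>" layout and the watched-host list are constructed assumptions, not any real proxy's format.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# SaaS hosts abused as C2 in this campaign (assumed watch list for the example).
WATCHED_HOSTS = ("www.virustotal.com", "cloud-api.yandex.net")

# Constructed proxy lines; 10.0.0.5 polls comments every ~2 h, 10.0.0.9 is an analyst browsing.
SAMPLE_LOG = """\
2025-03-01T00:00:05 10.0.0.5 www.virustotal.com /api/v3/files/<id>/comments
2025-03-01T02:00:07 10.0.0.5 www.virustotal.com /api/v3/files/<id>/comments
2025-03-01T04:01:02 10.0.0.5 www.virustotal.com /api/v3/files/<id>/comments
2025-03-01T06:00:04 10.0.0.5 www.virustotal.com /api/v3/files/<id>/comments
2025-03-01T08:00:06 10.0.0.5 www.virustotal.com /api/v3/files/<id>/comments
2025-03-01T09:12:40 10.0.0.9 www.virustotal.com /gui/file/<id>
2025-03-01T09:15:10 10.0.0.9 www.virustotal.com /gui/file/<id>
2025-03-01T13:40:00 10.0.0.9 www.virustotal.com /gui/file/<id>
2025-03-01T14:02:30 10.0.0.9 www.virustotal.com /gui/file/<id>
2025-03-01T10:00:00 10.0.0.5 www.example.com /
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text: str) -> dict:
    """Group request timestamps by (source, host), keeping only watched hosts."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, host, _path = m.groups()
        if host in WATCHED_HOSTS:
            hits[(src, host)].append(datetime.fromisoformat(ts))
    return hits


def find_beacons(text: str, min_hits: int = 4, max_jitter: float = 0.1) -> list:
    """Flag (src, host) pairs whose gaps between requests vary by at most max_jitter of the mean."""
    beacons = []
    for (src, host), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else float("inf")
        if jitter <= max_jitter:
            beacons.append({"src": src, "host": host, "period_s": period, "jitter": jitter})
    return beacons
```

Only the host that polls on a fixed two-hour schedule is reported; the analyst's irregular visits and the unwatched domain are not.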
At the same time, the attackers downloaded files and collected confidential information from devices, including passwords from victims' mailboxes and internal services. Positive Technologies stated that "APT31 is constantly replenishing its arsenal: although they continue to use some of their old tools." The group exfiltrates data through Yandex's cloud storage.
In conclusion, the recent cyber attacks attributed to APT31 pose a significant threat to Russia's IT sector. The sophisticated tactics used by this group demonstrate the evolving nature of cyber threats, which require continuous monitoring and awareness to mitigate. By understanding the TTPs, tools, and methods used by APT31, organizations can take necessary precautions to protect themselves from similar attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/A-China-Linked-APT-Groups-Stealthy-Cyberattacks-A-Threat-to-Russias-IT-Sector-ehn.shtml
https://thehackernews.com/2025/11/china-linked-apt31-launches-stealthy.html
Published: Sat Nov 22 10:46:40 2025 by llama3.2 3B Q4_K_M