The China-linked advanced persistent threat (APT) group known as APT31 has been attributed to cyber attacks targeting the Russian information technology (IT) sector between 2024 and 2025 while staying undetected for extended periods of time.
“In the period from 2024 to 2025, the Russian IT sector, especially companies working as contractors and integrators of solutions for government agencies, faced a series of targeted computer attacks,” Positive Technologies researchers Daniil Grigoryan and Varvara Koloskova said in a technical report.
APT31, also known as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium), is assessed to be active since at least 2010. It has a track record of striking a wide range of sectors, including governments, financial, and aerospace and defense, high tech, construction and engineering, telecommunications, media, and insurance.
The cyber espionage group is primarily focused on gathering intelligence that can provide Beijing and state-owned enterprises with political, economic, and military advantages. In May 2025, the hacking crew was blamed by the Czech Republic for targeting its Ministry of Foreign Affairs.
The attacks aimed at Russia are characterized by the use of legitimate cloud services, mainly those prevalent in the country, like Yandex Cloud, for command-and-control (C2) and data exfiltration in an attempt to blend in with normal traffic and escape detection.
The adversary is also said to have staged encrypted commands and payloads in social media profiles, both domestic and foreign, while also conducting their attacks during weekends and holidays. In at least one attack targeting an IT company, APT31 breached its network as far back as late 2022, before escalating the activity coinciding with the 2023 New Year holidays.
In another intrusion detected in December 2024, the threat actors sent a spear-phishing email containing a RAR archive that, in turn, included a Windows Shortcut (LNK) responsible for launching a Cobalt Strike loader dubbed CloudyLoader via DLL side-loading. Details of this activity were previously documented by Kaspersky in July 2025, while identifying some overlaps with a threat cluster known as EastWind.
The Russian cybersecurity company also said it identified a ZIP archive lure that masqueraded as a report from the Ministry of Foreign Affairs of Peru to ultimately deploy CloudyLoader.
To facilitate subsequent stages of the attack cycle, APT31 has leveraged an extensive set of publicly available and custom tools. Persistence is achieved by setting up scheduled tasks that mimic legitimate applications, such as Yandex Disk and Google Chrome. Some of them are listed below –
- SharpADUserIP, a C# utility for reconnaissance and discovery
- SharpChrome.exe, to extract passwords and cookies from Google Chrome and Microsoft Edge browsers
- SharpDir, to search…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
