Between 2024 and 2025, the Russian IT sector, particularly firms involved as contractors and integrators for government agencies, fell victim to a series of covert cyberattacks. These intrusions were linked to APT31, a China-related advanced persistent threat group known for its stealth and persistence. Positive Technologies researchers Daniil Grigoryan and Varvara Koloskova shed light on these attacks, revealing how APT31 managed to remain undetected for long stretches while carrying out intelligence-gathering missions aimed at securing political, economic, and military leverage for Beijing and affiliated state-owned enterprises.
APT31, which has been operating since at least 2010 under numerous aliases including Altaire, Bronze Vinewood, and Violet Typhoon, has a diverse target list. Its campaigns span governments, financial institutions, aerospace and defense sectors, among others. In May 2025, the Czech Republic accused this group of targeting its Ministry of Foreign Affairs, demonstrating APT31's broad geographical reach beyond Russia. The group’s latest operations against Russian IT companies relied heavily on legitimate cloud services—especially native platforms like Yandex Cloud—to mask command-and-control (C2) communications and data theft, blending malicious traffic with normal network activity to avoid detection.
The attackers also employed innovative tactics like embedding encrypted commands and payloads in social media profiles and timing their assaults during weekends and holidays to reduce the chances of being caught. Evidence shows that at least one Russian IT company was compromised as far back as late 2022, with attack intensity ramping up over the 2023 New Year period. Another notable incident from December 2024 involved spear-phishing emails carrying malicious RAR archives. These archives contained Windows Shortcut files used to deploy a Cobalt Strike loader dubbed CloudyLoader through DLL side-loading—a technique in which a legitimate, typically signed executable is made to load a malicious DLL placed alongside it, so the harmful code runs under a trusted process name. Kaspersky’s July 2025 report linked some of this activity to a threat cluster known as EastWind, which reportedly used ZIP archives posing as official documents to trick victims.
APT31’s toolkit is extensive and constantly evolving. The group blends off-the-shelf utilities with custom-built malware to maintain persistence and conduct reconnaissance. For example, it uses tools like SharpADUserIP for network discovery, SharpChrome.exe for extracting browser credentials, and VtChatter to communicate covertly via Base64-encoded comments on VirusTotal. The group also utilizes legitimate cloud services for communication channels, leveraging Microsoft OneDrive and Yandex Cloud for C2 and data exfiltration. Maintaining persistence often involves creating scheduled tasks that mimic the behavior of trusted applications like Google Chrome or Yandex Disk, further obfuscating their presence.
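The persistence trick described above (scheduled tasks named after Google Chrome or Yandex Disk components) is something a defender can hunt for with a simple consistency check: a task whose name claims to belong to a vendor, but whose action runs a binary outside that vendor's install directories, deserves a look. The following is an added Python example written for this page, not code from the Positive Technologies report or from any tool it names; the task records are constructed, and the vendor keyword list and expected install roots are assumptions to be tuned for your own estate (for instance, per-user Chrome installs).

```python
import re

# Constructed sample of scheduled-task records, in the shape a collector such as
# "schtasks /query /v /fo csv" or a Task Scheduler event export would yield.
# Every name and path here is made up for this example.
SAMPLE_TASKS = [
    {"name": r"\GoogleUpdateTaskMachineUA",
     "action": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler'},
    {"name": r"\Yandex\YandexDiskSync",
     "action": r"C:\Users\alice\AppData\Local\Yandex\YandexDisk\YandexDisk2.exe --background"},
    {"name": r"\GoogleUpdateTaskMachineCore",
     "action": r"C:\Users\Public\Libraries\update\GoogleUpdate.exe"},
    {"name": r"\YandexDiskUpdate",
     "action": r"C:\ProgramData\cache\yadisk.exe -c"},
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe -c -h -k -g"},
]

# Keywords that appear in task names, mapped to a vendor, and the directory
# prefixes under which that vendor's genuine binaries live. Both tables are
# assumptions for this example; extend them for other imitated products.
NAME_KEYWORDS = {"google": "google", "chrome": "google", "yandex": "yandex"}
EXPECTED_ROOTS = {
    "google": (r"c:\program files\google", r"c:\program files (x86)\google", r"\appdata\local\google"),
    "yandex": (r"c:\program files\yandex", r"c:\program files (x86)\yandex", r"\appdata\local\yandex"),
}

# Captures the executable at the start of an action string, with or without
# surrounding quotes, and stops before any command-line arguments.
_EXE_RE = re.compile(r'^\s*"?(.*?\.exe)"?(?:\s|$)', re.IGNORECASE)


def executable_from_action(action):
    """Return the executable path from a task action, stripping quotes and arguments."""
    m = _EXE_RE.match(action)
    return m.group(1) if m else action.split()[0]


def impersonated_vendor(task_name):
    """Return the vendor a task name appears to belong to, or None."""
    lowered = task_name.lower()
    for keyword, vendor in NAME_KEYWORDS.items():
        if keyword in lowered:
            return vendor
    return None


def find_mimicking_tasks(tasks):
    """Flag tasks whose name claims a vendor but whose binary sits outside that vendor's roots."""
    findings = []
    for task in tasks:
        vendor = impersonated_vendor(task["name"])
        if vendor is None:
            continue  # name does not imitate a vendor we track
        exe = executable_from_action(task["action"]).lower()
        if not any(root in exe for root in EXPECTED_ROOTS[vendor]):
            findings.append({"name": task["name"], "vendor": vendor, "executable": exe})
    return findings


if __name__ == "__main__":
    for f in find_mimicking_tasks(SAMPLE_TASKS):
        print(f"suspicious task {f['name']}: imitates {f['vendor']} but runs {f['executable']}")
```

On the constructed sample the two tasks that run from a public library folder and from ProgramData are flagged, while the genuine-looking Google and Yandex tasks pass. In practice the same check belongs beside signature verification of the target binary and a baseline of task names known on each host, since a well-placed copy of a real updater can still pass a path-only test.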
In addition to Windows-based tools, APT31 deploys Linux backdoors such as AufTime, which uses wolfSSL for encrypted communications, and COFFProxy, a Golang-based backdoor for traffic tunneling and payload delivery. Other specialized tools include Owawa, a malicious IIS module designed for credential theft, and LocalPlugX, a local-network spreading variant of the PlugX malware family. The group’s ability to tunnel traffic using technologies like Tailscale VPN and Microsoft developer tunnels helps them create secure, encrypted pathways between infected systems and their command servers.
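Two observations from this page combine well into one hunting rule: the use of Tailscale and Microsoft developer tunnels to reach infected hosts (this paragraph), and the preference for weekends and holidays (the earlier paragraph on timing). The Python below is an added example for this page, not code from the report or from Positive Technologies; the proxy log lines are constructed, and the tunnelling-service domains, the holiday list and the business-hours window are assumptions that should be checked and tuned against your own environment.

```python
from datetime import datetime, date

# Domains associated with the tunnelling services named in the report.
# Treat this mapping as an assumption: confirm the suffixes in use for your
# tenant and add any others you allow-list or block.
TUNNEL_SERVICES = {
    "tailscale.com": "Tailscale",
    "devtunnels.ms": "Microsoft dev tunnels",
}

# Constructed proxy log sample: "<iso timestamp> <src ip> <dest host> <port> <bytes>".
SAMPLE_PROXY_LOG = """\
2024-12-28T03:14:05 10.0.5.17 login.tailscale.com 443 1832
2024-12-30T10:02:44 10.0.5.23 intranet.corp.example 443 420
2024-12-30T11:15:09 10.0.5.17 abc123-8080.euw.devtunnels.ms 443 91230
2024-12-29T22:41:30 10.0.5.31 updates.example.com 443 5020
2025-01-01T00:05:12 10.0.5.17 controlplane.tailscale.com 443 2210
"""

HOLIDAYS = {date(2025, 1, 1)}   # assumption: local public holidays to treat as quiet periods
BUSINESS_HOURS = (7, 19)        # assumption: 07:00-19:00 local time counts as working hours


def match_tunnel_service(host):
    """Return the tunnelling service a hostname belongs to, matching on domain suffix."""
    host = host.lower().rstrip(".")
    for domain, service in TUNNEL_SERVICES.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None


def timing_tags(ts, holidays=HOLIDAYS):
    """Label a timestamp with the quiet-period conditions it falls into."""
    tags = []
    if ts.weekday() >= 5:            # Saturday or Sunday
        tags.append("weekend")
    if ts.date() in holidays:
        tags.append("holiday")
    start, end = BUSINESS_HOURS
    if not (start <= ts.hour < end):
        tags.append("off-hours")
    return tags


def parse_line(line):
    """Parse one line of the constructed proxy log format."""
    ts, src, host, port, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "host": host,
            "port": int(port), "bytes": int(nbytes)}


def hunt_tunnel_traffic(log_text, holidays=HOLIDAYS):
    """Return every connection to a tunnelling service, annotated with timing tags."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        service = match_tunnel_service(rec["host"])
        if service is None:
            continue  # ordinary destination, not part of this hunt
        findings.append({**rec, "service": service, "tags": timing_tags(rec["ts"], holidays)})
    return findings


if __name__ == "__main__":
    for f in hunt_tunnel_traffic(SAMPLE_PROXY_LOG):
        when = ",".join(f["tags"]) or "business-hours"
        print(f"{f['ts'].isoformat()} {f['src']} -> {f['host']} [{f['service']}] ({when})")
```

Every connection to a tunnelling service is reported, because in most corporate networks such traffic should be rare enough to review by hand; the timing tags then help prioritise, so the Saturday 03:14 Tailscale login and the New Year's Day control-plane contact rank above the dev-tunnel session during a working Monday. The off-hours destination that is not a tunnelling service is deliberately left alone, since time of day on its own is a weak signal.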
Overall, APT31’s blend of old and new attack vectors, combined with its strategic use of cloud platforms and off-hours timing, has allowed it to lurk within victim infrastructures for years. This quiet but effective espionage campaign has led to the theft of sensitive data including passwords for mailboxes and internal services, highlighting the ongoing challenge of defending highly targeted IT environments from sophisticated nation-state actors.