Full Report
The China-linked advanced persistent threat (APT) group known as APT31 has been attributed to cyber attacks targeting the Russian information technology (IT) sector between 2024 and 2025 while staying undetected for extended periods of time. "In the period from 2024 to 2025, the Russian IT sector, especially companies working as contractors and integrators of solutions for government agencies,
Analysis Summary
# Threat Actor: APT31
## Attribution & Identity
**Attribution:** China-linked Advanced Persistent Threat (APT) group.
**Known Aliases:** Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium).
**Associated Groups:** Identified overlaps with a threat cluster known as EastWind. The group has been active since at least 2010.
## Activity Summary
APT31 has been attributed to cyber-espionage attacks specifically targeting the **Russian IT sector between 2024 and 2025**, operations characterized by the effort to remain undetected for extended periods. The attacks used legitimate cloud services prevalent in Russia (such as Yandex Cloud) for C2 and data exfiltration so that the traffic blended in with normal activity. The group has been observed staging encrypted commands and payloads in social media profiles (both domestic and foreign) and notably conducting attacks during weekends and holidays. An investigation of one IT company network revealed an intrusion dating back to late 2022, with activity escalating around the 2023 New Year holidays.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Spear-phishing emails containing RAR archives that led to a Windows Shortcut (LNK) file.
- **Execution:** The LNK file launched a Cobalt Strike loader dubbed "CloudyLoader" via DLL side-loading.
- **Command and Control (C2):** Extensive use of legitimate, prevalent cloud services (primarily **Yandex Cloud**) for C2 and data exfiltration. Staging of encrypted data/commands on social media profiles.
- **Persistence:** Setting up scheduled tasks that mimic legitimate applications (e.g., Yandex Disk, Google Chrome).
- **Discovery/Reconnaissance:** Use of custom and public tools like `SharpADUserIP`.
- **Credential Access:** Use of `SharpChrome.exe` to extract passwords/cookies from Chrome/Edge, and the malicious IIS module `Owawa` for credential theft.
- **Defense Evasion:** Conducting operations during low-activity periods (weekends and holidays).
- **Tunneling/Exfiltration:** Use of Tailscale VPN for encrypted P2P networks and **COFFProxy** (Golang backdoor) for tunneling traffic.
- **Tools/Malware:** CloudyLoader (Cobalt Strike loader), AufTime (Linux/wolfSSL backdoor), COFFProxy (Golang backdoor), VtChatter (uses Base64-encoded comments on VirusTotal text files).
- **Custom Utilities Used:** `SharpADUserIP` (C# utility), `SharpDir` (file search), `StickyNotesExtract.exe`.
## Targeting
- **Sectors:** Russian Information Technology (IT) sector, especially companies acting as **contractors and integrators of solutions for government agencies**. Historically: governments, financial, aerospace and defense, high tech, construction and engineering, telecommunications, media, and insurance.
- **Geography:** Russia (recent focus); historically global.
- **Victims:** Russian IT sector contractors/integrators. Also cited for targeting the Czech Republic's Ministry of Foreign Affairs in May 2025.
## Tools & Infrastructure
- **Malware families used:** CloudyLoader, AufTime, COFFProxy, Owawa, VtChatter.
- **Infrastructure (C2, domains, IPs):**
  - **Legitimate Cloud Services:** Yandex Cloud (primary C2/Exfiltration).
  - **Tunneling/P2P:** Tailscale VPN, Microsoft dev tunnels.
  - **Staging:** Domestic and foreign social media profiles.
## Implications
APT31 continues to demonstrate a high level of operational security, leveraging trusted cloud infrastructure (Yandex Cloud) and tradecraft such as operating during holidays to maintain long-term, undetected access within sensitive sectors that underpin government operations (Russian IT contractors). Its focus on contractors and integrators, a supply-chain position, suggests an effort to reach higher-value state assets indirectly.
## Mitigations
- Implement rigorous monitoring and anomaly detection around legitimate cloud service utilization (e.g., Yandex Cloud) for non-standard C2 or data staging activities.
- Harden security controls around email attachments and LNK files, particularly those received outside standard channels during off-hours.
- Investigate unauthorized scheduled tasks mimicking system utilities (Yandex Disk, Google Chrome) as a potential persistence mechanism.
- Enhance monitoring for the use of legitimate tools repurposed for malicious activity, such as Tailscale VPN or Microsoft dev tunnels, within internal networks.
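The scheduled-task check (the persistence technique listed under Tactics and the third mitigation above) as an added example, not code from the report: it parses a `schtasks /query /fo CSV /v` export and flags tasks that borrow the Yandex Disk or Google Chrome name but launch a program from outside that product's install tree. The sample export, the brand keywords and the expected install locations are assumptions constructed for the example.

```python
import csv
import io
import re

# Constructed sample in the shape of a `schtasks /query /fo CSV /v` export, trimmed to
# three of its columns (the column names are the ones schtasks emits); rows are made up.
SAMPLE_EXPORT = r'''"TaskName","Task To Run","Run As User"
"\YandexDiskUpdate","C:\Users\alice\AppData\Local\Yandex\YandexDisk2\YandexDisk2.exe --update","alice"
"\GoogleUpdateTaskMachineUA","""C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"" /ua","SYSTEM"
"\Yandex Disk Sync","C:\Users\Public\Music\yadisk.exe","alice"
"\Google Chrome Updater","rundll32.exe C:\ProgramData\chrome\upd.dll,Start","SYSTEM"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
'''

# Words in a task name or command line that claim membership of a product the report
# says the group's tasks imitate.
BRAND_HINTS = {
    "yandex": re.compile(r"yandex\s*disk|yadisk", re.I),
    "google": re.compile(r"google\s*chrome|googleupdate|\bchrome\b", re.I),
}

# Assumed install trees a genuine task for that product launches from (Yandex Disk per
# user under %LOCALAPPDATA%\Yandex, Google components under Program Files\Google).
EXPECTED_PARENT = {
    "yandex": re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\yandex\\", re.I),
    "google": re.compile(r"^c:\\program files( \(x86\))?\\google\\", re.I),
}


def executable_of(command):
    """Program a 'Task To Run' value launches: quoted path, path up to .exe, or first token."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)(?=\s|$)|(\S+)', command.strip(), re.I)
    return next(g for g in m.groups() if g) if m else ""


def find_suspicious_tasks(csv_text):
    """(task, program, user) for tasks named after a product but running outside its tree."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, command = row["TaskName"], row["Task To Run"]
        for brand, hint in BRAND_HINTS.items():
            if not (hint.search(name) or hint.search(command)):
                continue
            exe = executable_of(command)
            if not EXPECTED_PARENT[brand].match(exe):
                findings.append((name, exe, row["Run As User"]))
    return findings


if __name__ == "__main__":
    for name, exe, user in find_suspicious_tasks(SAMPLE_EXPORT):
        print(f"SUSPECT task {name!r} runs {exe!r} as {user}")
```

Run against a real export, tune `EXPECTED_PARENT` to the environment's baseline first; a genuine task launching from a non-default location otherwise shows up as a finding.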