China-Linked APT31 Launches Stealthy Cyberattacks on Russian Organizations Using Cloud Services

  • Nov 22, 2025
  • 2 min read

Key Findings:


  • Between 2024 and 2025, the China-linked advanced persistent threat (APT) group APT31 conducted targeted cyberattacks on the Russian IT sector, particularly companies working as contractors and integrators for government agencies.

  • The attacks were characterized by the use of legitimate cloud services popular mainly in Russia, such as Yandex Cloud, for command-and-control (C2) and data exfiltration, in an attempt to blend in with normal traffic and evade detection.

  • APT31 also staged encrypted commands and payloads in social media profiles, both domestic and foreign, and conducted attacks during weekends and holidays.

  • The threat group leveraged an extensive set of publicly available and custom tools for various stages of the attack cycle, including for reconnaissance, credential theft, file management, and payload delivery.

  • Persistence was achieved by setting up scheduled tasks that mimicked legitimate applications, such as Yandex Disk and Google Chrome.

  • Data exfiltration was done through Yandex's cloud storage, allowing the group to stay undetected in the victims' infrastructure for years.


Background


APT31, also known as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium), is assessed to have been active since at least 2010. It has a track record of striking a wide range of sectors, including government, financial services, aerospace and defense, high tech, construction and engineering, telecommunications, media, and insurance. The cyber espionage group is primarily focused on gathering intelligence that can provide Beijing and state-owned enterprises with political, economic, and military advantages.


Tactics, Techniques, and Tools


  • Use of legitimate cloud services, such as Yandex Cloud and Microsoft OneDrive, for C2 and data exfiltration

  • Staging of encrypted commands and payloads in social media profiles

  • Conducting attacks during weekends and holidays

  • Leveraging a wide range of tools, including:

      • SharpADUserIP for reconnaissance and discovery

      • SharpChrome.exe to extract passwords and cookies

      • SharpDir to search files

      • StickyNotesExtract.exe to extract data from the Windows Sticky Notes database

      • Tailscale VPN and Microsoft dev tunnels for creating encrypted tunnels

      • Owawa, a malicious IIS module for credential theft

      • AufTime, a Linux backdoor

      • COFFProxy, a Golang backdoor

      • VtChatter, a tool that uses VirusTotal comments for C2

      • OneDriveDoor, a backdoor that uses Microsoft OneDrive as C2

      • LocalPlugX, a variant of PlugX for local network spread

      • CloudSorcerer, a backdoor that uses cloud services as C2

      • YaLeak, a .NET tool to upload information to Yandex Cloud


Persistence and Exfiltration


  • Persistence achieved by setting up scheduled tasks mimicking legitimate applications like Yandex Disk and Google Chrome

  • Data exfiltration done through Yandex's cloud storage, allowing the group to stay undetected for years
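
As an added detection example (not part of the original post or of any of its sources), the following Python classifies scheduled-task records whose names claim a Yandex or Google identity but whose action binary runs from outside that vendor's install roots, which is the pattern a task mimicking Yandex Disk or Google Chrome would show. The task records and the vendor path prefixes are constructed assumptions and should be tuned to the environment being hunted in.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed vendor install roots, lower case, forward-slash normalised.
# Not taken from the report; adjust to what is actually deployed in the estate.
VENDOR_ROOTS = {
    "yandex": ("c:/program files/yandex/", "/appdata/local/yandex/"),
    "google": ("c:/program files/google/", "c:/program files (x86)/google/",
               "/appdata/local/google/"),
}
# Words in a task name that claim a vendor identity.
BRAND_WORDS = {"yandex": ("yandex", "yadisk"), "google": ("google", "chrome")}


@dataclass
class ScheduledTask:
    name: str    # task path as shown by schtasks / Task Scheduler
    action: str  # executable the task launches
    author: str  # "Author" field from the task XML


def claimed_vendor(task_name: str) -> Optional[str]:
    """Return the vendor a task name appears to belong to, if any."""
    lowered = task_name.lower()
    for vendor, words in BRAND_WORDS.items():
        if any(w in lowered for w in words):
            return vendor
    return None


def runs_from_vendor_root(vendor: str, action: str) -> bool:
    """True if the action binary lives under one of the vendor's known roots."""
    path = action.strip('"').lower().replace("\\", "/")
    return any(root in path for root in VENDOR_ROOTS[vendor])


def classify(task: ScheduledTask) -> str:
    """'lookalike' = vendor-branded name whose binary sits outside that vendor's roots."""
    vendor = claimed_vendor(task.name)
    if vendor is None:
        return "unbranded"
    return "expected" if runs_from_vendor_root(vendor, task.action) else "lookalike"


# Constructed sample records for illustration only; not real indicators.
SAMPLE_TASKS = [
    ScheduledTask(r"\GoogleUpdateTaskMachineCore",
                  r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "Google"),
    ScheduledTask(r"\Yandex\YandexDiskSync",
                  r"C:\Users\alice\AppData\Local\Yandex\YandexDisk2\YandexDisk2.exe", "Yandex"),
    ScheduledTask(r"\GoogleChromeUpdater", r"C:\Users\Public\Libraries\chrome\update.exe", "alice"),
    ScheduledTask(r"\YandexDiskUpdate", r"C:\ProgramData\YaDisk\svc.exe", "SYSTEM"),
    ScheduledTask(r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"C:\Windows\System32\defrag.exe", "Microsoft"),
]


def find_lookalikes(tasks: List[ScheduledTask]) -> List[str]:
    """Names of tasks that impersonate a vendor but run from an unexpected path."""
    return [t.name for t in tasks if classify(t) == "lookalike"]


if __name__ == "__main__":
    for t in SAMPLE_TASKS:
        print(f"{classify(t):10} {t.name} -> {t.action}")
```

A real hunt would feed this the output of `schtasks /query /xml` or the Task Scheduler event log rather than the embedded samples, and would treat an unexpected author or an action under ProgramData, Public or Temp as the strongest signal.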


Conclusion


APT31 has demonstrated its ability to conduct stealthy and long-lasting cyberattacks on the Russian IT sector by leveraging legitimate cloud services and a wide arsenal of tools. The group's tactics, techniques, and persistence mechanisms have allowed it to evade detection and maintain access to victim networks for extended periods, posing a significant threat to the targeted organizations.


Sources


  • https://thehackernews.com/2025/11/china-linked-apt31-launches-stealthy.html

  • https://galileosg.com/2025/11/22/china-linked-apt31-launches-stealthy-cyberattacks-on-russian-it-using-cloud-services/

  • https://www.reddit.com/r/SecOpsDaily/comments/1p3y9wr/chinalinked_apt31_launches_stealthy_cyberattacks/

  • https://bvtech.org/china-linked-apt31-launches-stealthy-cyberattacks-on-russian-it-using-cloud-services/

  • https://x.com/TheCyberSecHub/status/1992272170391838901
