China-Linked APT31 Launches Stealthy Cyberattacks on Russian IT Using Cloud Services

Between 2024 and 2025, the Russian information technology sector, particularly companies serving government agencies, faced a series of sophisticated cyberattacks attributed to the China-linked advanced persistent threat group APT31. Researchers from Positive Technologies report that the group remained undetected for extended periods while leveraging legitimate cloud services for espionage and data exfiltration.

APT31’s Modus Operandi

APT31, also known under aliases including Altaire, Bronze Vinewood, Judgement Panda, and Violet Typhoon, has been active since at least 2010. Historically, the group has targeted sectors spanning government, finance, aerospace, telecommunications, and high-tech industries, aiming to provide Beijing and state-owned enterprises with political, economic, and military advantages.

For attacks on Russian IT firms, APT31 primarily used local cloud services, such as Yandex Cloud, as command-and-control (C2) infrastructure. Researchers noted that encrypted commands and payloads were sometimes staged via social media profiles, with operations frequently conducted during weekends and public holidays to avoid detection. In one instance, the group gained access to a network as early as late 2022 and escalated activity during the 2023 New Year period.

Tactics and Tools

APT31 has employed a combination of publicly available and custom tools to maintain persistence and exfiltrate sensitive information. Techniques include scheduled tasks whose names mimic legitimate applications, spear-phishing campaigns, and malicious archives that deliver loaders such as CloudyLoader through DLL side-loading.
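As an added illustration, not code from the Positive Technologies report or from this article, the Python script below hunts for the two defender-visible patterns described above: scheduled tasks whose names imitate a well-known updater but whose binary sits outside that vendor's install directory, and task creations that land on weekends or public holidays. The vendor allow-list, the holiday calendar and the JSON-lines event sample are all constructed assumptions; in practice the same function would be fed exported Windows Security event 4698 ("a scheduled task was created") or Sysmon records reshaped into the fields it expects.

```python
"""Hunt for suspicious scheduled-task creations in exported Windows event data.

Added example (not from the report). Assumes task-creation events exported as
JSON lines with the fields: timestamp (ISO 8601), user, task_name, command.
"""
import json
from datetime import date, datetime

# Illustrative allow-list (assumption): lower-cased keyword that appears in a
# legitimate task name -> directories where that vendor's binary is installed.
# Directories are stored without a trailing backslash (a raw string cannot end in one).
EXPECTED_DIRS = {
    "googleupdate": (r"c:\program files (x86)\google\update",),
    "microsoftedgeupdate": (r"c:\program files (x86)\microsoft\edgeupdate",),
}

# Constructed holiday calendar: the Russian New Year break, 1-8 January 2024.
HOLIDAYS = {date(2024, 1, d) for d in range(1, 9)}

# Constructed sample events. Line 1 is a look-alike task created on a holiday,
# line 3 is an unremarkable name created on a Saturday, lines 2 and 4 are benign.
SAMPLE_EVENTS = r"""
{"timestamp": "2024-01-03T02:14:00", "user": "CORP\\svc-backup", "task_name": "GoogleUpdateTaskMachineUA", "command": "\"C:\\Users\\Public\\Libraries\\GoogleUpdate.exe\" /ua"}
{"timestamp": "2024-01-10T09:30:00", "user": "NT AUTHORITY\\SYSTEM", "task_name": "GoogleUpdateTaskMachineCore", "command": "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /c"}
{"timestamp": "2024-03-16T23:05:00", "user": "CORP\\j.ivanov", "task_name": "Backup-Nightly", "command": "C:\\ProgramData\\svc\\upd.exe"}
{"timestamp": "2024-03-18T10:00:00", "user": "NT AUTHORITY\\SYSTEM", "task_name": "MicrosoftEdgeUpdateTaskMachineCore", "command": "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe\""}
"""


def binary_path(command):
    """Return the lower-cased executable path from a task's command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        path = parts[0] if parts else ""
    return path.lower()


def mimicked_app(task_name, command):
    """Return the keyword a task name imitates when its binary is outside the
    vendor's directory, or None when the name/path pairing looks legitimate."""
    name = task_name.lower()
    path = binary_path(command)
    for keyword, dirs in EXPECTED_DIRS.items():
        if keyword in name and not any(path.startswith(d + "\\") for d in dirs):
            return keyword
    return None


def off_hours_reason(timestamp_iso, holidays=HOLIDAYS):
    """Return a reason string if the creation time falls on a holiday or weekend."""
    ts = datetime.fromisoformat(timestamp_iso)
    if ts.date() in holidays:
        return "created-on-holiday"
    if ts.weekday() >= 5:  # Saturday = 5, Sunday = 6
        return "created-on-weekend"
    return None


def hunt(jsonl_text, holidays=HOLIDAYS):
    """Parse JSON-lines events and return those carrying at least one indicator."""
    findings = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = []
        timing = off_hours_reason(event["timestamp"], holidays)
        if timing:
            reasons.append(timing)
        app = mimicked_app(event["task_name"], event["command"])
        if app:
            reasons.append("mimics:" + app)
        if reasons:
            findings.append({"task_name": event["task_name"],
                             "user": event["user"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["task_name"], finding["user"], ", ".join(finding["reasons"]))
```

Neither indicator is conclusive on its own: administrators do create tasks on weekends, and a look-alike name is only meaningful when paired with an unexpected binary location, which is why the script reports the reasons separately so an analyst can triage a holiday-plus-mimic hit ahead of a lone weekend creation.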

Key tools and malware families identified include:

  • SharpADUserIP: C# utility for reconnaissance and discovery
  • SharpChrome.exe: Extracts passwords and cookies from browsers
  • StickyNotesExtract.exe: Extracts data from Windows Sticky Notes
  • Tailscale VPN & Microsoft Dev Tunnels: Create encrypted communication channels
  • Owawa & AufTime: Backdoors for credential theft and Linux system access
  • COFFProxy & CloudSorcerer: Backdoors for C2, file management, and payload delivery
  • VtChatter: Uses Base64-encoded comments on VirusTotal as a C2 channel
  • OneDriveDoor & YaLeak: Leverage cloud storage services for data exfiltration
  • LocalPlugX: Network-spreading variant of PlugX

Positive Technologies emphasized that APT31 continually updates its toolkit, reusing some legacy tools while integrating new capabilities that exploit cloud services for both persistence and stealthy data exfiltration.

Impact on Russian IT

These operations allowed APT31 to remain embedded within victim networks for years, harvesting sensitive information including passwords and confidential internal communications. By blending into legitimate cloud traffic, the group minimized the risk of detection, underscoring the evolving challenges of securing IT infrastructure against state-linked cyber espionage.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO