China-Linked APT31 Conducts Stealthy Cyberattacks on Russian IT via Cloud Services

A long-running cyber-espionage operation linked to the China-based advanced persistent threat group APT31 quietly infiltrated multiple Russian information technology companies between 2024 and 2025. According to researchers Daniil Grigoryan and Varvara Koloskova of Positive Technologies, the attackers focused on contractors and integrators that provide services to Russian government agencies, and remained undetected inside their networks for extended periods.

APT31, also tracked as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon, has been active since at least 2010. The group frequently targets the government, finance, defense, telecommunications, aerospace, media, and engineering sectors. Its primary objective is to gather intelligence of political, military, and economic value to Beijing and to Chinese state-owned enterprises. In May 2025, the Czech Republic attributed an attack on its Ministry of Foreign Affairs to the same threat actor.

Cloud Services Used for Command and Control

The campaign against Russian entities made extensive use of legitimate cloud platforms, particularly services widely adopted inside Russia, including Yandex Cloud. The aim was to blend malicious traffic with ordinary user activity, so that connections to the attackers' infrastructure would not stand out from normal use of the same services.

Researchers also found evidence of encrypted commands and payloads being planted on social media profiles. Many operations were carried out on weekends and public holidays, when fewer defenders are watching, to reduce the likelihood of immediate detection. One targeted company was compromised as early as late 2022, with increased activity recorded around the 2023 New Year period.
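Blending into legitimate cloud traffic defeats domain-reputation blocking, but an implant that polls a cloud service on a timer still leaves a cadence that human use does not. The following script is an added example, not code from the report or from Positive Technologies: it reads constructed proxy log lines, groups requests to a set of assumed cloud hostnames by source and destination, and flags pairs whose inter-request gaps are nearly constant, also reporting how much of that activity fell on weekends or outside an assumed working window. The hostnames, thresholds and log format are illustrative assumptions.

```python
"""Added example: flag fixed-interval requests to cloud services in proxy logs.

Hostnames, thresholds and the log format are assumptions for illustration,
not values taken from the Positive Technologies report.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample proxy log: "<UTC timestamp> <src_ip> <host> <bytes_out>".
# 10.20.30.40 polls VirusTotal every ~2 h on a Saturday (timer-driven cadence);
# 10.20.30.41 is an ordinary weekday user of an assumed Yandex Cloud endpoint.
SAMPLE_LOG = """\
2025-01-04T00:03:11Z 10.20.30.40 www.virustotal.com 1412
2025-01-04T02:03:09Z 10.20.30.40 www.virustotal.com 1398
2025-01-04T04:03:14Z 10.20.30.40 www.virustotal.com 1405
2025-01-04T06:03:10Z 10.20.30.40 www.virustotal.com 1411
2025-01-04T08:03:12Z 10.20.30.40 www.virustotal.com 1402
2025-01-13T09:12:44Z 10.20.30.41 cloud-api.yandex.net 28119
2025-01-13T09:14:02Z 10.20.30.41 cloud-api.yandex.net 512
2025-01-13T11:40:19Z 10.20.30.41 cloud-api.yandex.net 91377
2025-01-13T15:05:51Z 10.20.30.41 cloud-api.yandex.net 2048
2025-01-13T16:58:03Z 10.20.30.41 cloud-api.yandex.net 44010
"""

# Assumed: cloud platforms that are legitimate for users but attractive as C2.
WATCHED_HOST_SUFFIXES = ("virustotal.com", "yandex.net", "yandex.ru",
                         "onedrive.com", "live.com", "devtunnels.ms")


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, host, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, src, host, int(nbytes)))
    return records


def is_off_hours(when, start=7, end=20):
    """Weekend, or outside an assumed 07:00-20:00 working window.

    Timestamps here are UTC; in practice convert to the victim's local zone
    and add the local public-holiday calendar."""
    return when.weekday() >= 5 or not (start <= when.hour < end)


def find_beacons(records, min_hits=4, max_cv=0.15):
    """Group watched-host requests by (src, host) and flag near-constant gaps.

    cv = stddev / mean of the inter-request intervals. A timer-driven implant
    sits close to 0; interactive use is far above max_cv."""
    groups = defaultdict(list)
    for when, src, host, _ in records:
        if host.endswith(WATCHED_HOST_SUFFIXES):
            groups[(src, host)].append(when)
    findings = []
    for (src, host), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period > 0 else float("inf")
        if cv <= max_cv:
            findings.append({
                "src": src, "host": host, "hits": len(times),
                "period_s": round(period), "cv": round(cv, 4),
                "off_hours_ratio": sum(is_off_hours(t) for t in times) / len(times),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data only the Saturday VirusTotal poller is reported (period 7200 s, all hits off-hours); the weekday Yandex user has wildly varying gaps and is ignored. Real implants add jitter, so widen `max_cv` and lengthen the observation window rather than expecting a clean 2-hour clock, and treat the off-hours ratio as a scoring input, not a verdict on its own.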

Phishing Emails and CloudyLoader Deployment

Another major intrusion, identified in December 2024, began with a spear-phishing email carrying a RAR archive. Inside was a Windows Shortcut (LNK) file that launched a Cobalt Strike loader known as CloudyLoader through DLL side-loading. Kaspersky had documented this activity in July 2025 and found it to overlap with a threat cluster it tracks as EastWind.

Positive Technologies noted a separate lure where a ZIP archive falsely presented itself as a report from the Ministry of Foreign Affairs of Peru, ultimately delivering the same CloudyLoader payload.

Extensive Arsenal of Public and Custom Tools

APT31 relies on a wide variety of tools to execute the different stages of its attack cycle. Persistence is maintained by registering scheduled tasks that impersonate legitimate applications, including Yandex Disk and Google Chrome. Some of the tools observed include:

• SharpADUserIP, a C# utility for reconnaissance
• SharpChrome.exe, for extracting cookies and passwords from Google Chrome and Microsoft Edge
• SharpDir, for searching files on the system
• StickyNotesExtract.exe, for collecting data stored in Windows Sticky Notes
• Tailscale VPN, for encrypted peer-to-peer communications
• Microsoft dev tunnels, for tunneling traffic through Microsoft's infrastructure
• Owawa, a malicious IIS module used for credential theft
• AufTime, a Linux backdoor that communicates with its C2 using the wolfSSL library
• COFFProxy, a Go backdoor capable of file operations, command execution, tunneling, and payload delivery
• VtChatter, a tool that uses Base64-encoded comments on VirusTotal files as a two-way C2 channel, polling every two hours
• OneDriveDoor, a backdoor that uses Microsoft OneDrive for command and control
• LocalPlugX, a PlugX variant that spreads locally within networks
• CloudSorcerer, a backdoor that leverages cloud services for communication
• YaLeak, a .NET tool that uploads stolen data to Yandex Cloud
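A scheduled task named after Yandex Disk or Google Chrome survives a casual look at Task Scheduler, but the action it runs still has to point somewhere. The script below is an added example, not code from the report or from Positive Technologies: it parses exported Task Scheduler XML and flags tasks whose name, author or description claims a vendor while the executable lives outside a trusted install location, runs from a user-writable directory, or goes through a script host. The keyword list, trusted path prefixes and the two sample task definitions are constructed assumptions, not indicators from the report.

```python
"""Added example: spot scheduled tasks that borrow a vendor's name but run
from an untrusted path.

The keyword list, path heuristics and sample tasks are illustrative
assumptions, not indicators taken from the Positive Technologies report.
"""
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed heuristics: vendors being impersonated, where their binaries are
# expected to live, and locations an unprivileged user can write to.
VENDOR_KEYWORDS = ("yandex", "google", "chrome")
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\",
                    "c:\\windows\\system32\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "c:\\users\\public\\",
                         "c:\\programdata\\")
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "powershell.exe", "cmd.exe"}

# Constructed sample exports. Real ones (schtasks /query /xml, or the files
# under C:\\Windows\\System32\\Tasks) are UTF-16: read them as bytes and pass
# the bytes to ET.fromstring so the encoding declaration is honoured.
SUSPICIOUS_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Yandex</Author>
    <Description>Keeps Yandex Disk up to date.</Description>
    <URI>\\YandexDiskUpdater</URI>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\ivanov\\AppData\\Roaming\\YandexDisk\\YandexDisk2.exe</Command>
    </Exec>
  </Actions>
</Task>"""

LEGITIMATE_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Google LLC</Author>
    <Description>Keeps your Google software up to date.</Description>
    <URI>\\GoogleUpdateTaskMachineUA</URI>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe</Command>
      <Arguments>/ua /installsource scheduler</Arguments>
    </Exec>
  </Actions>
</Task>"""


def _text(node, path):
    """Namespace-aware text lookup that returns '' for a missing element."""
    return (node.findtext(path, default="", namespaces=NS) or "").strip()


def check_task_xml(xml_text):
    """Return {"uri", "commands", "findings"} for one Task Scheduler XML document."""
    root = ET.fromstring(xml_text)
    uri = _text(root, "t:RegistrationInfo/t:URI")
    identity = " ".join([uri, _text(root, "t:RegistrationInfo/t:Author"),
                         _text(root, "t:RegistrationInfo/t:Description")]).lower()
    claims_vendor = any(k in identity for k in VENDOR_KEYWORDS)
    findings, commands = [], []
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        cmd = _text(exec_el, "t:Command").strip('"')
        args = _text(exec_el, "t:Arguments").lower()
        commands.append(cmd)
        low = cmd.lower()
        # Vendor branding on the task, but the binary is not where that vendor installs.
        if claims_vendor and not low.startswith(TRUSTED_PREFIXES):
            findings.append("vendor_name_untrusted_path")
        # Payload dropped where a non-admin can write (typical for user-level persistence).
        if any(m in low for m in USER_WRITABLE_MARKERS):
            findings.append("user_writable_path")
        # Script hosts and DLL loaders usually mean the real payload is in the arguments.
        if ntpath.basename(low) in SCRIPT_HOSTS:
            findings.append("script_host_launch")
        if args and any(m in args for m in USER_WRITABLE_MARKERS):
            findings.append("user_writable_argument")
    return {"uri": uri, "commands": commands, "findings": sorted(set(findings))}


if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK, LEGITIMATE_TASK):
        print(check_task_xml(sample))
```

Run it over every file in the Tasks directory (they are XML documents without an extension) or over `schtasks /query /xml ONE` output. A task that trips `vendor_name_untrusted_path` is not proof of compromise, since some installers do place updaters under AppData, so follow up by checking the signature of the binary the task runs and whether the path matches the vendor's documented install location.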

Stealthy Operations and Data Exfiltration

Positive Technologies reported that APT31 keeps expanding its toolkit while still reusing older components. Many of its tools operate in server mode, waiting silently for an inbound connection from the attackers rather than beaconing out; such implants produce no periodic outbound C2 traffic, so hunting for them means looking for unexpected listening ports and services rather than for beacons. Stolen data, including passwords for internal services and email accounts, is frequently exfiltrated through Yandex Cloud storage.

These techniques have allowed APT31 to remain hidden within victim networks for years, quietly collecting confidential information and transferring sensitive files to remote infrastructure.