
APT31 Exploits Yandex.Browser and Cloud Services in Stealthy Cyberattacks on Russian IT Sector

  • Rescana
  • Nov 24

Executive Summary

The China-linked advanced persistent threat group APT31 (also known as Judgement Panda, Violet Typhoon, and Zirconium) has orchestrated a sophisticated cyber-espionage campaign targeting the Russian IT sector, with a particular focus on organizations serving government agencies. Leveraging legitimate cloud services such as Yandex Cloud and Microsoft OneDrive for command-and-control (C2) and data exfiltration, APT31 has demonstrated advanced tradecraft in evading detection, maintaining persistence, and extracting sensitive information. The group’s operations, observed from late 2022 through 2025, are characterized by the use of spear-phishing, DLL side-loading, custom malware, and cloud-based C2 channels, enabling it to blend malicious activity with normal enterprise traffic. This report provides a comprehensive technical analysis of the tactics, techniques, and procedures (TTPs) employed by APT31, details on exploitation in the wild, victimology, and actionable mitigation strategies.

Threat Actor Profile

APT31 is a China-linked cyber-espionage group active since at least 2010, with a history of targeting government, defense, technology, and critical infrastructure sectors worldwide. The group is known for its adaptive use of both custom and commodity malware, as well as its ability to rapidly shift TTPs in response to detection. In this campaign, APT31 has focused on Russian IT companies, especially those with government contracts, but has also targeted organizations in the Czech Republic and other regions. The group’s operations are notable for their use of legitimate cloud services for C2, which complicates detection and attribution. APT31 is tracked by various vendors under aliases such as Altaire, Bronze Vinewood, RedBravo, Red Keres, and PerplexedGoblin.

Technical Analysis of Malware/TTPs

APT31’s attack chain begins with spear-phishing emails containing malicious RAR or ZIP archives, often disguised as official documents from government agencies such as the Ministry of Foreign Affairs of Peru. These archives contain Windows LNK shortcut files, which, when executed, trigger a multi-stage infection process. The LNK files initiate the loading of a custom Cobalt Strike loader, dubbed CloudyLoader, via DLL side-loading. This technique abuses legitimate signed binaries, such as the Yandex.Browser installer or dot1xtray.exe, to load malicious DLLs (msvcr100.dll, msvcr110.dll, winhttp.dll, wtsapi.dll), thereby evading endpoint security controls.

Once executed, CloudyLoader establishes persistence by creating scheduled tasks that mimic legitimate applications like Yandex Disk or Google Chrome. The loader then deploys a Cobalt Strike beacon or custom remote access trojans (RATs) such as YaRAT and OneDriveDoor, which communicate with C2 infrastructure hosted on Yandex Cloud, Microsoft OneDrive, and even VirusTotal (via the VtChatter tool). These channels are used to receive commands, exfiltrate data, and download additional payloads.

APT31 employs a suite of custom tools for reconnaissance and credential theft, including SharpADUserIP (for Active Directory reconnaissance), SharpChrome.exe (for extracting browser credentials), SharpDir (for file system searches), and StickyNotesExtract.exe (for harvesting Windows Sticky Notes data). For lateral movement, the group uses a variant of PlugX (LocalPlugX) and establishes encrypted tunnels using Tailscale VPN and Microsoft dev tunnels. On Linux systems, the AufTime backdoor, leveraging wolfSSL for encrypted C2, has been observed.

The group’s operations are further characterized by the use of malicious IIS modules (Owawa) for credential theft, the COFFProxy Golang backdoor for tunneling and command execution, and the CloudSorcerer backdoor for cloud-based C2. Data exfiltration is facilitated by the YaLeak .NET tool, which uploads stolen data to Yandex Cloud.

To evade detection, APT31 times its operations for weekends and holidays, when monitoring is typically reduced, and leverages cloud services to blend malicious traffic with legitimate enterprise activity. The use of scheduled tasks and registry run keys for persistence, as well as the abuse of signed binaries for DLL side-loading, further complicates detection and response.

Exploitation in the Wild

APT31’s campaign has resulted in the compromise of multiple Russian IT companies, particularly those with direct or indirect access to government networks. The group has demonstrated the ability to maintain a presence within victim environments for extended periods, with dwell times exceeding one year in some cases. During these intrusions, APT31 has exfiltrated credentials, internal documents, emails, and sensitive government-related data. The group’s use of cloud-based C2 channels has enabled them to bypass traditional perimeter defenses and maintain operational security.

The attack chain typically begins with a spear-phishing email containing a malicious archive or document. Upon execution of the embedded LNK file or macro, the initial loader is deployed, followed by the establishment of persistence and C2 communication. The attackers then conduct internal reconnaissance, harvest credentials, and move laterally within the network using custom tools and legitimate administrative utilities. Data is exfiltrated via encrypted channels to cloud storage services, making detection and attribution challenging.

Notably, APT31 has also targeted organizations outside Russia, including the Czech Republic Ministry of Foreign Affairs, indicating a broader strategic interest in government and diplomatic entities.

Victimology and Targeting

The primary victims of this campaign are Russian IT companies, especially those serving as contractors or integrators for government agencies. The group has also targeted media and energy companies, as well as organizations in other countries, such as the Czech Republic. The selection of targets suggests a focus on entities with access to sensitive government information and critical infrastructure.

APT31’s targeting is highly selective, with spear-phishing lures tailored to the recipient’s role and organization. The use of official-looking documents and references to government agencies increases the likelihood of successful compromise. The group’s ability to remain undetected for extended periods underscores the sophistication of their operations and the effectiveness of their evasion techniques.

Mitigation and Countermeasures

Organizations are advised to implement a multi-layered defense strategy to mitigate the risk posed by APT31 and similar threat actors. Key recommendations include:

Monitoring for suspicious scheduled tasks that mimic legitimate applications such as Yandex Disk and Google Chrome is essential. Organizations should audit cloud storage access logs for Yandex Cloud and Microsoft OneDrive to identify anomalous activity indicative of C2 or data exfiltration. Security teams should search for known APT31 tool filenames and hashes, including CloudyLoader.dll, SharpADUserIP.exe, SharpChrome.exe, SharpDir.exe, StickyNotesExtract.exe, OneDriveDoor.exe, and YaLeak.exe.

Investigating any use of VirusTotal as a C2 channel, particularly via the VtChatter tool, is recommended. Organizations should review spear-phishing attempts with RAR, ZIP, or Word attachments, especially those referencing government agencies or containing the author field "pc1q213". Monitoring for DLL side-loading activity involving Yandex.Browser and dot1xtray.exe can help detect early stages of the attack chain.

Endpoint detection and response (EDR) solutions should be configured to alert on the execution of unsigned or suspicious DLLs by signed binaries, as well as the creation of new scheduled tasks and registry run keys. Network monitoring should include inspection of outbound connections to cloud storage services and the use of encrypted tunnels such as Tailscale VPN and Microsoft dev tunnels.
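To make the EDR and scheduled-task monitoring above concrete, here is an added Python hunt (not Rescana's or Positive Technologies' code) that applies two of the report's indicators to constructed Sysmon-style events: known side-load DLL names loaded from outside the Windows system directories, and tasks named after Yandex or Chrome whose action binary runs outside the vendor's install root. The event field names and the install-root allow-lists are assumptions to tune for your environment.

```python
"""Hunt over Sysmon-style events for the APT31 side-loading and look-alike task behaviours
described above. Added example; event field names and install-root allow-lists are assumptions."""
import ntpath
from typing import Iterable, List, Optional

# DLL names the report ties to CloudyLoader side-loading.
SIDELOAD_DLLS = {"msvcr100.dll", "msvcr110.dll", "winhttp.dll", "wtsapi.dll"}
# Where these DLLs legitimately live (assumes a default Windows layout).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Task-name keyword -> install roots expected for that vendor (assumed defaults; tune per estate).
GOOGLE_ROOTS = ("c:\\program files\\google\\", "c:\\program files (x86)\\google\\")
YANDEX_ROOTS = ("c:\\program files\\yandex\\", "c:\\program files (x86)\\yandex\\")
TASK_LURES = {"chrome": GOOGLE_ROOTS, "google": GOOGLE_ROOTS, "yandex": YANDEX_ROOTS}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def sideload_alert(ev: dict) -> Optional[str]:
    """A known side-load DLL name loaded from outside the Windows system directories."""
    dll = _norm(ev["image_loaded"])
    if ntpath.basename(dll) not in SIDELOAD_DLLS or dll.startswith(SYSTEM_DIRS):
        return None
    # msvcr1x0.dll shipped beside a legitimate app is the main false positive; host name and signature narrow it.
    return f"side-load: {ev['image']} loaded {ev['image_loaded']} signed={ev.get('dll_signed')}"


def task_alert(ev: dict) -> Optional[str]:
    """A task named after Yandex/Chrome whose action runs outside the vendor's install roots."""
    name, action = ev["task_name"].lower(), _norm(ev["action"])
    for keyword, roots in TASK_LURES.items():
        if keyword in name and not action.startswith(roots):
            return f"look-alike task: {ev['task_name']} -> {ev['action']}"
    return None


def hunt(events: Iterable[dict]) -> List[str]:
    """Run the rule matching each event type and return the alert strings."""
    rules = {"image_load": sideload_alert, "task_create": task_alert}
    hits = (rules[ev["event"]](ev) for ev in events if ev["event"] in rules)
    return [h for h in hits if h]


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"event": "image_load", "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\winhttp.dll", "dll_signed": True},
    {"event": "image_load", "image": r"C:\Users\u\Downloads\dot1xtray.exe",
     "image_loaded": r"C:\Users\u\Downloads\msvcr110.dll", "dll_signed": False},
    {"event": "task_create", "task_name": "GoogleUpdateTaskMachineCore",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    {"event": "task_create", "task_name": "Yandex Disk Update",
     "action": r"C:\ProgramData\Yandex\dot1xtray.exe"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags only the second and fourth events; the legitimate winhttp.dll load and the genuine Google update task pass.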

User awareness training focused on spear-phishing and social engineering tactics can reduce the likelihood of initial compromise. Regular patching and hardening of systems, combined with the principle of least privilege, will limit the attacker’s ability to move laterally and escalate privileges.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and vendor ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring the resilience of critical business operations. For more information or to discuss how Rescana can support your cybersecurity strategy, we are happy to answer questions at ops@rescana.com.