Article Details

China-Linked APT31 Launches Stealthy Cyberattacks on Russian IT Using Cloud Services. The China-linked advanced persistent threat (APT) group known as APT31 has been attributed to cyber attacks targeting the Russian information technology (IT) sector between 2024 and 2025 while staying undetected for extended periods of time. "In the period from 2024 to 2025, the Russian IT sector, especially companies working as contractors and integrators of solutions for government agencies, faced a series of targeted computer attacks," Positive Technologies researchers Daniil Grigoryan and Varvara Koloskova said in a technical report. APT31, also known as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium), is assessed to be active since at least 2010. It has a track record of striking a wide range of sectors, including governments, financial, and aerospace and defense, high tech, construction and engineering, telecommunications, media, and insurance. The cyber espionage group is primarily focused on gathering intelligence that can provide Beijing and state-owned enterprises with political, economic, and military advantages. In May 2025, the hacking crew was blamed by the Czech Republic for targeting its Ministry of Foreign Affairs. The attacks aimed at Russia are characterized by the use of legitimate cloud services, mainly those prevalent in the country, like Yandex Cloud, for command-and-control (C2) and data exfiltration in an attempt to blend in with normal traffic and escape detection. The adversary is also said to have staged encrypted commands and payloads in social media profiles, both domestic and foreign, while also conducting their attacks during weekends and holidays. In at least one attack targeting an IT company, APT31 breached its network as far back as late 2022, before escalating the activity coinciding with the 2023 New Year holidays. In another intrusion detected in December 2024, the threat actors sent a spear-phishing email containing a RAR archive that, in turn, included a Windows Shortcut (LNK) responsible for launching a Cobalt Strike loader dubbed CloudyLoader via DLL side-loading. Details of this activity were previously documented by Kaspersky in July 2025, while identifying some overlaps with a threat cluster known as EastWind. The Russian cybersecurity company also said it identified a ZIP archive lure that masqueraded as a report from the Ministry of Foreign Affairs of Peru to ultimately deploy CloudyLoader. To facilitate subsequent stages of the attack cycle, APT31 has leveraged an extensive set of publicly available and custom tools. Persistence is achieved by setting up scheduled tasks that mimic legitimate applications, such as Yandex Disk and Google Chrome. Some of them are listed below - "APT31 is constantly replenishing its arsenal: although they continue to use some of their old tools," Positive Technologies said. "As C2, attackers actively use cloud services, in particular, Yandex and Microsoft OneDrive services. Many tools are also configured to work in server mode, waiting for attackers to connect to an infected host." "In addition, the grouping exfiltrates data through Yandex's cloud storage. These tools and techniques allowed APT31 to stay unnoticed in the infrastructure of victims for years. At the same time, attackers downloaded files and collected confidential information from devices, including passwords from mailboxes and internal services of victims."