APT31 Sneaky Cyberattacks on Russian IT Using Cloud Services: China-Linked Attacks


“There are huge sneaky cyberattacks run by Chinese APT31 on Russian IT using cloud services.”

The Russian information technology (IT) industry was targeted between 2024 and 2025 by the China-affiliated advanced persistent threat (APT) group known as APT31, whose activity remained undiscovered for a considerable time.

Daniil Grigoryan and Varvara Koloskova, Positive Technologies researchers, report:

“The Russian IT industry experienced several targeted cyberattacks between 2024 and 2025, particularly those that contracted with and integrated solutions for government organizations.”

“Even if they still employ parts of their outdated equipment, APT31 is continuously expanding its arsenal.”

“Attackers actively utilize cloud services as C2, specifically Yandex and Microsoft OneDrive services. Additionally, a lot of programs are set up to operate in server mode, awaiting an attacker’s connection to an infected machine.”

“Furthermore, the organization uses Yandex’s cloud storage to exfiltrate data. APT31 was able to remain undetected in the victims’ infrastructure for years thanks to these tools and strategies. Attackers simultaneously downloaded files and gathered private data from devices, including passwords from victims’ internal services and mailboxes.”

APT31, active since at least 2010, is also tracked as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium).

It has a history of targeting many different industries, including:

  1. Governments,
  2. Financial,
  3. Aerospace & Defense,
  4. High Tech,
  5. Construction & Engineering,
  6. Telecommunications,
  7. Media, and
  8. Insurance

The cyber espionage group’s primary goal is to gather intelligence that could give Beijing and state-owned businesses military, economic, and political advantages. In May 2025, the Czech Republic accused the group of attacking its Ministry of Foreign Affairs.

In an effort to blend in with normal traffic and avoid detection, the attacks targeting Russia are characterized by the use of legitimate cloud services, primarily ones widely used in the country, such as Yandex Cloud, for command-and-control (C2) and data exfiltration.

The adversary is also reported to have placed encrypted commands and payloads in both domestic and foreign social media profiles, and to have carried out its attacks on weekends and holidays.
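As an added example (not code from the report or the original article), the following Python flags hosts that contact the cloud services named above at a near-constant interval, the polling cadence that implants using a cloud file as a C2 channel produce; the proxy-log layout, the watched-domain list and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Illustrative list of the cloud services the report names as C2 or exfiltration channels.
CLOUD_C2_DOMAINS = ("yandex.", "onedrive.", "virustotal.com")

# Constructed proxy-log layout: "YYYY-MM-DD HH:MM:SS src_ip method host".
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")

def parse_proxy_log(lines):
    """Group request timestamps by (source IP, host), keeping only the watched cloud domains."""
    sessions = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        src, host = m.group(2), m.group(4)
        if any(d in host for d in CLOUD_C2_DOMAINS):
            sessions[(src, host)].append(ts)
    return sessions

def find_beacons(sessions, min_hits=4, max_jitter=0.1):
    """Flag pairs whose inter-request gaps are near-constant (coefficient of variation <= max_jitter)."""
    findings = []
    for (src, host), stamps in sessions.items():
        if len(stamps) < min_hits:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"src": src, "host": host, "period_s": round(avg), "hits": len(stamps)})
    return findings

# Constructed sample: 10.0.5.23 polls VirusTotal every two hours (the cadence the report gives
# for VtChatter); 10.0.5.40 is a user browsing Yandex Disk at irregular times.
SAMPLE_LOG = """\
2025-01-04 08:00:12 10.0.5.23 GET www.virustotal.com
2025-01-04 10:00:09 10.0.5.23 GET www.virustotal.com
2025-01-04 12:00:15 10.0.5.23 GET www.virustotal.com
2025-01-04 14:00:11 10.0.5.23 GET www.virustotal.com
2025-01-04 16:00:13 10.0.5.23 GET www.virustotal.com
2025-01-04 09:12:01 10.0.5.40 GET disk.yandex.ru
2025-01-04 09:13:44 10.0.5.40 GET disk.yandex.ru
2025-01-04 11:47:30 10.0.5.40 GET disk.yandex.ru
2025-01-04 15:02:08 10.0.5.40 GET disk.yandex.ru
""".splitlines()

if __name__ == "__main__":
    for hit in find_beacons(parse_proxy_log(SAMPLE_LOG)):
        print(hit)  # only the VirusTotal poller: period_s 7200, hits 5
```

Legitimate sync clients also poll, so treat a hit as a lead to pair with the process and user behind the source IP, not as a verdict.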

In at least one attack targeting an IT company, APT31 gained access to its network as early as late 2022, then intensified its activity over the 2023 New Year holidays.

In a different intrusion, discovered in December 2024, the threat actors delivered a spear-phishing email containing a RAR archive. The archive held a Windows Shortcut (LNK) that used DLL side-loading to launch a Cobalt Strike loader known as CloudyLoader.

Kaspersky previously reported on this activity in July 2025, noting some similarities with the EastWind threat cluster.

The Russian cybersecurity firm also said it had discovered a ZIP archive lure posing as a report from Peru’s Ministry of Foreign Affairs that installed CloudyLoader.

APT31 has used a wide range of both proprietary and publicly available tools in the later phases of the attack lifecycle. Persistence is achieved by creating scheduled tasks that imitate trusted programs such as Yandex Disk and Google Chrome. Some of the tools are listed below:

  • SharpADUserIP: A C# reconnaissance and discovery tool.
  • exe: Collects cookies and passwords from the Microsoft Edge and Google Chrome web browsers.
  • SharpDir: Searches for files.
  • exe: Retrieves information from the Windows Sticky Notes database.
  • Tailscale VPN: Establishes a peer-to-peer (P2P) network and an encrypted tunnel between the compromised server and the attackers’ infrastructure.
  • Microsoft dev tunnels: Used as a transport tunnel.
  • Owawa: A rogue IIS module designed to steal credentials.
  • AufTime: A Linux backdoor that connects to C2 via the wolfSSL library.
  • COFFProxy: A Golang backdoor that can execute commands, manage files, tunnel communications, and deliver additional payloads.
  • VtChatter: A backdoor whose two-way C2 channel is a text file hosted on VirusTotal, to which it posts Base64-encoded comments every two hours.
  • OneDriveDoor: A backdoor that uses Microsoft OneDrive as C2.
  • LocalPlugX: A PlugX variant that, instead of communicating with C2, is used to spread across the local network.
  • CloudSorcerer: A backdoor that uses cloud services for C2.
  • YaLeak: A tool for uploading data to Yandex Cloud.
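As an added example, not code from the article or the researchers, this Python check audits scheduled-task records for the persistence pattern described above: task names that imitate Yandex Disk or Google Chrome but run from an unexpected location or through a DLL-hosting binary. The trusted-path heuristic and the sample records are assumptions.

```python
import re
import shlex
from pathlib import PureWindowsPath

# Task names that borrow the look of the software the report says APT31 imitates.
LOOKALIKE_NAMES = re.compile(r"yandex|google ?update|chrome", re.IGNORECASE)

# Heuristic, not a vendor-published list: machine-wide installs of these vendors live under Program Files.
TRUSTED_PREFIXES = ("c:/program files/", "c:/program files (x86)/")
# User-writable or unusual directories for an updater binary.
SUSPICIOUS_DIRS = {"temp", "downloads", "public", "programdata"}
# Binaries that load an arbitrary DLL, the pattern behind side-loading chains.
DLL_HOSTS = ("rundll32.exe", "regsvr32.exe")

def executable_of(command):
    """Return the first token of a task action with quotes removed and the path normalized."""
    first = shlex.split(command, posix=False)[0].strip('"')
    return PureWindowsPath(first).as_posix().lower()

def is_suspicious_task(name, command):
    """True when a lookalike task name runs from an unexpected location or through a DLL host."""
    if not LOOKALIKE_NAMES.search(name):
        return False
    exe = executable_of(command)
    if exe.endswith(DLL_HOSTS):
        return True
    if exe.startswith(TRUSTED_PREFIXES):
        return False
    return bool(SUSPICIOUS_DIRS.intersection(exe.split("/")))

def audit_tasks(tasks):
    """Return the names of the tasks that fail the check, in input order."""
    return [name for name, command in tasks if is_suspicious_task(name, command)]

# Constructed sample (task name, action) records as exported from a task scheduler inventory.
SAMPLE_TASKS = [
    ("Yandex Disk Update", r'"C:\Program Files\Yandex\YandexDisk\YandexDisk.exe" --update'),
    ("GoogleUpdateTaskMachineUA", r"C:\ProgramData\GoogleUpdate\GoogleUpdate.exe /ua"),
    ("YandexDiskSync", r"rundll32.exe C:\Users\Public\Libraries\ydsk.dll,Start"),
    ("Backup", r"C:\Users\alice\AppData\Local\Temp\backup.exe"),
]

if __name__ == "__main__":
    print(audit_tasks(SAMPLE_TASKS))  # ['GoogleUpdateTaskMachineUA', 'YandexDiskSync']
```

Per-user installs of these products legitimately live under the user's AppData\Local folder, which is why the check keys on Temp, Downloads, Public and ProgramData rather than on AppData as a whole.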

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, the latest trends in cyber awareness, and ethical hacking.
