A new investigation has revealed that APT31, a long-running Chinese espionage group, quietly infiltrated parts of Russia’s IT supply chain between 2024 and 2025, slipping through networks used by government contractors and remaining unnoticed for extended periods.
Researchers Daniil Grigoryan and Varvara Koloskova of Positive Technologies said the attackers specifically focused on companies that develop or integrate solutions for Russian government agencies, effectively targeting key access points rather than the agencies themselves.
A Familiar Actor With a Broad Track Record
APT31, also known by names such as Judgement Panda, RedBravo, and Violet Typhoon, has been active for over a decade. Its operations regularly circle back to one objective: collecting intelligence that may benefit China’s political leadership or state-owned industries.
Countries across Europe and Asia have dealt with the group’s intrusions. Earlier in May 2025, the Czech Republic publicly accused APT31 of hacking its Ministry of Foreign Affairs.
Hiding in Plain Sight Through Local Cloud Services
What makes the Russia-focused campaign stand out is the level of camouflage.
Rather than relying on suspicious external servers, APT31 routed its command-and-control traffic through Yandex Cloud, a popular and trusted platform inside Russia.
The group also slipped encrypted instructions into social media profiles and timed some operations for weekends and national holidays, when the likelihood of detection was significantly lower.
In one case, investigators later discovered that the attackers had been inside a company’s network since late 2022, becoming more active only around the 2023 New Year holiday, a textbook example of long-term, low-noise espionage.
Phishing Emails and a Familiar Loader
A December 2024 incident involved a spear-phishing message carrying a RAR archive. Inside it was a Windows shortcut file that triggered CloudyLoader, a known Cobalt Strike loader deployed through DLL side-loading.
Kaspersky researchers documented related activity in mid-2025, noting similarities to a cluster dubbed EastWind.
Another lure pretended to be a diplomatic report from the Ministry of Foreign Affairs of Peru, ultimately delivering the same loader.
The Tools Behind the Operation
APT31 used a broad mix of open-source utilities and custom malware to maintain access, move laterally, and quietly extract data. Among the tools identified:
1. SharpADUserIP – reconnaissance and user/IP mapping
2. SharpChrome.exe – theft of browser passwords and cookies
3. StickyNotesExtract.exe – pulls saved notes from Windows
4. Tailscale VPN – encrypted peer-to-peer tunnels
5. Owawa – malicious IIS module for credential harvesting
6. COFFProxy – Golang backdoor for tunneling and remote execution
7. OneDriveDoor – a backdoor using Microsoft OneDrive for C2
8. LocalPlugX – a PlugX variant for internal spread
9. CloudSorcerer – cloud-based backdoor
10. YaLeak – uploads stolen data to Yandex Cloud
Persistence was often achieved through scheduled tasks named after legitimate apps such as Yandex Disk or Google Chrome, a simple but effective disguise.
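As an added example (not code from the Positive Technologies report or the article), the following Python check targets exactly that disguise: it reads the CSV produced by `schtasks /query /fo CSV /v` and flags tasks whose name borrows the Yandex or Google/Chrome brand but whose command line runs from somewhere other than that vendor's install directory. The sample rows below are constructed, and the "expected" install paths are assumed defaults you would tune for your own estate.

```python
import csv
import io

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output,
# reduced to the three columns this check needs (real output has many more).
SAMPLE_SCHTASKS_CSV = r'''
"TaskName","Author","Task To Run"
"\Yandex\YandexDiskUpdate","Yandex","C:\Program Files\Yandex\YandexDisk\YandexDisk2.exe /update"
"\GoogleUpdateTaskMachineUA","Google LLC","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"
"\Google Chrome Update","CORP\svc_build","C:\Users\Public\Libraries\chrome\update.exe"
"\Yandex Disk Sync","CORP\jdoe","rundll32.exe C:\ProgramData\ydisk\sync.dll,Start"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft","%windir%\system32\defrag.exe -c"
'''.strip()

# Vendor names abused as task-name camouflage in the report, mapped to path
# fragments (backslashes normalised to '/') where that vendor's genuine
# binaries live. Assumed default install locations; extend for your estate.
VENDOR_INSTALL_DIRS = {
    "yandex": ("/program files/yandex/", "/appdata/local/yandex/"),
    "chrome": ("/program files/google/", "/program files (x86)/google/", "/appdata/local/google/"),
    "google": ("/program files/google/", "/program files (x86)/google/", "/appdata/local/google/"),
}


def find_masquerading_tasks(csv_text):
    """Return tasks whose name borrows a vendor brand but whose command line
    does not point into that vendor's install directory."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["TaskName"].lower()
        vendors = [v for v in VENDOR_INSTALL_DIRS if v in name]
        if not vendors:
            continue  # not pretending to be one of the watched vendors
        command = row["Task To Run"].lower().replace("\\", "/")
        allowed = [d for v in vendors for d in VENDOR_INSTALL_DIRS[v]]
        if not any(d in command for d in allowed):
            hits.append({
                "task": row["TaskName"],
                "author": row["Author"],
                "command": row["Task To Run"],
                "reason": "named after %s but runs outside that vendor's install directory"
                          % "/".join(vendors),
            })
    return hits


if __name__ == "__main__":
    for hit in find_masquerading_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"[!] {hit['task']} (author {hit['author']}): {hit['command']} -- {hit['reason']}")
```

On a live host, feed it the real `schtasks /query /fo CSV /v` output instead of the sample; a hit is a lead to review, not proof of compromise, since some third-party installers also create vendor-named tasks in unusual locations.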
Years of Stealth and Continuous Data Theft
Positive Technologies emphasized that APT31 continues to evolve its toolkit, increasingly relying on cloud platforms as control points. Several implants operated in “server mode,” waiting passively for the attackers to connect.
During their time inside targeted environments, the group systematically exfiltrated documents, passwords, mailbox credentials, and internal service logins.
In many cases, the theft went on for months, even years, without triggering alarms.
Source: The Hacker News