The advanced persistent threat (APT) group known as APT31, which Western governments have linked to China's state-sponsored espionage efforts, has been attributed to a series of cyberattacks targeting Russia's information technology (IT) sector. These attacks primarily focused on companies serving as contractors and integrators for government agencies, with activity spanning from late 2022 through 2025. Russian cybersecurity firm Positive Technologies attributed the campaign to APT31 in a November 2025 report, noting that the operations were carefully planned to enable prolonged, undetected access.[1]
APT31, also tracked as ZIRCONIUM and Judgment Panda, is a long-running espionage group that Western governments have publicly linked to the Chinese state.
See: https://redskyalliance.org/xindustry/who-can-you-trust-anymore-5
The intrusions involved long-term persistence in victim networks. In one documented case, the attackers gained access to a Russian IT company's systems as early as late 2022, and activity picked up again during the 2023 New Year holidays, when staffing was low but the infrastructure remained online. Further attacks were observed in 2024 and 2025, including a spear-phishing incident in December 2024 in which a malicious archive disguised as a procurement request was used to deploy malware. Operations were often timed to weekends and public holidays, when the chance of an analyst noticing anomalous activity was lowest.
Tools & Techniques - APT31 employed a combination of publicly available tools and custom malware. Key techniques included:
- Routing commands through profiles on social media and web platforms (a dead-drop resolver pattern: the implant reads its tasking or next C2 address from a profile page on a popular site, so its first hop looks like ordinary browsing).
- Using legitimate cloud services, such as Yandex Cloud, Microsoft OneDrive, and Dropbox, for command-and-control (C2) communications and data exfiltration.
- Deploying backdoors such as CloudSorcerer, OneDriveDoor, and CloudyLoader (a Cobalt Strike loader), often via DLL side-loading, in which a malicious DLL is dropped beside a legitimately signed executable that loads it by name.
- Additional tools for reconnaissance, credential theft, and lateral movement, including SharpADUserIP, SharpChrome, Mimikatz, and Tailscale VPN.
These methods enabled the group to maintain access for extended periods, in some cases years, while exfiltrating sensitive data.
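Because the C2 channel described above rides on services most organisations use legitimately, blocking the domains is rarely an option; a more useful first check is whether a host is talking to a cloud-storage API on a fixed cadence, outside working hours. The script below is an added example written for this article, not code from Positive Technologies, Red Sky Alliance or the campaign itself. It runs a simple beaconing heuristic (coefficient of variation of the gaps between requests) over a constructed proxy log and reports the off-hours fraction for each source/destination pair. The hostnames in CLOUD_STORAGE_HOSTS are illustrative API endpoints for the three services named above, not indicators from the report, and the log lines are made up.

```python
"""Beaconing heuristic for cloud-storage C2 over proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample proxy log, not real telemetry.
# Fields: timestamp (UTC), source host, URL, bytes sent.
# 2024-12-28 is a Saturday; 2024-12-27 is a Friday.
SAMPLE_LOG = """\
2024-12-28T02:00:03Z ws-0412 https://api.dropboxapi.com/2/files/download 1402
2024-12-28T02:05:02Z ws-0412 https://api.dropboxapi.com/2/files/download 1398
2024-12-28T02:10:04Z ws-0412 https://api.dropboxapi.com/2/files/download 1405
2024-12-28T02:15:01Z ws-0412 https://api.dropboxapi.com/2/files/download 1401
2024-12-28T02:20:03Z ws-0412 https://api.dropboxapi.com/2/files/download 1399
2024-12-28T02:25:02Z ws-0412 https://api.dropboxapi.com/2/files/download 1400
2024-12-27T09:12:44Z ws-0077 https://graph.microsoft.com/v1.0/me/drive/root/children 2210
2024-12-27T10:41:09Z ws-0077 https://graph.microsoft.com/v1.0/me/drive/root/children 1870
2024-12-27T14:03:51Z ws-0077 https://graph.microsoft.com/v1.0/me/drive/root/children 3122
2024-12-27T16:58:20Z ws-0077 https://graph.microsoft.com/v1.0/me/drive/root/children 2054
2024-12-27T11:00:00Z ws-0077 https://www.example.com/index.html 512
"""

# Illustrative API hosts for Dropbox, OneDrive (Microsoft Graph) and Yandex Cloud.
# Assumed for the example; build the real list from your own egress inventory.
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com",
    "content.dropboxapi.com",
    "graph.microsoft.com",
    "cloud-api.yandex.net",
}


def parse_log(text):
    """Parse the four-field log format above into (time, src, host, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, url, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, src, urlsplit(url).hostname, int(nbytes)))
    return records


def find_beacons(records, watch_hosts=CLOUD_STORAGE_HOSTS, min_hits=4, max_cv=0.15):
    """Score each (source, cloud host) pair for periodicity and off-hours activity.

    A pair is 'periodic' when the coefficient of variation of its inter-request
    gaps is at or below max_cv. off_hours_fraction counts requests made on a
    weekend or outside 07:00-19:00 UTC (working hours are an assumption here).
    """
    by_pair = defaultdict(list)
    for when, src, host, _nbytes in records:
        if host in watch_hosts:
            by_pair[(src, host)].append(when)

    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        off_hours = sum(
            1 for t in times if t.weekday() >= 5 or not 7 <= t.hour < 19
        ) / len(times)
        findings[pair] = {
            "hits": len(times),
            "mean_interval_s": round(avg),
            "cv": round(cv, 3),
            "off_hours_fraction": round(off_hours, 2),
            "periodic": cv <= max_cv,
        }
    return findings


def suspicious_pairs(findings):
    """Return the periodic pairs, most off-hours first, for analyst triage."""
    hits = [p for p, f in findings.items() if f["periodic"]]
    return sorted(hits, key=lambda p: -findings[p]["off_hours_fraction"])


if __name__ == "__main__":
    results = find_beacons(parse_log(SAMPLE_LOG))
    for pair in suspicious_pairs(results):
        print(pair, results[pair])
```

Legitimate sync clients also poll on a schedule, so a periodic hit is a triage lead rather than a verdict: the next pivot is the process and user agent behind the requests, whether that user actually has the vendor's client installed, and whether the request volume matches the tiny, near-constant payload sizes a tasking beacon produces.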
Public reports of cyber operations by China-linked actors against Russian targets are uncommon, given the strategic partnership between the two countries. However, this campaign follows earlier indications of similar activity.
- In 2024, Kaspersky reported intrusions into Russian state agencies and tech companies using tools associated with Chinese threat actors, including APT31 and APT27, in a campaign dubbed EastWind.
- Positive Technologies' report did not directly reference China or Beijing. APT31, also tracked as Zirconium, Judgment Panda, and Violet Typhoon, has a history of espionage targeting governments and critical sectors worldwide.
The firm behind the primary attribution, Positive Technologies, is based in Moscow and was sanctioned by the United States in 2021 for allegedly supporting Russian intelligence agencies.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.cybersecurityintelligence.com/blog/chinese-threat-group-turns-on-russia-8961.html