Who Can You Trust Anymore?

A Chinese state-aligned threat actor may have been spying on Russia's government for years through its IT sector. For all of the adversarial intelligence gathering going on in the world today, there is also plenty of spying among friends. Friendly nations, and friendly-ish nations like China and Russia, regularly use cyberspace against their allies to glean potentially valuable political or economic intelligence, gain advantages in strategic negotiations, or simply steal technology.

On 20 November 2025, Russian IT security vendor Positive Technologies detailed a longstanding espionage campaign against Russia's IT sector. The culprit: China's APT31 (also known as Judgment Panda, TA412, and Violet Typhoon), an advanced persistent threat (APT) group active for a decade and a half and well known for industrial espionage and intellectual property (IP) theft against thousands of organizations worldwide.

APT31's trick this time around, the researchers found, was a sophisticated manipulation of legitimate cloud services for malicious command-and-control (C2). The first known evidence of APT31's campaign against Russia's IT sector dates to the end of 2022, though the bulk of the campaign appears to have occurred in 2024 and 2025. In many ways, the attacks have unfolded as most Chinese espionage campaigns do: APT31 distributed targeted phishing emails with archive files attached, containing decoy documents and its malware, which was executed on victims' systems using dynamic link library (DLL) sideloading.

APT31 uses both commercial software and custom malware for the various stages of its attack chain. For instance, the group can steal victims' authentication data using one tool that harvests credentials from Google Chrome and Microsoft Edge, another that searches through local files, and a third that scrapes Windows Sticky Notes, just in case victims leave their passwords on digital Post-its instead of physical ones.

APT31 employs a variety of backdoors, each customized to the victim's operating system (Windows and Linux call for different choices) and to its own chosen means of C2 communication. For example, its "OneDriveDoor" backdoor uses Microsoft OneDrive for C2 communication, while "CloudSorcerer" can use OneDrive, Dropbox, or the Russian Yandex Cloud service. Its "YaLeak" tool uses Yandex Cloud for data exfiltration, and its most tongue-in-cheek malware, "VtChatter," uses the commenting system on the threat intelligence platform VirusTotal (VT) as a covert C2 channel.
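Because the C2 traffic described above terminates at services that ordinary workstations also use, a defender's best lever is not blocking the service but asking which process is talking to it and how regularly. The following is an added example, not code from the article or from Positive Technologies: it scores constructed proxy records for two signals, a process other than the expected cloud client contacting a cloud storage or VirusTotal API host, and a near-constant polling cadence. The log format, hostnames, and process allowlist are assumptions to be tuned to a real environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Cloud services named in the article, mapped to the client processes a defender would
# normally expect to contact them. Hostnames and process names are assumptions to tune.
EXPECTED_CLIENTS = {
    "graph.microsoft.com": {"onedrive.exe", "msedge.exe", "chrome.exe"},
    "api.dropboxapi.com": {"dropbox.exe", "msedge.exe", "chrome.exe"},
    "cloud-api.yandex.net": {"yandexdisk2.exe", "msedge.exe", "chrome.exe"},
    "www.virustotal.com": {"msedge.exe", "chrome.exe"},
}
MIN_HITS, MAX_JITTER = 4, 0.15   # beacon = at least 4 hits with near-constant spacing

def parse_line(line):
    """Parse one constructed proxy record: '<iso-time> key=value key=value ...'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_suspicious(lines):
    """Return [(host, proc, dst, reasons)] for cloud-API traffic worth a closer look."""
    groups = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["dst"] in EXPECTED_CLIENTS:
            groups[(rec["host"], rec["proc"].lower(), rec["dst"])].append(rec["ts"])
    findings = []
    for (host, proc, dst), times in groups.items():
        reasons = []
        if proc not in EXPECTED_CLIENTS[dst]:
            reasons.append(f"unexpected process {proc} -> {dst}")
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Short-circuit keeps pstdev/mean away from empty or single-gap lists.
        if len(times) >= MIN_HITS and pstdev(gaps) / mean(gaps) < MAX_JITTER:
            reasons.append(f"beacon-like cadence ~{mean(gaps):.0f}s over {len(times)} hits")
        if reasons:
            findings.append((host, proc, dst, reasons))
    return findings

# Constructed sample: a sideloaded host process polling OneDrive every five minutes,
# next to a legitimate OneDrive client and a user visiting VirusTotal once.
SAMPLE_LOG = """\
2025-03-04T10:00:00 host=WS-17 proc=svchost.exe dst=graph.microsoft.com bytes_out=812
2025-03-04T10:05:01 host=WS-17 proc=svchost.exe dst=graph.microsoft.com bytes_out=790
2025-03-04T10:10:00 host=WS-17 proc=svchost.exe dst=graph.microsoft.com bytes_out=805
2025-03-04T10:14:59 host=WS-17 proc=svchost.exe dst=graph.microsoft.com bytes_out=2211
2025-03-04T10:02:13 host=WS-22 proc=OneDrive.exe dst=graph.microsoft.com bytes_out=5120
2025-03-04T10:09:44 host=WS-22 proc=OneDrive.exe dst=graph.microsoft.com bytes_out=4096
2025-03-04T10:31:05 host=WS-22 proc=chrome.exe dst=www.virustotal.com bytes_out=640
""".splitlines()

if __name__ == "__main__":
    for host, proc, dst, reasons in find_suspicious(SAMPLE_LOG):
        print(host, proc, dst, "; ".join(reasons))
```

Only the svchost.exe group on WS-17 is reported, on both counts; the genuine OneDrive client and the single browser visit produce nothing, which is the point of scoring by process and cadence rather than by destination alone.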

Bugcrowd founder Casey Ellis laments just how difficult it is to prevent hackers from abusing legitimate cloud services to conceal their malicious activity. "Aside from playing whack-a-mole when a campaign like this, there is very little that cloud services can do to stop this type of C2 abuse," he explains. "This is deliberate exploitation of intentional design, and the fact that it flies under the radar for this reason is being deliberately abused by the threat actors. This type of C2 is notoriously difficult to prevent, aside from adding coarse features like geo-blocking entire regions or shutting the whole service down."

Certain circumstantial evidence suggests that APT31's campaign might have been aimed at more than just IT companies and commercial data, and possibly at targets beyond Russia. Importantly, its attacks were concentrated not against Russia's IT sector broadly, but specifically against contractors and integrators of IT solutions for government agencies. Russia itself has used this backdoor approach to breach the US government in the past.

The researchers also spotted a version of APT31's very same attack chain in Peru. In that case, an unidentified victim was served malware alongside a decoy document crafted to look like an official financial report from the Ministry of Foreign Affairs of Peru, a more direct indication that APT31 may have been seeking out government victims.

Certis Foster, senior threat hunter lead at Deepwatch, points out that it can be difficult to separate government and commercial cyberespionage coming from China. "Targeting Russian IT contractors gives China a backdoor into hardened government networks," he says. "Russia still has valuable aerospace, defense, and nuclear technologies that Chinese state-owned companies seek, to gain a competitive advantage. With Western sanctions limiting Russia's tech options, China also wants to know what alternatives Russia is developing in the shadows. The lines between espionage and corporate theft blur completely here because, in my book, China's state and major corporations are the same entity."

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

Source: https://www.darkreading.com/cyberattacks-data-breaches/china-spies-russian-it-orgs
