China-linked APT31 used local cloud services and public tools to target Russian IT sector, Positive Technologies reports


A technical report by Positive Technologies researchers Daniil Grigoryan and Varvara Koloskova said that a China-linked advanced persistent threat known as APT31 carried out targeted attacks against the Russian information technology sector between 2024 and 2025, with many victims contracted to or integrating solutions for government agencies.

APT31, which is also tracked under names such as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres and Violet Typhoon, is assessed to have been active since at least 2010 and has a history of operations against governments, financial institutions, aerospace and defence, telecommunications and other sectors.

The researchers said the intrusions made extensive use of legitimate cloud services popular in Russia, notably Yandex Cloud, for command-and-control and data exfiltration to blend with normal traffic. They also reported that operators staged encrypted commands and payloads in social media profiles and timed activity to weekends and holidays; one intrusion traced back to a compromise as early as late 2022 that intensified around the 2023 New Year holidays.

In one incident detected in December 2024, the actors sent a spear-phishing message carrying a RAR archive that contained a Windows Shortcut (LNK) file; opening it launched a Cobalt Strike loader known as CloudyLoader via DLL side-loading, a technique previously documented by Kaspersky that showed overlaps with other observed threat clusters.
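Two telemetry checks a defender could run against endpoint logs for the archive-to-LNK-to-side-loading chain described above, as an added example (not code from the Positive Technologies report or from Kaspersky). The event shapes imitate Sysmon process-creation and image-load records reduced to a few fields; the archive temp-directory patterns, the user-writable and system path patterns, and every sample event below are constructed assumptions, not indicators from the report.

```python
"""Heuristics for the archive -> LNK -> DLL side-loading chain (added example)."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Assumption: archive tools unpack an item opened straight from the archive into
# a temp folder (WinRAR's Rar$ folders are one example); matched case-insensitively.
ARCHIVE_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\(Rar\$|7z)", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^C:\\(Windows|Program Files( \(x86\))?)\\", re.IGNORECASE)


def flag_archive_launch(ev: Dict[str, str]) -> Optional[str]:
    """Process creation whose binary or working directory is an archive extraction
    folder and whose parent is the shell, i.e. the shape of a user double-click on
    an LNK inside an opened archive."""
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    if parent != "explorer.exe":
        return None
    for field in ("Image", "CurrentDirectory"):
        if ARCHIVE_TEMP_RE.search(ev.get(field, "")):
            return f"process launched from archive temp dir: {ev['Image']}"
    return None


def flag_sideload(ev: Dict[str, str]) -> Optional[str]:
    """Image load where an executable living outside system/program directories
    loads an unsigned DLL from its own directory: the classic side-loading shape."""
    exe = PureWindowsPath(ev.get("Image", ""))
    dll = PureWindowsPath(ev.get("ImageLoaded", ""))
    if dll.suffix.lower() != ".dll":
        return None
    if SYSTEM_DIR_RE.match(str(exe)) or not USER_WRITABLE_RE.match(str(exe)):
        return None
    same_dir = exe.parent.as_posix().lower() == dll.parent.as_posix().lower()
    unsigned = str(ev.get("Signed", "")).lower() != "true"
    if same_dir and unsigned:
        return f"possible DLL side-load: {exe.name} loaded {dll.name} from {exe.parent}"
    return None


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run both checks over a list of events and collect the findings in order."""
    findings = []
    for ev in events:
        for check in (flag_archive_launch, flag_sideload):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry (not real indicators): one benign launch, one launch
# from an archive temp folder, one unsigned DLL loaded beside that binary, and one
# normal system DLL load.
SAMPLE_EVENTS = [
    {"EventId": "1", "Image": r"C:\Program Files\Vendor\app.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\Users\alice\Documents"},
    {"EventId": "1", "Image": r"C:\Users\alice\AppData\Local\Temp\Rar$DIa0001\report.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp\Rar$DIa0001"},
    {"EventId": "7", "Image": r"C:\Users\alice\AppData\Local\Temp\Rar$DIa0001\report.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Rar$DIa0001\helper.dll",
     "Signed": "false"},
    {"EventId": "7", "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Neither check is conclusive on its own: plenty of legitimate installers run from temp folders, and some software ships unsigned helper DLLs. The value comes from correlating the two findings on the same host within a short window, and from the parent being the interactive shell rather than an installer or updater service.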

To support reconnaissance, persistence and lateral movement the group used a mix of publicly available and custom tools, including SharpADUserIP, SharpChrome.exe, SharpDir, StickyNotesExtract.exe, the Microsoft dev tunnels capability, and a local variant of PlugX tracked as LocalPlugX. The report also notes the use of a two-way channel that placed Base64-encoded comments in a text file hosted on VirusTotal, as well as other bespoke backdoors that relied on cloud services.
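A small hunting routine for the kind of channel described above, added here as an example and not taken from the report: given the text of a file retrieved from a public service, it locates Base64-looking tokens in comment lines, decodes them, and keeps only those that decode to mostly printable text, which filters out hashes and other alphanumeric noise. The convention that comments start with `#`, the 90% printable threshold, and the sample file contents are all constructed assumptions.

```python
"""Hunt for Base64-encoded tasking hidden in comment lines of a text file (added example)."""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Runs of Base64 alphabet characters of plausible length, with optional padding.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_if_base64(token: str) -> Optional[str]:
    """Return the decoded text when token is correctly padded Base64 that decodes
    to mostly printable ASCII; otherwise None. Hex digests are valid Base64 too,
    so the printable-ratio check is what separates tasking from checksums."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    if printable / len(raw) < 0.9:  # assumed threshold
        return None
    return raw.decode("ascii", errors="replace")


def find_hidden_tasking(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, token, decoded_text) for every Base64 blob found in a
    comment line that survives decode_if_base64."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.lstrip().startswith("#"):  # assumed comment marker
            continue
        for token in B64_TOKEN_RE.findall(line):
            decoded = decode_if_base64(token)
            if decoded is not None:
                hits.append((lineno, token, decoded))
    return hits


# Constructed sample file: an innocuous note, a hex checksum that must not be
# flagged, and one comment that decodes to a placeholder tasking string.
SAMPLE_FILE = """\
# build notes for the reporting tool
version=2.3.1
# sha256 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
# dGFzaz1saXN0LWZpbGVz
name=report
"""

if __name__ == "__main__":
    for lineno, token, decoded in find_hidden_tasking(SAMPLE_FILE):
        print(f"line {lineno}: {token} -> {decoded!r}")
```

Real operators would typically encrypt before encoding, so a blob that decodes to high-entropy bytes is not automatically benign; the routine above is a first pass that surfaces plaintext tasking, and the rejected tokens deserve a second look by size and placement rather than being discarded.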

Positive Technologies said the operators exfiltrated files and collected credentials from internal services and mailboxes, frequently using Yandex cloud storage for data theft, and that these techniques allowed the adversary to remain unnoticed on some victim networks for years.