A sophisticated Chinese cyber espionage group known as APT31 has been blamed for targeting Russia’s information technology (IT) sector between 2024 and 2025. The group, also known by other names such as Altaire, Bronze Vinewood, and Judgement Panda, has been active since at least 2010.
APT31 primarily focuses on gathering intelligence to gain political, economic, and military advantages for Beijing and its state-owned enterprises. To avoid detection, the attackers use legitimate cloud services like Yandex Cloud for command-and-control (C2) and data exfiltration.
The group’s tactics include staging encrypted commands in social media profiles and conducting attacks during weekends and holidays. In one attack targeting an IT company, APT31 breached its network as far back as late 2022.
To facilitate their attacks, APT31 uses a range of publicly available and custom tools, including SharpADUserIP, SharpChrome.exe, and Owawa. These tools help the attackers gain persistence by mimicking legitimate applications and setting up scheduled tasks.
The group’s arsenal is constantly being replenished as they update and improve their tools to stay ahead of detection. APT31 actively uses cloud services like Yandex and Microsoft OneDrive for C2, and exfiltrates data through these platforms. The group’s tactics allowed them to remain undetected in the infrastructure of victims for years.
Across these intrusions, routing traffic through legitimate cloud services let APT31 blend in with normal network activity and escape detection. The same tooling allowed the attackers to stay unnoticed inside victims' infrastructure while downloading additional files and collecting confidential information from compromised devices.
Source: https://thehackernews.com/2025/11/china-linked-apt31-launches-stealthy.html