🔴 HIGH intel

APT31 Uses Cloud C2 to Spy on Russian IT Contractors

APT31, a long-running China-linked APT also tracked as Altaire, Judgement Panda and Violet Typhoon, has been attributed to stealthy cyber-espionage campaigns against Russian IT contractors and system integrators serving government agencies between 2022 and 2025. The group abused legitimate cloud services such as Yandex Cloud and Microsoft OneDrive as command-and-control (C2) channels and used tools like CloudyLoader and CloudSorcerer to blend into normal network traffic, mapping to MITRE ATT&CK T1102 (Web Service), T1071 (Application Layer Protocol) and T1567 (Exfiltration Over Web Service). Initial access in at least one intrusion came via spear-phishing emails delivering RAR archives containing malicious Windows Shortcut (LNK) files that side-loaded a Cobalt Strike–based loader, aligning with T1566 (Phishing) and T1204 (User Execution).

Once inside targeted networks, APT31 deployed a diverse toolset for discovery, credential theft, persistence and data collection. Utilities such as SharpADUserIP, SharpDir and StickyNotesExtract.exe supported reconnaissance and data harvesting, while Owawa and LocalPlugX were used for credential theft and lateral movement. For remote access and tunneling, the actors leveraged Tailscale VPN, Microsoft dev tunnels, COFFProxy and custom Linux backdoors like AufTime that communicate over encrypted channels. Data exfiltration frequently flowed through cloud services, including Yandex cloud storage and OneDrive-based backdoors like OneDriveDoor, enabling the group to masquerade as legitimate SaaS traffic and remain resident for months or years.

The campaigns focus on Russian IT companies acting as contractors and integrators for government agencies, giving APT31 an opportunity to gain indirect access to sensitive networks and information. This third-party targeting mirrors previous APT31 operations against governments and strategic sectors worldwide, seeking political, economic and military intelligence for Beijing and state-owned enterprises. Prolonged dwell time and the use of cloud-native C2 make detection challenging and heighten the risk of unnoticed theft of credentials, government documents and internal communications.

Defenders should assume that cloud services and VPNs can be dual-use channels and build detection around usage patterns rather than simple domain blocklists. Mitigations include monitoring for unusual Tailscale or dev tunnel usage, auditing scheduled tasks that mimic legitimate software like Yandex Disk or Chrome, and inspecting for known APT31 tools and backdoors on endpoints and servers. Organizations relying on Russian or regional IT contractors should strengthen third-party risk controls, enforce strict segmentation between provider and client environments, and collect detailed telemetry on cloud-service access used for administration or remote support.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: APT31’s campaigns against Russian IT contractors highlight the systemic risk posed by service providers with privileged access to government and enterprise environments. Successful compromise can expose sensitive political, defense and economic data, while the use of cloud C2 and legitimate VPNs makes intrusions harder to detect and remediate, raising the likelihood of long-term espionage and strategic data loss.

Technical Context: The group relies on spear-phishing with LNK loaders, cloud-hosted payload staging and a large arsenal of custom and commodity tools to conduct discovery, credential theft, tunneling and exfiltration. Techniques map to MITRE T1566, T1102, T1071 and T1567, with persistence via scheduled tasks that impersonate legitimate applications and multiple backdoors including CloudyLoader, CloudSorcerer, OneDriveDoor and AufTime. Effective defense requires deep telemetry on cloud and VPN usage, hardening of third-party access paths and threat hunting for APT31-specific tooling.

Strategic Intelligence Guidance

  • Review and harden third-party access from IT contractors and integrators by enforcing strong MFA, least-privilege roles and dedicated, monitored admin paths for remote support.
  • Deploy advanced EDR and logging on systems administered by service providers, hunting for known APT31 tools, suspicious scheduled tasks and side-loaded DLLs linked to CloudyLoader-style chains.
  • Monitor for anomalous usage of Tailscale VPN, dev tunnels and cloud storage (e.g., Yandex, OneDrive) from servers that do not normally rely on these services, correlating with unusual data-transfer volumes.
  • Build threat-hunting playbooks focused on cloud-based C2, including DNS and HTTPS pattern analysis, and ensure incident response plans account for long-dwell espionage scenarios involving IT suppliers.
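The mitigations above (auditing scheduled tasks that mimic Yandex Disk or Chrome, and flagging Tailscale, dev tunnel or cloud-storage use from hosts that have no baseline for it, correlated with transfer volume) can be expressed as two hunting rules over endpoint and network telemetry. The script below is an added example written for this summary, not tooling from the report or from any vendor; the newline-delimited JSON event format, the vendor install directories, the service domains, the host baseline and the transfer threshold are all constructed assumptions to be replaced with your own inventory and telemetry.

```python
"""Hunting rules for two APT31 behaviours described in the report: scheduled
tasks that impersonate legitimate software (Yandex Disk, Chrome) and dual-use
remote-access / cloud-storage services used from hosts with no baseline for them.
Added example, not tooling from the report. Event format, vendor paths, service
domains, baseline hosts and the size threshold are constructed assumptions."""
import json
import re
from dataclasses import dataclass

# Vendor names attackers borrow for task names, mapped to regexes for the
# directories a genuine install is expected to run from (assumed; verify per fleet).
IMPERSONATED_SOFTWARE = {
    "yandex": [r"\\Program Files( \(x86\))?\\Yandex\\", r"\\AppData\\Local\\Yandex\\"],
    "chrome": [r"\\Program Files( \(x86\))?\\Google\\", r"\\AppData\\Local\\Google\\"],
}

# Service domains for the tunnelling and cloud-storage channels the report names
# (assumed values; suffix-matched so that subdomains are caught, lookalikes are not).
DUAL_USE_DOMAINS = ("devtunnels.ms", "tailscale.com", "disk.yandex.ru", "onedrive.live.com")

# Hosts that legitimately use those services, e.g. admin jump hosts (constructed).
BASELINE_HOSTS = {"jump-01"}

# Outbound bytes per connection above which even a baselined host is flagged (assumed).
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def matches_service(dest: str) -> bool:
    """True if dest is one of the dual-use domains or a subdomain of one."""
    dest = dest.lower().rstrip(".")
    return any(dest == d or dest.endswith("." + d) for d in DUAL_USE_DOMAINS)


def check_task(event: dict):
    """Flag a task whose name borrows a vendor but whose binary lives elsewhere."""
    name = event["task_name"].lower()
    path = event["command"]
    for vendor, allowed_dirs in IMPERSONATED_SOFTWARE.items():
        if vendor in name and not any(re.search(p, path, re.IGNORECASE) for p in allowed_dirs):
            return Alert("task_impersonation", event["host"], f"{event['task_name']} -> {path}")
    return None


def check_connection(event: dict):
    """Flag dual-use services from unbaselined hosts, or unusually large uploads."""
    if not matches_service(event["dest"]):
        return None
    if event["host"] not in BASELINE_HOSTS:
        return Alert("unbaselined_dual_use_service", event["host"], event["dest"])
    if event.get("bytes_out", 0) > LARGE_TRANSFER_BYTES:
        return Alert("large_transfer_to_cloud", event["host"],
                     f"{event['dest']} bytes_out={event['bytes_out']}")
    return None


def hunt(lines):
    """Run both rules over newline-delimited JSON events; return alerts in order."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "task_created":
            alert = check_task(ev)
        elif ev["type"] == "net_conn":
            alert = check_connection(ev)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: one impersonating task, one genuine Chrome task,
# dev-tunnel and Yandex traffic from servers, and a large upload from a jump host.
SAMPLE_EVENTS = [
    {"type": "task_created", "host": "srv-build-03", "task_name": "YandexDiskUpdater",
     "command": r"C:\Users\Public\Libraries\ydisk.exe"},
    {"type": "task_created", "host": "ws-101", "task_name": "GoogleChromeUpdateTask",
     "command": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    {"type": "net_conn", "host": "srv-build-03", "dest": "abc123-8080.euw.devtunnels.ms", "bytes_out": 4096},
    {"type": "net_conn", "host": "jump-01", "dest": "controlplane.tailscale.com", "bytes_out": 2048},
    {"type": "net_conn", "host": "srv-db-01", "dest": "disk.yandex.ru", "bytes_out": 512},
    {"type": "net_conn", "host": "jump-01", "dest": "onedrive.live.com", "bytes_out": 900_000_000},
    {"type": "net_conn", "host": "ws-101", "dest": "www.example.com", "bytes_out": 128},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Both rules deliberately avoid a plain domain blocklist: the service domains only matter in combination with which host is talking and how much it sends, which is the usage-pattern approach the summary recommends for dual-use channels. Feed the script real scheduled-task creation and proxy or flow records in the same shape, and tune the baseline set and threshold before alerting on it.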

Vendors

  • Yandex
  • Microsoft OneDrive
  • Tailscale

Threats

  • APT31
  • Cloud-based command and control
  • Nation-state cyber espionage

Targets

  • Russian IT contractors
  • Government IT integrators
  • Managed service providers

Intelligence Source: APT31 Uses Cloud C2 to Spy on Russian IT Contractors | Nov 23, 2025