Concise Cyber


China-Linked APT31 Targets Russian IT with Cloud-Based Cyberattacks

The China-linked advanced persistent threat (APT) group known as APT31 has been identified conducting a cyber-espionage campaign targeting Russian IT service providers and government organizations. This operation is distinguished by its use of legitimate cloud storage services for command-and-control (C2) and data exfiltration, a technique designed to evade detection.

Cloud Services as a C2 Channel

In this campaign, APT31 deployed a sophisticated malware implant that communicates with Dropbox and Yandex Cloud. The malware establishes a persistent connection to these cloud platforms using hardcoded OAuth2 access tokens for authentication. This “living off the cloud” strategy allows the attackers’ C2 traffic to blend in with legitimate network activity, making it difficult for security systems to identify.

The operational flow involves the malware creating a dedicated folder within the compromised user’s cloud storage account. Attacker commands are delivered to the infected system as files placed in this folder, and the malware uploads stolen data back to the same location for the threat actor to retrieve. This method provides a stealthy and resilient channel for remote control and data theft.
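As an added defensive example (not code from the article or the underlying report), the following Python heuristic looks for the polling pattern described above in proxy logs: an unrecognised process that contacts cloud-storage API hosts at near-constant intervals, as a beacon checking a drop folder for command files would, and pushes data back with POST requests. The log format, API host names, process names, thresholds and sample records are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed API hosts for the two services named in the article (constructed list).
CLOUD_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "cloud-api.yandex.net"}
# Assumed names of the vendors' own sync clients, whose traffic is expected.
KNOWN_CLIENTS = {"Dropbox.exe", "YandexDisk2.exe"}

def parse_line(line):
    """Parse a constructed proxy record: 'ISO-time host process dest method bytes'."""
    ts, host, proc, dest, method, nbytes = line.split()
    return datetime.fromisoformat(ts), host, proc, dest, method, int(nbytes)

def find_beacons(lines, min_requests=5, max_jitter=0.2):
    """Return (host, process, mean_gap_s, bytes_uploaded) for each unrecognised
    process that reaches a cloud API host >= min_requests times with the
    coefficient of variation of its inter-request gaps below max_jitter."""
    series = defaultdict(list)
    for line in lines:
        ts, host, proc, dest, method, nbytes = parse_line(line)
        if dest in CLOUD_API_HOSTS and proc not in KNOWN_CLIENTS:
            series[(host, proc)].append((ts, method, nbytes))
    findings = []
    for (host, proc), events in series.items():
        if len(events) < min_requests:
            continue
        events.sort()  # steady gaps between consecutive requests = poll loop
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            uploaded = sum(n for _, m, n in events if m == "POST")  # bytes leaving
            findings.append((host, proc, round(avg, 1), uploaded))
    return findings

# Constructed sample: upd.exe polls every ~60 s and uploads once (flagged);
# Dropbox.exe is the vendor client (ignored); chrome.exe is irregular (not flagged).
SAMPLE_LOG = [
    "2025-11-03T09:00:00 ws-17 upd.exe api.dropboxapi.com GET 412",
    "2025-11-03T09:01:00 ws-17 upd.exe api.dropboxapi.com GET 408",
    "2025-11-03T09:02:01 ws-17 upd.exe api.dropboxapi.com GET 410",
    "2025-11-03T09:03:00 ws-17 upd.exe content.dropboxapi.com POST 51200",
    "2025-11-03T09:04:00 ws-17 upd.exe api.dropboxapi.com GET 409",
    "2025-11-03T09:00:30 ws-17 Dropbox.exe api.dropboxapi.com GET 900",
    "2025-11-03T09:00:00 ws-22 chrome.exe api.dropboxapi.com GET 700",
    "2025-11-03T09:00:05 ws-22 chrome.exe api.dropboxapi.com GET 650",
    "2025-11-03T09:03:40 ws-22 chrome.exe content.dropboxapi.com POST 20480",
    "2025-11-03T09:03:42 ws-22 chrome.exe api.dropboxapi.com GET 700",
    "2025-11-03T09:12:00 ws-22 chrome.exe api.dropboxapi.com GET 710",
]
```

Running `find_beacons(SAMPLE_LOG)` returns only the ws-17/upd.exe pair with its 60 s mean gap and 51200 uploaded bytes; the jittery browser session and the allow-listed sync client are left alone.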

Targeting and Malware Attribution

The primary targets of this campaign were identified as Russian IT service providers and government entities. The attack chain delivers a custom remote access trojan (RAT) as its final payload, granting the operators extensive control over the compromised machines. This includes the ability to execute commands, manage files, and exfiltrate sensitive information.

Security researchers attribute the campaign to APT31 based on the tactics, techniques, and procedures (TTPs) employed. The malware used is a variant of a backdoor previously and exclusively associated with APT31, also known as Zirconium and Judgment Panda. This connection provides a clear link between this activity and the China-based threat group.

Source: https://thehackernews.com/2025/11/china-linked-apt31-launches-stealthy.html