Connect with us

Hi, what are you looking for?



Chinese Cyberspy Group APT31 Starts Targeting Russia

China-linked hacking group APT31 has been using new malware in recent attacks targeting Mongolia, Belarus, Canada, the United States, and — for the first time — Russia, according to enterprise cybersecurity firm Positive Technologies.

China-linked hacking group APT31 has been using new malware in recent attacks targeting Mongolia, Belarus, Canada, the United States, and — for the first time — Russia, according to enterprise cybersecurity firm Positive Technologies.

Also tracked as Judgment Panda, Zirconium, and Red Keres, APT31 is believed to be working on behalf of the Chinese government, conducting cyberespionage campaigns against targets of interest to the country.

In July 2021, the group was officially accused of targeting vulnerabilities in Microsoft Exchange servers, on behalf of China, and France warned of APT31’s continuous abuse of hacked routers in malicious attacks.

The group is believed to have launched at least 10 cyberattacks between January and July 2021, delivering a remote access Trojan (RAT) and mainly targeting entities in Mongolia, Russia, Belarus, Canada, and the United States.

According to Positive Technologies, it’s the first time this particular threat group has targeted Russia, and evidence suggests that at least some of the targets here were government organizations.

As part of the activity, the cyberspies employed a new malware dropper that leverages DLL sideloading to execute the malicious payload on the target machine (alongside the malicious library, the dropper deploys and executes on the compromised machine an application vulnerable to DLL sideloading).

The malicious library mimics the legitimate MSVCR100.dll file that Microsoft’s Visual Studio application uses, in an attempt to hide the nefarious activity.

Advertisement. Scroll to continue reading.

During their investigation into the hacking group’s activities, Positive Technologies’ security researchers discovered several versions of the dropper, including one that downloads all files from the command and control server.

“It is also worth noting that in some cases, particularly during attacks on Mongolia, the dropper was signed with a valid digital signature,” the researchers say, assessing that the signature was most likely stolen.

The malicious library the dropper uses is responsible for fetching and executing the main payload.

Once deployed, the malware waits for commands from the server. Based on these, it can harvest information on drives, search for files, create a process, create a new stream, create a directory, or delete itself.

Given numerous similarities with the DropboxAES RAT that Secureworks previously attributed to APT31, Positive Technologies concluded that they were looking at a variant of the same malware, which showed only minor differences. However, no overlaps between the network infrastructures of the detected malware samples were observed.

“The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular. We believe that further instances will be revealed soon of this group being used in attacks,” Positive Technologies concludes.

Related: Chinese Hackers Cloned Equation Group Exploit Years Before Shadow Brokers Leak

Related: New Chinese Threat Group ‘GhostEmperor’ Targets Governments, Telecom Firms

Related: Finland IDs Hackers Linked to Parliament Spying Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...