Security Experts:

Connect with us

Hi, what are you looking for?



Chinese Cyberspy Group APT31 Starts Targeting Russia

China-linked hacking group APT31 has been using new malware in recent attacks targeting Mongolia, Belarus, Canada, the United States, and — for the first time — Russia, according to enterprise cybersecurity firm Positive Technologies.

China-linked hacking group APT31 has been using new malware in recent attacks targeting Mongolia, Belarus, Canada, the United States, and — for the first time — Russia, according to enterprise cybersecurity firm Positive Technologies.

Also tracked as Judgment Panda, Zirconium, and Red Keres, APT31 is believed to be working on behalf of the Chinese government, conducting cyberespionage campaigns against targets of interest to the country.

In July 2021, the group was officially accused of targeting vulnerabilities in Microsoft Exchange servers, on behalf of China, and France warned of APT31’s continuous abuse of hacked routers in malicious attacks.

The group is believed to have launched at least 10 cyberattacks between January and July 2021, delivering a remote access Trojan (RAT) and mainly targeting entities in Mongolia, Russia, Belarus, Canada, and the United States.

According to Positive Technologies, it’s the first time this particular threat group has targeted Russia, and evidence suggests that at least some of the targets here were government organizations.

As part of the activity, the cyberspies employed a new malware dropper that leverages DLL sideloading to execute the malicious payload on the target machine (alongside the malicious library, the dropper deploys and executes on the compromised machine an application vulnerable to DLL sideloading).

The malicious library mimics the legitimate MSVCR100.dll file that Microsoft’s Visual Studio application uses, in an attempt to hide the nefarious activity.

During their investigation into the hacking group’s activities, Positive Technologies’ security researchers discovered several versions of the dropper, including one that downloads all files from the command and control server.

“It is also worth noting that in some cases, particularly during attacks on Mongolia, the dropper was signed with a valid digital signature,” the researchers say, assessing that the signature was most likely stolen.

The malicious library the dropper uses is responsible for fetching and executing the main payload.

Once deployed, the malware waits for commands from the server. Based on these, it can harvest information on drives, search for files, create a process, create a new stream, create a directory, or delete itself.

Given numerous similarities with the DropboxAES RAT that Secureworks previously attributed to APT31, Positive Technologies concluded that they were looking at a variant of the same malware, which showed only minor differences. However, no overlaps between the network infrastructures of the detected malware samples were observed.

“The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular. We believe that further instances will be revealed soon of this group being used in attacks,” Positive Technologies concludes.

Related: Chinese Hackers Cloned Equation Group Exploit Years Before Shadow Brokers Leak

Related: New Chinese Threat Group ‘GhostEmperor’ Targets Governments, Telecom Firms

Related: Finland IDs Hackers Linked to Parliament Spying Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.