Striking Panda Attacks: APT31 Today
Essential information
- Published
- 27/11/2025 18:37
- Modified
- 21/12/2025 18:09
- Tags
- 2025-11-27 auftime chinese cloud services cloudsorcerer cloudyloader coffproxy cyber espionage data exfiltration government contractors grewapacha it sector localplugx malware onedrivedoor vtchatter yaleak
- Related entities
- 6 observables, 1 intrusion sets (apt), 22 techniques (mitre), 9 malware, 8 others
Description
APT31, a Chinese cyber espionage group, has been actively targeting the Russian IT sector from 2024 to 2025, particularly companies working as contractors for government agencies. The group uses sophisticated tactics to remain undetected, including leveraging cloud services as command and control infrastructure and deploying new malware samples. APT31 demonstrates knowledge of target organizations' workflows, timing attacks during holidays. They use a prepared script for lateral movement and have deployed new malware such as AufTime, COFFProxy, VtChatter, YaLeak, CloudyLoader and OneDriveDoor. The group employs various persistence techniques, credential access methods, and data exfiltration tools. APT31 continues to evolve its toolkit while maintaining some older tools, allowing them to remain undetected in victim networks for years while extracting sensitive data.