Fresh ‘APT31’ Activity Surfaces, Including Russian Targets for the First Time Ever

Last updated September 28, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

The Chinese hacking group tracked as ‘APT31’ (aka “Zirconium” or “Hurricane Panda”) last made headlines in February when researchers at Check Point figured that the actors were using malware tools that were based on leaked NSA code. Now, it is the security research team at Positive Technologies who has an update on the most recent activity of the Chinese hackers, having tracked several emails sent by the actors in the last couple of months, targeting government entities in the United States, Canada, Russia, Belarus, and Mongolia.

According to the report, this is the first time that APT31 is confirmed to be targeting Russian entities in the five years that it has been active. In 2020, the group focused on Europe-based companies and also public agencies in Finland, France, Germany, and Norway, but its interest has shifted again as it seems.

For Russia specifically, the sophisticated actors have set up a spoofing site on “inst.rsnet-devel[.]com”, which imitates the domain of Russia’s National Computer Incident Response & Coordination Center. This is a portal meant to collect reports about cyber-incidents from companies, provide aid and advice, and coordinate response operations. The servers infrastructure that Positive Technologies was able to map is given below.

Source: Positive Technologies

The malware that’s dropped onto the targets' systems is dropped through DLL sideloading in a newly created directory at “C:\ProgramData\Apacha”. It is noteworthy that the droppers are often signed with a valid digital signature that is most probably stolen.

Source: Positive Technologies

The malware itself is similar to what was used by the group in last year’s operations and supports the following commands:

Daniil Koloskov, a Senior Threat Analysis Specialist at Positive Technologies, states:

It is worth noting how cunning the malware developers were: in order to make the malicious library look like the original version, they named it MSVCR100.dll—the library with the exact same name is part of Visual C++ for Microsoft Visual Studio and is present on almost all computers. In addition, it contains as exports the names that can be found in the legitimate MSVCR100.dll



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: