Researchers linked a series of long-running, targeted cyberattacks against Russia’s IT sector (2024–2025) to APT31 and recovered unique samples of the group’s tools and methods. The attackers disguised malware as legitimate software, abused social network profiles and other online services for encrypted bidirectional C2, and used a keylogger that captured commands pasted from the clipboard.
Key points
- Between 2024 and 2025, contractors and systems integrators in Russia’s IT sector serving government agencies were targeted in a series of well-planned cyberespionage attacks.
- Investigators attributed some intrusions to APT31 and obtained unique samples of its malware and tooling.
- Attackers used a mix of third-party tools for lateral movement and reconnaissance and bespoke malware families including LocalPlugx, CloudSorcerer, COFFProxy, VtChatter, CloudyLoader, OneDriveDoor, and GrewApacha.
- Legitimate online services and social network profiles were abused to host encrypted commands and payloads, enabling stealthy bidirectional C2 that blended with normal traffic.
- Operators timed actions for weekends and public holidays (notably a large New Year holiday attack) to exploit reduced monitoring and maintain long dwell times.
- LocalPlugx keylogger data showed commands were pasted from the clipboard, indicating attackers executed prewritten commands rather than typing them interactively.
MITRE Techniques
- [T1036] Masquerading – The group disguised its tools as legitimate software to evade detection (‘disguises its tools as legitimate software’).
- [T1102] Web Service – Attackers abused legitimate online services and social network profiles to place encrypted commands and payloads for bidirectional C2 (‘They placed encrypted commands and payloads in profiles on popular social networks — both Russian and international — as well as on other platforms.’).
- [T1056.001] Keylogging – A keylogger module in LocalPlugx was used to capture input on compromised hosts (‘we found LocalPlugx installed on many computers with the keylogger module enabled’).
- [T1056.003] Clipboard – Captured clipboard data showed commands were pasted rather than typed, allowing reconstruction of attacker commands (‘all commands were pasted from the clipboard rather than typed manually’).
- [T1059] Command and Scripting Interpreter – Operators executed prepared commands in compromised infrastructure, likely via command interpreters or scripted sequences (‘it is likely that the attackers followed a prewritten scenario, simply copying and running prepared commands’).
- [T1021] Remote Services (Lateral Movement) – Third-party tools were used to move laterally within networks and perform reconnaissance (‘The attackers used both third-party tools (for lateral movement and reconnaissance) and their own malware’).
Indicators of Compromise
- [Malware/Tool names] Names of the malicious tooling used in the intrusions – LocalPlugx, CloudyLoader, CloudSorcerer, COFFProxy, VtChatter, OneDriveDoor, and GrewApacha.
- [Abused Platforms] Channels abused for command and control – social network profiles, OneDrive, and other online platforms used to host encrypted commands and payloads.