{ "id": "1dabe364-7706-4a53-9480-fb7fdbab753a", "created_at": "2026-04-06T00:13:06.283293Z", "updated_at": "2026-04-10T03:37:22.799116Z", "deleted_at": null, "sha1_hash": "584898cd3bd0e8bd8e44f4af2c148f3d5c6f64df", "title": "APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 551126, "plain_text": "APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and\r\nelsewhere\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-05 19:08:55 UTC\r\nIntroduction\r\nPT Expert Security Center (PT ESC) specialists regularly track the activity of hacker groups and the emergence of new\r\ninformation security threats (threat intelligence). During such monitoring in April 2021, a mailing list with previously\r\nunknown malicious content was sent to Mongolia. Some of the files found during the study had rather interesting names\r\n(\"хавсралт.scr\" [\"havsralt.scr\"] (mong. attachment), \"Информация_Рб_июнь_2021_года_2021062826109.exe\") and, as\r\nthe study showed, they contained a remote access trojan (RAT). Similar attacks were subsequently identified in Russia,\r\nBelarus, Canada, and the United States. According to PT ESC threat intelligence analysts, from January to July 2021,\r\napproximately 10 attacks were carried out using the discovered malware samples. A detailed analysis of malware samples,\r\ndata on the paths on which working directories and registry keys were located, techniques and mechanisms used by the\r\nattackers (from the injection of malicious code to the logical blocks and structures used) helped correlate this malware with\r\nthe activity of the APT31 group.\r\nThis group, also known as Judgment Panda (CrowdStrike) and Zirconium (Microsoft), has been active since at least 2016.\r\nThe group is presumed to be of Chinese origin, providing data to the Chinese government and state-owned enterprises to\r\nachieve political, economic, and military advantages. Cyberespionage is of key interest. The attackers' targets include the\r\ngovernment sector, aerospace and defense enterprises, as well as international financial companies and the high-tech sector.\r\nIn different years, the group's victims have included the government of Finland and, it is presumed, the governments of\r\nNorway and Germany too. The group also attacked organizations and individuals close to U.S. presidential candidates\r\nduring the 2020 campaign. Recent attacks on companies in France, involving the hacking of home and office routers, have\r\nalso been linked with the group.\r\nIn this article, we will study the malware created by the group, focus in more detail on the types of droppers discovered and\r\nthe tricks used by its developers. We will also present the criteria on the basis of which the attacks were attributed.\r\nAnalysis of malicious content\r\nDropper\r\nThe main objective of the dropper, the appearance of the main function of which is shown in Figure 1, is the creation of two\r\nfiles on the infected computer: a malicious library and an application vulnerable to DLL Sideloading (this application is then\r\nlaunched). Both files are always created over the same path: C:\\ProgramData\\Apacha. In the absence of this directory, it is\r\ncreated and the process is restarted.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/\r\nPage 1 of 13\n\nFigure 1. Overview of the dropper's basic function\r\nAt the second stage, the application launched by the dropper loads the malicious library and calls one of its functions. It is\r\nnoteworthy that MSVCR100.dll was chosen as the name of the malicious library in all cases. A library with an identical\r\nname is included in Visual C ++ for Microsoft Visual Studio. It is available on almost all PCs, but in a legitimate case it is\r\nlocated in the System32 folder (Figure 2). Moreover, the size of the malicious library is much smaller than the legitimate\r\none.\r\nFigure 2. Parameters of the legitimate MSVCR100.dll\r\nIt is also worth noting the trick of the malware developers: by way of exports, the library contains names that can be found\r\nin the legitimate MSVCR100.dll. Without a doubt, this was done to make the malicious library as identical to the original\r\nversion as possible.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/\r\nPage 2 of 13\n\nFigure 3. Part of the exports of malicious MSVCR100.dll\r\nHowever, the number of exports in the malicious sample is much smaller, and most of them are ExitProcess calls.\r\nBelow is an example of a call to a malicious function from the created library. After the call, control is transferred to the\r\nmalicious code. Note that the names of malicious functions were most often those used during the regular loading of\r\napplications.\r\nFigure 4. Calling a malicious function inside a legitimate application\r\nDuring the analysis of malware samples, PT ESC specialists detected different versions of droppers that contain the same set\r\nof functions. The main difference is the name of the directory in which the files contained in the dropper will be created.\r\nHowever, in all the instances studied, the directories found in C:\\ProgramData\\ were used.\r\nThe version of the dropper that downloads all files from the control server is worthy of particular note. Let's take a closer\r\nlook. At the first stage, the presence of a working directory is also checked, after which connection is made to the control\r\nserver and the necessary data is downloaded from it.\r\nFigure 5. Checking for a directory\r\nCommunication with the server is not encrypted in any way, nor is the control server's address inside the malware.\r\nDownloaded files are written to the created working directory.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/\r\nPage 3 of 13\n\nFigure 6. Creating files in the working directory\r\nFigure 7 displays the code sections responsible for downloading all files from the server (the last reviewed case), while\r\nFigure 8 displays the code for loading the main library (first instance).\r\nFigure 7. Downloading files from C2\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/\r\nPage 4 of 13\n\nFigure 8. Downloading a malicious library from C2\r\nExamining the open directories of control servers revealed unencrypted libraries (Figure 9).\r\nFigure 9. Encrypted and unencrypted libraries on the server\r\nIt is also worth noting that in some cases, particularly during attacks on Mongolia, the dropper was signed with a valid\r\ndigital signature (Figure 10). PT ESC experts believe that this signature was most likely stolen.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/\r\nPage 5 of 13\n\nFigure 10. Valid digital signature of a dropper\r\nMalicious library\r\nExecution commences with receipt of a list of launched processes. That said, this has no impact on anything and is not used\r\nanywhere. The library then checks for the presence of the file C:\\\\ProgramData\\\\Apacha\\\\ssvagent.dll. This is the encrypted\r\nmain load downloaded from the server. If this file does not exist, then the address of the control server from which the\r\ndownload will be performed is decrypted.\r\nIn fact, this is a 5-byte XOR with a key built into the library. Inside the binary file, the key is stored in the form xmmword\r\nwith the constant 9000000090000000900000009h (the fifth byte is added to the memory by the malware itself using the\r\ndirect address). In fact, encryption is performed with byte 0x9. After decrypting the C2 address, it connects to the control\r\nserver and downloads the encrypted payload from it. Then the received data is saved in the file\r\nC:\\\\ProgramData\\\\Apacha\\\\ssvagent.dll, and the legitimate application ssvagent.exe is restarted. The main part of the\r\ndescribed functions is presented in Figure 11.\r\nFigure 11. Decrypting the C2 address, loading and launching a new instance of ssvagent.exe\r\nIf the payload has been loaded earlier, it is checked for an application that is already running. To do this, a mutex named\r\nssvagent is created; if it has been created, the application ends.\r\nThe library then writes the legitimate ssvagent.exe to startup via the registry, as shown in Figure 12.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/\r\nPage 6 of 13\n\nFigure 12. Persistence via registry key\r\nAfter this, the file downloaded from the server is decrypted using a XOR operation with a 5-byte key. (The algorithm and\r\nkey shown in Figure 10 differ from those used when decrypting the address of the control server.) Just as when decrypting\r\nthe address of the control server, the key is stored in the form xmmword and is a constant:\r\n1100000033000000060000000Eh. The fifth byte is identical in all cases; its value is 0x12.\r\nFigure 13. Decryption code of the main library\r\nAfter this, the decrypted data is placed in the application memory, and control is transferred to it.\r\nPayload\r\nThe main library starts its execution by creating a package that will be sent to the server. Officially, the package is created\r\nfrom three parts:\r\n1. Main heading\r\n2. Hash\r\n3. Encrypted data\r\nThe main heading has the following structure:\r\n \r\ntypedef struct _MAIN_HEADER\r\n{\r\nDWORD sizeOfPacket;//excluding the field itself\r\nDWORD const_1;\r\nDWORD const_2;\r\n} MAIN_HEADER, *PMAIN_HEADER;\r\n \r\nThe values of const_1 and const_2 are identical and remain unchanged from package to package (unit value equalized to 4\r\nbytes value).\r\nTo generate a hash, which is preceded by the main heading, the malware obtains the MAC address and PC name (the result\r\nof executing GetComputerNameExW). These values are concatenated (without using any separators), after which an MD5\r\nhash is taken from the resulting value, which is then converted into a string. An example of hash generation is presented in\r\nFigure 14.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/\r\nPage 7 of 13\n\nFigure 14. Example of hash generation\r\nThe third part of the package is then formed. The structure describing it is presented below:\r\n \r\ntypedef struct _FIRST_PACKET\r\n{\r\nchar pcName[]; //result of GetComputerNameExW\r\nBYTE splitByte_0x09;\r\nchar userName[]; // result of GetUserNameW\r\nBYTE splitByte_0x09;\r\nchar hostIp[];\r\nBYTE splitByte_0x09;\r\nchar decrStr_1[2];\r\nBYTE splitByte_0x2E;\r\nchar decrStr_2[1];\r\nBYTE splitByte_0x2E;\r\nchar decrStr_3[5];\r\nBYTE splitByte_0x2E;\r\nchar decrStr_4[2];\r\nBYTE splitByte_0x2E;\r\nchar osVersion_inverted[2];\r\nBYTE splitByte_0x09;\r\nchar version[3];\r\nBYTE splitByte_0x09;\r\nchar macAddr[];\r\nBYTE splitByte_0x09;\r\n} _FIRST_PACKET, *_FIRST_PACKET;\r\n \r\nEach field is separated from the other by a value of 0x09; some fields are separated by a value of 0x2E.\r\nFigure 15. An example of a generated package\r\nHeading fields decrStr_1 through decrStr_4 are not generated by the malware and are not collected on the infected\r\ncomputer. All values are encrypted inside the malware. Each value is decrypted separately and is added to the heading. The\r\ndecrStr_4 field depends on the bitness of the operating system, which ultimately leads to different offsets of the encrypted\r\ndata transferred to the decryption function (Figure 17) as an argument.\r\nThe format of a complete generated package is presented below. The main heading is highlighted in green; the hash, in red;\r\nthe encrypted data, in yellow.\r\nFigure 16. Encrypted package with all headings\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/\r\nPage 8 of 13\n\nFigure 17. Decrypting data from a specific position within a binary file\r\nThe generated package is encrypted with RC-4 with the key 0x16CCA81F, which is embedded in the encrypted data and\r\nsent to the server. After this, malware waits for commands from the server.\r\nLet's take a look at the list of commands that the malware implements:\r\n0x3: get information on mapped drives.\r\n0x4: perform file search.\r\n0x5: create a process, communication through the pipe.\r\n0xA: create a process via ShellExecute.\r\n0xC: create a new stream with a file download from the server.\r\n0x6, 0x7, 0x8, 0x9 (identical): search for a file or perform the necessary operation via SHFileOperationW (copy file,\r\nmove file, rename file, delete file).\r\n0xB: create a directory.\r\n0xD: create a new stream, sending the file to the server.\r\n0x11: self-delete.\r\nIt is noteworthy that some of them duplicate each other's functions, and some are identical in terms of code implementation.\r\nThis is most likely connected with the fact that the potential malware version is 1.0. This assumption is based on the value\r\nembedded in the code and contained in the network packages.\r\nThe code for processing the last command is particularly intriguing: all the created files and registry keys are deleted using a\r\nbat-file.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/\r\nPage 9 of 13\n\nFigure 18. Code for removing all components\r\nAttribution\r\nDuring their investigation, PT ESC specialists found a Secureworks report describing the APT31 DropboxAES RAT trojan.\r\nAnalysis of the detected malware instances allows us to assert that the group is also behind the attack we studied. Numerous\r\noverlaps were found in functionality, techniques and mechanisms used, starting with the injection of malicious code (up to\r\nthe names of the libraries used) and ending with logical blocks and structures used inside the program code. The paths along\r\nwhich the malware working directories are located and the registry keys through which the persistence mechanism and their\r\nidentity to the working directories are provided are also identical. In addition, the command handlers executed by the\r\nmalware proved to be extremely similar, while the self-delete mechanism is identical.\r\nThe main difference between this version of the malware and that reviewed by Secureworks lies in the communication of the\r\nmain load with the control server. In the cases studied, there was a custom communication protocol that Dropbox does not\r\nuse to exchange data.\r\nNetwork infrastructure\r\nThe detected malware samples, including the encrypted ones, revealed no overlaps between them in the network\r\ninfrastructure. Nevertheless, in several cases, the payload accessed nodes other than those from which it was downloaded.\r\nFigure 19. Identified servers\r\nIn one of the latest malware samples, an interesting domain inst.rsnet-devel[.]com was identified, which imitates the\r\ndomain of federal government bodies and government bodies of constituent entities of the Russian Federation for a segment\r\nof the Internet. This might indicate an attack on government organizations in the Russian Federation.\r\nAuthors: Denis Kuvshinov, Daniil Koloskov, PT ESC\r\nConclusion\r\nIn the study PT ESC specialists analyzed new versions of the malware used by APT31 in attacks from January to July this\r\nyear. The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/\r\nPage 10 of 13\n\nthat the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in\r\nparticular. We believe that further instances will be revealed soon of this group being used in attacks, including against\r\nRussia, along with other tools that might be identified by code correspondence or network infrastructure.\r\nIOCs\r\nFile MD5 SHA-1\r\nDropper\r\njconsole.exe 3f5ea95a5076b473cf8218170e820784 765bd2fd32318a4cb9e4658194fe0fb5d94568e0\r\n- db1673a1e8316287cb940725bb6caa68 6a358afdd2c59f0bbfc7b1982ae6b0a782399923\r\n- 2798b66475cf0794e9b868d656defca7 0c3e0a5553cc29049fd8c5fc3a1af3ae6c0c298e\r\n- 626270d5bf16eb2c4dda2d9f6e0c4ef9 f585917fdb89b9dc849621676376b0b1e6b348f\r\nnews.exe 56450799fe4e44d7c5aff84d173760e8 10037b4533df13983a75d74dcea32dc73665700\r\n- d919fed03ec53654be59e15525c1448f 9db9fe7b04bc5b2fc10f78da3891eb30c19a48b6\r\nхавсралт.scr d22670ab9b13de79e442100f56985032 6e7540fa001fc992d2050b97ea17686d3486374\r\npresident_email.exe 8e744f7b07484afcf87c454c6292e944 da845d8219d3315c02f84c27094965d02cdaa76\r\nИнформация_Рб_июнь_2021_года_2021062826109.exe 49bca397674f67e4c069068b596cab3e d13d6d683855f5a547b96b6e2365c6f49a899d6\r\nMalicious library\r\nMSVCR100.dll 8cefaa146178f5c3a297a7895cd3d1fc 81779c94dbe2887ff1ff0fd4c15ee0c373bd0b40\r\nMSVCR100.dll 326024bc9222ebec281ec53ca5598cc1 5c25b93ebcedafcff0c85bcde2a0857ca72dc73e\r\nMSVCR100.dll 6f3047277719e2351ce14a54a39f7b15 7de335e005b0766268df918e7e3b64f4b3521c1\r\nNetwork indicators\r\ngitcloudcache[.]com\r\nedgecloudc[.]com\r\napi[.]hostupoeui[.]com\r\napi[.]flushcdn[.]com\r\nconst[.]be-government[.]com\r\ndrmtake[.]tk\r\ninst[.]rsnet-devel[.]com\r\n20[.]11[.]11[.]67\r\nNetwork signature\r\nAs a result of researching the format of the complete generated packet, Positive Technologies experts managed to develop\r\nrules for detecting this threat in network traffic. You can download the free redistributable rules from our repository at\r\nhttps://github.com/ptresearch/AttackDetection/tree/master/APT31\r\nMITRE\r\nID Name Description\r\nResource Development\r\nT1587.001 Malware\r\nAPT31 develops malware and malware components that\r\ncan be used during targeting\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/\r\nPage 11 of 13\n\nT1587.002\r\nDevelop Capabilities: Code Signing\r\nCertificates\r\nAPT31 uses code signing to sign their malware and tools\r\nInitial Access\r\nT1566 Phishing\r\nAPT31 sends phishing messages to gain access to victim\r\nsystems\r\nExecution\r\nT1204.002 User Execution: Malicious File\r\nAPT31 relies upon a user open a malicious file to get it\r\nexecuted\r\nT1059.003\r\nCommand and Scripting\r\nInterpreter: Windows Command Shell\r\nAPT31 uses the Windows command shell for command\r\nexecution\r\nT1106 Native API\r\nAPT31 directly interacts with the native OS application\r\nprogramming interface (API) to execute behaviors\r\nPersistence\r\nT1547.001\r\nBoot or Logon Autostart Execution:\r\nRegistry Run Keys / Startup Folder\r\nAPT31 achieves persistence by adding a program to a\r\nRegistry run key\r\nT1574\r\nHijack Execution Flow: DLL Search Order\r\nHijacking\r\nAPT31 executes their own malicious payloads by\r\nhijacking the way operating systems run programs\r\nDefense Evasion\r\nT1036 Masquerading\r\nAPT31 manipulates features of their artifacts to make\r\nthem appear legitimate to users\r\nT1140 Deobfuscate/Decode Files or Information\r\nAPT31 uses mechanisms to decode or deobfuscate\r\ninformation\r\nT1027 Obfuscated Files or Information\r\nAPT31 uses encryption to make it difficult to detect or\r\nanalyze an executable file\r\nT1112 Modify Registry APT31 team uses the Windows registry for persistence\r\nDiscovery\r\nT1082 System Information Discovery\r\nAPT31 obtains detailed information about the operating\r\nsystem\r\nCollection\r\nT1005 Data from Local System\r\nAPT31 uses backdoor functionality to exfiltrate any file\r\non the infected machine\r\nCommand and Control\r\nT1001 Data Obfuscation\r\nAPT31 obfuscates command and control traffic to make\r\nit more difficult to detect\r\nT1521 Standard Cryptographic Protocol APT31 uses data hiding in C\u0026C with RC4\r\nT1043 Commonly Used Port APT31 uses ports 80 and 443 for communication\r\nT1071.001 Application Layer Protocol: Web Protocols\r\nAPT31 uses HTTP and HTTPS protocols to\r\ncommunicate with control servers\r\nExfiltration\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/\r\nPage 12 of 13\n\nT1020 Automated Exfiltration APT31 uses automatic exfiltration of stolen files\r\nT1041 Exfiltration Over C2 Channel APT31 uses C\u0026C channel to exfiltrate data\r\nSource: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/\r\nPage 13 of 13", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/" ], "report_names": [ "apt31-new-attacks" ], "threat_actors": [ { "id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784", "created_at": "2023-01-06T13:46:38.953463Z", "updated_at": "2026-04-10T02:00:03.159523Z", "deleted_at": null, "main_name": "APT31", "aliases": [ "JUDGMENT PANDA", "BRONZE VINEWOOD", "Red keres", "Violet Typhoon", "TA412" ], "source_name": "MISPGALAXY:APT31", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9e6186dd-9334-4aac-9957-98f022cd3871", "created_at": "2022-10-25T15:50:23.357398Z", "updated_at": "2026-04-10T02:00:05.368552Z", "deleted_at": null, "main_name": "ZIRCONIUM", "aliases": [ "APT31", "Violet Typhoon" ], "source_name": "MITRE:ZIRCONIUM", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "74d9dada-0106-414a-8bb9-b0d527db7756", "created_at": "2025-08-07T02:03:24.69718Z", "updated_at": "2026-04-10T02:00:03.733346Z", "deleted_at": null, "main_name": "BRONZE VINEWOOD", "aliases": [ "APT31 ", "BRONZE EXPRESS ", "Judgment Panda ", "Red Keres", "TA412", "VINEWOOD ", "Violet Typhoon ", "ZIRCONIUM " ], "source_name": "Secureworks:BRONZE VINEWOOD", "tools": [ "DropboxAES RAT", "HanaLoader", "Metasploit", "Mimikatz", "Reverse ICMP shell", "Trochilus" ], "source_id": "Secureworks", "reports": null }, { "id": "dc7ee503-9494-4fb6-a678-440c68fd31d8", "created_at": "2022-10-25T16:07:23.349177Z", "updated_at": "2026-04-10T02:00:04.552639Z", "deleted_at": null, "main_name": "APT 31", "aliases": [ "APT 31", "Bronze Vinewood", "G0128", "Judgment Panda", "Red Keres", "RedBravo", "TA412", "Violet Typhoon", "Zirconium" ], "source_name": "ETDA:APT 31", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "Farfli", "Gh0st RAT", "Ghost RAT", "GrewApacha", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "Mydoor", "PCRat", "PlugX", "RedDelta", "Roarur", "Sakula", "Sakula RAT", "Sakurel", "SinoChopper", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "Xamtrav" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434386, "ts_updated_at": 1775792242, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/584898cd3bd0e8bd8e44f4af2c148f3d5c6f64df.pdf", "text": "https://archive.orkl.eu/584898cd3bd0e8bd8e44f4af2c148f3d5c6f64df.txt", "img": "https://archive.orkl.eu/584898cd3bd0e8bd8e44f4af2c148f3d5c6f64df.jpg" } }