{
	"id": "0024cf7d-6277-4717-a75e-fc24dede8e38",
	"created_at": "2026-04-06T03:37:39.02851Z",
	"updated_at": "2026-04-10T03:37:22.813225Z",
	"deleted_at": null,
	"sha1_hash": "db0c34fc010514830667727cff3549183fa4c4ad",
	"title": "Chinese hacking group APT31 uses mesh of home routers to disguise attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89443,
	"plain_text": "Chinese hacking group APT31 uses mesh of home routers to\r\ndisguise attacks\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-12 · Archived: 2026-04-06 03:26:32 UTC\r\nA Chinese cyber-espionage group known as APT31 (or Zirconium) has been seen hijacking home routers to form\r\na proxy mesh around its server infrastructure in order to relay and disguise the origins of its attacks.\r\nIn a security alert published today, the French National Cybersecurity Agency, also known as ANSSI (Agence\r\nNationale de la Sécurité des Systèmes d'Information), published a list of 161 IP addresses that have been hijacked\r\nby APT31 in recent attacks against French organizations.\r\nThe agency said the APT31 attacks started at the beginning of 2021 and are still ongoing.\r\nFrench officials said that APT31's proxy botnet was used both to perform reconnaissance against its\r\ntargets and to carry out the attacks themselves.\r\nIn a series of tweets today, Ben Koehl, a security researcher for the Microsoft Threat Intelligence Center, said\r\nAPT31 was using this proxy network to make it appear that attacks are coming from the target organization's\r\nnational IP address space.\r\nOne of the reasons for this tactic is that some organizations might be blocking incoming traffic from international\r\nIP addresses as a security measure.\r\nOn the other side they are able to exit in the countries of their targets to _somewhat_ evade basic\r\ndetection techniques.\r\n— bk (Ben Koehl) (@bkMSFT) July 21, 2021\r\nANSSI officials are now urging companies, both in France and in other countries, to check their network logs\r\nfor connections involving the 161 IP addresses this year; a match would suggest that an organization might\r\nhave been the target of an APT31 operation.\r\n\"Finding one of the IOCs in logs does not mean the entire system has been compromised and further analysis will\r\nbe required,\" the agency said.\r\nAccording to William Thomas, a security researcher at security firm Cyjax, the IP addresses were located all over\r\nthe world, and not all were located in France. A copy of the APT31 malware implant installed on the hacked\r\nrouters was also identified on VirusTotal.\r\n— Will (@BushidoToken) July 21, 2021\r\nAPTs have used proxy meshes since 2018\r\nhttps://therecord.media/chinese-hacking-group-apt31-uses-mesh-of-home-routers-to-disguise-attacks\r\nPage 1 of 3\n\nUsing home routers to build proxy meshes that disguise the origin of web attacks is a\r\ncommon tactic these days.\r\nIn most cases, hacked routers and IoT devices are assembled into botnets, which are then rented to cybercrime\r\ngroups. These groups use the botnets as giant proxy meshes to relay a wide variety of malicious activity, such as\r\nbrute-force attacks, vulnerability exploitation, port scanning operations, and traffic carrying stolen data.\r\nBut while the tactic has been widely used by financially motivated cybercrime groups, it has also been seen as part\r\nof the arsenal of nation-state hacking groups since at least April 2018, when Akamai mentioned APT abuse in\r\na report [PDF] on the UPnProxy technique.\r\nOn another note, APT31 was also one of the two Chinese hacking groups, together with APT40, that the US and\r\nits allies accused on Monday of orchestrating a hacking campaign against Microsoft Exchange servers earlier this\r\nyear.\r\nThe Record understands that APT31 used proxy meshes made of home routers as a way to scan the internet and\r\nthen launch and disguise its attacks against Exchange email servers earlier this year; however, the technique was\r\nalso used for other operations.\r\n\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/chinese-hacking-group-apt31-uses-mesh-of-home-routers-to-disguise-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://therecord.media/chinese-hacking-group-apt31-uses-mesh-of-home-routers-to-disguise-attacks"
	],
	"report_names": [
		"chinese-hacking-group-apt31-uses-mesh-of-home-routers-to-disguise-attacks"
	],
	"threat_actors": [
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446659,
	"ts_updated_at": 1775792242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db0c34fc010514830667727cff3549183fa4c4ad.pdf",
		"text": "https://archive.orkl.eu/db0c34fc010514830667727cff3549183fa4c4ad.txt",
		"img": "https://archive.orkl.eu/db0c34fc010514830667727cff3549183fa4c4ad.jpg"
	}
}