{ "id": "4c4e2a96-6af2-4cdf-ab7d-5c9e13756918", "created_at": "2026-04-06T00:14:08.148276Z", "updated_at": "2026-04-10T13:11:57.721185Z", "deleted_at": null, "sha1_hash": "e7d8900175b2242db25ed76688908a1ada7aad59", "title": "France warns of APT31 cyberspies targeting French organizations", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 814003, "plain_text": "France warns of APT31 cyberspies targeting French organizations\r\nBy Sergiu Gatlan\r\nPublished: 2021-07-21 · Archived: 2026-04-05 19:11:43 UTC\r\nToday, the French national cyber-security agency warned of an ongoing series of attacks against a large number of French\r\norganizations coordinated by the Chinese-backed APT31 hacking group.\r\n\"It appears from our investigations that the threat actor uses a network of compromised home routers as operational relay\r\nboxes in order to perform stealth reconnaissance as well as attacks,\" ANSSI (Agence Nationale de la Sécurité des Systèmes\r\nd'Information) says in an alert bulletin issued today.\r\n\"As such, indicators of compromises (IOCs) are shared to help assess possible compromises (searches should start at the\r\nbeginning of 2021) and used in detection services.\"\r\nhttps://www.bleepingcomputer.com/news/security/france-warns-of-apt31-cyberspies-targeting-french-organizations/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/france-warns-of-apt31-cyberspies-targeting-french-organizations/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nOrganizations that detect any of the shared IOCs in their logs pointing at an attack potentially connected to this ongoing\r\nAPT31 campaign are urged to report the incident to ANSSI via email.\r\nAPT31 (also known as Zirconium and Judgment Panda) is a hacking group working at the behest of the Chinese\r\nGovernment known for its numerous espionage and information theft operations.\r\nThis threat has been linked in the past to the theft and repurposing of the EpMe NSA exploit years before Shadow Brokers\r\npublicly leaked it in April 2017.\r\nLast year, Microsoft observed APT31 attacks targeting the international affairs community and high-profile individuals\r\nassociated with the Joe Biden presidential campaign.\r\nAPT31 was also spotted by Google while targeting \"campaign staffers' personal emails with credential phishing emails and\r\nemails containing tracking links.\"\r\nChinese cyberespionage operations under the spotlight\r\nThese attacks come after the US and its allies, including the European Union, the United Kingdom, and NATO,\r\nhave formally accused China of this year's Microsoft Exchange hacking campaign.\r\nThe cyberattacks took place in early 2021 and targeted more than a quarter of a million Microsoft Exchange servers,\r\nbelonging to tens of thousands of organizations worldwide.\r\nThe Biden administration attributed \"with a high degree of confidence that malicious cyber actors affiliated with PRC’s\r\nMSS conducted cyber espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in\r\nearly March 2021.\"\r\nThe same day, the UK added that the Chinese Ministry of State Security (MSS) is behind Chinese state-backed hacking\r\ngroups tracked as APT40 and APT31.\r\nThe NSA, CISA, and FBI also issued a joint advisory with more than 50 tactics, techniques, and procedures (TTPs) Chinese\r\nstate-sponsored cyber actors have used in attacks against the US and allied networks.\r\nFour Ministry of State Security intelligence officers believed to be part of the APT40 threat group were also charged on the\r\nsame day by the Department of Justice regarding a multi-year campaign targeting governments and organizations from\r\ncritical sectors worldwide.\r\nhttps://www.bleepingcomputer.com/news/security/france-warns-of-apt31-cyberspies-targeting-french-organizations/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/france-warns-of-apt31-cyberspies-targeting-french-organizations/\r\nhttps://www.bleepingcomputer.com/news/security/france-warns-of-apt31-cyberspies-targeting-french-organizations/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/france-warns-of-apt31-cyberspies-targeting-french-organizations/" ], "report_names": [ "france-warns-of-apt31-cyberspies-targeting-french-organizations" ], "threat_actors": [ { "id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5", "created_at": "2022-10-25T16:07:24.561104Z", "updated_at": "2026-04-10T02:00:05.03343Z", "deleted_at": null, "main_name": "Shadow Brokers", "aliases": [], "source_name": "ETDA:Shadow Brokers", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea", "created_at": "2023-01-06T13:46:38.745572Z", "updated_at": "2026-04-10T02:00:03.086207Z", "deleted_at": null, "main_name": "APT40", "aliases": [ "ATK29", "Red Ladon", "MUDCARP", "ISLANDDREAMS", "TEMP.Periscope", "KRYPTONITE PANDA", "G0065", "TA423", "ITG09", "Gingham Typhoon", "TEMP.Jumper", "BRONZE MOHAWK", "GADOLINIUM" ], "source_name": "MISPGALAXY:APT40", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "171b85f2-8f6f-46c0-92e0-c591f61ea167", "created_at": "2023-01-06T13:46:38.830188Z", "updated_at": "2026-04-10T02:00:03.114926Z", "deleted_at": null, "main_name": "The Shadow Brokers", "aliases": [ "Shadow Brokers", "ShadowBrokers", "The ShadowBrokers", "TSB" ], "source_name": "MISPGALAXY:The Shadow Brokers", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784", "created_at": "2023-01-06T13:46:38.953463Z", "updated_at": "2026-04-10T02:00:03.159523Z", "deleted_at": null, "main_name": "APT31", "aliases": [ "JUDGMENT PANDA", "BRONZE VINEWOOD", "Red keres", "Violet Typhoon", "TA412" ], "source_name": "MISPGALAXY:APT31", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9e6186dd-9334-4aac-9957-98f022cd3871", "created_at": "2022-10-25T15:50:23.357398Z", "updated_at": "2026-04-10T02:00:05.368552Z", "deleted_at": null, "main_name": "ZIRCONIUM", "aliases": [ "APT31", "Violet Typhoon" ], "source_name": "MITRE:ZIRCONIUM", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "83025f5e-302e-46b0-baf6-650a4d313dfc", "created_at": "2024-05-01T02:03:07.971863Z", "updated_at": "2026-04-10T02:00:03.743131Z", "deleted_at": null, "main_name": "BRONZE MOHAWK", "aliases": [ "APT40 ", "GADOLINIUM ", "Gingham Typhoon ", "Kryptonite Panda ", "Leviathan ", "Nanhaishu ", "Pickleworm ", "Red Ladon ", "TA423 ", "Temp.Jumper ", "Temp.Periscope " ], "source_name": "Secureworks:BRONZE MOHAWK", "tools": [ "AIRBREAK", "BlackCoffee", "China Chopper", "Cobalt Strike", "DadJoke", "Donut", "FUSIONBLAZE", "GreenCrash", "Meterpreter", "Nanhaishu", "Orz", "SeDll" ], "source_id": "Secureworks", "reports": null }, { "id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a", "created_at": "2022-10-25T15:50:23.481057Z", "updated_at": "2026-04-10T02:00:05.306469Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "MUDCARP", "Kryptonite Panda", "Gadolinium", "BRONZE MOHAWK", "TEMP.Jumper", "APT40", "TEMP.Periscope", "Gingham Typhoon" ], "source_name": "MITRE:Leviathan", "tools": [ "Windows Credential Editor", "BITSAdmin", "HOMEFRY", "Derusbi", "at", "BLACKCOFFEE", "BADFLICK", "gh0st RAT", "PowerSploit", "MURKYTOP", "NanHaiShu", "Orz", "Cobalt Strike", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "74d9dada-0106-414a-8bb9-b0d527db7756", "created_at": "2025-08-07T02:03:24.69718Z", "updated_at": "2026-04-10T02:00:03.733346Z", "deleted_at": null, "main_name": "BRONZE VINEWOOD", "aliases": [ "APT31 ", "BRONZE EXPRESS ", "Judgment Panda ", "Red Keres", "TA412", "VINEWOOD ", "Violet Typhoon ", "ZIRCONIUM " ], "source_name": "Secureworks:BRONZE VINEWOOD", "tools": [ "DropboxAES RAT", "HanaLoader", "Metasploit", "Mimikatz", "Reverse ICMP shell", "Trochilus" ], "source_id": "Secureworks", "reports": null }, { "id": "dc7ee503-9494-4fb6-a678-440c68fd31d8", "created_at": "2022-10-25T16:07:23.349177Z", "updated_at": "2026-04-10T02:00:04.552639Z", "deleted_at": null, "main_name": "APT 31", "aliases": [ "APT 31", "Bronze Vinewood", "G0128", "Judgment Panda", "Red Keres", "RedBravo", "TA412", "Violet Typhoon", "Zirconium" ], "source_name": "ETDA:APT 31", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "Farfli", "Gh0st RAT", "Ghost RAT", "GrewApacha", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "Mydoor", "PCRat", "PlugX", "RedDelta", "Roarur", "Sakula", "Sakula RAT", "Sakurel", "SinoChopper", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "Xamtrav" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434448, "ts_updated_at": 1775826717, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e7d8900175b2242db25ed76688908a1ada7aad59.pdf", "text": "https://archive.orkl.eu/e7d8900175b2242db25ed76688908a1ada7aad59.txt", "img": "https://archive.orkl.eu/e7d8900175b2242db25ed76688908a1ada7aad59.jpg" } }