A threat actor presumed to be of Chinese origin has been linked to a series of 10 attacks targeting Mongolia, Russia, Belarus, Canada, and the U.S. that involve the deployment of a remote access trojan (RAT).

The intrusions have been attributed to an advanced persistent threat named APT31, which is tracked by the cybersecurity community under the monikers Zirconium, Judgement Panda, and Bronze Vinewood.

A FireEye statement describes the group as a "China-nexus cyber espionage actor focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic, and military advantages."

A malware dropper was used to facilitate the attacks, including the retrieval of next-stage encrypted payloads from a remote command-and-control (C2) server, which are subsequently decoded to execute the backdoor. The malware's capabilities include exfiltration of sensitive data and even deleting data from the hijacked machine.

The malware shares similarities with a trojan named DropboxAES RAT, which was put to use by the same threat group last year and relied on Dropbox for its C2 communications. Numerous overlaps were found in the techniques and mechanisms used to inject the attack code and achieve persistence, and in the mechanism employed to delete the espionage tool.

The revealed similarities with earlier versions of malicious samples described by researchers suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular.