
Emerging Cyber Threats in November 2025: APT31, Matrix Push C2 & Critical Oracle Zero-Day

Stealthy Espionage: China-linked APT31 Targets Russian IT through Cloud Services

Recent research by Positive Technologies has exposed a long-running espionage campaign by APT31, a China-linked advanced persistent threat group also tracked as Altaire, Violet Typhoon, and Judgement Panda, among other names, against the Russian IT sector, and in particular companies that integrate solutions for government agencies.

What makes this campaign notable is that APT31 uses legitimate cloud services such as Yandex Cloud and Microsoft OneDrive for command and control (C2) and data exfiltration, an approach that helps the attackers evade detection by blending into ordinary network traffic.

The group also combines custom and publicly available tools to maintain persistence over long periods. These include scheduled tasks masquerading as Chrome or Yandex Disk components and backdoors such as CloudSorcerer, OneDriveDoor, and COFFProxy.

This stealth has allowed the operators to remain hidden in victim networks for months or even years, siphoning off passwords, internal documents, and other sensitive information.
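A practical check for the persistence technique described above is to hunt for scheduled tasks that borrow a browser or updater name but run a binary from somewhere else, or launch a script host instead of the product itself. The script below is an added example written for this article, not code from Positive Technologies or from the APT31 toolset. It parses the CSV layout of `schtasks /query /v /fo CSV` and flags the mismatches. The product name hints and expected install roots are assumptions to be tuned per environment, and the sample CSV is constructed, not real host data.

```python
import csv
import io
import re

# Hypothetical, environment-specific assumptions: task-name hints that should
# belong to a product, and the install roots where that product's binaries live.
# Tune both for your estate; these are illustrative defaults, not vendor data.
PRODUCTS = {
    "chrome": {
        "name_hints": ("chrome", "googleupdate"),
        "roots": [r"^C:\\Program Files( \(x86\))?\\Google\\"],
    },
    "yandex": {
        "name_hints": ("yandex",),
        "roots": [
            r"^C:\\Program Files( \(x86\))?\\Yandex\\",
            r"^C:\\Users\\[^\\]+\\AppData\\Local\\Yandex\\",
        ],
    },
}

# Script hosts and LOLBins that a genuine browser/updater task never launches.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
}


def executable_from_command(command):
    """Return the program path from a 'Task To Run' string.

    Quoted paths ("C:\\Program Files\\...\\x.exe" /arg) end at the closing
    quote; unquoted commands end at the first space.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def product_for_task(task_name):
    """Map a task name to the product it claims to belong to, or None."""
    lowered = task_name.lower()
    for product, spec in PRODUCTS.items():
        if any(hint in lowered for hint in spec["name_hints"]):
            return product
    return None


def audit_tasks(csv_text):
    """Flag tasks that borrow a product's name but run something else."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        product = product_for_task(row["TaskName"])
        if product is None:
            continue
        exe = executable_from_command(row["Task To Run"])
        basename = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if basename in INTERPRETERS:
            reasons.append(f"launches interpreter {basename}")
        if not any(re.match(p, exe, re.IGNORECASE) for p in PRODUCTS[product]["roots"]):
            reasons.append(f"binary outside expected {product} install root")
        if reasons:
            findings.append({"task": row["TaskName"], "exe": exe, "reasons": reasons})
    return findings


# Constructed sample in the column layout of `schtasks /query /v /fo CSV`,
# trimmed to the three columns this script reads. Not real host data.
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Author","Task To Run"
"\GoogleUpdateTaskMachineUA","Google LLC","""C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"" /ua /installsource scheduler"
"\Chrome Update Service","ivan","C:\Users\ivan\AppData\Roaming\ChromeUpdate\chrome_update.exe"
"\Yandex Disk Sync","ivan","powershell.exe -w hidden -nop -enc <omitted>"
"\YandexDiskSync","Yandex","C:\Users\ivan\AppData\Local\Yandex\YandexDisk2\YandexDisk2.exe /sync"
'''

if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{finding['task']!r} -> {finding['exe']}: {'; '.join(finding['reasons'])}")
```

On a live Windows host, redirect `schtasks /query /v /fo CSV` to a file and pass its contents to `audit_tasks`; the two look-alike tasks in the sample are reported (one for its user-profile path, one for launching PowerShell) while the genuine updater and Yandex Disk entries pass. Treat the result as a lead for triage, not proof: verify the binary's signature and hash before declaring a host compromised.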

Fileless Phishing: Matrix Push C2 Abuses Browser Notifications

Threat actors are exploiting built-in browser features with a new command-and-control (C2) platform called Matrix Push C2.

This “fileless” framework tricks users into subscribing to browser notifications, usually through social engineering on malicious or compromised websites. Once a user subscribes, the attackers push fake alerts (for example, “Verify login” or “Update browser”) that mimic real system messages, complete with familiar branding and logos.

If the user clicks one of these alerts, they are redirected to a phishing page or a malware download site. The attacker’s dashboard shows who clicked, which notifications users interacted with, and even which browser extensions (such as crypto wallets) are installed.
Notably, Matrix Push C2 is sold as malware-as-a-service (MaaS), with subscription options ranging from monthly to yearly, which puts this attack within reach of less-skilled threat actors.

CISA Alarm: Critical Oracle Identity Manager Zero-Day Under Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious warning: a zero-day vulnerability in Oracle Identity Manager, tracked as CVE-2025-61757, is being actively exploited.

The flaw allows unauthenticated remote attackers to bypass authentication through a bug in Oracle’s URL filter and then execute code on the server.

Once past authentication, attackers can submit malicious Groovy code to be compiled; the payload runs during compilation itself, so no separate execution step is needed, yielding a potent foothold on the identity system. Given the severity (CVSS 9.8), CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by December 12, 2025.

What These Threats Indicate about the Current Cyber Landscape

Taken together, these three incidents highlight some troubling trends in the 2025 threat landscape:

•             Cloud infrastructure is being weaponized: APT31’s use of trusted cloud services for C2 and data theft shows how threat actors increasingly abuse legitimate platforms rather than standing up conspicuous infrastructure of their own.

•             Browser-based attacks are evolving: Matrix Push C2 shows that attackers don’t always need file-based malware; they can abuse browser functionality to deliver phishing content and maintain a persistent foothold.

•             Critical enterprise vulnerabilities remain a top target: the Oracle Identity Manager zero-day shows that sophisticated attackers still go after high-value enterprise systems, and that zero-days in trusted software are a serious risk with consequences for a large number of organizations.

These developments demonstrate the need for modern, layered cyber defenses that go beyond traditional antivirus and firewall tools.

How Sprit Network Can Address These Risks

At Sprit Network, we are paying close attention to these emerging threat vectors and can help organizations defend against them.

Threat Intelligence & Monitoring

  • Our threat intelligence services, powered by cyber threat researchers, can detect unusual cloud-based C2 patterns (like those used by APT31) and monitor for suspicious use of platforms such as Yandex Cloud or OneDrive.
  • We track emerging MaaS platforms (such as Matrix Push C2) and provide our clients with real-world IOCs.

Secure Configuration & Zero-Day Response

  • Through our vulnerability management program, we help clients prioritize and remediate critical vulnerabilities, including zero-days like CVE-2025-61757, by generating customized patching timelines aligned with CISA’s KEV deadlines.
  • We deploy runtime protection and application-layer monitoring to detect anomalous behavior, such as unexpected Groovy script compilation or API abuse.

Browser Security Enhancement

  • We implement browser security policies (via Group Policy, MDM, or other tools) to restrict or audit notification permissions, reducing exposure to fileless push-notification attacks.
  • Our endpoint security solutions provide behavioral detection to identify suspicious redirect flows, unauthorized dashboard connections, and click-through phishing attempts triggered by notifications.
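The Matrix Push C2 technique described earlier only works once a site holds a notification permission, so the browser-hardening bullet above comes down to two concrete controls: find out which origins users have already granted, and stop new grants outside an allowlist. The script below is an added example written for this article, not code from Sprit Network or from any browser vendor. It reads the `profile.content_settings.exceptions.notifications` map from a Chrome `Preferences` file (setting 1 = allow, 2 = block) and emits the matching managed policy (`DefaultNotificationsSetting` and `NotificationsAllowedForUrls`, both real Chrome policy names). The sample profile and the corporate allowlist are constructed for the demonstration.

```python
import json
import os

# Chrome content-setting values (ContentSetting enum): 1 = ALLOW, 2 = BLOCK.
ALLOW, BLOCK = 1, 2


def notification_exceptions(prefs):
    """Return the per-site notification exceptions from a Preferences document."""
    return (prefs.get("profile", {})
                 .get("content_settings", {})
                 .get("exceptions", {})
                 .get("notifications", {}))


def granted_origins(prefs):
    """Origins the user has allowed to send push notifications.

    Keys look like "https://host:443,*" (primary pattern, secondary pattern);
    only the primary pattern identifies the site.
    """
    return sorted(pattern.split(",")[0]
                  for pattern, entry in notification_exceptions(prefs).items()
                  if entry.get("setting") == ALLOW)


def unexpected_grants(prefs, allowlist):
    """Granted origins that are not on the organisation's allowlist."""
    return [origin for origin in granted_origins(prefs) if origin not in allowlist]


def managed_policy(allowlist):
    """Policy that blocks notification prompts everywhere except the allowlist.

    DefaultNotificationsSetting=2 blocks new requests; NotificationsAllowedForUrls
    re-enables the sites you actually need. Deploy via Group Policy / registry on
    Windows or a JSON file under /etc/opt/chrome/policies/managed/ on Linux.
    """
    return {
        "DefaultNotificationsSetting": BLOCK,
        "NotificationsAllowedForUrls": sorted(allowlist),
    }


# Constructed sample profile; the hostnames are invented and the structure is
# trimmed to the keys this script reads.
SAMPLE_PREFERENCES = {
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://mail.example-corp.test:443,*": {"setting": ALLOW},
                    "https://free-movies.example:443,*": {"setting": ALLOW},
                    "https://news.example.org:443,*": {"setting": BLOCK},
                }
            }
        }
    }
}

# Assumed corporate allowlist; replace with your own.
CORP_ALLOWLIST = {"https://mail.example-corp.test:443"}


def load_preferences(path):
    """Load a real Chrome profile (typical Windows path:
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Preferences)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Point CHROME_PREFS at a copied Preferences file to audit a real profile.
    prefs = (load_preferences(os.environ["CHROME_PREFS"])
             if "CHROME_PREFS" in os.environ else SAMPLE_PREFERENCES)
    for origin in unexpected_grants(prefs, CORP_ALLOWLIST):
        print("notification grant outside allowlist:", origin)
    print(json.dumps(managed_policy(CORP_ALLOWLIST), indent=2))
```

Copy the Preferences file before reading it, since Chrome rewrites it while running. The audit side tells you which users already subscribed to an unknown site and need the grant revoked; the policy side prevents the next prompt from ever appearing, which is the control that actually removes the Matrix Push C2 foothold.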

Incident Response & Forensics

  • If compromise is suspected, for instance because of APT31-style persistence, Sprit Network’s incident responders conduct forensic investigations, map the attack chain, and remove backdoors such as CloudSorcerer or OneDriveDoor.
  • We help build and test recovery plans so that when a zero-day exploit or phishing attack occurs, your organization can act quickly to contain the breach and minimize damage.

Conclusion

The November 2025 threat landscape continues to evolve in concerning ways: state-linked espionage groups such as APT31 hide in plain sight in the cloud, crimeware actors innovate with browser-based, fileless phishing through Matrix Push C2, and zero-day vulnerabilities such as the one in Oracle Identity Manager continue to be exploited in high-stakes environments.

These developments should be a wake-up call that legacy defenses are no longer sufficient. Organizations now need proactive, intelligence-driven, multilayered cyber defense strategies.

That’s where Sprit Network comes in. Our blend of threat intelligence, vulnerability management, browser hardening, and incident response keeps your organization ahead of modern threats: not just reacting, but anticipating.

Whether you’d like to learn more about how Sprit Network can help your team defend against these emerging risks or would like to schedule a consultation tailored to your needs, please don’t hesitate to reach out.

Author

SPRIT NETWORK
