Violet Typhoon
Violet Typhoon is a Chinese state-sponsored espionage group operating under the Hubei State Security Department's front company Wuhan Xiaoruizhi, with a 14-year documented history of targeting political officials, government institutions, democratic processes, dissidents, and organizations holding strategic intellectual property across more than a dozen countries. In March 2024, the US and UK jointly indicted seven of its operators and sanctioned its front company — and in July 2025, Microsoft confirmed the group as one of three China-nexus actors actively exploiting the ToolShell SharePoint zero-day chain.
Overview
Violet Typhoon — tracked across the intelligence community as APT31, ZIRCONIUM, Judgment Panda, Bronze Vinewood, and Red Keres — is a Chinese state-sponsored espionage operation attributed to the Hubei State Security Department (HSSD), a provincial arm of China's Ministry of State Security. Unlike some Chinese APT clusters that function as loose contractor networks, Violet Typhoon has a clearly documented institutional structure: the HSSD established Wuhan Xiaoruizhi Science and Technology Company in 2010 as a purpose-built front organization to conduct offensive cyber operations, staffed by a mix of intelligence officers and contracted hackers.
The group's mission is primarily political intelligence — monitoring and disrupting individuals and organizations perceived as adversarial to Beijing's interests, while simultaneously acquiring intellectual property and trade secrets of strategic economic value. Over its operational history, Violet Typhoon has targeted sitting government officials, democratic institutions, political campaign staff, dissidents, journalists, human rights activists, and organizations with sensitive research or defense contracts. In a documented pattern, the group's targeting activity has closely tracked geopolitical events — intensifying around US elections, tensions over Taiwan and the South China Sea, and Hong Kong's democracy movement.
On March 25, 2024, the US Department of Justice unsealed indictments against seven APT31-linked individuals and the Treasury Department sanctioned Wuhan XRZ along with two named operatives — Zhao Guangzong and Ni Gaobin — in a coordinated action with the United Kingdom. The UK simultaneously attributed the 2021–2022 compromise of its Electoral Commission to APT31, as well as a reconnaissance campaign against UK parliamentarians. The State Department offered rewards of up to $10 million for information on the named individuals.
In July 2025, Microsoft confirmed Violet Typhoon as one of three China-nexus actors actively exploiting the ToolShell SharePoint vulnerability chain (CVE-2025-53770 / CVE-2025-53771) against internet-facing servers, with exploitation observed beginning July 7, 2025. The group's activity focused on web shell deployment and MachineKey material theft for persistent post-patch access. Earlier, in December 2024, ESET observed APT31 deploying the NanoSlate espionage backdoor against a Central European government entity, and throughout 2024–2025, Positive Technologies documented a sustained campaign targeting Russian IT contractors with access to government networks — demonstrating the group's willingness to target geopolitical rivals as well as Western adversaries.
Target Profile
Violet Typhoon's targeting is among the broadest of any Chinese APT cluster, spanning political, economic, and civil society targets across multiple continents. The selection of targets closely mirrors Beijing's intelligence priorities at any given geopolitical moment.
- Government Officials and Political Staff: A primary focus. Documented targets include officials at the White House, US Departments of Justice, State, Treasury, and Commerce; US Senators and Representatives; senior officials' spouses; the US Naval Academy and Naval War College; and political campaign staff from both major US parties ahead of the 2020 election.
- Democratic Institutions: The UK Electoral Commission was compromised between 2021 and 2022, exposing voter data for approximately 40 million people. UK parliamentarians were subjected to reconnaissance in a parallel campaign. Compromises of the Finnish parliament and of New Zealand parliamentary systems were attributed to China-nexus actors in coordinated 2021 disclosures.
- Defense and Managed Service Providers: The group targeted seven managed service providers between 2017 and 2019 as access vectors into downstream customer networks, alongside aerospace contractors and a 5G equipment provider. Accessing supply chain entry points is a consistent pattern.
- Technology and Intellectual Property: FireEye's original characterization of APT31 centers on IP theft — specifically targeting data that gives organizations their competitive advantage. Technology companies, research institutions, and firms with proprietary engineering or defense-adjacent IP are persistent targets.
- Dissidents and Civil Society: The group has targeted Hong Kong democracy activists, including those nominated for Nobel Peace Prizes, as well as journalists, human rights organizations, and critics of the Chinese government globally. This component of the mission is directly tied to domestic political priorities rather than foreign intelligence collection.
- NGOs, Think Tanks, and Media: Organizations that shape policy opinion on China — research institutions, think tanks, international media — are targeted for both intelligence collection and, in some cases, to monitor and deter criticism of the PRC.
Tactics, Techniques & Procedures
Violet Typhoon is distinguished from many Chinese APT clusters by the sophistication of its email-based reconnaissance tradecraft and by its increasingly elaborate use of relay infrastructure to obscure attribution.
| mitre id | technique | description |
|---|---|---|
| T1566.002 | Spearphishing with Tracking Links | Over 10,000 malicious emails were sent impersonating journalists and prominent news outlets. Embedded invisible tracking pixels and links exfiltrated the victim's location, IP address, device type, and network schema simply upon opening — enabling highly targeted follow-on attacks including router compromise. |
| T1190 | Exploit Public-Facing Application | Exploitation of internet-facing services including Microsoft SharePoint (ToolShell chain: CVE-2025-53770 / CVE-2025-53771 in July 2025), Exchange vulnerabilities, and zero-day exploits against enterprise software. In 2016, the group exploited a Windows zero-day (CVE-2017-0005 / "Jian") derived from Equation Group tooling. |
| T1090.003 | Multi-hop Proxy / ORB Networks | Violet Typhoon used the FLORAHOX ORB (Operational Relay Box) network — a mesh of compromised routers and Tor nodes — to proxy C2 traffic and obscure origin. Mandiant's 2024 analysis described this infrastructure pattern as enabling "IOC extinction," dramatically reducing the defensive value of static network indicators. |
| T1574.002 | DLL Side-Loading | Consistent use of DLL side-loading with legitimate signed binaries to execute malicious payloads. Documented in 2024–2025 Russian IT sector campaigns, including a Cobalt Strike loader (CloudyLoader) deployed via an LNK file triggering DLL side-loading from a RAR archive. |
| T1102 | Web Service C2 Abuse | C2 traffic routed through legitimate cloud services to blend with normal enterprise traffic. Observed services include Dropbox, GitHub, Yandex Cloud, and Microsoft OneDrive — a technique that bypasses perimeter controls relying on domain reputation. |
| T1505.003 | Web Shell Deployment | Web shells deployed to compromised servers for persistent command execution and lateral staging. Confirmed in ToolShell exploitation targeting SharePoint servers in July 2025. |
| T1078 | Valid Account Abuse | Following initial access, the group harvests and abuses valid credentials to expand access. Password collection from mailboxes and internal services documented in Russian IT sector intrusions, with dwell times exceeding one year in some cases before detection. |
| T1053 | Scheduled Task / Persistence | Registry run keys and scheduled tasks used for persistent execution across reboots. Combined with side-loading chains to re-establish access if individual components are detected and removed. |
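The T1566.002 row describes the reconnaissance mechanism: a remote-loaded element in the email body fetches a per-recipient URL the moment the message is rendered, which is all an operator needs to learn the reader's IP address, device and network position. The defender-side counterpart (the same control the Email Security mitigation later on this page asks for) is to find and neutralise such elements at the gateway before rendering. The following Python is an added example written for this profile, not code from any of the cited sources or vendors. It flags remote images that come from a host outside an allow-list, are one pixel in size, are hidden with CSS, or carry a long query string, and links whose visible URL text names a different host than their `href`. The allow-list `TRUSTED_IMAGE_HOSTS`, the sample message and every hostname in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: hosts the organisation permits remote images from.
TRUSTED_IMAGE_HOSTS = {"images.example-corp.internal"}

_HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)
_REMOTE = re.compile(r"^https?://", re.I)


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (with or without 'px')."""
    return value is not None and re.sub(r"[^0-9]", "", value) in {"0", "1"}


class TrackingElementScanner(HTMLParser):
    """Records remote-loaded elements that behave like beacons, keeping the
    raw start-tag text so the caller can cut them out of the message."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._anchor = None  # [href, raw start tag, visible text] while inside <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self._check_image(a, self.get_starttag_text())
        elif tag == "a" and a.get("href"):
            self._anchor = [a["href"], self.get_starttag_text(), ""]

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor[2] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            href, raw, text = self._anchor
            self._anchor = None
            self._check_link(href, raw, text)

    def _check_image(self, a, raw):
        src = a.get("src") or ""
        if not _REMOTE.match(src):
            return  # cid:/data: images are embedded and never beacon out
        url = urlparse(src)
        reasons = []
        if (url.hostname or "").lower() not in TRUSTED_IMAGE_HOSTS:
            reasons.append("remote image from non-allow-listed host")
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("1x1 pixel")
        if _HIDDEN_CSS.search(a.get("style") or ""):
            reasons.append("hidden via CSS")
        if len(url.query) >= 16:
            reasons.append("long query string (likely per-recipient token)")
        if reasons:
            self.findings.append({"kind": "img", "url": src, "raw": raw, "reasons": reasons})

    def _check_link(self, href, raw, text):
        if not _REMOTE.match(href):
            return
        real = (urlparse(href).hostname or "").lower()
        shown = re.search(r"https?://([^/\s]+)", text)
        # Visible URL text names one host while the href goes to another:
        # the shape of a redirecting, recipient-tagged tracking link.
        if shown and shown.group(1).lower() != real:
            self.findings.append({"kind": "a", "url": href, "raw": raw,
                                  "reasons": [f"text shows {shown.group(1)}, href goes to {real}"]})


def scan_email_html(body):
    """Return the list of tracking findings for an HTML body."""
    p = TrackingElementScanner()
    p.feed(body)
    p.close()
    return p.findings


def sanitize_email_html(body):
    """Return (sanitized_body, findings): flagged images are removed,
    flagged links keep their visible text but lose the href."""
    findings = scan_email_html(body)
    for f in findings:
        body = body.replace(f["raw"], "<!-- remote image removed by gateway -->" if f["kind"] == "img" else "<a>")
    return body, findings


# Constructed sample: a lure styled as a news outlet's mailing, with a hidden
# beacon and a redirecting "read more" link. All hostnames are placeholders.
SAMPLE_EMAIL = """<html><body>
<p>Please see our latest report on the region.</p>
<img src="https://images.example-corp.internal/logo.png" width="200" height="60">
<a href="https://trk.example-tracker.test/r/7f3a9c2e1b5d4e6f">https://www.example-news.test/report</a>
<img src="https://trk.example-tracker.test/o.gif?u=7f3a9c2e1b5d4e6f0011" width="1" height="1" style="display:none">
</body></html>"""

if __name__ == "__main__":
    clean, found = sanitize_email_html(SAMPLE_EMAIL)
    for f in found:
        print(f["kind"], f["url"], "->", "; ".join(f["reasons"]))
    print(clean)
```

The rules are deliberately independent: a beacon that is neither tiny nor hidden still trips the allow-list rule, so a strict gateway can strip every remote image and use the other reasons only to prioritise alerts on the sensitive mailboxes named in the Target Profile.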
Known Campaigns
Confirmed or high-confidence operations attributed to Violet Typhoon across its operational history.
Microsoft confirmed Violet Typhoon as one of three China-nexus actors exploiting the ToolShell SharePoint zero-day chain (CVE-2025-53770 / CVE-2025-53771) beginning July 7, 2025, prior to public disclosure. The group deployed web shells to compromised servers and exfiltrated MachineKey material — cryptographic keys used to forge authentication tokens and maintain access independent of patching. Attribution confirmed publicly by Microsoft on July 22, 2025.
Positive Technologies documented a sustained campaign from late 2022 through 2025 targeting Russian IT companies serving as contractors and integrators for government agencies, as well as organizations in the Czech Republic. The group used spearphishing with RAR/LNK delivery chains, Cobalt Strike (CloudyLoader), and cloud C2 via Yandex Cloud and OneDrive. Dwell times exceeded one year in at least one intrusion, with operators timing activity to weekends and holidays to reduce detection.
The UK National Cyber Security Centre assessed with high confidence that APT31 compromised the Electoral Commission between 2021 and 2022, gaining unauthorized access to voter registration data for approximately 40 million people. In a parallel campaign, APT31 conducted reconnaissance against UK parliamentarians' email accounts. The UK government publicly attributed both operations in March 2024 alongside the US DOJ indictments, with coordinated sanctions on Wuhan XRZ, Zhao Guangzong, and Ni Gaobin.
As documented in the March 2024 DOJ indictment, APT31 operators sent over 10,000 tracking emails to officials across the White House, Departments of Justice, State, Treasury, and Commerce, congressional legislators from both parties, and campaign staff ahead of the 2020 election. In some cases the targeting extended to spouses of senior officials. Confirmed stolen data included telephone call records, cloud storage contents, and email archives, with surveillance of some accounts sustained for years.
APT31 systematically targeted seven managed service providers between 2017 and 2019 as access vectors into downstream customer networks. The tactic reflects an upstream-compromise strategy — targeting providers that hold privileged access to multiple downstream organizations rather than attacking high-value targets directly. The DOJ indictment also documented concurrent targeting of a 5G equipment provider and aerospace contractors.
Tools & Malware
Violet Typhoon deploys a combination of purpose-built custom malware, shared Chinese APT tools, and commodity frameworks. The DOJ indictment named four malware families explicitly.
- RAWDOOR: A custom backdoor created and used by APT31, named in the March 2024 DOJ indictment. Establishes secure connections with adversary-controlled servers to receive and execute commands on victim machines.
- Trochilus RAT: A remote access trojan capable of file management, credential theft, remote shell access, and process manipulation. Used for persistent post-compromise access and lateral movement.
- EvilOSX: A macOS-targeting RAT, reflecting the group's cross-platform capability and willingness to target non-Windows systems when required by the target environment.
- DropDoor / DropCat: Malware families named in the DOJ indictment, used to establish and maintain access to compromised networks.
- NanoSlate: An espionage backdoor observed by ESET in a December 2024 campaign targeting a Central European government entity. Represents continued tool development and modernization of the group's implant repertoire.
- Cobalt Strike (cracked): A cracked version of Cobalt Strike Beacon is used for post-exploitation activities. In recent Russian IT sector campaigns, a custom loader (CloudyLoader) was used to deploy it via DLL side-loading from LNK-triggered archives.
- Cloud C2 Channels: C2 and exfiltration routed through Dropbox, GitHub, Yandex Cloud, and Microsoft OneDrive to blend traffic with legitimate enterprise activity and evade domain-reputation-based controls.
- FLORAHOX ORB Network: Infrastructure rather than malware — a mesh of compromised home routers and relay nodes used to proxy C2 traffic through Tor and legitimate endpoints, dramatically reducing the attribution value of static network indicators.
Indicators of Compromise
Select publicly disclosed indicators from documented Violet Typhoon campaigns. Currency is not guaranteed — validate against live intel feeds before operational use.
Violet Typhoon's deliberate use of ORB networks and legitimate cloud services for C2 means traditional network-based IOCs are of limited operational value. Behavioral detection is more reliable than static indicator blocking for this actor.
Mitigation & Defense
Violet Typhoon's combination of sophisticated email tradecraft, supply chain targeting, and relay infrastructure requires a defense strategy that goes beyond perimeter controls and static IOC blocking.
- Email Security — Track and Detonate: The group's tracking pixel technique exfiltrates victim data before any payload is delivered. Implement email gateway controls that strip or sandbox remote-loaded content, block invisible tracking elements, and alert on emails impersonating media organizations or prominent journalists targeting sensitive staff.
- Patch Internet-Facing Services Immediately: SharePoint ToolShell (July 2025), Exchange vulnerabilities, and edge appliance CVEs have all been exploited by this group. Rapid patching of internet-facing infrastructure is the primary control. For organizations that ran unpatched SharePoint during the ToolShell window, rotate ASP.NET machine keys immediately.
- Harden Managed Service Provider Relationships: Given the group's documented MSP supply chain strategy, organizations using managed IT providers should audit the access those providers have, enforce MFA on all privileged paths, and monitor for anomalous access originating from provider infrastructure.
- Behavioral Detection Over Static IOCs: The FLORAHOX ORB network and legitimate cloud C2 channels make static IP and domain blocking largely ineffective against this actor. Prioritize behavioral analytics — anomalous POST requests to cloud storage APIs, unexpected scheduled tasks, DLL side-loading chains, and unusual outbound HTTPS patterns from servers.
- MFA on All External Access: Violet Typhoon extensively harvests and abuses credentials. MFA on all externally accessible services — email, VPNs, cloud portals, remote access tools — significantly reduces the value of stolen credential material.
- Router and Home Device Security: The DOJ indictment documented the group compromising targets' home routers after harvesting location and IP data from tracking emails. High-value individuals (senior officials, executives, researchers) should ensure home network equipment is patched, default credentials are changed, and UPnP is disabled.
- Monitor for Cloud Storage Exfiltration: Alert on unusual volumes of data uploaded to Yandex, OneDrive, Dropbox, or GitHub from server or workstation processes. Outbound data flows to these services from non-user-initiated processes warrant investigation.
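The Behavioral Detection and Cloud Storage Exfiltration bullets both turn on the same observation: the destination domains (Dropbox, GitHub, Yandex Cloud, OneDrive) are legitimate and cannot be blocked outright, so the signal has to come from who is uploading and how much. The following Python is an added example written for this profile, not detection logic from the cited sources. It reads proxy log lines in a constructed `ts key=value ...` format and raises an alert when an upload to a cloud storage domain comes from a server, from a process that is not an interactive browser or sync client, or exceeds a volume threshold for one host/process/service combination. The domain-to-service map, the process allow-list, the `srv-` hostname convention, the 50 MiB threshold and the log lines themselves are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed hostname-suffix -> service map; extend it from your proxy's own URL
# categorisation. graph.microsoft.com carries far more than OneDrive traffic,
# so it is labelled accordingly and will be the noisiest entry.
CLOUD_STORAGE_SUFFIXES = {
    "dropbox.com": "Dropbox", "dropboxapi.com": "Dropbox",
    "github.com": "GitHub", "githubusercontent.com": "GitHub",
    "yandexcloud.net": "Yandex Cloud", "disk.yandex.ru": "Yandex Disk",
    "onedrive.live.com": "OneDrive", "1drv.ms": "OneDrive",
    "graph.microsoft.com": "OneDrive/Graph",
}
# Assumed: processes expected to upload to these services from a workstation.
USER_INITIATED_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe", "onedrive.exe"}
SERVER_PREFIX = "srv-"                      # assumed server naming convention
VOLUME_THRESHOLD_BYTES = 50 * 1024 * 1024   # assumed per-window upload ceiling
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one 'ts key=value ...' proxy log line (constructed format)."""
    f = {k: v.strip('"') for k, v in _KV.findall(line)}
    return {
        "ts": line.split(" ", 1)[0],
        "host": f.get("host", "").lower(),
        "proc": f.get("proc", "").lower(),
        "method": f.get("method", "").upper(),
        "url": f.get("url", ""),
        "bytes_out": int(f.get("bytes_out", "0")),
    }


def classify_service(url):
    """Map a URL to a cloud storage service name, or None if it is not one."""
    host = (urlparse(url).hostname or "").lower()
    for suffix, service in CLOUD_STORAGE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def detect_cloud_exfil(lines):
    """Apply three rules to upload events bound for cloud storage services:
    R1 the source is a server, R2 the process is not an interactive client,
    R3 the (host, process, service) upload volume exceeds the threshold.
    Each rule fires at most once per (host, process, service)."""
    alerts, seen = [], set()
    volume = defaultdict(int)

    def raise_alert(rule, host, proc, service, detail):
        key = (rule, host, proc, service)
        if key not in seen:
            seen.add(key)
            alerts.append({"rule": rule, "host": host, "proc": proc,
                           "service": service, "detail": detail})

    for line in lines:
        ev = parse_line(line)
        service = classify_service(ev["url"])
        if service is None or ev["method"] not in UPLOAD_METHODS:
            continue  # downloads and non-storage destinations are out of scope
        volume[(ev["host"], ev["proc"], service)] += ev["bytes_out"]
        if ev["host"].startswith(SERVER_PREFIX):
            raise_alert("server_upload", ev["host"], ev["proc"], service,
                        f"server uploading to {service} at {ev['ts']}")
        elif ev["proc"] not in USER_INITIATED_PROCS:
            raise_alert("non_user_process_upload", ev["host"], ev["proc"], service,
                        f"{ev['proc']} uploading to {service} at {ev['ts']}")
    for (host, proc, service), total in volume.items():
        if total > VOLUME_THRESHOLD_BYTES:
            raise_alert("upload_volume", host, proc, service,
                        f"{total} bytes uploaded to {service} in window")
    return alerts


# Constructed sample log lines; hosts, users and paths are placeholders.
SAMPLE_LOG = [
    "2025-07-09T02:14:03Z host=SRV-SP01 user=svc_iis proc=w3wp.exe method=POST url=https://content.dropboxapi.com/2/files/upload bytes_out=4194304",
    "2025-07-09T02:14:09Z host=SRV-SP01 user=svc_iis proc=w3wp.exe method=POST url=https://content.dropboxapi.com/2/files/upload bytes_out=4194304",
    "2025-07-09T09:02:11Z host=WS-1042 user=jdoe proc=chrome.exe method=GET url=https://github.com/example/repo bytes_out=512",
    "2025-07-09T09:05:40Z host=WS-1042 user=jdoe proc=onedrive.exe method=PUT url=https://graph.microsoft.com/v1.0/me/drive/items/abc/content bytes_out=1048576",
    "2025-07-09T23:41:02Z host=WS-0877 user=asmith proc=rundll32.exe method=PUT url=https://storage.yandexcloud.net/bkt-7a1/part-001 bytes_out=33554432",
    "2025-07-09T23:41:55Z host=WS-0877 user=asmith proc=rundll32.exe method=PUT url=https://storage.yandexcloud.net/bkt-7a1/part-002 bytes_out=33554432",
    "2025-07-09T10:12:00Z host=WS-0311 user=kwong proc=msedge.exe method=POST url=https://www.dropbox.com/home bytes_out=2048",
]

if __name__ == "__main__":
    for alert in detect_cloud_exfil(SAMPLE_LOG):
        print(alert["rule"], alert["host"], alert["proc"], alert["service"], "-", alert["detail"])
```

On the sample, the two workstation uploads from browsers and the sync client produce nothing, the SharePoint server's worker process uploading to Dropbox trips the server rule, and the late-night `rundll32.exe` uploads to Yandex Cloud trip both the process rule and, once the two parts are summed, the volume rule. In production the window should be bounded (for example, one rolling hour per key) and the server rule weighted highest, since servers in this profile's ToolShell scenario have no business uploading to personal cloud storage at all.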
Violet Typhoon is notable for combining broad population-level email surveillance with highly targeted follow-on intrusion — the tracking email campaign is effectively a reconnaissance pipeline that feeds individual targeting decisions. Organizations in the political, policy, and government spaces should treat any unsolicited email from a "journalist" or "news outlet" as a potential APT31 probe. The group also operates across both Western and non-Western targets (including Russia), demonstrating that it is not geographically constrained by the usual China-vs-West framing — it targets whoever holds intelligence value for Beijing at any given moment.
Sources & Further Reading
Attribution and references used to build this profile.
- MITRE ATT&CK — Threat Group G0128 (ZIRCONIUM / APT31 / Violet Typhoon)
- US Department of Justice — Seven APT31 Hackers Indicted (March 2024)
- US Treasury OFAC — Sanctions on Wuhan Xiaoruizhi Science and Technology Company (March 2024)
- Microsoft Threat Intelligence — ToolShell SharePoint Exploitation Attribution (July 2025)
- The Hacker News — APT31 Targets Russian IT Sector with Cloud C2 (November 2025)
- The Hacker News — Czech Republic Attributes Ministry of Foreign Affairs Attack to APT31 (May 2025)
- HarfangLab — Analysis of the APT31 Indictment (2024)
- Malpedia — APT31 Threat Actor Entry