Home/ Threat Actors/ ZIRCONIUM

🌐ZIRCONIUM

🌐 ZIRCONIUM is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 29 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0128) ↗

14Use cases

0Articles

29Techniques

0IOCs

About this actor (MITRE)

[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.(Citation: Microsoft Targeting Elections September 2020)(Citation: Check Point APT31 February 2021)

Known aliases

ZIRCONIUMAPT31Violet Typhoon

Top techniques

T1012 · Query Registry T1016 · System Network Configuration Discovery T1027.002 · Software Packing

All other tracked techniques

T1033 · System Owner/User Discovery T1036 · Masquerading T1036.004 · Masquerade Task or Service T1041 · Exfiltration Over C2 Channel T1059.003 · Windows Command Shell T1059.006 · Python T1068 · Exploitation for Privilege Escalation T1082 · System Information Discovery T1090.003 · Multi-hop Proxy T1102.002 · Bidirectional Communication T1105 · Ingress Tool Transfer T1124 · System Time Discovery T1140 · Deobfuscate/Decode Files or Information T1204.001 · Malicious Link T1218.007 · Msiexec T1547.001 · Registry Run Keys / Startup Folder T1555.003 · Credentials from Web Browsers T1566.002 · Spearphishing Link T1567.002 · Exfiltration to Cloud Storage T1573.001 · Symmetric Cryptography T1583.001 · Domains T1583.006 · Web Services T1584.008 · Network Devices T1598 · Phishing for Information T1598.003 · Spearphishing Link T1665 · Hide Infrastructure

Detection use cases (14)

ZIRCONIUM/APT31 Dropbox API C2 & exfil from non-browser LOLBin (DropboxAES / RPipeCommander) AI · profile SΣ ZIRCONIUM/APT31 spearphishing-link → msiexec /i HTTP install chain AI · profile S 1Password activity from Tor exit node MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match