Cybercriminals associated with the APT31 group have begun using Yandex.Disk as part of their attack chain, according to press reports corroborated by the security firm Positive Technologies. This marks a shift in their preferred storage destinations, with earlier campaigns favoring international services such as Dropbox or OneDrive. The change signals evolving tactics as attackers explore multiple hosting options to reach victims and evade defenses.
The infection sequence starts with a malicious email containing a Word document that carries a macro. When the recipient opens the attachment, the document acts as bait and triggers the download of an executable. This executable then loads a malicious library and ultimately runs the payload on the victim's machine. Security researchers describe the macro as the initial foothold that unlocks the subsequent stages of the compromise.
Experts from Positive Technologies note that the executable is designed to exploit a component of Yandex.Browser. That module is the weak point the attackers lean on to execute commands and move laterally within the system. This finding highlights how a legitimate browser component can become a conduit for malicious activity if it is not properly safeguarded against abuse.
As the operation unfolds, the malware uses Yandex.Disk to retrieve the necessary commands and updates, effectively embedding itself in a trusted cloud storage workflow. In this way, the threat actor leverages a familiar service to conceal the command-and-control traffic and to streamline the delivery of follow-up instructions to compromised hosts. The approach underscores how attackers blend seemingly ordinary tools with malicious code to complicate detection and response efforts.
Positive Technologies observed that the APT31 group has been active since early 2022, targeting a range of organizations across critical sectors. Among the affected entities were several media outlets and enterprises within the fuel and energy industries, expanding the scope of their reconnaissance and intrusion campaigns. The ongoing activity indicates a deliberate effort to exploit supply chains, reach high-value targets, and harvest data or disrupt operations where it may do the most damage.
Earlier reporting from various outlets noted that Russian threat actors have publicly asserted their interest in major manufacturing capabilities in the United States. While these claims underscore the geopolitical dimensions of cyber threats, the practical takeaway for defenders remains clear: vigilance and layered defenses are essential. Organizations should monitor for unfamiliar use of cloud storage in attack chains, scrutinize macro-enabled documents, and ensure that browser components cannot be repurposed for unauthorized access. The researcher findings and incident details cited here are attributed to Positive Technologies and related industry analyses. [Positive Technologies]
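The two defensive checks the article calls for, watching macro-enabled documents and watching for cloud storage turning up in an attack chain, can be joined into one correlation: flag an Office process that launches another executable, and flag Yandex.Disk traffic from any process that descends from an Office process. The sketch below is an added example, not code from the article or from Positive Technologies; the Yandex.Disk host names, the Sysmon-style record shapes and the sample events are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Yandex.Disk endpoints: assumed for illustration, the article names only the service.
CLOUD_HOSTS = {"webdav.yandex.ru", "cloud-api.yandex.net", "disk.yandex.ru"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

@dataclass
class ProcStart:  # process-creation record (Sysmon event 1 style, constructed)
    pid: int
    ppid: int
    image: str

@dataclass
class NetConn:    # outbound-connection record (Sysmon event 3 style, constructed)
    pid: int
    host: str

def office_ancestor(pid, procs):
    """Walk up the parent chain from pid; return the first Office image met, else None."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        if procs[pid].image.lower() in OFFICE_APPS:
            return procs[pid].image
        pid = procs[pid].ppid
    return None

def detect(events):
    procs, findings = {}, []
    for ev in events:
        if isinstance(ev, ProcStart):
            procs[ev.pid] = ev
            parent = procs.get(ev.ppid)
            # Rule 1: an Office process launching a non-Office child (the macro foothold).
            if parent and parent.image.lower() in OFFICE_APPS and ev.image.lower() not in OFFICE_APPS:
                findings.append(f"office-spawn: {parent.image} started {ev.image} (pid {ev.pid})")
        elif ev.host.lower() in CLOUD_HOSTS:
            # Rule 2: cloud-storage traffic from any descendant of an Office app, so a
            # legitimate browser binary reused as a loader is still caught by ancestry.
            anc = office_ancestor(ev.pid, procs)
            if anc:
                img = procs[ev.pid].image if ev.pid in procs else "unknown"
                findings.append(f"cloud-c2: {img} (pid {ev.pid}, under {anc}) -> {ev.host}")
    return findings

# Constructed sample (not real telemetry): Word -> downloader -> browser binary -> Yandex.Disk,
# alongside a user's Chrome session that legitimately reaches Yandex.Disk and is not flagged.
SAMPLE_EVENTS = [
    ProcStart(100, 1, "explorer.exe"), ProcStart(200, 100, "winword.exe"),
    ProcStart(300, 200, "invoice_update.exe"), ProcStart(400, 300, "browser.exe"),
    NetConn(400, "webdav.yandex.ru"), ProcStart(500, 100, "chrome.exe"), NetConn(500, "disk.yandex.ru"),
]
```

Run `detect(SAMPLE_EVENTS)` to see the two findings; in production the allow/deny decision for Rule 2 would also consider the image path and signer, since the page notes the attackers abuse a legitimate browser component.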