ZIRCONIUM

ZIRCONIUM is a China-linked threat actor tracked under multiple aliases including APT31, Bronze Vinewood, Chameleon, Judgement Panda/Judgment Panda, Red Keres, TA412, Violet Typhoon, and Webfans. The provided content links ZIRCONIUM to Microsoft’s Violet Typhoon naming and repeatedly references APT31 as the associated industry name. The actor is described as Chinese government-linked / China-based in the context of SharePoint exploitation reporting. Observed tradecraft in the provided content includes establishing persistence via a Registry Run key named "Dropbox Update Setup" for a malicious Python binary; using Dropbox as command and control to upload and download files, execute arbitrary commands, and exfiltrate stolen data via the Dropbox API; opening a Windows command shell on remote hosts; querying the Windows Registry for proxy settings; capturing processor architecture to register compromised hosts with C2; stealing credentials from installed web browsers including Microsoft Internet Explorer and Google Chrome; and using AES256 with a SHA1-derived key to decrypt exploit code. The content also states that ZIRCONIUM has utilized an ORB (operational relay box) network composed of compromised SOHO routers, IoT devices, and leased VPS infrastructure to proxy traffic. The content further places Violet Typhoon among Chinese state-linked actors observed exploiting SharePoint vulnerabilities against internet-facing SharePoint servers, with Microsoft describing Violet Typhoon as a Chinese nation-state actor that has operated since 2015 and primarily conducts espionage against former government and military personnel, NGOs, think tanks, higher education, media, financial, and health sectors in the United States, Europe, and East Asia. The content also notes exploitation of SharePoint vulnerabilities by China-linked groups including Linen Typhoon and Violet Typhoon to steal intellectual property.