Threat Actor Profile
High APT
Description

ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.(Citation: Microsoft Targeting Elections September 2020)(Citation: Check Point APT31 February 2021)

Confidence Score
90%
Known Aliases
ZIRCONIUM APT31 Violet Typhoon
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (29)
T1090.003 - Multi-hop Proxy
Command and Control
T1102.002 - Bidirectional Communication
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1573.001 - Symmetric Cryptography
Command and Control
T1665 - Hide Infrastructure
Command and Control
T1555.003 - Credentials from Web Browsers
Credential Access
T1027.002 - Software Packing
Defense Evasion
T1036 - Masquerading
Defense Evasion
T1036.004 - Masquerade Task or Service
Defense Evasion
T1140 - Deobfuscate/Decode Files or Information
Defense Evasion
T1218.007 - Msiexec
Defense Evasion
T1012 - Query Registry
Discovery
T1016 - System Network Configuration Discovery
Discovery
T1033 - System Owner/User Discovery
Discovery
T1082 - System Information Discovery
Discovery
T1124 - System Time Discovery
Discovery
T1059.003 - Windows Command Shell
Execution
T1059.006 - Python
Execution
T1204.001 - Malicious Link
Execution
T1041 - Exfiltration Over C2 Channel
Exfiltration
T1567.002 - Exfiltration to Cloud Storage
Exfiltration
T1566.002 - Spearphishing Link
Initial Access
T1547.001 - Registry Run Keys / Startup Folder
Persistence
T1068 - Exploitation for Privilege Escalation
Privilege Escalation
T1598 - Phishing for Information
Reconnaissance
T1598.003 - Spearphishing Link
Reconnaissance
T1583.001 - Domains
Resource Development
T1583.006 - Web Services
Resource Development
T1584.008 - Network Devices
Resource Development
Indicators of Compromise

Loading IOCs…

IOC KQL for Sentinel
STIX Data 
{'aliases': ['ZIRCONIUM', 'APT31', 'Violet Typhoon'],
 'created': '2021-03-24T15:48:17.731Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a '
                'threat group operating out of China, active since at least '
                '2017, that has targeted individuals associated with the 2020 '
                'US presidential election and prominent leaders in the '
                'international affairs community.(Citation: Microsoft '
                'Targeting Elections September 2020)(Citation: Check Point '
                'APT31 February 2021)',
 'external_references': [{'external_id': 'G0128',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0128'},
                         {'description': '(Citation: Check Point APT31 '
                                         'February 2021)',
                          'source_name': 'APT31'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Violet Typhoon'},
                         {'description': 'Burt, T. (2020, September 10). New '
                                         'cyberattacks targeting U.S. '
                                         'elections. Retrieved March 24, 2021.',
                          'source_name': 'Microsoft Targeting Elections '
                                         'September 2020',
                          'url': 'https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/'},
                         {'description': 'Itkin, E. and Cohen, I. (2021, '
                                         'February 22). The Story of Jian – '
                                         'How APT31 Stole and Used an Unknown '
                                         'Equation Group 0-Day. Retrieved '
                                         'March 24, 2021.',
                          'source_name': 'Check Point APT31 February 2021',
                          'url': 'https://research.checkpoint.com/2021/the-story-of-jian/'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}],
 'id': 'intrusion-set--4283ae19-69c7-4347-a35e-b56f08eb660b',
 'modified': '2025-10-15T20:39:25.843Z',
 'name': 'ZIRCONIUM',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '2.3'}
Quick Actions
Related TTPs (29)
Multi-hop Proxy
Command and Control
Bidirectional Communication
Command and Control
Ingress Tool Transfer
Command and Control
Symmetric Cryptography
Command and Control
Hide Infrastructure
Command and Control
View All 29 TTPs
Back to Threat Actors
Dashboard Home