APT31 has long been known to use Operational Relay Boxes (ORBs) and to compromise routers.
This report examines in detail their only publicly known router implant, dubbed “SoWaT”.
The implant can function as a RAT, a tunnel and a proxy.
Extensive verification and double-encryption procedures signal a threat actor (TA) trying to evade even the most capable defender.
The implant’s code reveals a long development history, most likely over several years.
APT31, aka Zirconiu…