APT41 (a.k.a. Double Dragon, BARIUM, Winnti): a well-documented and highly active threat group.

Origin: China. The group is believed to be state-sponsored, likely tied to China’s Ministry of State Security (MSS).

APT41 is unique in that it blends state-sponsored espionage with financially motivated cybercrime. It uses both sophisticated custom malware and publicly available tools.

Based on the MITRE ATT&CK Framework:

TTP Category          Techniques Used
Initial Access        Spear-phishing emails, watering hole attacks, supply chain compromises
Execution             PowerShell, command-line interface, DLL side-loading
Persistence           Registry run keys, scheduled tasks, web shells
Privilege Escalation  Exploiting local vulnerabilities, credential dumping
Defense Evasion       Signed binaries, process injection, obfuscated scripts
Credential Access     Mimikatz, LSASS memory scraping
Discovery             Network scanning, account discovery, system info enumeration
Lateral Movement      Remote desktop, SMB, Windows admin shares
Exfiltration          Encrypted channels, custom C2 over HTTPS/DNS
Impact                Ransomware deployment, deletion of logs
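The table above names the techniques but not what they look like in telemetry. The following is an added example, not code from the original page: a small detector that maps Sysmon-style process, registry, image-load and process-access events to four of the table's rows (Persistence via Run keys and scheduled tasks, Credential Access via LSASS memory access, Execution via encoded PowerShell, Defense Evasion via DLL side-loading). The log lines are constructed for illustration, the key=value format is a simplification of real Sysmon output, and the ATT&CK technique IDs attached to each rule are my mapping, not something the page states.

```python
"""Toy ATT&CK-mapped detector for the APT41 TTP rows listed above.

Added example, not from the original page. Events are constructed; field
names follow Sysmon conventions (EventID, Image, TargetObject, CommandLine,
SourceImage, TargetImage, ImageLoaded) but the 'k=v|k=v' format is a
simplification used so the example runs offline.
"""
import re
from collections import Counter

# Constructed sample telemetry (not real data). Lines 1-5 each trigger a rule;
# line 6 is benign; line 7 is LSASS access by an allowlisted system process.
SAMPLE_EVENTS = [
    "EventID=13|Image=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe|TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "EventID=1|Image=C:\\Windows\\System32\\schtasks.exe|CommandLine=schtasks /create /tn Sync /tr C:\\ProgramData\\sync.exe /sc onlogon",
    "EventID=10|SourceImage=C:\\Users\\bob\\Downloads\\tool.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -nop -w hidden -enc SQBFAFgA",
    "EventID=7|Image=C:\\Program Files\\Vendor\\app.exe|ImageLoaded=C:\\Users\\Public\\version.dll|Signed=false",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe C:\\notes.txt",
    "EventID=10|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1fffff",
]

# Processes that legitimately open LSASS on a typical host; tune per environment.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "msmpeng.exe"}


def parse_event(line):
    """Turn a constructed 'k=v|k=v' line into a dict (assumed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path):
    """Heuristic: paths an unprivileged user can normally write to."""
    p = path.lower()
    return "\\users\\" in p or "\\programdata\\" in p or "\\temp\\" in p


def run_key_persistence(e):
    # Sysmon EventID 13 = registry value set; watch the Run key hierarchy.
    return e.get("EventID") == "13" and "\\currentversion\\run" in e.get("TargetObject", "").lower()


def scheduled_task_creation(e):
    return (e.get("EventID") == "1" and basename(e.get("Image", "")) == "schtasks.exe"
            and "/create" in e.get("CommandLine", "").lower())


def lsass_access(e):
    # Sysmon EventID 10 = process access; any non-allowlisted source is suspect.
    return (e.get("EventID") == "10" and basename(e.get("TargetImage", "")) == "lsass.exe"
            and basename(e.get("SourceImage", "")) not in LSASS_ALLOWLIST)


def encoded_powershell(e):
    if e.get("EventID") != "1" or basename(e.get("Image", "")) != "powershell.exe":
        return False
    # -e / -enc / -EncodedCommand as a standalone switch, case-insensitive.
    return re.search(r"(?i)(^|\s)-e(nc|ncodedcommand)?(\s|$)", e.get("CommandLine", "")) is not None


def dll_sideload(e):
    # Sysmon EventID 7 = image load: unsigned DLL from a user-writable path
    # loaded by a binary that lives in a protected location.
    return (e.get("EventID") == "7" and e.get("Signed", "").lower() == "false"
            and user_writable(e.get("ImageLoaded", ""))
            and not user_writable(e.get("Image", "")))


# (tactic from the table, ATT&CK technique ID, predicate). IDs are my mapping.
RULES = [
    ("Persistence", "T1547.001", run_key_persistence),
    ("Persistence", "T1053.005", scheduled_task_creation),
    ("Credential Access", "T1003.001", lsass_access),
    ("Execution", "T1059.001", encoded_powershell),
    ("Defense Evasion", "T1574.002", dll_sideload),
]


def analyze(lines):
    """Return one hit dict per (event, matching rule), in input order."""
    hits = []
    for n, line in enumerate(lines, 1):
        event = parse_event(line)
        for tactic, technique, predicate in RULES:
            if predicate(event):
                hits.append({"line": n, "tactic": tactic, "technique": technique})
    return hits


def tactic_counts(hits):
    """Roll hits up by tactic, which is how a triage dashboard would show them."""
    return Counter(h["tactic"] for h in hits)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for h in found:
        print(h)
    print(dict(tactic_counts(found)))
```

Each rule is deliberately narrow and keyed on a single event type, so a real deployment would pair them with environment-specific allowlists (the LSASS list above is a starting point, not a complete one) and correlate across rules: a Run-key write by the same binary that later opens LSASS is far more interesting than either event alone.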

APT41 has attacked a wide range of sectors across multiple continents.

Countries targeted include:

  1. United States
  2. United Kingdom
  3. France
  4. India
  5. South Korea
  6. Singapore
  7. Australia
  8. Many others

Sectors targeted include:

  1. Healthcare
  2. Telecommunications
  3. Manufacturing
  4. Education
  5. Gaming
  6. Government agencies
  7. Pharmaceuticals
  8. Technology providers
  9. Financial services

They are known for:

  1. Espionage against political targets
  2. Intellectual property theft
  3. Targeting COVID-19 research institutions during the pandemic

Tool/Malware Purpose