APT41
APT41 is a China-linked, state-sponsored threat actor that has also been associated with financially motivated activity. Reporting identifies numerous aliases, including Winnti, BARIUM, HOODOO, Aquatic Panda, Wicked Panda, Brass Typhoon, Bronze Atlas, Bronze University, Charcoal Typhoon, Chromium, Double Dragon, Grayfly, Blackfly, Earth Lusca, RedHotel, and Winnti Group/Winnti Umbrella. It also notes subgroups or related clusters, including Blackfly and Grayfly: Blackfly is described as primarily focused on cybercrime and Grayfly on cyberespionage. Earth Freybug is described as a subset of APT41, and Earth Longzhi as a new subgroup of APT41.

Reporting states that Mandiant has tracked APT41 since 2014 and that the group has been active since at least 2012. APT41 is described as overlapping with other Chinese hacking groups, including BARIUM and Winnti, with operational, TTP, and toolset overlaps with other China-nexus clusters such as Earth Lusca. Reporting also characterizes APT41 as part of a broader interconnected Chinese intrusion ecosystem rather than necessarily a single discrete group.

Targets mentioned include gaming and non-gaming organizations, a Taiwanese media organization, an Italian job search company, software developers, and victims in the United States, Netherlands, Russia, China, Germany, and Taiwan. Taiwan’s National Security Bureau named APT41 among Chinese groups involved in sustained targeting of Taiwan’s critical infrastructure, including the energy, healthcare, communications, government, and technology sectors.

Tradecraft and tooling directly mentioned include ShadowPad, Winnti malware, GOODLUCK, DEADEYE, KEYPLUG, DUSTTRAP, BrowserGhost, Cobalt Strike, China Chopper, rootkits, bootkits, ransomware, JScript web shells, and the GC2 (Google Command and Control) red teaming framework.

Reporting also associates APT41 with supply-chain attacks involving CCleaner, ShadowPad, and ShadowHammer, and states that the group uses supply-chain and watering-hole attacks. In one 2022 campaign, Google reported that APT41 abused GC2 in attacks against a Taiwanese media organization and an Italian job search company, using password-protected files hosted on Google Drive to deliver the GC2 agent and using Google Sheets/Drive for tasking, payload delivery, and exfiltration.

Techniques explicitly described include: command execution via cmd.exe and WMI/WMIEXEC; persistence via batch files, Startup file modification, an HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key, and PowerSploit; PowerShell execution; deployment of JScript web shells; file masquerading as antivirus software; use of stolen or leveraged code-signing certificates; collection of machine information, personally identifiable information, account information, employee lists, plaintext and hashed passwords, browser credentials, and local Windows security event logs; querying registry values to identify RDP ports and network configurations; collecting MAC addresses; remote system discovery using MiPing; and deletion of files and artifacts for cleanup.

APT41 has also obtained and used tools such as Mimikatz, pwdump, PowerSploit, Windows Credential Editor, YSoSerial.NET, ConfuserEx, and BadPotato. Reporting further links APT41 to ShadowPad-centric infrastructure and xDll activity attributed to the Winnti group, describing Winnti/APT41/BARIUM/AXIOM as a China-linked state-sponsored group whose interests include espionage and financial gain.
Tradecraft
65 distinct techniques observed across reporting, grouped by tactic, each mapped to its MITRE ATT&CK description.
Associated malware families
51 malware families attributed to this actor across reporting.
Associated vulnerabilities
45 CVEs this actor has used in observed campaigns; all 45 have been exploited in the wild.
APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.
During C0017, APT41 exploited ... CVE-2021-44228 in Log4j... During C0018, the threat actors exploited ... several Log4Shell vulnerabilities, including CVE-2021-44228... Magic Hound has exploited the Log4j utility (CVE-2021-44228).
This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.
...has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158...
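The two detections that follow most directly from this page are the Explorer-to-shell process chain described in the LNK excerpt above and the write to the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key listed under persistence in the profile. The block below is an added example, not Mallory's code or any vendor's rule: it runs both checks over constructed Sysmon-style JSON lines (Event ID 1 for process creation, Event ID 13 for registry value set; the field names and sample values are assumptions made for this example).

```python
"""Added example: run two APT41-related detections over constructed Sysmon-style
JSON-lines telemetry. The event shape and sample values are assumptions for this
example; field names follow Sysmon conventions (Image, ParentImage, CommandLine,
TargetObject, Details)."""
import json
from typing import Callable, Dict, List, Optional

# Registry key named on the page under APT41 persistence. Legitimate writes here are
# rare outside OS servicing, so any SetValue beneath it is worth a look.
SVCHOST_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"

# Shells whose launch from Explorer matches the LNK-initiated execution pattern.
SHELLS = {"cmd.exe", "powershell.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_explorer_spawns_shell(ev: Dict) -> Optional[Dict]:
    """Event ID 1: explorer.exe as parent of cmd.exe or powershell.exe.
    Interactive use also produces this chain, so the finding records whether the
    command line references a .lnk file to raise confidence rather than filter."""
    if ev.get("EventID") != 1:
        return None
    if _basename(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    if _basename(ev.get("Image", "")) not in SHELLS:
        return None
    cmd = ev.get("CommandLine", "")
    return {
        "rule": "explorer_spawns_shell",
        "lnk_reference": ".lnk" in cmd.lower(),
        "command_line": cmd,
    }


def check_svchost_key_write(ev: Dict) -> Optional[Dict]:
    """Event ID 13: a value set anywhere beneath the Svchost service-group key."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if not target.lower().startswith(SVCHOST_KEY.lower()):
        return None
    return {
        "rule": "svchost_key_modified",
        "target": target,
        "details": ev.get("Details", ""),
    }


RULES: List[Callable[[Dict], Optional[Dict]]] = [
    check_explorer_spawns_shell,
    check_svchost_key_write,
]


def detect(jsonl: str) -> List[Dict]:
    """Apply every rule to each JSON line; malformed lines are skipped, not fatal."""
    findings: List[Dict] = []
    for lineno, raw in enumerate(jsonl.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # broken telemetry should not stop the rest of the batch
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hit["line"] = lineno
                findings.append(hit)
    return findings


# Constructed sample telemetry (hostnames, paths and values are invented).
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\alice\Downloads\report.lnk"'}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "powershell.exe"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "notepad.exe notes.txt"}),
    json.dumps({"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
                "TargetObject": SVCHOST_KEY + r"\netsvcs",
                "Details": "example-value"}),
    json.dumps({"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
                "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                "Details": "example-value"}),
    "this line is not json",
])


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Running the block prints three findings: two Explorer-to-shell chains (the first carrying an .lnk reference) and one Svchost key write; the Notepad launch, the unrelated Run-key write and the malformed line produce nothing. In production the Explorer rule needs an allowlist for known interactive use, and the registry rule should be tuned to exclude Windows servicing processes, which the constructed sample does not model.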
Observables
340 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced in a related-content headline as delivering a backdoor to harvest cloud credentials.
Historically associated with techniques similar to the observed abuse of CDN infrastructure via the 'Underminr' method for malware delivery, phishing, and resilient command-and-control evasion, but not directly attributed in this report.
Chinese nexus threat actor conducting both financially motivated intrusions and espionage campaigns, including use and development of ShadowPad, against a wide range of global targets.
Referenced as a China-aligned intrusion set historically associated with ShadowPad malware.