Mallory
Malware · Used by 3 actors

Crosswalk

Crosswalk is a modular backdoor associated with the China-linked threat ecosystem around APT41 and related clusters. The cited reporting explicitly attributes CROSSWALK to APT41, describes it as a primary backdoor used by UNC3569, and notes strong similarities between CROSSWALK and the SideWalk/ScrambleCross backdoor family, suggesting a shared development lineage. Crosswalk has also been referenced as part of the broader Winnti/APT41 tool set and as a more tightly controlled tool deployed after earlier, more widespread malware distribution involving PlugX and ShadowPad.

Observed tradecraft includes DLL side-loading for persistence and execution. In UNC3569 intrusions, CROSSWALK was deployed after exploitation of known n-day vulnerabilities in internet-facing products from vendors including Apache, Microsoft, IBM, VMware, and Oracle. Reporting states UNC3569 commonly used OXEEYE and SIDESTEP during post-exploitation and then installed backdoors including DRAFTGRAPH, CROSSWALK, and the custom GRAYRABBIT for remote control. The malware has also been stored alongside SIDESTEP, OXEEYE, DRAFTGRAPH, and GRAYRABBIT in cloud-hosted infrastructure, including OneDrive-abusing operations.

Crosswalk is linked in the content to PRC-nexus activity targeting organizations worldwide, with sectors including government, education, technology, finance, media, telecommunications, airlines, heavy industry, and energy. Separate reporting ties APT41 activity involving Crosswalk to compromises of software, hardware, telecommunications, social media, video game, nonprofit, university, think tank, and government targets, as well as Hong Kong pro-democracy figures. The content also notes overlap between infrastructure used by actors such as UNC3569 and other China-aligned clusters, and that GRAYRABBIT was found on infrastructure associated with PeckBirdy activity where Crosswalk had previously been deployed alongside DRAFTGRAPH.

High-confidence related references in the cited content include the alias CROSSWALK and the variant ScrambleCross, which is described as a variant of CROSSWALK. The content does not provide a standalone Crosswalk-specific IOC set, but directly associates the family with DLL side-loading, APT41/UNC3569 operations, and co-deployment with DRAFTGRAPH, GRAYRABBIT, SIDESTEP, and OXEEYE.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

APT41

To maintain persistence, the group has been observed to perform DLL side loading techniques to launch malware such as HK Door, Crosswalk, and others.

via Fortinet threat signal (fortiguard.fortinet.com)
UNC3569

A primary backdoor – DRAFTGRAPH, CROSSWALK or the custom GRAYRABBIT – is included in the attack to offer other remote control features.

via Virus Bulletin (virusbulletin.com)
SparklingGoblin

...the SideWalk backdoor shares multiple similarities with CROSSWALK, which is a modular backdoor attributed to APT41...

via ESET WeLiveSecurity blog (welivesecurity.com)
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583.006 Web Services (Evidence: 1)

UNC3569 leverages cloud services like OneDrive for operational infrastructure and strategic cloud storage to complement operations. In one example, a DRAFTGRAPH sample... was configured to abuse OneDrive as its C2 server.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (Evidence: 1)

Since 2021, UNC3569 has exploited popular n-day CVEs in widely used software, such as CVE-2021-44228 and CVE-2022-21587, to gain access to target organizations.

Command and Control

2 techniques
T1071 Application Layer Protocol (Evidence: 1)

UNC3569’s command-and-control (C2) infrastructure reveals patterns in server configurations and subdomain usage. These C&C servers are multifunctional, hosting various malware controllers and serving as distribution points for malware.

T1105 Ingress Tool Transfer (Evidence: 1)

UNC3569 used BEACON stager samples to download additional payloads from GitHub accounts. This allowed the attacker to easily switch payloads as needed.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (3)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (4)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.