APT41
Country: People's Republic of China Organization: Loosely connected private contractors operating on behalf of Chinaβs Ministry of State Security (MSS). Some have worked at Chengdu 404 Network Technology Objective: Espionage, Information theft, Financial crime (Page last updated: December 15, 2024)
Aliases (sorted alphabetically):
- APT41 (FBI, CISA, Cisco, EDTA, FireEye, Mandiant, Kaspersky, Malpedia, Unit 42, Zscaler)
- Axiom (Note: treated as a separate threat actor)
- BARIUM (formerly used by Microsoft)
- Blackfly (Symantec)
- Brass Typhoon (Microsoft)
- Bronze Atlas (SecureWorks)
- Double Dragon (Wikipedia)
- Earth Baku (Trend Micro)
- Grayfly (Symantec)
- Red Kelpie (PWC?)
- RedEcho (different threat actor from Recorded Future possible overlaps)
- Redfly (not used by Symantec, but linked via ShadowPad malware)
- RedGolf (officially used by Recorded Future)
- SparklingGoblin (ESET)
- TG-2633 (formerly used by SecureWorks)
- Wicked Panda (used by CrowdStrike to track espionage)
- Wicked Spider (used by CrowdStrike to track cybercrime)
- Winnti, Winnti Group (Kaspersky, ESET, Cybereason, PwC)
Subgroups
- Earth Longzhi (Trend Micro)
- Earth Freybug (Trend Micro)
- Lead (formerly used by Microsoft)
- Leopard Typhoon (Microsoft)
- Vanadinite (Dragos)
Identified Members
- Zhang Haoran (εΌ ζ΅©ηΆ): FBI Most Wanted
- Tan Dailin (θ°ζ΄ζ): FBI Most Wanted
- Jiang Lizhi (θη«εΏ): FBI Most Wanted
- Qian Chuan (ι±ε·): FBI Most Wanted
- Fu Qiang (δ»εΌΊ): FBI Most Wanted
Associated Company
Chengdu Si Lingsi (404) Network Technology Company Ltd. (ζι½εΈθιΆθη½η»η§ζζιε ¬εΈ)
Vulnerabilities Exploited
- CVE-2018-0824 (7.5 high, in CISA's KEV Catalog) Microsoft COM for Windows Remote Code Execution Vulnerability Source: Cisco
- CVE-2017-0199 (7.8 high, in CISA's KEV Catalog) Microsoft Office and WordPad Remote Code Execution Vulnerability Sources: Clearsky, Fortinet, FireEye
- CVE-2019-3396 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability. Sources: FireEye, Fortinet
- CVE-2015-1641 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: Fortinet
- CVE-2012-0158 (8.8 high, in CISA's KEV Catalog) Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability Sources: Fortinet, FireEye
- CVE-2017-11882 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: FireEye
The following 7 vulnerabilities have the same source: U.S. DOJ
- CVE-2019-19781 (9.8 critical, in CISA's KEV Catalog) Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability Additional sources: FireEye, Fortinet
- CVE-2019-11510 (10.0 critical, in CISA's KEV Catalog) Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
- CVE-2019-16920 (9.8 critical, in CISA's KEV Catalog) D-Link Multiple Routers Command Injection Vulnerability
- CVE-2019-16278 (9.8 critical) Nostromo 1.9.6 Directory Traversal/ Remote Command Execution Vulnerability
- CVE-2019-1652 (7.2 high, in CISA's KEV Catalog) Cisco Small Business Routers Improper Input Validation Vulnerability. Additional source: FireEye
- CVE-2019-1653 (7.5 high, in CISA's KEV Catalog) Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability. Additional source: FireEye
- CVE-2020-10189 (9.8 critical, in CISA's KEV Catalog) Zoho ManageEngine Desktop Central File Upload Vulnerability. Additional sources: FireEye, Fortinet
The following 2 vulnerabilities have the same source: Mandiant
- CVE-2021-44228 (10.0 critical, in CISA's KEV Catalog) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell).
- CVE-2021-44207 (8.1 high) Acclaim USAHERDS Hard-Coded Credentials Vulnerability
Tactics, Techniques, and Procedures
Mapped to MITRE ATT&CK Navigator Layers
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
- December 12, 2024 β QiAnXin XLab: Glutton: A New Zero-Detection PHP Backdoor from Winnti Targets Cybercrimals
- November 12, 2024 β BlackBerry: LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign
- October 31, 2024 β Sophos: Pacific Rim: Inside the Counter-OffensiveβThe TTPs Used to Neutralize China-Based Threats
- August 04, 2024 β Trend Micro: A Dive into Earth Bakuβs Latest Campaign
- August 01, 2024 β Cisco Talos: APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
- July 18, 2024 β Mandiant: APT41 Has Arisen From the DUST
- July 11, 2024 β Zscaler: MoonWalk: A deep dive into the updated arsenal of APT41 | Part 2
- July 10, 2024 β Zscaler: DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1
- June 10, 2024 β Technical University of Zurich (ETH Zurich): From Vegas to Chengdu: Hacking Contests Bug Bounties, and Chinaβs Offensive Cyber Ecosystem (research paper, PDF)
- May 29, 2024 β Natto Thoughts: APT41βs Reconnaissance Techniques and Toolkit: Nmap and What Else?
- May 22, 2024 β Natto Thoughts: Front Company or Real Business in Chinaβs Cyber Operations
- April 02, 2024 β Trend Micro: Earth Freybug Uses UNAPIMON for Unhooking Critical APIs (APT41 subgroup)
- February 28, 2024 β Natto Thoughts: i-SOON: Kicking off the Year of the Dragon with Good Luck β¦ or Not (more about association of i-SOON to Chengdu 404)
2023
- October 27, 2023 β Natto Thoughts: i-SOON: Another Company in the APT41 Network
- September 22, 2023 β Mandiant: Threat Trends: Unraveling WyrmSpy and DragonEgg Mobile Malware with Lookout
- September 12, 2023 β Symantec: Redfly: Espionage Actors Continue to Target Critical Infrastructure (tenuous link via ShadowPad trojan)
- July 19, 2023 β Lookout: Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41
- May 02, 2023 β Trend Micro: Attack on Security Titans: Earth Longzhi Returns With New Tricks (APT41 subgroup)
- April 01, 2023 β Google Cloud/Threat Analysis Group (TAG): April 2023 Threat Horizons Report (PDF, page 9: HOODOO Uses Public Tooling, Google Workspace to Target Taiwanese Media)
- March 30, 2023 β Recorded Future: With KEYPLUG, Chinaβs RedGolf Spies On, Steals From Wide Field of Targets (PDF)
- February 28, 2023 β Symantec: Blackfly: Espionage Group Targets Materials Technology
2022
- November 09, 2022 β Trend Micro: Hack the Real Box: APT41βs New Subgroup Earth Longzhi (APT41 subgroup)
- October 18, 2022 β Symantec: Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong
- September 22, 2022 β U.S. Health and Human Services (HHS): APT41 and Recent Activity (PDF)
- September 14, 2022 β ESET: You never walk alone: The SideWalk backdoor gets a Linux variant
- August 22, 2022 β Mandiant: APT41 (Double Dragon): A Dual Espionage and Cyber Crime Operation (PDF)
- August 18, 2022 β Group-IB:
- July 24, 2022 β Intrusion Truth: Chinese APTs: Interlinked networks and side hustles
- July 23, 2022 β Intrusion Truth: The people behind Chengdu 404
- July 22, 2022 β Intrusion Truth: Chengdu 404
- July 21, 2022 β Intrusion Truth: The old school hackers behind APT41
- July 20, 2022 β Intrusion Truth: APT41: A Case Sudy [sic]
- May 02, 2022 β Cybereason:
- March 08, 2022 β Mandiant: Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
- February 15, 2022 β Secureworks: ShadowPad Malware Analysis
- January 20, 2022 β Kaspersky: MoonBounce: the dark side of UEFI firmware
2021
- October 05, 2021 β BlackBerry: Drawing a Dragon: Connecting the Dots to Find APT41
- September 21, 2021 β Recorded Future: China-Linked Group TAG-28 Targets Indiaβs βThe Times Groupβ and UIDAI (Aadhaar) Government Agency With Winnti Malware, available as PDF (tenuous connection via Winnti malware)
- September 09, 2021 β Symantec: Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware
- August 24, 2021 β ESET: The SideWalk may be as dangerous as the CROSSWALK
- August 24, 2021 β Trend Micro: APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign
- August 20, 2021 β CISA: Chinese State-Sponsored Cyber Operations: Observed TTPs (generalized Chinese threat activity)
- July 08, 2021 β Recorded Future: Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling (TAG-22 overlaps with Winnti, but is considered Aquatic Panda)
- July 01, 2021 β Avast: Backdoored Client from Mongolian CA MonPass
- June 10, 2021 β Group-IB: Big airline heist
- April 29, 2021 β NTT: The Operations of Winnti group (PDF)
- March 16, 2021 β Dragos: New ICS Threat Activity Group: VANADINITE (Winnti subgroup)
- March 10, 2021 β Intezer: New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
- March 08, 2021 β Mazaher Kianpour: Socio-Technical Root Cause Analysis of Cyber-enabled Theft of the U.S. Intellectual Property β The Case of APT41 (PDF)
- February 28, 2021 β Recorded Future: China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions, majority in PDF
- January 14, 2021 β Positive Technologies: Higaisa or Winnti? APT41 backdoors, old and new
2020
- November 11, 2020 β Microsoft: Hunting for Barium using Azure Sentinel
- October 20, 2020 β CISA: Potential for China Cyber Response to Heightened U.S.βChina Tensions (brief mention of APT41)
- September 29, 2020 β Positive Technologies: ShadowPad: new activity from the Winnti group
- September 18, 2020 β Trend Micro: U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks
- September 17, 2020 β Symantec: APT41: Indictments Put Chinese Espionage Group in the Spotlight
- September 16, 2020 β U.S. Department of Justice: Seven International Cyber Defendants, Including βApt41β Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally (ATTRIBUTION)
- Indictment: United States of America v. Zhang Haoran, Tan Dailin (PDF)
- September 16, 2020 β FBI FLASH: Indictment of China-Based Cyber Actors Associated with APT 41 for Intrusion Activities (PDF)
- June 11, 2020 β Zscaler: The Return of the Higaisa APT (see Positive Technologies link from January 14, 2021)
- June 04, 2020 β Malwarebytes: New LNK attack tied to Higaisa APT discovered (see Positive Technologies link from January 14, 2021)
- May 21, 2020 β ESET: No βGame overβ for the Winnti Group
- May 06, 2020 β Trend Micro: Targeted Ransomware Attack Hits Taiwan Organizations
- April 20, 2020 β QuoIntelligence: WINNTI GROUP: Insights From the Past
- April 13, 2020 β Unit 42: APT41 Using New Speculoos Backdoor to Target Organizations Globally
- March 25, 2020 β FireEye: This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
- February ??, 2020 β PwC: Cyber Threats 2019: A Year in Retrospect (PDF, page 10)
- January 31, 2020 β ESET: Winnti Group targeting universities in Hong Kong
- January 31, 2020 β Tagesschau (German news): Deutsches Chemieunternehmen gehackt (German language, archive of dead link. English translated title: βGerman chemical company hackedβ)
2019
- October 31, 2019 β FireEye: MESSAGETAP: Whoβs Reading Your Text Messages?
- October 21, 2019 β ESET: Winnti Group's skip-2.0: A Microsoft SQL Server backdoor
- October 15, 2019 β FireEye: LOWKEY: Hunting for the Missing Volume Serial ID
- October 14, 2019 β ESET: Connecting the dots: Exposing the arsenal and methods of the Winnti Group, with whitepaper PDF
- September 14, 2019 β VMware: CB TAU Threat Intelligence Notification: Winnti Malware 4.0
- August 19, 2019 β FireEye: GAME OVER: Detecting and Stopping an APT41 Operation
- August 07, 2019 β FireEye: APT41: A Dual Espionage and Cyber Crime Operation, available as PDF
- July 24, 2019 β Bayerischer Rundfunk (BR): Winnti: Attacking the Heart of the German Industry
- May 29, 2019 β Intezer: HiddenWasp Malware Stings Targeted Linux Systems (link to Winnti malware)
- May 16, 2019 β Lab52: Winnti Group: Geostrategic and TTP (Tactics, Techniques and Procedures)
- May 15, 2019 β Chronicle: Winnti: More than just Windows and Gates
- April 23, 2019 β Kaspersky: Operation ShadowHammer: a high-profile supply chain attack
- March 25, 2019 β Kaspersky: Operation ShadowHammer
- March 11, 2019 β ESET: Gaming industry still in the scope of attackers in Asia
2018
- June 13, 2018 β Microsoft: Microsoft Corporation v. John Does 1-2 (PDF, Case 1:17-cv-01224-TSE-MSN. Proposed default judgment and order for permanent injunction)
- May 03, 2018 β 401 TRG: Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers
2017
- September 21, 2017 β ESET: CConsiderations on the CCleaner incident (later attributed to Winnti by ESET on May 20, 2020)
- August 15, 2017 β Kaspersky: ShadowPad in corporate networks (attributed to Winnti by PwC in 2019)
- July 18, 2017 β Clearsky: Recent Winnti Infrastructure and Samples
- April 19, 2017 β Trend Micro: Examining a Possible Member of the Winnti Group
- March 22, 2017 β Trend Micro: Winnti Abuses GitHub for C&C Communications
2016
- October 18, 2016 β BlackBerry: Digitally Signed Malware Targeting Gaming Companies (links PassCV APT to Winnti)
2015
- October 05, 2015 β VSEC: Initial Winnti analysis against Vietnam game company (archive of dead link)
- June 22, 2015 β Kaspersky: Games are over: Winnti is now targeting pharmaceutical companies (links Winnti to Axiom)
- April 07, 2015 β Novetta: Operation SMN β Winnti Update (archive of dead link), Winnti Analysis (PDF, archive of dead link)
2013
- April 15, 2013 β Kaspersky: Winnti returns with PlugX
- April 11, 2013 β Kaspersky:
- Winnti. More than just a game, available as PDF (ORIGIN OF WINNTI NAME)
- The Winnti honeypot β luring intruders
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat