APT41

Threat Actor updated 13 days ago (2024-09-25T14:01:33.492Z)
APT41, also known as Winnti, Wicked Panda, and Brass Typhoon, is a significant threat actor attributed to China. This group has been active since at least 2012 and has targeted organizations in over 14 countries. It uses a wide range of malware, with at least 46 different code families and tools observed in its operations. APT41 is notable for its use of public cloud services for hosting malicious files and unique techniques such as LNK file attacks. There appears to be no direct connection to other known advanced persistent threat (APT) groups, though some overlap has been identified. The group's activities align closely with Chinese strategic interests, with theft of intellectual property linked to the "Made in China 2025" initiative being a prominent feature of their operations. In September 2023, experts testified before a House panel that APT41 had stolen hundreds of gigabytes of intellectual property. The U.S. Department of Justice indicted five Chinese nationals in 2020, alleging they were part of APT41 and had hacked more than 100 companies in the United States and abroad. More recently, security researchers have traced a breach at a Taiwanese government-affiliated research institute to APT41. Furthermore, it has been reported that the group has expanded its operations beyond the Indo-Pacific region to Europe, the Middle East, and Africa. The group continues to pose a significant threat, with NTT researchers identifying a campaign targeting Taiwanese government agencies, the Philippine military, and energy organizations in Vietnam as recently as July 2024.
Description last updated: 2024-09-25T13:18:43.406Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
Barium is a possible alias for APT41 (6 votes). Barium, also known as BRONZE ATLAS or APT41, is a threat actor that has been associated with various malicious activities. Originating from China and active since at least 2007, this group has been implicated in cyberespionage efforts targeting multiple sectors across the globe. In 2017, according t
Winnti is a possible alias for APT41 (5 votes). Winnti, a notorious threat actor group, has been linked to several sophisticated cyber-espionage activities. First identified by Kaspersky in 2013, it is believed that the group has been active since at least 2007, primarily targeting software supply chains to spread malware. Winnti is part of the A
DragonEgg is a possible alias for APT41 (4 votes). DragonEgg is a malware associated with the notorious Chinese Advanced Persistent Threat (APT) group, APT41. This malicious software was developed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. The malware has been linked to surveillance
Wyrmspy is a possible alias for APT41 (4 votes). WyrmSpy is a sophisticated malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. This harmful software, designed to exploit and damage computer systems or devices, infects systems through suspicious downloads, emails, or websites, often without use
KEYPLUG is a possible alias for APT41 (4 votes). KeyPlug is a sophisticated malware developed by APT41, also known as the Chinese RedGolf Group. It's written in C++ and supports multiple network protocols for command and control (C2) traffic, including HTTP, TCP, KCP over UDP, and WSS. The malware was primarily used to target Windows systems, spec
Wicked Panda is a possible alias for APT41 (4 votes). Wicked Panda, also known as APT41, Double Dragon, and Brass Typhoon, is a China state-sponsored threat actor identified by the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center as one of the top cybersecurity threats. The group, which has been linked to multipl
Hoodoo is a possible alias for APT41 (4 votes). HOODOO, also known as APT41 and numerous other aliases, is a Chinese-origin cyber threat group recognized for its extensive cyber espionage and cybercrime campaigns. The group, which has potential ties to the Chinese government, targets various sectors with complex campaigns aimed at exfiltrating se
Winnti Group is a possible alias for APT41 (3 votes). The Winnti Group, a threat actor associated with Chinese state-sponsored hacking activities, has been active since at least 2007, according to researchers from Kaspersky Lab who first identified the group in 2013. The group initially gained notoriety for its attacks on computer game developers a
Earth Longzhi is a possible alias for APT41 (3 votes). Earth Longzhi, a suspected subgroup of the notorious APT41, has reemerged after months of inactivity and is now attacking organizations across various industries in Southeast Asia. This group had been on hiatus since its last campaign, which ran from August 2021 to June 2022. Trend Micro's investigat
Blackfly is a possible alias for APT41 (3 votes). Blackfly is a threat actor, tracked by Symantec, that has been involved in cyber-attacks primarily targeting South Korean companies, especially those in the video game and software development industry. The group initiated its activities with a campaign to steal certificates, which were later utiliz
Mustang Panda is a possible alias for APT41 (2 votes). Mustang Panda, a known Chinese advanced persistent threat (APT) group, has been identified as the likely perpetrator behind a sophisticated, ongoing cyber-espionage campaign. The group, also known as Stately Taurus, Bronze President, RedDelta, Luminous Moth, Earth Preta, and Camaro Dragon, has a 12-
Redgolf is a possible alias for APT41 (2 votes). RedGolf, a Chinese state-sponsored threat activity group, has been actively targeting Windows and Linux systems with the KEYPLUG backdoor. This group's activities have been closely associated with other threat groups including APT41, Wicked Panda, Bronze Atlas, and Barium. The first known use of the
Volt Typhoon is a possible alias for APT41 (2 votes). Volt Typhoon, a threat actor group reportedly linked to China, has been identified as a significant cybersecurity concern due to its sophisticated techniques and apparent focus on critical infrastructure. The group's operations have been marked by strong operational security and the use of obfuscati
Longzhi is a possible alias for APT41 (2 votes). Earth Longzhi, a subgroup within the notorious APT41 cyber espionage group, has re-emerged after months of dormancy, according to cybersecurity researchers at Trend Micro. The threat actor has been known for its malicious activities since 2020 and has recently targeted organizations in Taiwan, Thail
Earth Baku is a possible alias for APT41 (2 votes). Earth Baku, a threat actor identified in the cybersecurity landscape, has been executing actions with malicious intent, posing significant challenges to cybersecurity defenses. This entity could comprise a single person, a private company, or part of a government entity. Earth Baku is known for u
Double Dragon is a possible alias for APT41 (2 votes). Double Dragon, also known as APT41, Winnti, or Barium, is a prominent Advanced Persistent Threat (APT) group believed to have originated from China. As a threat actor, Double Dragon represents a human entity with the intent to execute actions of a malicious nature. The group has been identified by t
Lightspy is a possible alias for APT41 (2 votes). LightSpy, a notable threat actor in the cybersecurity landscape, has renewed its espionage campaign, primarily targeting South Asia. This group, which could be an individual, a private company, or part of a government entity, is known for executing actions with malicious intent. The latest wave of a
Brass Typhoon is a possible alias for APT41 (2 votes). Brass Typhoon, previously known as Barium, is a threat actor group originating from China. The group has been involved in numerous software-supply-chain attacks globally, making it one of the most active and threatening groups in this domain. Brass Typhoon uses sophisticated techniques and tools to
Daggerfly is a possible alias for APT41 (2 votes). DaggerFly, also known as Evasive Panda and StormBamboo, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since at least 2012. The group is renowned for its use of the custom MgBot malware framework, which it leverages to conduct cyberespionage activities against indi
Axiom is a possible alias for APT41 (2 votes). Axiom is a recognized threat actor, also known as a hacking team, that has been associated with malicious activities. The group has ties to the Chinese intelligence apparatus and has operated under various names such as Winnti, PassCV, APT17, LEAD, BARIUM, Wicked Panda, and GREF. The naming conventi
Bronze Atlas is a possible alias for APT41 (2 votes). Bronze Atlas, also known as APT41, Winnti Group, or HOODOO, is a significant threat actor identified in the cybersecurity industry. The group has been involved in various malicious activities and has been tracked by Secureworks' Counter Threat Unit since at least 2007. According to Marc Burnard, a s
Earth Estries is a possible alias for APT41 (2 votes). Earth Estries is a cyberespionage group, or threat actor, that has targeted government entities and tech firms across the globe, including in the US, Germany, South Africa, Asia, Malaysia, the Philippines, and Taiwan. While the exact origin of Earth Estries remains unclear, there are indications sug
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, Backdoor, Apt, State Sponso..., Espionage, Exploit, Rootkit, Vulnerability, Android, China, Linux, Chinese, Exploits, Loader, Cybercrime, Windows, Rat, Google, Mandiant, Zero Day, Phishing, Health, ISOON, Symantec, Ransomware, Spyware
Associated Malware
Alias | Description | Association Type | Votes
The ShadowPad Malware is associated with APT41 (association type: Unspecified; 6 votes). ShadowPad is a modular malware that has been utilized by various Chinese threat actors since at least 2017. It's a malicious software designed to infiltrate computer systems, often without the user's knowledge, and can cause significant damage by stealing personal information, disrupting operations,
The ZxShell Malware is associated with APT41 (association type: Unspecified; 5 votes). ZXShell is a malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o
The PlugX Malware is associated with APT41 (association type: Unspecified; 2 votes). PlugX is a malicious software (malware) known for its stealthy operations. It has been linked to several cyberattacks, and its use has been attributed to various threat groups, including Winnti and MustangPanda. The malware leverages DLL side-loading to remain undetected, making it a potent tool in
Associated Threat Actors
Alias | Description | Association Type | Votes
The Lancefly Threat Actor is associated with APT41 (association type: Unspecified; 5 votes). Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and telecommunication secto
The GALLIUM Threat Actor is associated with APT41 (association type: Unspecified; 3 votes). Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas
The I-Soon Threat Actor is associated with APT41 (association type: Unspecified; 3 votes). i-Soon, also known as Anxun, is a threat actor identified as a private industry contractor for the Chinese Ministry of Public Security (MPS). The company has recently been implicated in a massive data leak that surfaced on Github. As elaborated by Tom Uren and Catalin Cimpanu, i-Soon frequently init
The Redfly Threat Actor is associated with APT41 (association type: Unspecified; 2 votes). RedFly, a threat actor group known for its malicious activities, has emerged as a significant cybersecurity concern. The group's operations are characterized by their strategic execution and targeted focus, often resulting in substantial security breaches. Threat actors like RedFly pose a significan
The Earth Freybug Threat Actor is associated with APT41 (association type: is related to; 2 votes). Earth Freybug is a threat actor that has been active since at least 2012, engaging in cyber espionage and financially motivated activities. It's considered a subset of APT41, a collective of Chinese threat groups known by various names such as Winnti, Wicked Panda, Barium, and Suckfly. Earth Freybug
The Emerald Sleet Threat Actor is associated with APT41 (association type: Unspecified; 2 votes). Emerald Sleet, a threat actor associated with North Korea, has been identified as a significant player in cyber espionage. This group is known for its sophisticated use of artificial intelligence and machine learning models (LLMs), leveraging them to enhance spear-phishing campaigns, research public
The Thallium Threat Actor is associated with APT41 (association type: Unspecified; 2 votes). Thallium, also known as Kimsuky, APT43, Velvet Chollima, and Black Banshee, is a significant threat actor that has been active since at least 2012. This group, believed to be operating on behalf of the North Korean regime, conducts intelligence collection and uses cybercrime to fund espionage activi
The Lazarus Group Threat Actor is associated with APT41 (association type: Unspecified; 2 votes). The Lazarus Group, a threat actor commonly associated with North Korea, has been implicated in numerous cyber attacks and exploitations over the years. This group is known for its sophisticated techniques and high-profile targets, including the infamous $600 million Ronin sidechain exploit in 2022.
The Apt43 Threat Actor is associated with APT41 (association type: Unspecified; 2 votes). APT43, also known as Kimsuky, is a North Korean state-sponsored Advanced Persistent Threat (APT) group that poses significant concerns for various sectors, notably the U.S. healthcare and public health sector. This group conducts intelligence collection and has been known to use cybercrime to fund e
The APT1 Threat Actor is associated with APT41 (association type: is related to; 2 votes). APT1, also known as Unit 61398 or Comment Crew, is a notorious cyber-espionage group believed to be part of China's People's Liberation Army (PLA) General Staff Department's 3rd Department. This threat actor has been linked with several high-profile Remote Access Trojans (RATs), enabling them to tak
Associated Vulnerabilities
Alias | Description | Association Type | Votes
The CVE-2021-44207 Vulnerability is associated with APT41 (association type: Unspecified; 2 votes). CVE-2021-44207 is a significant software vulnerability that was exploited by APT41, a prolific Chinese state-sponsored espionage group known for targeting both public and private sector organizations. This flaw in the USAHerds web application's design or implementation mirrors a previously reported
The CVE-2021-44228 Vulnerability is associated with APT41 (association type: Unspecified; 2 votes). CVE-2021-44228, also known as the Log4Shell vulnerability, is a significant flaw in Apache's Log4j software. Disclosed in December 2021, it quickly became one of the most severe bugs due to its widespread usage and potential for exploitation. Various Advanced Persistent Threat (APT) actors attempted
Source Document References
Information about the APT41 Threat Actor was read from the documents corpus below (this display is limited to 20 results).
Source | Created
DARKReading, 13 days ago
Checkpoint, 13 days ago
DARKReading, 16 days ago
BankInfoSecurity, 22 days ago
BankInfoSecurity, a month ago
Securityaffairs, a month ago
Fortinet, a month ago
DARKReading, a month ago
Securityaffairs, 2 months ago
DARKReading, 2 months ago
Securityaffairs, 2 months ago
Securityaffairs, 2 months ago
DARKReading, 2 months ago
Securityaffairs, 2 months ago
Checkpoint, 2 months ago
Securityaffairs, 2 months ago
DARKReading, 2 months ago
DARKReading, 3 months ago
Checkpoint, 3 months ago
DARKReading, 3 months ago