APT41

Threat Actor Profile, updated 13 days ago
APT41 is a China-attributed threat actor active since at least 2012. It is tracked under names including Winnti, Wicked Panda, Barium, Suckfly and Earth Freybug, and in some reporting Daggerfly (a name other vendors apply to Evasive Panda; see the cluster overlaps below). The group has targeted organizations in at least 14 countries across sectors including public administration, professional services, scientific research, and arts, entertainment and recreation, and has used at least 46 distinct code families and tools. Its activity spans cyber espionage, software supply chain compromises and financially motivated cybercrime, often carried out with the same toolset and infrastructure.

Two tradecraft details stand out. First, APT41 has delivered backdoors through malicious LNK (Windows shortcut) files, a technique it appears to have borrowed from Higaisa, another threat actor. Second, it has used phantom DLL hijacking: planting a DLL under a name that a trusted Windows component tries to load but that is absent from the location searched first. Documented examples are "wlbsctrl.dll", loaded by the IKE and AuthIP IPsec Keying Modules (IKEEXT) service, and "wbemcomn.dll", loaded by the WMI provider host (WmiPrvSE.exe). Because the loading process is a signed system component, the planted DLL runs with that component's privileges, which makes the technique both a persistence and a defense-evasion mechanism.

APT41 is also associated with the Crosswalk backdoor, which appeared no later than 2017 and was first described publicly in FireEye's report on the group. Several members have been indicted by the US, but the group remains active; the most recent reporting in this corpus dates from September and December 2023. Its activity occasionally overlaps with other Chinese APT clusters, including Mustang Panda, APT10 and the broader Winnti Group, so vendor cluster names should be compared carefully when correlating reports. Continuous monitoring and proactive defense remain necessary against this persistent and evolving actor.
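The phantom DLL behaviour described above is easy to hunt for once image-load telemetry (for example Sysmon Event ID 7) is available: the suspicious signal is one of these DLL names being loaded from a directory where no legitimate copy should exist. The script below is an added example written for this profile; it is not code from the page's sources or from any vendor. The event records, field names and timestamps are constructed for the example, and the allowlisted legitimate directories (none for wlbsctrl.dll, the wbem subdirectories for wbemcomn.dll) are assumptions that should be confirmed against a clean reference host before use in detection.

```python
"""Flag loads of known phantom-DLL names from unexpected directories.

Phantom DLL hijacking plants a DLL under a name that a trusted Windows
process asks for but that is missing from the first directory searched.
The two names below are the ones named in the APT41 profile text; the
legitimate locations listed for them are assumptions for this example.
"""
from dataclasses import dataclass

# DLL name -> directories (relative to the Windows directory, lower-case)
# where a legitimate copy may live.  An empty tuple means no legitimate
# copy is expected, so any load of that name is suspicious.  Assumed
# baseline; verify against a clean reference system.
PHANTOM_DLLS = {
    "wlbsctrl.dll": (),
    "wbemcomn.dll": (r"system32\wbem", r"syswow64\wbem"),
}


@dataclass(frozen=True)
class ImageLoad:
    """Minimal view of a Sysmon Event ID 7 (ImageLoad) record."""
    utc_time: str
    image: str          # process that loaded the module
    image_loaded: str   # full path of the module that was loaded
    signed: bool        # Sysmon 'Signed' field


def _split(path: str):
    """Return (directory, filename) of a Windows path, lower-cased."""
    p = path.replace("/", "\\").lower()
    head, _, name = p.rpartition("\\")
    return head, name


def is_phantom_hijack(ev: ImageLoad, windir: str = r"c:\windows") -> bool:
    """True if the event loads a phantom-DLL name from a non-allowlisted place."""
    directory, name = _split(ev.image_loaded)
    if name not in PHANTOM_DLLS:
        return False
    allowed = {windir.lower() + "\\" + d for d in PHANTOM_DLLS[name]}
    return directory not in allowed


def find_hijacks(events, windir: str = r"c:\windows"):
    """Return the events that match the phantom-DLL pattern, in input order."""
    return [ev for ev in events if is_phantom_hijack(ev, windir)]


# Constructed sample telemetry: one legitimate wbemcomn.dll load, two
# planted DLLs in System32, and one unrelated system DLL.
SAMPLE_EVENTS = [
    ImageLoad("2024-01-10 08:01:02", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\wbem\wbemcomn.dll", True),   # legitimate
    ImageLoad("2024-01-10 08:01:05", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\wbemcomn.dll", False),       # planted copy
    ImageLoad("2024-01-10 08:02:11", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\wlbsctrl.dll", False),       # planted copy
    ImageLoad("2024-01-10 08:03:00", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\ntdll.dll", True),           # unrelated
]

if __name__ == "__main__":
    for ev in find_hijacks(SAMPLE_EVENTS):
        print(f"{ev.utc_time} {ev.image} loaded {ev.image_loaded} "
              f"signed={ev.signed}")
```

The check is deliberately path-based rather than signature-based: an attacker can sign a planted DLL with a stolen certificate, but cannot change the fact that the trusted process found it in a directory where Windows does not ship that file. Treat an unsigned hit as higher confidence, not as the only condition.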
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Name (votes): profile description

Barium (5): Barium, also known as BRONZE ATLAS, APT41, TA415, and part of the Winnti Group, is a China-linked cyberespionage threat actor that has been active since at least 2007. Notable for its deployment of sophisticated malware such as ShadowPad and KEYPLUG, Barium has been implicated in numerous cyber atta
Winnti (5): Winnti is a threat actor group that has been active since at least 2007, primarily linked to China. It is also known as APT41, Axiom, Barium, Blackfly, and HOODOO. The group has been implicated in several high-profile cyberespionage campaigns targeting various sectors, including DAX companies such a
WyrmSpy (4): WyrmSpy is an Android surveillance malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. This harmful software, designed to exploit and damage computer systems or devices, infects systems through suspicious downloads, emails, or websites, often without use
DragonEgg (4): DragonEgg is a malware associated with the notorious Chinese Advanced Persistent Threat (APT) group APT41. This malicious software was developed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. The malware has been linked to surveillance
Wicked Panda (3): Wicked Panda, also known as APT41, Double Dragon, and Bronze Atlas, is a state-sponsored threat actor originating from China, recognized for its dual espionage and cybercrime operations. The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center has identified Wicke
Blackfly (3): Blackfly is a threat actor, tracked by Symantec, that has been involved in cyber-attacks primarily targeting South Korean companies, especially those in the video game and software development industry. The group initiated its activities with a campaign to steal certificates, which were later utiliz
Winnti Group (3): The Winnti Group, a collective of several Chinese Advanced Persistent Threat (APT) groups including APT41, is renowned for its malicious cyber activities. First gaining notoriety for its attacks on computer game developers, the group has since been linked to high-level cyber espionage conducted by t
Double Dragon (2): Double Dragon, also known as APT41, Winnti, or Barium, is a prominent Advanced Persistent Threat (APT) group believed to have originated from China. As a threat actor, Double Dragon represents a human entity with the intent to execute actions of a malicious nature. The group has been identified by t
LightSpy (2): LightSpy is an iOS spyware implant, not a threat actor in its own right. Initially documented in 2020 by Trend Micro and Kaspersky, LightSpy refers to an advanced iOS backdoor distributed via watering hole attacks through compromised news sites, particularly th
Daggerfly (2): DaggerFly, also known as Evasive Panda and Bronze Highland, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since at least 2012. The group primarily conducts cyber espionage operations against individuals in mainland China, Hong Kong, Macao, and Nigeria, as well as
Earth Longzhi (2): Earth Longzhi, a suspected subgroup of the infamous APT41 threat group, has resumed its malicious activities after several months of inactivity. This reemergence has seen the group target organizations across various industries in Southeast Asia, including government, healthcare, technology, and man
Hoodoo (2): Hoodoo, also known as APT41, Winnti, and Bronze Atlas, is a threat actor backed by the Chinese government that has been involved in multiple cyber-espionage campaigns. The group has targeted various entities globally, including a Taiwanese media organization and an Italian job search website. In Oct
RedGolf (2): RedGolf, a Chinese state-sponsored threat activity group, has been actively targeting Windows and Linux systems with the KEYPLUG backdoor. This group's activities have been closely associated with other threat groups including APT41, Wicked Panda, Bronze Atlas, and Barium. The first known use of the
Axiom (2): Axiom is a recognized threat actor, also known as a hacking team, that has been associated with malicious activities. The group has ties to the Chinese intelligence apparatus and has operated under various names such as Winnti, PassCV, APT17, LEAD, BARIUM, Wicked Panda, and GREF. The naming conventi
Bronze Atlas (2): Bronze Atlas, also known as APT41, Winnti Group, or HOODOO, is a significant threat actor identified in the cybersecurity industry. The group has been involved in various malicious activities and has been tracked by Secureworks' Counter Threat Unit since at least 2007. According to Marc Burnard, a s
Earth Estries (2): Earth Estries is a cyberespionage group, or threat actor, that has targeted government entities and tech firms across the globe, including in the US, Germany, South Africa, Asia, Malaysia, the Philippines, and Taiwan. While the exact origin of Earth Estries remains unclear, there are indications sug
Volt Typhoon (2): Volt Typhoon, a threat actor associated with the Chinese government, has emerged as a significant cybersecurity concern. Known for their strong operational security and use of obfuscation techniques to hide their malware, this group has successfully compromised organizations across various sectors s
Longzhi (2): Earth Longzhi, a subgroup within the notorious APT41 cyber espionage group, has re-emerged after months of dormancy, according to cybersecurity researchers at Trend Micro. The threat actor has been known for its malicious activities since 2020 and has recently targeted organizations in Taiwan, Thail
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Apt, Malware, Backdoor, State Sponso..., Espionage, Android, Rootkit, Exploit, Cybercrime, Chinese, China, Vulnerability, Windows, Symantec, Phishing, Google, Spyware, Zero Day, Health
Associated Malware
Name (relationship type; votes): profile description

ShadowPad (unspecified; 5): ShadowPad is a modular backdoor malware that has been utilized by multiple Chinese threat groups since 2017. It was used as the payload in a supply chain attack targeting South Asian governments, as detailed in a VB2023 paper. The malware's operations are often facilitated through legitimate utiliti
ZxShell (unspecified; 5): ZXShell is a notorious malware, often associated with other malicious software such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, and STEW. It has been utilized by various Advanced Persistent Threat (APT) groups, including APT27 and APT20, for
KEYPLUG (unspecified; 3): Keyplug is a malicious software (malware) utilized by Chinese state-sponsored threat operation RedGolf, also known as APT41, Wicked Panda, Bronze Atlas, and Barium. This malware, first reported by Mandiant, was used in attacks against various U.S. state government networks from May 2021 to February
PlugX (unspecified; 2): PlugX is a sophisticated malware predominantly used by various Chinese Advanced Persistent Threat (APT) groups like PKPLUG, but also found in the hands of non-Chinese threat actors due to its circulation in underground hacking communities. This modular backdoor has evolved through different stages,
Associated Threat Actors
Name (relationship type; votes): profile description

Lancefly (unspecified; 5): Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and telecommunication secto
GALLIUM (unspecified; 3): Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas
Lazarus Group (unspecified; 2): The Lazarus Group, a notorious threat actor associated with North Korea, has been implicated in a series of sophisticated cyber-attacks and illegal activities. The group is known for its exploitation activities aimed at establishing kernel read/write primitives. A notable attack orchestrated by the
APT43 (unspecified; 2): APT43, also known as Kimsuky, is a North Korean state-sponsored advanced persistent threat (APT) group that has been actively involved in cybercrime and espionage. The group has been implicated in a series of attacks exploiting vulnerabilities, which have drawn the attention of various cybersecurity
I-Soon (unspecified; 2): i-SOON, a threat actor believed to be operating out of China, has come into the limelight due to a significant data leak. The leaked documents provide an inside view of i-SOON's operations, revealing its role in executing cyberespionage campaigns on behalf of various Chinese government agencies. Thi
Earth Freybug (is related to; 2): Earth Freybug is a threat actor that has been active since at least 2012, engaging in cyber espionage and financially motivated activities. It's considered a subset of APT41, a collective of Chinese threat groups known by various names such as Winnti, Wicked Panda, Barium, and Suckfly. Earth Freybug
Mustang Panda (unspecified; 2): Mustang Panda, also known as Earth Preta, Camaro Dragon, Bronze President, TA416, and Stately Taurus, is a China-aligned Advanced Persistent Threat (APT) group that has been active since at least 2012. The group has targeted various entities across the globe, including government organizations, thin
APT1 (is related to; 2): APT1, also known as Unit 61398 or Comment Crew, is a notorious cyber-espionage group believed to be part of China's People's Liberation Army (PLA) General Staff Department's 3rd Department. This threat actor has been linked with several high-profile Remote Access Trojans (RATs), enabling them to tak
RedFly (unspecified; 2): RedFly, a threat actor group known for its malicious activities, has emerged as a significant cybersecurity concern. The group's operations are characterized by their strategic execution and targeted focus, often resulting in substantial security breaches. Threat actors like RedFly pose a significan
Emerald Sleet (unspecified; 2): Emerald Sleet, a North Korea-affiliated advanced persistent threat (APT) group, has emerged as a significant cybersecurity concern. The group leverages OpenAI's ChatGPT, the same technology that underpins Microsoft's Copilot, to enhance its malicious activities. These activities include spear-phishi
Thallium (unspecified; 2): Thallium, also known as Kimsuky, Velvet Chollima, and APT43, is a North Korean state-sponsored threat actor or hacking group that has been active since 2012. Tracked by the Cybereason Nocturnus Team and other security researchers, this cyber espionage group is believed to operate on behalf of the No
Associated Vulnerabilities
CVE (relationship type; votes): profile description

CVE-2021-44207 (unspecified; 2): CVE-2021-44207 is a significant software vulnerability that was exploited by APT41, a prolific Chinese state-sponsored espionage group known for targeting both public and private sector organizations. This flaw in the USAHerds web application's design or implementation mirrors a previously reported
CVE-2021-44228 (unspecified; 2): CVE-2021-44228, also known as the Log4Shell vulnerability, is a software flaw in Apache's Log4j logging library. This vulnerability allows for remote code execution, making it a significant security concern. Despite numerous attempts by Advanced Persistent Threat (APT) actors to exploit this vulnera
Source Document References
Information about the APT41 Threat Actor was read from the documents corpus below.
Source (created): title

MITRE (5 months ago): A Summary of APT41 Targeting U.S. State Governments
MITRE (a year ago): MESSAGETAP: Who's Reading Your Text Messages? | Mandiant
CERT-EU (8 months ago): Finding WyrmSpy and DragonEgg Ties to APT41 in the DNS
MITRE (a year ago): Advanced Persistent Threats (APTs) | Threat Actors & Groups
DARKReading (a year ago): APT41 Taps Google Red Teaming Tool in Targeted Info-Stealing Attacks
CERT-EU (a year ago): 中芯數據 discovers a long-planned new wave of APT41 attacks launched over the Lunar New Year holiday (original title in Chinese)
DARKReading (a year ago): APT41 Subgroup Plows Through Asia-Pacific, Utilizing Layered Stealth Tactics
BankInfoSecurity (10 months ago): Chinese Threat Group APT41 Linked To Android Malware Attacks
CERT-EU (a year ago): Higaisa or Winnti? APT41 backdoors, old and new
MITRE (a year ago): Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan
Securityaffairs (10 months ago): Experts attribute WyrmSpy and DragonEgg spyware to the Chinese APT41 group
DARKReading (10 months ago): China's APT41 Linked to WyrmSpy, DragonEgg Mobile Spyware
DARKReading (a year ago): China's BlackFly Targets Materials Sector in 'Relentless' Quest for IP
CERT-EU (a year ago): ZATAZ » OSINT to demystify spyware attacks (original title in French)
CERT-EU (a year ago): Backdoor programs (original title in Chinese)
MITRE (a year ago): Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
CERT-EU (10 months ago): Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware
CERT-EU (8 months ago): My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
CERT-EU (10 months ago): Why Should You Care About Chinese APTs and Nation State Attacks? | Lookout
CERT-EU (7 months ago): LightSpy iPhone Spyware Linked to Chinese APT41 Group