APT41

Threat Actor updated 18 days ago (2024-11-29T14:38:01.410Z)
APT41, also known as Winnti, is a threat actor suspected of operating from China, with activity dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. Vendors track the group under various aliases, including WickedPanda, Barium, and Wicked Spider, among others. APT41's operations have been linked to multiple Chinese state-sponsored hacking groups, such as Mustang Panda and APT10, among others. Some security vendors consider APT41 to be a collection of smaller subgroups operating on behalf of, or at the behest of, the Chinese government.

The group's activities have prompted investigations and legal action by the US government, leading to the indictment of five alleged APT41 members in 2020. More recently, APT41 has been tied to attacks targeting global logistics and utilities companies, as well as research entities in Taiwan. The group has also been linked to an ongoing mobile espionage campaign against targets in India and South Asia that uses an iOS implant named "LightSpy."

Sophos, in collaboration with other cybersecurity firms, government bodies, and law enforcement agencies, investigated cyber attacks attributed to several China-linked APT groups, including APT41. These investigations identified specific clusters of activity from December 2018 to November 2023 attributed to the group. In response, Sophos launched a counter-offensive effort dubbed "Pacific Rim," aimed at Chinese hacking groups like APT41 that have penetrated Sophos firewalls using overlapping sets of tactics, tools, and procedures since early 2020.
Description last updated: 2024-11-15T16:09:40.776Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
Winnti | Winnti is a possible alias for APT41. Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such | 6
Barium | Barium is a possible alias for APT41. Barium, also known as BRONZE ATLAS or APT41, is a threat actor that has been associated with various malicious activities. Originating from China and active since at least 2007, this group has been implicated in cyberespionage efforts targeting multiple sectors across the globe. In 2017, according t | 6
Wyrmspy | Wyrmspy is a possible alias for APT41. WyrmSpy is a sophisticated malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. This harmful software, designed to exploit and damage computer systems or devices, infects systems through suspicious downloads, emails, or websites, often without use | 4
DragonEgg | DragonEgg is a possible alias for APT41. DragonEgg is a malware associated with the notorious Chinese Advanced Persistent Threat (APT) group, APT41. This malicious software was developed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. The malware has been linked to surveillance | 4
Wicked Panda | Wicked Panda is a possible alias for APT41. Wicked Panda, also known as APT41, Double Dragon, and Brass Typhoon, is a prominent threat actor in the cybersecurity landscape. This China state-sponsored group has been identified as one of the top threat actors by the Department of Health and Human Services' Health Sector Cybersecurity Coordinati | 4
Volt Typhoon | Volt Typhoon is a possible alias for APT41. Volt Typhoon, a state-sponsored threat actor based in China, has been identified as a significant cybersecurity risk to critical infrastructure sectors in the United States. According to Microsoft and the Five Eyes cybersecurity and intelligence agencies, Volt Typhoon has compromised IT environments | 4
Hoodoo | Hoodoo is a possible alias for APT41. HOODOO, also known as APT41 and numerous other aliases, is a Chinese-origin cyber threat group recognized for its extensive cyber espionage and cybercrime campaigns. The group, which has potential ties to the Chinese government, targets various sectors with complex campaigns aimed at exfiltrating se | 4
KEYPLUG | KEYPLUG is a possible alias for APT41. KeyPlug is a sophisticated malware developed by APT41, also known as the Chinese RedGolf Group. It's written in C++ and supports multiple network protocols for command and control (C2) traffic, including HTTP, TCP, KCP over UDP, and WSS. The malware was primarily used to target Windows systems, spec | 4
Blackfly | Blackfly is a possible alias for APT41. Blackfly is a threat actor, tracked by Symantec, that has been involved in cyber-attacks primarily targeting South Korean companies, especially those in the video game and software development industry. The group initiated its activities with a campaign to steal certificates, which were later utiliz | 3
Lightspy | Lightspy is a possible alias for APT41. LightSpy is a threat actor known for its sophisticated and malicious activities. It first gained attention in 2022 when it began deploying its namesake spyware, LightSpy, which has since evolved to possess extensive spying capabilities. The group has strategically enhanced its capabilities over time | 3
Winnti Group | Winnti Group is a possible alias for APT41. The Winnti Group, a threat actor associated with the Chinese state-sponsored hacking activities, has been active since at least 2007, according to researchers from Kaspersky Lab who first identified the group in 2013. The group initially gained notoriety for its attacks on computer game developers a | 3
Earth Longzhi | Earth Longzhi is a possible alias for APT41. Earth Longzhi, a suspected subgroup of the notorious APT41, has reemerged after months of inactivity and is now attacking organizations across various industries in Southeast Asia. This group had been on hiatus since its last campaign which ran from August 2021 to June 2022. Trend Micro's investigat | 3
Redgolf | Redgolf is a possible alias for APT41. RedGolf, a Chinese state-sponsored threat activity group, has been actively targeting Windows and Linux systems with the KEYPLUG backdoor. This group's activities have been closely associated with other threat groups including APT41, Wicked Panda, Bronze Atlas, and Barium. The first known use of the | 2
Mustang Panda | Mustang Panda is a possible alias for APT41. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modif | 2
Axiom | Axiom is a possible alias for APT41. Axiom is a recognized threat actor, also known as a hacking team, that has been associated with malicious activities. The group has ties to the Chinese intelligence apparatus and has operated under various names such as Winnti, PassCV, APT17, LEAD, BARIUM, Wicked Panda, and GREF. The naming conventi | 2
Bronze Atlas | Bronze Atlas is a possible alias for APT41. Bronze Atlas, also known as APT41, Winnti Group, or HOODOO, is a significant threat actor identified in the cybersecurity industry. The group has been involved in various malicious activities and has been tracked by Secureworks' Counter Threat Unit since at least 2007. According to Marc Burnard, a s | 2
Earth Estries | Earth Estries is a possible alias for APT41. Earth Estries, also known as Salt Typhoon, FamousSparrow, GhostEmperor, and UNC2286, is a sophisticated threat actor that has been conducting long-term espionage attacks against government entities and other targets since 2020. Originating from the People's Republic, Earth Estries ranks among the mo | 2
Longzhi | Longzhi is a possible alias for APT41. Earth Longzhi, a subgroup within the notorious APT41 cyber espionage group, has re-emerged after months of dormancy, according to cybersecurity researchers at Trend Micro. The threat actor has been known for its malicious activities since 2020 and has recently targeted organizations in Taiwan, Thail | 2
Earth Baku | Earth Baku is a possible alias for APT41. Earth Baku, a threat actor linked to the China-associated APT group APT41, has emerged as a significant cybersecurity threat with operations extending beyond the Indo-Pacific region. Since late 2022, Earth Baku has expanded its malicious activities into Europe, the Middle East, and Africa. The group | 2
Double Dragon | Double Dragon is a possible alias for APT41. Double Dragon, also known as APT41, Winnti, or Barium, is a prominent Advanced Persistent Threat (APT) group believed to have originated from China. As a threat actor, Double Dragon represents a human entity with the intent to execute actions of a malicious nature. The group has been identified by t | 2
Daggerfly | Daggerfly is a possible alias for APT41. DaggerFly, also known as Evasive Panda and StormBamboo, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since at least 2012. The group is recognized for its cyber espionage activities against individuals and organizations in mainland China, Hong Kong, Macao, Nigeria | 2
Brass Typhoon | Brass Typhoon is a possible alias for APT41. Brass Typhoon, also known as APT41, Earth Baxia, and Wicked Panda, is a threat actor group originating from China that has been involved in numerous software-supply-chain attacks. This group was formerly identified as Barium, which had carried out more software-supply-chain attacks than any other gr | 2
Miscellaneous Associations
Other contextual elements that could aid in assessing relevance:
Malware, Backdoor, Apt, State Sponso..., Espionage, Android, Chinese, Exploit, Rootkit, Vulnerability, Linux, China, Loader, Exploits, Cybercrime, Windows, Symantec, Phishing, Google, Spyware, Rat, Zero Day, Health, State Sponso..., ISOON, Ios, Ransomware, Mandiant, Sophos
Associated Malware
Alias | Description | Association Type | Votes
ShadowPad | The ShadowPad Malware is associated with APT41. ShadowPad is a sophisticated malware, known for its use in supply chain attacks, particularly against government entities in South Asia. This modular backdoor, which has been active for approximately seven years, is popular among Chinese threat actors. It was notably used as the payload in an attack | Unspecified | 6
ZxShell | The ZxShell Malware is associated with APT41. ZXShell is a malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o | Unspecified | 5
PlugX | The PlugX Malware is associated with APT41. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Lancefly | The Lancefly Threat Actor is associated with APT41. Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and telecommunication secto | Unspecified | 5
GALLIUM | The GALLIUM Threat Actor is associated with APT41. Gallium, also known as Alloy Taurus, is a threat actor group that has been associated with significant cyber-espionage campaigns and is believed to have ties with China. The group has been linked to multiple intrusion sets targeting network devices, including routers and servers. Gallium notably tar | Unspecified | 3
I-Soon | The I-Soon Threat Actor is associated with APT41. i-Soon, also known as Anxun, is a threat actor identified as a private industry contractor for the Chinese Ministry of Public Security (MPS). The company has recently been implicated in a massive data leak that surfaced on Github. As elaborated by Tom Uren and Catalin Cimpanu, i-Soon frequently init | Unspecified | 3
APT31 | The APT31 Threat Actor is associated with APT41. APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by | Unspecified | 3
Earth Freybug | The Earth Freybug Threat Actor is associated with APT41. Earth Freybug is a threat actor that has been active since at least 2012, engaging in cyber espionage and financially motivated activities. It's considered a subset of APT41, a collective of Chinese threat groups known by various names such as Winnti, Wicked Panda, Barium, and Suckfly. Earth Freybug | is related to | 2
APT10 | The APT10 Threat Actor is associated with APT41. APT10, also known as Menupass, is a sophisticated threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS). This group has been associated with numerous cyber espionage campaigns targeting various sectors globally. Recent analysis suggests a link between APT10 and o | Unspecified | 2
APT1 | The APT1 Threat Actor is associated with APT41. APT1, also known as Unit 61398 or Comment Crew, is a notorious cyber-espionage group believed to be part of China's People's Liberation Army (PLA) General Staff Department's 3rd Department. This threat actor has been linked with several high-profile Remote Access Trojans (RATs), enabling them to tak | is related to | 2
Redfly | The Redfly Threat Actor is associated with APT41. RedFly, a threat actor group known for its malicious activities, has emerged as a significant cybersecurity concern. The group's operations are characterized by their strategic execution and targeted focus, often resulting in substantial security breaches. Threat actors like RedFly pose a significan | Unspecified | 2
Emerald Sleet | The Emerald Sleet Threat Actor is associated with APT41. Emerald Sleet, a threat actor associated with North Korea, has been identified as a significant player in cyber espionage. This group is known for its sophisticated use of artificial intelligence and machine learning models (LLMs), leveraging them to enhance spear-phishing campaigns, research public | Unspecified | 2
Thallium | The Thallium Threat Actor is associated with APT41. Thallium, also known as Kimsuky, APT43, Velvet Chollima, and Black Banshee, is a significant threat actor that has been active since at least 2012. This group, believed to be operating on behalf of the North Korean regime, conducts intelligence collection and uses cybercrime to fund espionage activi | Unspecified | 2
Lazarus Group | The Lazarus Group Threat Actor is associated with APT41. The Lazarus Group, a notorious threat actor attributed to North Korea, is renowned for its malicious activities aimed at furthering the country's objectives. This group has been implicated in several high-profile cyber-attacks, including an attack in Spain known as Operation DreamJob. The exploitati | Unspecified | 2
Apt43 | The Apt43 Threat Actor is associated with APT41. APT43, also known as Kimsuky, is a North Korean Advanced Persistent Threat (APT) group that has been active since at least 2013. The group is known for its intelligence collection activities and using cybercrime to fund espionage. It has been linked to several aliases including Springtail, ARCHIPELA | Unspecified | 2
Associated Vulnerabilities
Alias | Description | Association Type | Votes
CVE-2021-44207 | The CVE-2021-44207 Vulnerability is associated with APT41. CVE-2021-44207 is a significant software vulnerability that was exploited by APT41, a prolific Chinese state-sponsored espionage group known for targeting both public and private sector organizations. This flaw in the USAHerds web application's design or implementation mirrors a previously reported | Unspecified | 2
CVE-2021-44228 | The CVE-2021-44228 Vulnerability is associated with APT41. CVE-2021-44228, also known as the Log4Shell vulnerability, is a significant flaw in Apache's Log4j software. Disclosed in December 2021, it quickly became one of the most severe bugs due to its widespread usage and potential for exploitation. Various Advanced Persistent Threat (APT) actors attempted | Unspecified | 2