Barium

Threat Actor updated 3 months ago (2024-08-14T09:52:18.540Z)
Barium, also known as BRONZE ATLAS or APT41, is a threat actor associated with a range of malicious activity. Originating from China and active since at least 2007, the group has been implicated in cyberespionage targeting multiple sectors worldwide. In 2017, according to a Microsoft complaint, Barium deployed ShadowPad malware to steal intellectual property and personally identifiable information (PII).

The group is part of the larger APT41 collective, which includes other subgroups such as Wicked Panda, Winnti and SuckFly. These groups have carried out extensive data theft, compromising trade secrets, intellectual property and sensitive data from organizations in the US and several other countries. Barium and its associated groups are strongly linked to the Winnti malware implant, an advanced persistent threat (APT) tool used in large-scale cyberespionage operations; the implant has been employed by both the BARIUM and LEAD activity groups.

A notable incident occurred between May 2021 and February 2022, when Barium infiltrated six U.S. state government networks using KEYPLUG, a backdoor disclosed by Google-owned Mandiant. Earlier, on March 2, 2021, just hours before Microsoft released a patch, the Winnti Group (another name for Barium) compromised the email servers of an oil company and a construction equipment company based in East Asia.

To counter these threats, tools such as Windows Defender ATP help network security professionals deal with intrusions from activity groups like LEAD and BARIUM. Although these groups are not known for large-scale spear-phishing, their sophisticated tactics pose significant risks to organizational cybersecurity.
Microsoft Threat Intelligence continually tracks activity groups such as LEAD and BARIUM, documenting their tactics, techniques, procedures, and the tools they use to facilitate attacks, thereby aiding in the development of effective defensive strategies.
Description last updated: 2024-08-14T08:43:21.156Z
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions between vendors is difficult, so the following are possible overlapping names and profiles that may also be worth examining. Each entry lists the alias, its description and the number of votes for the overlap.
APT41 (6 votes): APT41 is a possible alias for Barium. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi

Winnti (5 votes): Winnti is a possible alias for Barium. Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such

RedGolf (2 votes): RedGolf is a possible alias for Barium. RedGolf, a Chinese state-sponsored threat activity group, has been actively targeting Windows and Linux systems with the KEYPLUG backdoor. This group's activities have been closely associated with other threat groups including APT41, Wicked Panda, Bronze Atlas, and Barium. The first known use of the

Axiom (2 votes): Axiom is a possible alias for Barium. Axiom is a recognized threat actor, also known as a hacking team, that has been associated with malicious activities. The group has ties to the Chinese intelligence apparatus and has operated under various names such as Winnti, PassCV, APT17, LEAD, BARIUM, Wicked Panda, and GREF. The naming conventi
Miscellaneous Associations
Other elements of context that could aid in assessing relevance: Windows, APT, Malware.
Analyst Notes & Discussion
Associated Malware
Each entry lists the malware, its description, the association type and the number of votes for the association.
WyrmSpy (association type: Unspecified; 2 votes): The WyrmSpy malware is associated with Barium. WyrmSpy is a sophisticated malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. This harmful software, designed to exploit and damage computer systems or devices, infects systems through suspicious downloads, emails, or websites, often without use

DragonEgg (association type: Unspecified; 2 votes): The DragonEgg malware is associated with Barium. DragonEgg is a malware associated with the notorious Chinese Advanced Persistent Threat (APT) group, APT41. This malicious software was developed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. The malware has been linked to surveillance
Source Document References
Information about the Barium threat actor was drawn from the document corpus below. This display is limited to 20 results; each entry gives the source and when the document was created (titles and links were not captured).
DARKReading (4 months ago)
DARKReading (4 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
MITRE (2 years ago)
MITRE (2 years ago)
CERT-EU (2 years ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Secureworks (2 years ago)
CERT-EU (2 years ago)
MITRE (2 years ago)
CERT-EU (2 years ago)
MITRE (2 years ago)
Recorded Future (2 years ago)