Barium

Threat Actor updated 25 days ago (2024-08-14T09:52:18.540Z)
Barium, also tracked as BRONZE ATLAS and APT41, is a China-based threat actor active since at least 2007 that has been implicated in cyberespionage against multiple sectors worldwide. In 2017, according to a Microsoft complaint, Barium deployed the ShadowPad malware to steal intellectual property and personally identifiable information (PII). The Barium cluster overlaps with activity that other vendors track under names such as APT41, Wicked Panda, Winnti and SuckFly; collectively, this activity has been tied to extensive theft of trade secrets, intellectual property and other sensitive data from organizations in the US and several other countries.

Barium and its associated clusters are strongly linked to the Winnti malware implant, a backdoor used in large-scale cyberespionage operations. Microsoft has observed the same implant in the hands of both its BARIUM and LEAD activity groups.

Two incidents stand out. On March 2, 2021, hours before Microsoft released its Exchange Server patch, the Winnti Group (another name for Barium) compromised the email servers of an oil company and a construction equipment company based in East Asia. Later, between May 2021 and February 2022, Barium infiltrated six US state government networks using KEYPLUG, a backdoor disclosed by Google-owned Mandiant.

Endpoint detection tooling such as Windows Defender ATP helps network defenders identify intrusions by activity groups like LEAD and BARIUM. Although these groups are not known for large-scale spear-phishing, their sophisticated tactics pose significant risk to organizations.

Microsoft Threat Intelligence continually tracks activity groups such as LEAD and BARIUM, documenting their tactics, techniques, procedures and tooling to inform effective defensive strategies.
Description last updated: 2024-08-14T08:43:21.156Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Name (votes): profile description

APT41 (6 votes): APT41, a threat actor attributed to China, has been actively targeting organizations in at least 14 countries since 2012. The group is known for its use of an extensive range of malware, with at least 46 different code families and tools observed in their operations. They are associated with various …

Winnti (5 votes): The Winnti Group is a sophisticated threat actor that has been active since at least 2007, first identified by Kaspersky in 2013. This collective of Chinese nation-state hackers is known for its advanced cyberespionage capabilities and its unique strategy of targeting legitimate software supply chai…

RedGolf (2 votes): RedGolf, a Chinese state-sponsored threat activity group, has been actively targeting Windows and Linux systems with the KEYPLUG backdoor. This group's activities have been closely associated with other threat groups including APT41, Wicked Panda, Bronze Atlas, and Barium. The first known use of the …

Axiom (2 votes): Axiom is a recognized threat actor, also known as a hacking team, that has been associated with malicious activities. The group has ties to the Chinese intelligence apparatus and has operated under various names such as Winnti, PassCV, APT17, LEAD, BARIUM, Wicked Panda, and GREF. The naming conventi…
Miscellaneous Associations
Other elements of context that could help in judging relevance.
Tags: Windows, APT, Malware
Associated Malware
Name (type; votes): profile description

WyrmSpy (type unspecified; 2 votes): WyrmSpy is a sophisticated malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. This harmful software, designed to exploit and damage computer systems or devices, infects systems through suspicious downloads, emails, or websites, often without use…

DragonEgg (type unspecified; 2 votes): DragonEgg is a malware associated with the notorious Chinese Advanced Persistent Threat (APT) group, APT41. This malicious software was developed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. The malware has been linked to surveillance …
Source Document References
Information about the Barium threat actor was drawn from the documents below (display limited to 20 results).

Source (created): title

DARKReading (a month ago): China's APT41 Targets Taiwan Research Institute for Cyber Espionage
DARKReading (2 months ago): China's APT41 Targets Global Logistics, Utilities Companies
CERT-EU (6 months ago): Hacking firm I-Soon data leak revealed Chinese gov hacking capabilities
CERT-EU (7 months ago): Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Air India
CERT-EU (9 months ago): Researchers Unmask Sandman APT's Hidden Link to China-Based KEYPLUG Backdoor
CERT-EU (10 months ago): Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Air India
Securityaffairs (a year ago): Redfly group infiltrated an Asian national grid as long as six months
MITRE (2 years ago): Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
MITRE (2 years ago): Detecting threat actors in recent German industrial attacks with Windows Defender ATP - Microsoft Security Blog
CERT-EU (a year ago): NATO countries targeted by Winter Vivern via Zimbra vulnerability
CERT-EU (a year ago): Cyber Security Week In Review: July 21, 2023
BankInfoSecurity (a year ago): Chinese Threat Group APT41 Linked To Android Malware Attacks
CERT-EU (a year ago): Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware
CERT-EU (a year ago): Hackers target Pakistani government, bank and telecom provider with China-made malware
Secureworks (2 years ago): ShadowPad Malware Analysis
CERT-EU (a year ago): Massive 3CX Supply-Chain Hack Targeted Cryptocurrency Firms
MITRE (2 years ago): Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan
CERT-EU (a year ago): Windows, Linux systems subjected to Chinese state-backed cyberattacks
MITRE (2 years ago): Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
Recorded Future (a year ago): With KEYPLUG, China's RedGolf Spies On, Steals From Wide Field of Targets | Recorded Future