Hoodoo

Threat Actor updated a year ago (2024-11-29T14:13:24.872Z)

Download STIX

Preview STIX

HOODOO, also known as APT41 and numerous other aliases, is a Chinese-origin cyber threat group recognized for its extensive cyber espionage and cybercrime campaigns. The group, which has potential ties to the Chinese government, targets various sectors with complex campaigns aimed at exfiltrating sensitive data and financial gain. HOODOO's operations have been noted for their use of publicly accessible tooling like Cobalt Strike and other "pentest" software, as seen in their implementation of GC2, rather than building their own unique tools. In October 2022, Google's Threat Analysis Group (TAG) successfully disrupted a campaign run by HOODOO. This campaign targeted a Taiwanese media organization through phishing emails containing links to a password-protected file hosted on Drive. Previously, in July 2022, HOODOO used GC2 to target an Italian job search website, demonstrating the group's diverse range of targets. A subgroup within APT41, known as Earth Longzhi, was identified by Trend Micro as being responsible for a specific intrusion set. This highlights the complexity and multi-faceted nature of HOODOO's operations. Despite successful disruption efforts by entities such as Google's TAG, the continuing activities of HOODOO and its subgroups present an ongoing cyber threat.

Description last updated: 2024-09-20T18:17:25.299Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT41 is a possible alias for Hoodoo. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Google

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The threatActor Wicked Spider is associated with Hoodoo.	Unspecified	2

Source Document References

Information about the Hoodoo Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	a month ago	China-linked APT41 targets government, think tanks, and academics tied to US-China trade and policy
Yori	a year ago	Uncovering an undetected KeyPlug implant attacking industries in Italy - Yoroi
Yori	a year ago	Uncovering an undetected KeyPlug implant attacking industries in Italy - Yoroi
Securityaffairs	a year ago	APT41: The threat of KeyPlug against Italian industries
CERT-EU	2 years ago	The Hindu Morning Digest: January 5, 2024
CERT-EU	2 years ago	Google sheets & drive traffic along with this process in your network, means your are hacked
CERT-EU	2 years ago	Si ves tráfico de hojas de cálculo y Google drive junto con este proceso en su red, significa que está hackeado
DARKReading	2 years ago	APT41 Taps Google Red Teaming Tool in Targeted Info-Stealing Attacks
CERT-EU	2 years ago	Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics - GIXtools