
APT41

G0096 · China · MITRE ATT&CK

Also known as: Wicked Panda · Brass Typhoon · BARIUM

Overview

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail and video game industries, in 14 countries. Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.

Targets

Automotive · Business · Cryptocurrency · Education · Energy · Finance · Healthcare · High-Tech · Intergovernmental · Media · Pharmaceuticals · Private sector · Retail · Services · Telecommunications · Travel

Regions

China · France · Hong Kong · India · Italy · Japan · Myanmar · Netherlands · Singapore · South Africa · South Korea · Switzerland · Thailand · Turkey · United Kingdom · United States

Capabilities

  • Supply-chain compromise — ATT&CK T1195.002
  • Exploitation of public-facing / client applications — ATT&CK T1190, T1203
  • Custom malware/implant development — ATT&CK: 18 attributed custom malware families

TTPs — 82 techniques across 15 tactics

  • Reconnaissance
  • Resource Development
  • Privilege Escalation
  • Credential Access
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration

Tools & malware (32)

ASPXSpy · BITSAdmin · PlugX · Impacket · gh0st RAT · netstat · PowerSploit · ZxShell · KEYPLUG · Ping · LightSpy · DUSTPAN · Net · ipconfig · sqlmap · China Chopper · ShadowPad · MESSAGETAP · Mimikatz · certutil · njRAT · Empire · Cobalt Strike · pwdump · BLACKCOFFEE · MOPSLED · ROCKBOOT · dsquery · Winnti for Linux · DUSTTRAP · Derusbi · ftp

Reporting (3)