{
	"id": "23e9c36c-4322-48c5-ac65-128346ed11f3",
	"created_at": "2026-04-06T00:16:51.699312Z",
	"updated_at": "2026-04-10T13:12:44.094763Z",
	"deleted_at": null,
	"sha1_hash": "197dae55e54a435d5ae26508cea9c6dd907249a9",
	"title": "APT41 Chinese Cyber Threat Group | Espionage \u0026 Cyber Crime",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 416821,
	"plain_text": "APT41 Chinese Cyber Threat Group | Espionage \u0026 Cyber Crime\r\nBy Mandiant\r\nPublished: 2019-08-07 · Archived: 2026-04-05 13:11:15 UTC\r\nWritten by: Nalani Fraser, Fred Plan, Jacqueline O'Leary, Vincent Cannon, Raymond Leong, Dan Perez, Chi-en\r\nShen\r\nToday, FireEye Intelligence is releasing a comprehensive report detailing APT41, a prolific Chinese cyber threat\r\ngroup that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41\r\nis unique among tracked China-based actors in that it leverages non-public malware typically reserved for\r\nespionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is\r\nunusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous\r\ncyber crime and cyber espionage operations from 2014 onward.\r\nThe full published report covers historical and ongoing activity attributed to APT41, the evolution of the group’s\r\ntactics, techniques, and procedures (TTPs), information on the individual actors, an overview of their malware\r\ntoolset, and how these identifiers overlap with other known Chinese espionage operators. APT41 partially\r\ncoincides with public reporting on groups including BARIUM (Microsoft) and Winnti (Kaspersky, ESET,\r\nClearsky).\r\nWho Does APT41 Target?\r\nLike other Chinese espionage operators, APT41 espionage targeting has generally aligned with China's Five-Year\r\neconomic development plans. The group has established and maintained strategic access to organizations in the\r\nhealthcare, high-tech, and telecommunications sectors. APT41 operations against higher education, travel services,\r\nand news/media firms provide some indication that the group also tracks individuals and conducts surveillance.\r\nFor example, the group has repeatedly targeted call record information at telecom companies. 
In another instance,\r\nAPT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there, suggesting the group was\r\ntasked to reconnoiter the facility for security reasons.\r\nThe group’s financially motivated activity has primarily focused on the video game industry, where APT41 has\r\nmanipulated virtual currencies and even attempted to deploy ransomware. The group is adept at moving laterally\r\nwithin targeted networks, including pivoting between Windows and Linux systems, until it can access game\r\nproduction environments. From there, the group steals source code as well as digital certificates which are then\r\nused to sign malware. More importantly, APT41 is known to use its access to production environments to inject\r\nmalicious code into legitimate files which are later distributed to victim organizations. These supply chain\r\ncompromise tactics have also been characteristic of APT41’s best known and most recent espionage campaigns.\r\nInterestingly, despite the significant effort required to execute supply chain compromises and the large number of\r\naffected organizations, APT41 limits the deployment of follow-on malware to specific victim systems by matching\r\nhttps://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html\r\nPage 1 of 4\n\nagainst individual system identifiers. These multi-stage operations restrict malware delivery only to intended\r\nvictims and significantly obfuscate the intended targets. In contrast, a typical spear-phishing campaign’s desired\r\ntargeting can be discerned based on recipients' email addresses.\r\nA breakdown of industries directly targeted by APT41 over time can be found in Figure 1.\r\nFigure 1: Timeline of industries directly targeted by APT41\r\nProbable Chinese Espionage Contractors\r\nTwo identified personas using the monikers “Zhang Xuguang” and “Wolfzhi” linked to APT41 operations have\r\nalso been identified in Chinese-language forums. 
These individuals advertised their skills and services and\r\nindicated that they could be hired. Zhang listed his online hours as 4:00pm to 6:00am, similar to APT41\r\noperational times against online gaming targets and suggesting that he is moonlighting. Mapping the group’s\r\nactivities since 2012 (Figure 2) also provides some indication that APT41 primarily conducts financially\r\nmotivated operations outside of their normal day jobs.\r\nAttribution to these individuals is backed by identified persona information, their previous work and apparent\r\nexpertise in programming skills, and their targeting of Chinese market-specific online games. The latter is\r\nespecially notable because APT41 has repeatedly returned to targeting the video game industry and we believe\r\nthese activities were formative in the group’s later espionage operations.\r\nFigure 2: Operational activity for gaming versus non-gaming-related targeting based on observed operations since\r\n2012\r\nThe Right Tool for the Job\r\nAPT41 leverages an arsenal of over 46 different malware families and tools to accomplish their missions,\r\nincluding publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to\r\nthe group. The group often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files\r\nto initially compromise their victims. Once in a victim organization, APT41 can leverage more sophisticated TTPs\r\nand deploy additional malware. 
For example, in a campaign running almost a year, APT41 compromised hundreds\r\nof systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers,\r\nand rootkits.\r\nAPT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their\r\nmalware and maintain persistence on select victim systems. The use of bootkits in particular adds an extra layer of\r\nstealth because the code is executed prior to the operating system initializing. The limited use of these tools by\r\nAPT41 suggests the group reserves more advanced TTPs and malware only for high-value targets.\r\nFast and Relentless\r\nAPT41 quickly identifies and compromises intermediary systems that provide access to otherwise segmented parts\r\nof an organization’s network. In one case, the group compromised hundreds of systems across multiple network\r\nsegments and several geographic regions in as little as two weeks.\r\nThe group is also highly agile and persistent, responding quickly to changes in victim environments and incident\r\nresponder activity. Hours after a victimized organization made changes to thwart APT41, for example, the group\r\ncompiled a new version of a backdoor using a freshly registered command-and-control domain and compromised\r\nseveral systems across multiple geographic regions. 
In a different instance, APT41 sent spear-phishing emails to\r\nmultiple HR employees three days after an intrusion had been remediated and systems were brought back online.\r\nWithin hours of a user opening a malicious attachment sent by APT41, the group had regained a foothold within\r\nthe organization's servers across multiple geographic regions.\r\nLooking Ahead\r\nAPT41 is a creative, skilled, and well-resourced adversary, as highlighted by the operation’s distinct use of supply\r\nchain compromises to target select individuals, consistent signing of malware using compromised digital\r\ncertificates, and deployment of bootkits (which is rare among Chinese APT groups).\r\nLike other Chinese espionage operators, APT41 appears to have moved toward strategic intelligence collection\r\nand establishing access and away from direct intellectual property theft since 2015. This shift, however, has not\r\naffected the group's consistent interest in targeting the video game industry for financially motivated reasons. The\r\ngroup's capabilities and targeting have both broadened over time, signaling the potential for additional supply\r\nchain compromises affecting a variety of victims in additional verticals.\r\nAPT41's links to both underground marketplaces and state-sponsored activity may indicate the group enjoys\r\nprotections that enable it to conduct its own for-profit activities, or that authorities are willing to overlook them. It is\r\nalso possible that APT41 has simply evaded scrutiny from Chinese authorities. 
Regardless, these operations\r\nunderscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is\r\nexemplified by APT41.\r\nRead the report today to learn more.\r\nSource: https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
	],
	"report_names": [
		"apt41-dual-espionage-and-cyber-crime-operation.html"
	],
	"threat_actors": [
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434611,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/197dae55e54a435d5ae26508cea9c6dd907249a9.pdf",
		"text": "https://archive.orkl.eu/197dae55e54a435d5ae26508cea9c6dd907249a9.txt",
		"img": "https://archive.orkl.eu/197dae55e54a435d5ae26508cea9c6dd907249a9.jpg"
	}
}