{
	"id": "832eea13-3b9f-4ee8-b6c1-57374865e0ce",
	"created_at": "2026-04-06T00:21:29.409451Z",
	"updated_at": "2026-04-10T03:32:21.036865Z",
	"deleted_at": null,
	"sha1_hash": "2b5903bb538ee1f1d736f5d66fe197527ab5328a",
	"title": "U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 326416,
	"plain_text": "U.S. Justice Department Charges APT41 Hackers over Global\r\nCyberattacks\r\nBy: Trend Micro Sep 18, 2020 Read time: 4 min (1005 words)\r\nPublished: 2020-09-18 · Archived: 2026-04-05 17:55:03 UTC\r\nOn September 16, 2020, the United States Justice Department announced that it was charging five Chinese\r\ncitizens with hacking crimes committed against over 100 institutions in the United States and abroad. The global\r\nhacking campaign went after a diverse range of targets, from video game companies and telecommunications\r\nenterprises to universities and non-profit organizations. The five individuals were reportedly connected to the\r\nhacking group known as APT41. At the time of writing, they remain fugitives, but two Malaysian citizens have\r\nbeen arrested for aiding the hackers. \r\nThree related indictments unsealed by the Justice Department laid out the group's wide range of malicious\r\nactivities, including crypto-jacking and ransomware attacks. Most of the activities appear to have been done for\r\nprofit, but some were for espionage purposes. \r\nJustice officials say that the group's intrusions allowed the hackers to steal source code, customer account data,\r\nand personally identifiable information (PII). Other notable activities include defrauding video game companies\r\nby manipulating in-game resources, and launching a ransomware attack on the network of a non-profit\r\norganization dedicated to combating global poverty.\r\nThe hackers used publicly available exploits and common vulnerabilities, which are listed in the official report.\r\nThey also employed sophisticated hacking techniques to gain and maintain access to the victims' computer\r\nnetworks. The official report outlined how the team used \"supply chain attacks\" in which they compromised\r\nsoftware providers and modified the code they were giving their customers. This also allowed the threat actors to\r\ncompromise the customers and spread their influence further. 
\r\nThis is not the first time that APT41 activities have been scrutinized — the group has been active for some time.\r\nJust last May, Trend Micro connected the group to ransomware attacks on Taiwanese organizations. The new\r\nransomware family, which we dubbed ColdLock, is potentially destructive as it appears to target databases and\r\nemail servers for encryption.\r\nThe attack chain of ransomware incidents in Taiwan\r\nThe Trend Micro Research team investigated the ColdLock ransomware attack, which actually targeted the energy\r\nindustry in Taiwan. The ransomware attack chain is outlined in Figure 1; however, we currently do not know the\r\ninitial arrival vector of this threat into a potential victim's network. Our analysis focused on the way the attacker\r\nspreads the ransomware to infect as many machines as possible. \r\n1. The threat actor enters a victim's network environment and obtains the account username and password of\r\nthe company headquarters' Active Directory server.\r\nhttps://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html\r\nPage 1 of 4\n\n2. After logging in to the Active Directory server, the threat actor modifies the Active Directory server group\r\npolicy object — this includes a request that all domain account members create a scheduled task and\r\nexecute the malware.\r\n3. In the final step, the other subsidiary Active Directory servers and all the endpoint machines will download\r\nthe scheduled task and execute the ransomware.\r\nFigure 1. The attacker uses an Active Directory (AD) scheduled task to deploy the ransomware in\r\nthe customer environment.\r\nScheduled tasks play a very important role in this incident. The threat actors use a scheduled task command to\r\nspread and infect a victim's environment. 
The screenshot in Figure 2 shows how the threat actor uses SMB and\r\ninternal IIS Web Service to copy \"lc.tmp\" (the main ransomware loader in this incident) to other victims' host\r\nmachines. After that, the PowerShell command executes the main ransomware loader.\r\nFigure 2. How a scheduled task delivers the malware to a victim's environment\r\nThe right tool for the job\r\nBefore the ransomware attack, the attacker was likely already hiding in the victims' environments for some time.\r\nWe found the same customized loaders installed as Windows services in every victim's environment, and those\r\ninfected machines were in positions that allowed them to reach other machines under the subnets. \r\nThe loaders decrypted the next-stage payloads, which were either embedded inside the loader itself or stored on disk as\r\nseparate files. The next-stage payloads were CobaltStrike in this series of incidents. After the loader and payload\r\npairs were successfully installed, the attacker started poking around the environments with tools like password\r\ndumpers and HTTP tunneling tools — then the ransomware attacks were launched one month later. \r\nMore than just a single occurrence\r\nDuring the investigation, we discovered more incidents that are possibly related to the one discussed above. We\r\ndid this by checking the indicator overlap and the C\u0026C infrastructure overlap. Based on the distribution of the\r\nlinked indicators, the attacker(s) appears to be interested in energy, retail, and telecom companies, mainly in\r\nSoutheast Asia. They mostly conduct espionage activities — lurking in the environments for a long period and\r\npacking the data that interested them. They also seem to be updating the backdoors and toolsets they use. 
\r\nPossible link to Chinese espionage\r\nThe C\u0026C server 104[.]233[.]224[.]227 was hosted under a small hosting service with only 64 IPs under it. The IP\r\nrange was registered to an address in Inner Mongolia, China. The C\u0026C server was abandoned several days after\r\nthe incidents, and now the IP is hosting a Simplified-Chinese site.\r\nTrend Micro Solutions\r\nSophisticated hacking groups have versatile tools and are persistent threats. Users should deploy more robust and\r\nproactive defenses to be adequately protected against these groups. The following Trend Micro Solutions are\r\nrecommended:\r\nTrend Micro XDR for Users: Applies AI and analytics for earlier detection of threats across endpoints and\r\nother layers of the system\r\nTrend Micro Apex One™: Provides actionable insights, expanded investigative capabilities, and\r\ncentralized visibility across the network.\r\nTrend Micro™ Deep Discovery™ Email Inspector: Detects, blocks, and analyzes malicious email\r\nattachments through custom sandboxing and other detection techniques\r\nTo help defend users against APT41 specifically, we have developed an assessment tool that can scan endpoints\r\nfor file-based indicators collected from global intelligence sources. 
\r\nIndicators of Compromise\r\nSHA-1 Malware Family\r\n2367326f995cb911c72baadc33a3155f8f674600 NTDSDump\r\n75e49120a0238749827196cebb7559a37a2422f8 COLDLOCK\r\n5b9b7fb59f0613c32650e8a3b91067079bcb2fc2 COLDLOCK\r\ne7aa8f55148b4548ef1ab9744bc3d0e67588d5b7 COLDLOCK\r\nad6783c349e98c2b4a8ce0b5c9207611309adca7 COBALTSTRIKE\r\n29cc0ff619f54068ce0ab34e8ed3919d13fa5ee9 COLDLOCK\r\n2051f0a253eced030539a10ebc3e6869b727b8a9 COLDLOCK\r\na2046f17ec4f5517636ea331141a4b5423d534f0 COLDLOCK\r\n03589dffe2ab72a0de5e9dce61b07e44a983d857 COBALTSTRIKE\r\n9d6feb6e246557f57d17b8df2b6d07194ad66f66 COLDLOCK\r\n28d172e374eebc29911f2152b470528fc695662e PWDDUMPER\r\n574fb6a497c032f7b9df54bc4669d1eb58d78fb4 ASPSHELL\r\n*One of the sources for this table is the original report from the U.S. Justice Department\r\nSource: https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html"
	],
	"report_names": [
		"u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434889,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b5903bb538ee1f1d736f5d66fe197527ab5328a.pdf",
		"text": "https://archive.orkl.eu/2b5903bb538ee1f1d736f5d66fe197527ab5328a.txt",
		"img": "https://archive.orkl.eu/2b5903bb538ee1f1d736f5d66fe197527ab5328a.jpg"
	}
}