{ "id": "598b5fa9-1d1b-4b27-8adb-80f4921c1bc7", "created_at": "2026-04-06T00:17:56.619522Z", "updated_at": "2026-04-10T03:32:21.401531Z", "deleted_at": null, "sha1_hash": "95be0778ca3c32f268b3136e48ef9cb843c316d5", "title": "China's APT41 Manages Library of Breached Certificates", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 40975, "plain_text": "China's APT41 Manages Library of Breached Certificates\r\nBy Phil Muncaster\r\nPublished: 2021-11-18 · Archived: 2026-04-05 23:21:22 UTC\r\nA freelance Chinese APT group is actively managing a library of compromised code-signing digital certificates to\r\nsupport cyber-espionage attacks targeting supply chain vendors, according to Venafi.\r\nThe security vendor’s latest research report details the work of APT41, an unusual group in that it\r\nhas previously been observed carrying out attacks for both traditional state-sponsored cyber-espionage\r\nand personal financial gain.\r\nVenafi claimed that using the certificates and keys that authenticate pieces of code are a key part of its tactics.\r\nAPT41 is reportedly managing a library of these certs and keys – some purchased from underground\r\nmarketplaces, some obtained from other Chinese attack groups and some stolen by APT41 itself.\r\nThis shared resource allows members of the group to select the appropriate certificate for their needs,\r\n“dramatically” improving success rates, according to Venafi.\r\nThese attacks, conducted in support of China’s long-term economic, military and political goals – are often\r\ndirected at the digital supply chain, allowing easy compromise of downstream customers.\r\n“Code-signing machine identities allow malicious code to appear authentic and evade security controls. The\r\nsuccess of attacks using this model over the past decade has created a blueprint for sophisticated attacks that have\r\nbeen highly successful because they are very difficult to detect,” explained Venafi threat intelligence specialist\r\nYana Blachman.\r\n“Since targeting the Windows software utility CCleaner in 2018 and Asus LiveUpdate in 2019, APT41’s methods\r\ncontinue to improve. Every software provider should be aware of this threat and take steps to protect their\r\nsoftware development environments.”\r\nOnce the targeted downstream organization is compromised via secondary malware, APT41 then moves laterally\r\nacross networks, using stolen credentials and reconnaissance tools to steal IP and customer data, the report\r\nclaimed.\r\nAPT41 was responsible for one of the most widespread Chinese cyber campaigns of recent years when\r\nit exploited Citrix and Zoho endpoints at scores of global organizations across multiple verticals.\r\nhttps://www.infosecurity-magazine.com/news/chinas-apt41-manages-library/\r\nPage 1 of 2\n\nSource: https://www.infosecurity-magazine.com/news/chinas-apt41-manages-library/\r\nhttps://www.infosecurity-magazine.com/news/chinas-apt41-manages-library/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.infosecurity-magazine.com/news/chinas-apt41-manages-library/" ], "report_names": [ "chinas-apt41-manages-library" ], "threat_actors": [ { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434676, "ts_updated_at": 1775791941, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/95be0778ca3c32f268b3136e48ef9cb843c316d5.pdf", "text": "https://archive.orkl.eu/95be0778ca3c32f268b3136e48ef9cb843c316d5.txt", "img": "https://archive.orkl.eu/95be0778ca3c32f268b3136e48ef9cb843c316d5.jpg" } }