{
	"id": "1dee7771-d75e-45a9-bffb-0c2a08367347",
	"created_at": "2026-04-06T00:09:17.312159Z",
	"updated_at": "2026-04-10T13:11:25.000826Z",
	"deleted_at": null,
	"sha1_hash": "ef66b368a288b8f74739f0fd36f54c8c7b11730c",
	"title": "APT41: Indictments Put Chinese Espionage Group in the Spotlight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43215,
	"plain_text": "APT41: Indictments Put Chinese Espionage Group in the Spotlight\r\nBy About the Author\r\nArchived: 2026-04-05 19:25:59 UTC\r\nThe U.S. government has charged seven men in relation to hundreds of cyber attacks against organizations in the\r\nU.S. and multiple other countries in Asia and Europe. Two of the men, who were based in Malaysia, were arrested\r\nand their extradition to the U.S. has been requested. The other five are based in China and remain at large.\r\nThe attacks were attributed to a China-linked organization dubbed APT41 and involved a combination of\r\nintellectual property theft and financially motivated cyber crime. While some of our peers monitor APT41 as a\r\nsingle operation, Symantec regards it as two distinct actors: Grayfly and Blackfly.\r\nGrayfly\r\nGrayfly has been particularly active in recent years, mounting high volume espionage attacks against\r\norganizations spread across Asia, Europe, and North America. They are interested in a wide range of sectors,\r\nincluding food, financial, healthcare, hospitality, manufacturing, telecoms, and government. It is known for using\r\nthe Barlaiy/POISONPLUG and Crosswalk/ProxIP (Backdoor.Motnug) malware families in its attacks. Victims are\r\nfrequently compromised by exploiting public facing web servers.\r\nIn recent attacks, Symantec has seen Grayfly deploy Backdoor.Motnug against targeted organizations in\r\nconjunction with publicly available Cobalt Strike malware. Backdoor.Motnug provides the attackers with\r\ncomprehensive remote access to the network and creates proxy connections allowing access to hard-to-reach\r\nsegments of a target network. In one attack against a telecoms provider, Grayfly was seen using an internal tool\r\ncapable of interacting with an SMS database, demonstrating that intelligence gathering was the motive of the\r\nattack.\r\nProsecutors in the U.S. have charged three Chinese men – Jiang Lizhi, Qian Chuan, and Fu Qiang – with\r\ninvolvement in attacks that involve Grayfly tools and tactics. The trio are based in the Chinese city of Chengdu\r\nand all hold senior positions in a company called Chengdu 404. The company describes itself as a network\r\nsecurity specialist and claims to employ a team of white hat hackers who can perform penetration testing along\r\nwith “offensive” and “defensive” security operations.\r\nThe indictment alleges that the three men were also involved in attacks against over 100 different organizations in\r\nthe U.S., South Korea, Japan, India, Taiwan, Hong Kong, Malaysia, Vietnam, India, Pakistan, Australia, the\r\nUnited Kingdom, Chile, Indonesia, Singapore, and Thailand. Jiang was said to have a “working relationship” with\r\nthe Chinese Ministry of State Security which would provide him and his associates with a degree of state\r\nprotection.\r\nBlackfly\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage\r\nPage 1 of 3\n\nBlackfly has been active since at least 2010 and is known for attacks involving the PlugX/Fast\r\n(Backdoor.Korplug), Winnti/Pasteboy (Backdoor.Winnti), and Shadowpad (Backdoor.Shadowpad) malware\r\nfamilies. The group is best known for its attacks on the computer gaming industry. However, Symantec has also\r\nobserved attacks on the semiconductor, telecoms, materials manufacturing, pharmaceutical, media and\r\nadvertising, hospitality, natural resources, fintech, and food sectors.\r\nRecent Blackfly activity observed by Symantec saw the group deploy a slightly modified version of the Winnti\r\nmalware against a telecoms organization in Taiwan. A feature of the attack was their use of the names of security\r\nvendors in naming files in an attempt to avoid raising suspicions. A dropper was signed with an invalid certificate\r\nwith the subject \"McAfee, Inc.\" The dropper then delivered several DLLs with file names that referenced\r\nSymantec software. The attackers had not compromised Symantec software, and were not leveraging it in the\r\nattack.\r\nIn a separate indictment, prosecutors allege that two Malaysian nationals – Wong Ong Hua and Ling Yang Ching –\r\nwere involved in attacks that involved Blackfly tools and tactics. Wong is the founder and CEO of a company\r\ncalled Sea Gamer Mall, while Ling is its chief product officer and a shareholder. The duo are alleged to have\r\ncollaborated with other attackers to mount a string of attacks against computer game companies in order to obtain\r\nin-game digital items, such as currencies, and then selling them for profit.\r\nThe link between Grayfly and Blackfly\r\nWhile Grayfly and Blackfly appear to be distinct operations, the indictments allege that there is a link between the\r\ntwo groups. Two Chinese men – Zhang Haoran and Tan Dailin – are charged in a third indictment with\r\ncollaborating with both groups. The two men are reported to have worked for a time at Chengdu 404, the company\r\nthat prosecutors identify as linked to Grayfly attacks. However, they are also alleged to have collaborated with the\r\ncharged Blackfly actors in order to make additional money by mounting attacks on computer gaming companies.\r\nThe indictment alleges that in several instances, they used their unauthorized access to gaming company networks\r\nto kick other attackers off the network, effectively eliminating their competition.\r\nUnwelcome attention\r\nGrayfly and Blackfly have been prolific attackers in recent years and, while it remains to be seen what impact the\r\ncharges will have on their operations, the publicity surrounding the indictments will certainly be unwelcome\r\namong attackers who wish to maintain a low profile. Symantec remains committed to tracking the activity of these\r\ngroups in order to protect our customers from their attacks.\r\nProtection/Mitigation\r\nSymantec products protect against threats discussed in this blog with the following detections:\r\nBackdoor.Motnug\r\nBackdoor.Korplug\r\nBackdoor.Winnti\r\nBackdoor.Shadowpad\r\nIndicators of Compromise\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage"
	],
	"report_names": [
		"apt41-indictments-china-espionage"
	],
	"threat_actors": [
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434157,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef66b368a288b8f74739f0fd36f54c8c7b11730c.pdf",
		"text": "https://archive.orkl.eu/ef66b368a288b8f74739f0fd36f54c8c7b11730c.txt",
		"img": "https://archive.orkl.eu/ef66b368a288b8f74739f0fd36f54c8c7b11730c.jpg"
	}
}