
Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.


APT41

Also known as: Double Dragon, BARIUM, Brass Typhoon, Wicked Panda, Winnti, LEAD, Red Kelpie, Earth Baku

Status: Active
Type: Nation-State
Origin: China
MITRE: G0096

Campaigns: 0
Techniques: 46
IOCs: 5
Tools: 22
Matches: 0
Infrastructure: 6

Overview

APT41, also known as Double Dragon, is a unique Chinese threat actor that conducts both state-sponsored espionage operations and financially motivated cybercrime. Active since at least 2012, the group is attributed to contractors working for China's Ministry of State Security (MSS), which provides them the unusual latitude to pursue personal financial gain alongside state-directed intelligence missions. APT41 is technically sophisticated, known for deploying supply chain attacks (CCleaner 2017, ShadowPad in NetSarang 2017), targeting managed service providers, and exploiting zero-day vulnerabilities. The group has compromised software companies to inject backdoors into legitimate products, affecting millions of downstream users. The group targets an exceptionally wide range of industries including healthcare, telecommunications, technology, gaming, and higher education across 14+ countries. In 2020, the U.S. DOJ indicted five Chinese nationals associated with APT41's operations. Despite these indictments, APT41 has continued operations, recently exploiting zero-days in Citrix, Cisco, and Zoho products.

Motivations

Espionage, Financial Gain, Intellectual Property Theft

Target Sectors

Technology, Telecommunications, Healthcare, Gaming, Higher Education, Travel, Media, Government, Financial Services, Manufacturing, Pharmaceutical, Retail, Transportation, Nonprofit

Activity Timeline

First Seen

Jan 2012

Last Seen

Jan 2024

Quick Facts

Origin: China
Sophistication: nation-state
Status: Active
MITRE Group: G0096

MITRE ATT&CK Techniques (46)

Other (technique IDs listed without names on the original page; names filled in from the MITRE ATT&CK catalogue, duplicate entries removed)

T1195.002: Compromise Software Supply Chain

T1574.001: DLL Search Order Hijacking

T1574.002: DLL Side-Loading

T1071.001: Web Protocols

T1588.002: Obtain Capabilities: Tool

T1583.001: Acquire Infrastructure: Domains

T1053.005: Scheduled Task

T1055.001: Dynamic-link Library Injection

T1055.012: Process Hollowing

T1057: Process Discovery

T1070.004: File Deletion

T1112: Modify Registry

T1135: Network Share Discovery

T1204.002: Malicious File

T1518.001: Security Software Discovery

T1543.003: Windows Service

T1546.003: Windows Management Instrumentation Event Subscription

T1550.002: Pass the Hash

T1560.001: Archive via Utility

T1562.001: Disable or Modify Tools

T1569.002: Service Execution

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1189

Drive-by Compromise

Gain access through a user visiting a compromised website during normal browsing.

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

Defense Evasion

T1055

Process Injection

Inject code into running processes to evade defenses and elevate privileges.

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1140

Deobfuscate/Decode Files or Information

Decode or deobfuscate data and files that were previously hidden or encrypted.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Discovery

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

T1021.002

SMB/Windows Admin Shares

Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

T1570

Lateral Tool Transfer

Transfer tools and files between compromised systems within the network.

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Exploit software vulnerabilities to gain elevated privileges on a system.

Command and Control

T1105

Ingress Tool Transfer

Download additional tools or payloads from an external system.

T1572

Protocol Tunneling

Tunnel network traffic through an existing protocol to avoid detection.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

Persistence

T1547.001

Registry Run Keys / Startup Folder

Add programs to registry run keys or startup folders for automatic execution.

Tools & Malware (22)

ShadowPad

malware (Malicious)

Modular backdoor platform that was initially deployed via supply chain attack on NetSarang software. Features plugin-based architecture with encrypted C2 using custom DNS tunneling.

Winnti

malware (Malicious)

Signature rootkit-enabled backdoor shared across multiple Chinese APT groups. Provides persistent access with kernel-level capabilities for hiding processes and network connections.

POISONPLUG

malware (Malicious)

Modular backdoor loaded via DLL side-loading. Supports keylogging, screen capture, file management, and loading additional plugins from C2 servers.

PlugX

malware (Malicious)

Versatile RAT shared across Chinese APT groups. Uses DLL side-loading for execution and supports HTTP/DNS/TCP C2 with encrypted communications.

KeyPlug

malware (Malicious)

Cross-platform (Windows/Linux) backdoor using WebSocket and custom TCP protocols for C2. Used in attacks against telecommunications and government sectors.

DEADEYE

malware (Malicious)

Downloader/launcher that deploys secondary payloads. Uses living-off-the-land binaries and DLL side-loading to maintain stealth during initial compromise.

DUSTPAN

malware (Malicious)

In-memory dropper that loads encrypted payloads directly into process memory. Used in conjunction with DUSTTRAP for multi-stage deployment.

LOWKEY

malware (Malicious)

Passive backdoor for Linux servers that listens on existing network sockets. Extremely difficult to detect as it doesn't create new network connections.

Cobalt Strike

framework (Legitimate)

Extensively used for post-exploitation in both espionage and financially motivated operations. Custom loaders deployed via supply chain or spear-phishing vectors.

China Chopper

malware (Malicious)

Lightweight web shell (4KB) providing remote command execution on compromised web servers. Used for initial foothold maintenance and file management.

Mimikatz

framework (Legitimate)

Used for credential extraction and Kerberos ticket manipulation during lateral movement phases in both espionage and cybercrime operations.

Impacket

framework (Legitimate)

Python framework used for SMB relay attacks, remote execution via wmiexec/smbexec, and credential extraction via secretsdump.

PowerShell

OS utility (Legitimate)

Used for reconnaissance, downloading secondary payloads, disabling security controls, and executing in-memory malware to avoid disk-based detection.

certutil

OS utility (Legitimate)

Windows utility abused for downloading payloads from C2 servers and decoding Base64-encoded malware during multi-stage infection chains.

CCleaner (Supply Chain)

legitimate tool (Malicious)

Compromised CCleaner v5.33 build environment in 2017 to distribute ShadowPad backdoor to 2.27 million users. One of the largest software supply chain attacks.

Speculoos

malware (Malicious)

FreeBSD backdoor discovered targeting Citrix ADC/Gateway appliances. Demonstrates APT41's capability to target non-Windows network infrastructure.

UPPERCUT

Backdoor (Malicious)

Backdoor delivering Cobalt Strike BEACON payloads.

CROSSWALK

Backdoor (Malicious)

Modular backdoor with support for proxy and file operations.

HIGHNOON

Backdoor (Malicious)

Backdoor with kernel driver component for persistence.

MESSAGETAP

Backdoor (Malicious)

SMS interception tool targeting telecom infrastructure.

StealthVector

Backdoor (Malicious)

Backdoor deployed through compromised software supply chains.

MoonBounce

Other (Malicious)

UEFI firmware bootkit for stealth and persistence.

Indicators of Compromise (5)

IOC values are defanged for safety.

Type   | Value                            | Notes
domain | ns1[.]clofrfrede[.]com           | ShadowPad C2 infrastructure
domain | infestexe[.]com                  | CROSSWALK/DEADEYE C2 domain
ip     | 103[.]230[.]15[.]130             | KeyPlug Linux backdoor C2 server
ip     | 149[.]28[.]78[.]89               | Infrastructure used in telecom targeting
hash   | 7966c2c546b71e800cddd2a6d3a8b0e1 | ShadowPad backdoor sample (MD5)

Infrastructure (6)

Domain values are defanged for safety.

Domain / Host           | Type   | Status     | Last Checked | Notes
ns1[.]clofrfrede[.]com  | c2     | offline    | Apr 2, 2026  | ShadowPad C2 infrastructure
infestexe[.]com         | c2     | offline    | Apr 2, 2026  | CROSSWALK/DEADEYE C2 domain
103[.]230[.]15[.]130    | ip     | active     | Apr 2, 2026  | KeyPlug Linux backdoor C2 server
149[.]28[.]78[.]89      | ip     | offline    | Apr 2, 2026  | Infrastructure used in telecom targeting
thetavaluemetrics[.]com | domain | active     | Apr 2, 2026  |
www[.]googleapis[.]com  | domain | ip_changed | Apr 2, 2026  |

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References (8)

MITRE ATT&CK - APT41

https://attack.mitre.org/groups/G0096/

Mandiant - APT41: A Dual Espionage and Cyber Crime Operation

https://www.mandiant.com/resources/apt41-dual-espionage-and-cyber-crime-operation

U.S. DOJ - Seven International Cyber Defendants Charged

https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged

KEYPLUG Backdoor: APT41's Pivotal Tool for Cyber Espionage

https://www.group-ib.com/blog/apt41-keyplug/

APT41: A Dual Espionage and Cyber Crime Operation

https://www.mandiant.com/resources/blog/apt41-dual-espionage-and-cyber-crime-operation

Chinese APT41 Hackers Target Android Devices with WyrmSpy, DragonEgg Spyware

https://thehackernews.com/2023/07/chinese-apt41-hackers-target-android.html

MoonBounce: the dark side of UEFI firmware

https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

Double Dragon APT41, a dual espionage and cyber crime operation

https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html