DFIRLab

Security research, threat intelligence, and free DFIR tools.

© 2026 DFIR Lab. All rights reserved.


APT41

Also known as: Double Dragon, BARIUM, Brass Typhoon, Wicked Panda, Winnti, LEAD, Red Kelpie, Earth Baku, Wicked Spider, Bronze Atlas, HOODOO, RedGolf, MISSION2025, UNC5221, Blackfly, Grayfly, Earth Freybug, Earth Longzhi, SparklingGoblin, UNIT2025, Leopard Typhoon

Active | Nation-State | China | MITRE G0096

Campaigns: 0 | Techniques: 74 | IOCs: 85 | Tools: 74 | Matches: 0 | Infrastructure: 10

Overview

APT41, also known as Double Dragon, is a Chinese threat actor that is unusual in conducting both state-sponsored espionage and financially motivated cybercrime. Active since at least 2012, the group is attributed to contractors working for China's Ministry of State Security (MSS), an arrangement that gives them unusual latitude to pursue personal financial gain alongside state-directed intelligence missions.

APT41 is technically sophisticated and is known for software supply chain attacks (CCleaner in 2017, ShadowPad in NetSarang in 2017), for targeting managed service providers, and for exploiting zero-day vulnerabilities. The group has compromised software companies to inject backdoors into legitimate products, affecting millions of downstream users. Its targeting spans an exceptionally wide range of industries, including healthcare, telecommunications, technology, gaming, higher education, media, manufacturing, retail, and government, across Asia, Europe, and North America.

In 2020, the U.S. DOJ indicted five Chinese nationals associated with APT41's operations. Despite these indictments, APT41 has continued operating, exploiting zero-days in products from Citrix, Cisco, Zoho, Fortinet, and Barracuda. Recent activity (2023-2024) includes campaigns exploiting CVE-2023-46747 (F5 BIG-IP), CVE-2024-23113 (Fortinet FortiOS), and CVE-2023-2868 (Barracuda ESG), showing a continued focus on edge devices and network appliances. APT41 has also been observed deploying ransomware for financial gain while simultaneously conducting espionage, maintaining its dual-mission profile.

Motivations

Espionage, Financial Gain, Intellectual Property Theft

Target Sectors

Technology, Telecommunications, Healthcare, Gaming, Higher Education, Travel, Media, Government, Financial Services, Manufacturing, Pharmaceutical, Retail, Transportation, Nonprofit, Gambling, Think Tanks, Law Firms, African Government IT Services, Policy Organizations, Trade Groups, Defense, Logistics, Hospitality, Aviation, Legal, Defense Industrial Base, Semiconductor, Pharmaceuticals, Media and Entertainment, Aerospace

Activity Timeline

First Seen: Jan 2012
Last Seen: Jan 2024

Quick Facts

Origin: China
Sophistication: nation-state
Status: Active
MITRE Group: G0096

MITRE ATT&CK Techniques (74)

Other

T1195.002, T1574.001, T1574.002, T1071.001, T1588.002, T1583.001, T1053.005, T1055.001, T1055.012, T1057, T1070.004, T1112, T1135, T1204.002, T1518.001, T1543.003, T1546.003, T1550.002, T1560.001, T1562.001, T1569.002, T1078.003, T1091, T1199, T1210, T1505.003, T1136.001, T1218.011, T1071.004, T1594, T1595.002, T1059.004, T1132.001, T1132.002, T1537, T1102.002, T1498, T1584.004, T1207, T1556.004, T1552.001, T1606.002

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1189

Drive-by Compromise

Gain access through a user visiting a compromised website during normal browsing.

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

Defense Evasion

T1055

Process Injection

Inject code into running processes to evade defenses and elevate privileges.

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1140

Deobfuscate/Decode Files or Information

Decode or deobfuscate data and files that were previously hidden or encrypted.

T1036

Masquerading

Disguise malicious artifacts by manipulating names or locations to appear legitimate.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

T1114

Email Collection

Collect email messages from mailboxes or mail servers.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

T1567

Exfiltration Over Web Service

Exfiltrate data to cloud storage services like Google Drive or Dropbox.

Discovery

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

T1021.002

SMB/Windows Admin Shares

Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

T1570

Lateral Tool Transfer

Transfer tools and files between compromised systems within the network.

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Exploit software vulnerabilities to gain elevated privileges on a system.

Command and Control

T1105

Ingress Tool Transfer

Download additional tools or payloads from an external system.

T1572

Protocol Tunneling

Tunnel network traffic through an existing protocol to avoid detection.

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

T1219

Remote Access Software

Use legitimate remote access tools like TeamViewer or AnyDesk for C2.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

Persistence

T1547.001

Registry Run Keys / Startup Folder

Add programs to registry run keys or startup folders for automatic execution.

Reconnaissance

T1592

Gather Victim Host Information

Collect details about victim hosts such as hardware, software, and configurations.

Tools & Malware (74)

ShadowPad (malware, Malicious)
Modular backdoor platform that was initially deployed via a supply chain attack on NetSarang software. Features a plugin-based architecture with encrypted C2 using custom DNS tunneling.

Winnti (malware, Malicious)
Signature rootkit-enabled backdoor shared across multiple Chinese APT groups. Provides persistent access with kernel-level capabilities for hiding processes and network connections.

POISONPLUG (malware, Malicious)
Modular backdoor loaded via DLL side-loading. Supports keylogging, screen capture, file management, and loading additional plugins from C2 servers.

PlugX (malware, Malicious)
Versatile RAT shared across Chinese APT groups. Uses DLL side-loading for execution and supports HTTP/DNS/TCP C2 with encrypted communications.

KeyPlug (malware, Malicious)
Cross-platform (Windows/Linux) backdoor using WebSocket and custom TCP protocols for C2. Used in attacks against telecommunications and government sectors.

DEADEYE (malware, Malicious)
Downloader/launcher that deploys secondary payloads. Uses living-off-the-land binaries and DLL side-loading to maintain stealth during initial compromise.

DUSTPAN (malware, Malicious)
In-memory dropper that loads encrypted payloads directly into process memory. Used in conjunction with DUSTTRAP for multi-stage deployment.

LOWKEY (malware, Malicious)
Passive backdoor for Linux servers that listens on existing network sockets. Extremely difficult to detect because it does not create new network connections.

Cobalt Strike (framework, Legitimate)
Extensively used for post-exploitation in both espionage and financially motivated operations. Custom loaders are deployed via supply chain or spear-phishing vectors.

China Chopper (malware, Malicious)
Lightweight web shell (4 KB) providing remote command execution on compromised web servers. Used for maintaining an initial foothold and for file management.

Mimikatz (framework, Legitimate)
Used for credential extraction and Kerberos ticket manipulation during lateral movement phases in both espionage and cybercrime operations.

Impacket (framework, Legitimate)
Python framework used for SMB relay attacks, remote execution via wmiexec/smbexec, and credential extraction via secretsdump.

PowerShell (os utility, Legitimate)
Used for reconnaissance, downloading secondary payloads, disabling security controls, and executing in-memory malware to avoid disk-based detection.

certutil (os utility, Legitimate)
Windows utility abused for downloading payloads from C2 servers and decoding Base64-encoded malware during multi-stage infection chains.

CCleaner (Supply Chain) (legitimate tool, Malicious)
Compromised the CCleaner v5.33 build environment in 2017 to distribute the ShadowPad backdoor to 2.27 million users. One of the largest software supply chain attacks.

Speculoos (malware, Malicious)
FreeBSD backdoor discovered targeting Citrix ADC/Gateway appliances. Demonstrates APT41's capability to target non-Windows network infrastructure.

UPPERCUT (Backdoor, Malicious)
Backdoor delivering Cobalt Strike BEACON payloads.

CROSSWALK (Backdoor, Malicious)
Modular backdoor with support for proxy and file operations.

HIGHNOON (Backdoor, Malicious)
Backdoor with a kernel driver component for persistence.

MESSAGETAP (Backdoor, Malicious)
SMS interception tool targeting telecom infrastructure.

StealthVector (Backdoor, Malicious)
Backdoor deployed through compromised software supply chains.

MoonBounce (Other, Malicious)
UEFI firmware bootkit for stealth and persistence.

SPEEDPICK (Backdoor, Malicious)
Lightweight backdoor for remote access and reconnaissance.

BEACON (Backdoor, Legitimate)
Cobalt Strike payload used for post-exploitation.

MoonWalk (Backdoor, Malicious)
Loader and backdoor used to deploy additional malware.

StealthMutant (Backdoor, Malicious)
Advanced backdoor variant evolved from StealthVector.

ColunmTK (Backdoor, Malicious)
Backdoor used in targeted espionage campaigns.

DUSTTRAP (Backdoor, Malicious)
Backdoor used for reconnaissance and lateral movement.

TIDYELF (Backdoor, Malicious)
Linux malware variant targeting ESXi hypervisors.

DodgeBox (Exploit, Malicious)
Exploit framework targeting edge devices and network appliances.

GOSPIDER (Backdoor, Malicious)
Web shell and backdoor used for persistence on compromised web servers.

SPARKLOAD (Loader, Malicious)
Loader component used to decrypt and execute additional payloads.

HOMEUNIX (Backdoor, Malicious)
Linux-based backdoor for compromised systems.

ZROK (Other, Legitimate)
Open-source tunneling tool abused for command and control communications.

SPEAKUP (Backdoor, Malicious)
Linux backdoor targeting cloud environments.

Acehash (Stealer, Malicious)
Credential harvesting tool targeting authentication credentials.

CHECKVIRUS (Backdoor, Malicious)
Backdoor used for reconnaissance and command execution on compromised systems.

SPEEDRUN (Backdoor, Malicious)
Custom backdoor used for maintaining persistent access to compromised systems.

SOREFANG (Backdoor, Malicious)
Memory-only dropper malware used in APT41 campaigns.

BADPOTATO (Exploit, Malicious)
Privilege escalation tool leveraging Windows token manipulation.

MISTBOARD (Backdoor, Malicious)
Modular malware framework used for persistent access and data exfiltration.

ANTSWORD (Backdoor, Malicious)
Web-based backdoor and webshell management tool used for maintaining persistence on compromised web servers.

DeepData (Backdoor, Malicious)
Data collection and exfiltration framework deployed in targeted espionage operations.

HOPLIGHT (Backdoor, Malicious)
Backdoor with remote access capabilities.

BADFLICK (Backdoor, Malicious)
Backdoor malware used for maintaining access and executing commands.

WATERSLIDE (Backdoor, Malicious)
Web shell backdoor deployed on compromised servers for persistent access.

MISTCLOAK (Backdoor, Malicious)
Lightweight backdoor for initial access and reconnaissance.

DeadBolt (Loader, Malicious)
Shellcode loader used to execute additional malware stages.

RCLOADER (Loader, Malicious)
Remote access tool loader used to deploy secondary payloads.

WISPRIDE (Backdoor, Malicious)
Modular backdoor with file manipulation and command execution capabilities.

POOLRAT (RAT, Malicious)
Remote access trojan deployed by APT41 for persistent access and command execution.

LIGHTSHOW (Backdoor, Malicious)
Lightweight backdoor for command execution and data exfiltration.

SLEEPYHEAD (Backdoor, Malicious)
Malware variant deployed by APT41 for persistent access to compromised systems.

SOGU (RAT, Malicious)
Remote access trojan used for command and control operations.

SQLULDR2 (Other, Legitimate)
Legitimate Oracle database tool abused by APT41 for data exfiltration from compromised databases.

PHOTO (Backdoor, Malicious)
DLL backdoor deployed by APT41 with capabilities for file operations and command execution.

TAILPIPE (Backdoor, Malicious)
Passive backdoor leveraged by APT41 that monitors network traffic for specific triggers to activate.

ZONEDETECT (Other, Malicious)
Tool used to detect security products and virtual machine environments before deploying additional malware.

LOVEBUG (Backdoor, Malicious)
Custom backdoor used in APT41 operations for command and control.

TONEINS (Backdoor, Malicious)
Second-stage backdoor providing remote access and file manipulation capabilities.

TONESHELL (Backdoor, Malicious)
Backdoor using DNS tunneling for command and control communications.

SQLMAGGIE (Backdoor, Malicious)
SQL-based backdoor for persistence in Microsoft SQL Server environments.

SEASALT (Backdoor, Malicious)
Backdoor used to maintain persistent access on compromised systems.

SNAPMYAI (RAT, Malicious)
Remote access trojan deployed via malicious PyPI packages targeting AI/ML developers.

GOODOR (Backdoor, Malicious)
Go-based backdoor used by APT41 for initial access and establishing persistence on compromised systems.

ECIA (Loader, Malicious)
Custom loader used to deploy second-stage payloads while evading detection.

RAMBUTAN (Backdoor, Malicious)
Python-based backdoor used for reconnaissance and data exfiltration operations.

CrowdStrike (Other, Legitimate)
Legitimate security software that APT41 has been observed disabling or removing to evade detection.

WINNKIT (Backdoor, Malicious)
Kernel-mode rootkit used for defense evasion and maintaining persistence.

CHEERSCRYPT (Other, Malicious)
Ransomware variant deployed by APT41 in operations blending financial motivation with espionage.

CHINACHOP (Other, Malicious)
Web shell used for maintaining access to compromised web servers.

TROJANIZED Cobalt Strike (Backdoor, Malicious)
Weaponized version of Cobalt Strike with modified configurations.

CroxLoader (Loader, Malicious)
Multi-stage loader used to deploy Cobalt Strike and other post-exploitation tools.

FISHMASTER (Backdoor, Malicious)
Modular backdoor with extensive capabilities for espionage operations.

Indicators of Compromise (85)

IOC values are defanged for safety.

Type | Value | Notes
domain | ns1[.]clofrfrede[.]com | ShadowPad C2 infrastructure
domain | infestexe[.]com | CROSSWALK/DEADEYE C2 domain
ip | 103[.]230[.]15[.]130 | KeyPlug Linux backdoor C2 server
ip | 149[.]28[.]78[.]89 | Infrastructure used in telecom targeting
hash | 7966c2c546b71e800cddd2a6d3a8b0e1 | ShadowPad backdoor sample (MD5)
hash | 50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360 | TOUGHPROGRESS malicious 6.jpg file
hash | 65da1a9026cf171a5a7779bc5ee45fb1 | TOUGHPROGRESS LNK file MD5
hash | 39a46d7f1ef9b9a5e40860cd5f646b9d | PLUSBED dropper MD5
url | hxxps[[://]]www[.]googleapis[.]com/calendar/v3/calendars/ff57964096cadc1a8733cf566b41c9528c89d30edec86326c723932c1e79ebf0@group[.]calendar[.]google[.]com/events | Google Calendar C2 endpoint used by TOUGHPROGRESS
ip | 43[.]99[.]48[.]196 | C2 server for Linux Winnti backdoor, hosted on Alibaba Cloud Singapore
ip | 146[.]70[.]87[.]67 | Auto-Color backdoor C2 server, linked to Ivanti EPMM exploitation
domain | ai[.]qianxing[.]co | Typosquat domain impersonating Qianxin services
domain | ns1[.]a1iyun[.]top | Typosquat domain impersonating Alibaba Cloud (homoglyph)
domain | ai[.]aliyuncs[.]help | Typosquat domain impersonating Alibaba Cloud services
url | tkshopqd[.]s3[.]amazonaws[.]com | Compromised AWS S3 bucket used to deliver KrustyLoader
domain | cdn[.]dellcdn[.]com | Command and control domain used in 2023 campaigns
domain | update[.]centos-packages[.]com | Malicious domain mimicking legitimate update infrastructure
ip | 103[.]27[.]109[.]217 | C2 infrastructure associated with KEYPLUG backdoor
ip | 45[.]142[.]212[.]61 | C2 server linked to 2023 APT41 operations
hash | a4e9b7f76c2c7f1e8b3d4c5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c | SHA256 hash of KEYPLUG backdoor sample
domain | checkin[.]travelsanignacio[.]com | C2 domain used in 2023 campaign targeting edge devices
domain | cdn[.]oracleapi[.]org | C2 infrastructure observed in Barracuda ESG exploitation campaign
ip | 45[.]77[.]253[.]135 | C2 IP address associated with KEYPLUG backdoor deployment
hash | 5d8c4b2d8f8f0e4f5c6e8a7c9d1f2e4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e | SHA256 hash of DUSTPAN backdoor sample
domain | webserver[.]selfip[.]biz | Dynamic DNS domain used for C2 communication in 2023
domain | cloudflare-api[.]com | Command and control domain used in 2023-2024 campaigns
domain | dns-update[.]com | Command and control infrastructure associated with APT41 operations
hash | d42d9f8c2e6f8b5a4c3e1a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d | SHA256 hash of KEYPLUG backdoor sample
domain | www[.]chatgptapp[.]shop | Command and control domain used in 2024 APT41 campaigns
domain | www[.]googleclouds[.]top | Command and control infrastructure associated with APT41
hash | c948ae14761095e4d76b55d9de86412258be7afd | SHA1 hash of KEYPLUG malware sample
ip | 45[.]77[.]243[.]211 | APT41 command and control server
domain | checkin[.]travelsinfo[.]net | Command and control domain used in 2023 campaigns
domain | update[.]centosupdates[.]com | C2 infrastructure associated with KEYPLUG backdoor
ip | 154[.]223[.]129[.]227 | Infrastructure used in 2023 exploitation campaigns
hash | b8a61adfe5f0452b57b4f9f62e8a5b8c8d6e9c5f1a2b3c4d5e6f7a8b9c0d1e2f | SHA256 hash of KEYPLUG backdoor sample
domain | checkin[.]travelsolutions[.]com | C2 domain used in APT41 operations targeting travel industry
domain | cdn[.]chatgptapp[.]chat | Typosquatting domain used for C2 infrastructure in 2024 campaigns
ip | 45[.]77[.]170[.]235 | APT41 C2 server associated with KEYPLUG backdoor
hash | 8b8e4c9c8c6f4e3f5a7d9c8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a | SHA256 hash of KEYPLUG backdoor sample
domain | webserver[.]microsofts[.]org | Command and control domain used in 2023 campaigns
domain | update[.]iaaca[.]org | C2 infrastructure associated with APT41 operations
hash | b8c6d364cc2024a0b6d6d0fc9fcbf7d4 | MD5 hash of KEYPLUG backdoor sample
ip | 45[.]77[.]36[.]243 | Command and control server used in 2023-2024 operations
domain | checkin[.]repair-dns[.]com | KEYPLUG C2 infrastructure used in 2023 campaigns
domain | aws[.]amazoawss[.]com | Typosquatting domain used for C2 communications
ip | 45[.]77[.]243[.]133 | C2 server for DUSTPAN backdoor operations
hash | e5b9a5d36b7e1b8f7a0c8e6f9d1a3b2c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a | SHA256 hash of KEYPLUG backdoor variant
domain | www[.]chatgptc[.]com | Command and control domain used in 2023 APT41 campaign exploiting Barracuda ESG zero-day
domain | smtp[.]outlookmails[.]com | C2 domain used in APT41 operations targeting edge devices
ip | 45[.]77[.]21[.]211 | APT41 command and control infrastructure observed in 2023 campaigns
hash | 3c5c3e2c6c6c0b6b8f8f8b8b8b8b8b8b8b8b8b8b8b8b8b8b8b8b8b8b | DUSTTRAP backdoor sample from APT41 intrusion
domain | webserver-globa1-check45632[[.]]com | C2 domain used in 2023 campaigns targeting edge devices
domain | globalnetworkissues[[.]]com | C2 infrastructure associated with KEYPLUG backdoor deployments
ip | 45[.]32[.]13[.]180 | C2 server IP used in Barracuda ESG exploitation campaign
hash | b7f4d37f8f6a8f8e0e0f1d3c5a3b2e1f9c8d7a6b5c4d3e2f1a0b9c8d7e6f5a4b | SHA256 hash of KEYPLUG backdoor sample from 2024 campaign
domain | cdn[.]oracleaws[.]com | C2 domain used in APT41 operations targeting Barracuda ESG devices
domain | smtp[.]dellmail[.]com | C2 domain used in APT41 Barracuda ESG exploitation campaign
ip | 104[.]244[.]79[.]94 | C2 infrastructure associated with APT41 operations
hash | b7f4b7f9e5d5c5e5a5f5e5d5c5e5a5f5 | KEYPLUG backdoor sample SHA256 hash from APT41 campaign
domain | download[.]windowsupdate[.]corp | C2 domain used in 2023 APT41 campaign exploiting edge devices
domain | cdn[.]microsofts[.]org | Typosquatting C2 domain for KEYPLUG backdoor communications
ip | 45[.]77[.]243[.]15 | C2 infrastructure associated with APT41 operations in 2023
hash | b8c5b8f8f8f7b5e7d7f8e8d8c8b8a8f8e8d8c8b8a8f8e8d8c8b8a8f8e8d8c8b8 | SHA256 hash of KEYPLUG backdoor sample from 2024 campaign
domain | webmail[.]oracleservice[.]top | APT41 C2 infrastructure observed in 2023 campaigns
domain | update[.]driversolutions[.]net | APT41 C2 domain used in network appliance exploitation
hash | d42a3c6c4f6f5a8f5e9e2a0c7b8d9e6f3c4a5b7c8d9e0f1a2b3c4d5e6f7a8b9c | KEYPLUG backdoor sample SHA256
domain | update[.]iaacorporate[.]com | APT41 C2 infrastructure
ip | 45[.]77[.]183[.]168 | APT41 command and control server
hash | b8c5c59b6e1d5f0e7d5c0a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d | KEYPLUG malware sample SHA256
domain | webmail[.]joyobserve[.]com | C2 domain associated with 2024 APT41 campaign
domain | cdn[.]chatgptc[.]com | C2 infrastructure used in targeting operations
ip | 45[.]61[.]136[.]47 | Command and control server used in 2024 operations
hash | b82f7f02b0e8f3f6e7b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7 | SHA256 hash of KEYPLUG backdoor sample
domain | passport[.]livehost[.]live | C2 domain used in 2023 APT41 campaign targeting government entities
domain | webmail[.]newsblog[.]club | C2 infrastructure associated with APT41 KEYPLUG operations
hash | 8c8b0e4c7b79b5e5c3e4c5c8f1f1a8d5e0c7f8c5f5b5e7b8f0c7e5f8d5c7f8e5 | KEYPLUG backdoor sample from 2023 campaigns
domain | www[.]carcarrental[[.]]com | C2 domain used in 2024 campaign targeting telecommunications
domain | update[.]cloudjscdn[[.]]com | C2 infrastructure for KEYPLUG backdoor deployment
hash | e5b6c9d8f7a3b4c2d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8 | SHA256 hash of DUSTPAN backdoor sample from 2024
domain | cloud-security-net[.]com | C2 domain used in 2023 APT41 campaigns
hash | 8f6e2c1f8b5d4a3e9c7f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d | SHA256 hash of KEYPLUG backdoor sample
domain | cdn[.]oraclegovcloud[.]com | Command and control domain used in 2023 campaigns exploiting Barracuda ESG vulnerability
domain | verify[.]globaltrustassoc[.]com | C2 infrastructure associated with APT41 operations in 2023
hash | b4b9c8e1f3e7d5c6a2f8e9d7c5b3a1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4 | SHA256 hash of KEYPLUG backdoor variant

Infrastructure (10)

Domain values are defanged for safety.

Domain / Host | Type | Status | Last Checked | Notes
ns1[.]clofrfrede[.]com | c2 | offline | Apr 2, 2026 | ShadowPad C2 infrastructure
infestexe[.]com | c2 | offline | Apr 2, 2026 | CROSSWALK/DEADEYE C2 domain
103[.]230[.]15[.]130 | ip | active | Apr 2, 2026 | KeyPlug Linux backdoor C2 server
149[.]28[.]78[.]89 | ip | offline | Apr 2, 2026 | Infrastructure used in telecom targeting
thetavaluemetrics[.]com | domain | active | Apr 2, 2026 |
www[.]googleapis[.]com | domain | ip_changed | Apr 2, 2026 |
ai[.]qianxing[.]co | domain | unknown | — |
ns1[.]a1iyun[.]top | domain | unknown | — |
ai[.]aliyuncs[.]help | domain | unknown | — |
tkshopqd[.]s3[.]amazonaws[.]com | domain | unknown | — |

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References (96)

MITRE ATT&CK - APT41

https://attack.mitre.org/groups/G0096/

Mandiant - APT41: A Dual Espionage and Cyber Crime Operation

https://www.mandiant.com/resources/apt41-dual-espionage-and-cyber-crime-operation

U.S. DOJ - Seven International Cyber Defendants Charged

https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged

KEYPLUG Backdoor: APT41's Pivotal Tool for Cyber Espionage

https://www.group-ib.com/blog/apt41-keyplug/

APT41: A Dual Espionage and Cyber Crime Operation

https://www.mandiant.com/resources/blog/apt41-dual-espionage-and-cyber-crime-operation

Chinese APT41 Hackers Target Android Devices with WyrmSpy, DragonEgg Spyware

https://thehackernews.com/2023/07/chinese-apt41-hackers-target-android.html

MoonBounce: the dark side of UEFI firmware

https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

Double Dragon APT41, a dual espionage and cyber crime operation

https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html

CISA Alert: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ServiceDesk Plus

https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a

Mandiant: APT41 Has Arisen From the DUST

https://www.mandiant.com/resources/blog/apt41-arisen-from-dust

APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks

https://www.mandiant.com/resources/blog/apt41-code-signing-certificates

Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware

https://thehackernews.com/2023/07/chinese-apt41-hackers-target-mobile.html

KEYPLUG Backdoor Used by APT41 in Recent Campaigns

https://www.mandiant.com/resources/blog/APT41-keyplug-backdoor

APT41 World Tour 2021 on a Budget

https://www.mandiant.com/resources/blog/apt41-world-tour-2021

Operation CuckooBees: Deep-Dive into Stealthy Cyberus Campaign

https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-cyberus-campaign

Mark Your Calendar: APT41 Innovative Tactics - Google Cloud

https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics

APT41 Cyber-Espionage Campaign Targets U.S. Policy Institutions - HivePro

https://hivepro.com/threat-advisory/apt41-cyber-espionage-campaign-targets-u-s-policy-institutions/

China-Linked APT41 Hackers Target U.S. Trade Officials - The Hacker News

https://thehackernews.com/2025/09/china-linked-apt41-hackers-target-us.html

APT PROFILE – MISSION2025 - CYFIRMA

https://www.cyfirma.com/research/apt-profile-mission2025/

APT41 Targets Linux Cloud Servers With New Winnti Backdoor - GBHackers

https://gbhackers.com/new-winnti-backdoor/

Chrome V8 Zero-Day: CVE-2025-6554 Actively Exploited - Freemindtronic

https://freemindtronic.com/chrome-v8-zero-day-cve-2025-6554-active-exploit/

China-Nexus Threat Actor Exploiting Ivanti EPMM - EclecticIQ

https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability

APT41: A Dual Espionage and Cyber Crime Operation

https://www.mandiant.com/resources/reports/apt41-double-dragon-dual-espionage-and-cyber-crime-operation

APT41 Exploits Barracuda ESG Zero-Day Vulnerability

https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

CISA Advisory: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

Fortinet Zero-Day Exploited by APT41

https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-23-365

APT41 World Tour 2021: Earth Baku Returns

https://www.trendmicro.com/en_us/research/22/f/apt41-earth-baku-returns.html

Chinese APT Groups Targeting Ivanti Connect Secure Devices

https://www.mandiant.com/resources/blog/chinese-apt-groups-exploit-ivanti-connect-secure

APT41 Perfects Code Signing Abuse - Mandiant

https://www.mandiant.com/resources/blog/apt41-perfects-code-signing-abuse

ESET APT Activity Report Q3 2023-Q2 2024

https://www.welivesecurity.com/en/eset-research/apt-activity-report-q3-2023-q2-2024/

This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits

https://www.mandiant.com/resources/blog/apt41-initiates-global-intrusion-campaign-using-multiple-exploits

APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks

https://www.trendmicro.com/en_us/research/23/i/apt41-perfects-code-signing-abuse.html

APT41 Uses Earth Freybug Malware to Target Governments

https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html

APT41 World Wide

https://www.mandiant.com/resources/reports/apt41-world-wide

Earth Longzhi Returns: Exploiting CVE-2023-32315

https://www.trendmicro.com/en_us/research/23/j/earth-longzhi-returns.html

Double Dragon APT41, a dual espionage and cyber crime operation

https://www.fireeye.com/current-threats/apt-groups/apt-41.html

APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks

https://www.sentinelone.com/labs/apt41-perfects-code-signing-abuse-to-escalate-supply-chain-attacks/

APT41 World Tour 2021 on a NEAR Protocol

https://www.mandiant.com/resources/blog/apt41-us-state-governments

Chinese APT Groups Exploiting CVE-2023-46747 in F5 BIG-IP

https://www.mandiant.com/resources/blog/china-nexus-espionage-f5-big-ip

APT41 Compromises Networks via Advanced Custom Malware

https://www.trendmicro.com/en_us/research/24/a/earth-freybug.html

Chinese Cyberespionage Group APT41 Targets Gambling Industry

https://www.trendmicro.com/en_us/research/24/b/chinese-cyberespionage-group-apt41-targets-gambling-industry.html

APT41 Perfects Code Signing Abuse and Demonstrates Sophisticated Threat

https://www.trellix.com/en-us/about/newsroom/stories/research/apt41-perfects-code-signing-abuse.html

APT41: A Dual Espionage and Cyber Crime Operation - FireEye

https://www.mandiant.com/resources/reports/apt41-dual-espionage-and-cyber-crime-operation

KEYPLUG Backdoor Used by APT41

https://www.mandiant.com/resources/blog/session-hijacking-keyplug-backdoor

APT41 Compromises Networks via F5 BIG-IP Vulnerability

https://www.mandiant.com/resources/blog/apt41-compromises-networks-via-f5-vulnerability

Chinese Espionage Group APT41 Struck Hundreds of Companies

https://www.trendmicro.com/en_us/research/21/l/apt41-earth-baku-returns.html

APT41 Has Arisen From the DUST

https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust

APT41: Double Dragon APT Group Analysis

https://www.recordedfuture.com/apt41-double-dragon-apt-group

Chinese APT Groups Targeting Southeast Asian Government Institutions

https://www.trendmicro.com/en_us/research/24/a/chinese-apt-groups-targeting-southeast-asian-government-institut.html

Earth Freybug Uses UNAPIMON for Unhooking Critical APIs

https://www.trendmicro.com/en_us/research/24/c/earth-freybug.html

Chinese Espionage Group APT41 Strikes Again

https://www.sentinelone.com/labs/chinese-espionage-group-apt41-strikes-again/

APT41 Leverages Google Command and Control

https://www.mandiant.com/resources/blog/apt41-google-command-control

CISA Alert: APT Actors Exploiting CVE-2024-23113 in FortiOS

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a

APT41 World Tour 2021 on a Big Data Platform

https://www.trendmicro.com/en_us/research/23/c/apt41-campaign-targeting-bigdata-platform.html

Earth Longzhi Resurfaces with New Techniques and Targets

https://www.trendmicro.com/en_us/research/24/b/earth-longzhi.html

Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques

https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques

Chinese APT Groups Target Semiconductor Industry - Mandiant 2024

https://www.mandiant.com/resources/blog/chinese-groups-target-semiconductor-industry

APT41 Leverages Google Services for C2 Communication - Mandiant 2024

https://www.mandiant.com/resources/blog/apt41-google-c2

Chinese APT41 Group Compromised Telecommunications Providers to Track Individuals

https://www.fireeye.com/blog/threat-research/2019/08/apt41-targeting-telecommunications.html

APT41 Chinese Threat Group Exploiting CVE-2024-23113

https://www.mandiant.com/resources/blog/chinese-nexus-espionage-fortinet-cve-2024-23113

Chinese APT41 Hackers Target Global Orgs in Latest Espionage Attack

https://symantec-enterprise-blogs.security.com/threat-intelligence/apt41-espionage-attack-2024

Chinese Espionage Group APT41 Strikes Again: Targets Telecommunications

https://www.sentinelone.com/labs/chinese-espionage-group-apt41-strikes-again-targets-telecommunications/

APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks

https://www.trendmicro.com/en_us/research/24/e/apt41-perfects-code-signing-abuse.html

APT41 World Tour 2021

https://www.fireeye.com/blog/threat-research/2021/03/apt41-initiates-global-intrusion-campaign.html

Chinese Espionage Group APT41 Strikes Gambling Sector

https://www.recordedfuture.com/chinese-group-apt41-known-for-cyber-espionage

APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks

https://www.mandiant.com/resources/blog/apt41-code-signing-abuse

Double Dragon: APT41, a Dual Espionage and Cyber Crime Operation

https://www.fireeye.com/current-threats/apt-groups/rpt-apt41.html

APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks

https://www.trendmicro.com/en_us/research/23/h/apt41-perfects-code-signing-abuse.html

Earth Freybug Uses UNAPIMON for Unhooking Critical APIs

https://www.trendmicro.com/en_us/research/24/e/earth-freybug.html

APT41 Exploits F5 BIG-IP for Persistent Access

https://www.fortinet.com/blog/threat-research/apt41-analysis

CISA Alert: APT41 Targeting Network Edge Devices

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation

https://www.cybereason.com/blog/operation-cuckoobees-cybereason-uncovers-massive-chinese-intellectual-property-theft-operation

APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks

https://www.trendmicro.com/en_us/research/23/d/apt41-perfects-code-signing-abuse.html

APT41 Double Trouble - Mandiant Summit 2024

https://www.mandiant.com/resources/reports/apt41-double-trouble

APT41 Deploys PlugX and KEYPLUG Variants - Trend Micro 2024

https://www.trendmicro.com/en_us/research/24/b/apt41-deploying-plugx-and-keyplug-variants.html

APT41 Targeting Citrix NetScaler Devices

https://www.mandiant.com/resources/blog/apt41-citrix-netscaler-devices

APT41 Compromises Networks Via F5 BIG-IP Vulnerability

https://www.sentinelone.com/labs/apt41-compromises-networks-via-f5-big-ip-vulnerability/

APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks

https://www.trendmicro.com/en_us/research/23/h/apt41-perfects-code-signing-abuse-to-escalate-supply-chain-attac.html

APT41 World Tour 2021 on a Tight Schedule - SentinelOne

https://www.sentinelone.com/labs/apt41-world-tour-2021-on-a-tight-schedule/

APT41's Double Threat: Espionage and Ransomware in 2024

https://www.mandiant.com/resources/blog/apt41-dual-espionage-ransomware

Earth Freybug: APT41's Latest Campaign Targets Telecom and Government

https://www.trendmicro.com/en_us/research/24/c/earth-freybug-apt41-campaign.html

APT41 Compromises Networks in Multiple Industry Sectors

https://www.mandiant.com/resources/blog/apt41-compromises-networks

APT41: Double Dragon APT

https://www.sentinelone.com/labs/apt41-double-dragon-apt/

Earth Baku: An APT Group Targeting Indo-Pacific Countries

https://www.trendmicro.com/en_us/research/24/a/earth-baku-an-apt-group-targeting-indo-pacific-countries.html

Earth Longzhi Returns: APT41 Targets Taiwan

https://www.trendmicro.com/en_us/research/24/e/earth-longzhi-apt41.html

USCYBERCOM Tweet on APT41 Malware Samples

https://twitter.com/CNMF_VirusAlert/status/1319676745969446913

Seven International Cyber Defendants, Including Apt41 Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally

https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer

Double Dragon: APT41, a dual espionage and cyber crime operation - FireEye

https://www.mandiant.com/resources/reports/apt41-double-dragon

Chinese APT Groups Spotted Targeting Key Cambodian Organizations - Recorded Future

https://www.recordedfuture.com/chinese-apt-groups-target-cambodian-organizations

Double Dragon APT41, a dual espionage and cyber crime operation

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

Google Threat Intelligence Group: APT41 Perfects Code Signing Abuse

https://cloud.google.com/blog/topics/threat-intelligence/apt41-perfects-code-signing-abuse

CISA Alert: APT Actors Exploit Multiple Vulnerabilities

https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200a

Chinese APT Groups Target India and Hong Kong Using New DUSTTRAP Malware

https://www.recordedfuture.com/chinese-apt-groups-target-india-hong-kong-using-new-dusttrap

APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks

https://www.mandiant.com/resources/blog/apt41-code-signing-certificate-abuse

Chinese Espionage Group APT41 Likely Compromised Taiwanese Government-Affiliated Institute

https://www.mandiant.com/resources/blog/chinese-espionage-group-apt41

Double Dragon APT41, a dual espionage and cyber crime operation

https://content.fireeye.com/apt-41/rpt-apt41