© 2026 DFIR Lab. All rights reserved.


APT41

Also known as: Double Dragon, BARIUM, Brass Typhoon, Wicked Panda, Winnti, LEAD, Red Kelpie, Earth Baku, Wicked Spider, Bronze Atlas, HOODOO, RedGolf, MISSION2025, UNC5221, Blackfly, Grayfly, Earth Freybug, Earth Longzhi, SparklingGoblin, UNIT2025, Leopard Typhoon

Status: Active | Type: Nation-State | Origin: China | MITRE: G0096
Campaigns: 0 | Techniques: 74 | IOCs: 25 | Tools: 36 | Matches: 0 | Infrastructure: 10

Overview

APT41, also known as Double Dragon, is a unique Chinese threat actor that conducts both state-sponsored espionage operations and financially motivated cybercrime. Active since at least 2012, the group is attributed to contractors working for China's Ministry of State Security (MSS), which provides them the unusual latitude to pursue personal financial gain alongside state-directed intelligence missions. APT41 is technically sophisticated, known for deploying supply chain attacks (CCleaner 2017, ShadowPad in NetSarang 2017), targeting managed service providers, and exploiting zero-day vulnerabilities. The group has compromised software companies to inject backdoors into legitimate products, affecting millions of downstream users.

The group targets an exceptionally wide range of industries including healthcare, telecommunications, technology, gaming, higher education, media, manufacturing, retail, and government sectors across Asia, Europe, and North America. In 2020, the U.S. DOJ indicted five Chinese nationals associated with APT41's operations. Despite these indictments, APT41 has continued operations, exploiting zero-days in products from Citrix, Cisco, Zoho, Fortinet, and Barracuda.

Recent activity (2023-2024) includes campaigns exploiting CVE-2023-46747 (F5 BIG-IP), CVE-2024-23113 (Fortinet FortiOS), and CVE-2023-2868 (Barracuda ESG), demonstrating continued focus on edge devices and network appliances. APT41 has also been observed deploying ransomware for financial gain while simultaneously conducting espionage operations, maintaining their dual-mission profile.

Motivations

Espionage, Financial Gain, Intellectual Property Theft

Target Sectors

Technology, Telecommunications, Healthcare, Gaming, Higher Education, Travel, Media, Government, Financial Services, Manufacturing, Pharmaceutical, Retail, Transportation, Nonprofit, Gambling, Think Tanks, Law Firms, African Government IT Services, Policy Organizations, Trade Groups, Defense

Activity Timeline

First Seen

Jan 2012

Last Seen

Jan 2024

Quick Facts

Origin: China
Sophistication: nation-state
Status: Active
MITRE Group: G0096

MITRE ATT&CK Techniques (74)

Other

T1195.002, T1574.001, T1574.002, T1071.001, T1588.002, T1583.001, T1053.005, T1055.001, T1055.012, T1057, T1070.004, T1112, T1135, T1204.002, T1518.001, T1543.003, T1546.003, T1550.002, T1560.001, T1562.001, T1569.002, T1078.003, T1091, T1199, T1210, T1505.003, T1136.001, T1218.011, T1071.004, T1594, T1595.002, T1059.004, T1132.001, T1132.002, T1537, T1102.002, T1498, T1584.004, T1207, T1556.004, T1552.001, T1606.002

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1189

Drive-by Compromise

Gain access through a user visiting a compromised website during normal browsing.

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

Defense Evasion

T1055

Process Injection

Inject code into running processes to evade defenses and elevate privileges.

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1140

Deobfuscate/Decode Files or Information

Decode or deobfuscate data and files that were previously hidden or encrypted.

T1036

Masquerading

Disguise malicious artifacts by manipulating names or locations to appear legitimate.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

T1114

Email Collection

Collect email messages from mailboxes or mail servers.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

T1567

Exfiltration Over Web Service

Exfiltrate data to cloud storage services like Google Drive or Dropbox.

Discovery

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

T1021.002

SMB/Windows Admin Shares

Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

T1570

Lateral Tool Transfer

Transfer tools and files between compromised systems within the network.

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Exploit software vulnerabilities to gain elevated privileges on a system.

Command and Control

T1105

Ingress Tool Transfer

Download additional tools or payloads from an external system.

T1572

Protocol Tunneling

Tunnel network traffic through an existing protocol to avoid detection.

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

T1219

Remote Access Software

Use legitimate remote access tools like TeamViewer or AnyDesk for C2.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

Persistence

T1547.001

Registry Run Keys / Startup Folder

Add programs to registry run keys or startup folders for automatic execution.

Reconnaissance

T1592

Gather Victim Host Information

Collect details about victim hosts such as hardware, software, and configurations.

Tools & Malware (36)

ShadowPad

Type: malware | Classification: Malicious

Modular backdoor platform that was initially deployed via supply chain attack on NetSarang software. Features plugin-based architecture with encrypted C2 using custom DNS tunneling.

Winnti

Type: malware | Classification: Malicious

Signature rootkit-enabled backdoor shared across multiple Chinese APT groups. Provides persistent access with kernel-level capabilities for hiding processes and network connections.

POISONPLUG

Type: malware | Classification: Malicious

Modular backdoor loaded via DLL side-loading. Supports keylogging, screen capture, file management, and loading additional plugins from C2 servers.

PlugX

Type: malware | Classification: Malicious

Versatile RAT shared across Chinese APT groups. Uses DLL side-loading for execution and supports HTTP/DNS/TCP C2 with encrypted communications.

KeyPlug

Type: malware | Classification: Malicious

Cross-platform (Windows/Linux) backdoor using WebSocket and custom TCP protocols for C2. Used in attacks against telecommunications and government sectors.

DEADEYE

Type: malware | Classification: Malicious

Downloader/launcher that deploys secondary payloads. Uses living-off-the-land binaries and DLL side-loading to maintain stealth during initial compromise.

DUSTPAN

Type: malware | Classification: Malicious

In-memory dropper that loads encrypted payloads directly into process memory. Used in conjunction with DUSTTRAP for multi-stage deployment.

LOWKEY

Type: malware | Classification: Malicious

Passive backdoor for Linux servers that listens on existing network sockets. Extremely difficult to detect as it doesn't create new network connections.

Cobalt Strike

Type: framework | Classification: Legitimate

Extensively used for post-exploitation in both espionage and financially motivated operations. Custom loaders deployed via supply chain or spear-phishing vectors.

China Chopper

Type: malware | Classification: Malicious

Lightweight web shell (4KB) providing remote command execution on compromised web servers. Used for initial foothold maintenance and file management.

Mimikatz

Type: framework | Classification: Legitimate

Used for credential extraction and Kerberos ticket manipulation during lateral movement phases in both espionage and cybercrime operations.

Impacket

Type: framework | Classification: Legitimate

Python framework used for SMB relay attacks, remote execution via wmiexec/smbexec, and credential extraction via secretsdump.

PowerShell

Type: os utility | Classification: Legitimate

Used for reconnaissance, downloading secondary payloads, disabling security controls, and executing in-memory malware to avoid disk-based detection.

certutil

Type: os utility | Classification: Legitimate

Windows utility abused for downloading payloads from C2 servers and decoding Base64-encoded malware during multi-stage infection chains.

CCleaner (Supply Chain)

Type: legitimate tool | Classification: Malicious

Compromised CCleaner v5.33 build environment in 2017 to distribute ShadowPad backdoor to 2.27 million users. One of the largest software supply chain attacks.

Speculoos

Type: malware | Classification: Malicious

FreeBSD backdoor discovered targeting Citrix ADC/Gateway appliances. Demonstrates APT41's capability to target non-Windows network infrastructure.

UPPERCUT

Type: Backdoor | Classification: Malicious

Backdoor delivering Cobalt Strike BEACON payloads

CROSSWALK

Type: Backdoor | Classification: Malicious

Modular backdoor with support for proxy and file operations

HIGHNOON

Type: Backdoor | Classification: Malicious

Backdoor with kernel driver component for persistence

MESSAGETAP

Type: Backdoor | Classification: Malicious

SMS interception tool targeting telecom infrastructure

StealthVector

Type: Backdoor | Classification: Malicious

Backdoor deployed through compromised software supply chains

MoonBounce

Type: Other | Classification: Malicious

UEFI firmware bootkit for stealth and persistence

SPEEDPICK

Type: Backdoor | Classification: Malicious

Lightweight backdoor for remote access and reconnaissance

BEACON

Type: Backdoor | Classification: Legitimate

Cobalt Strike payload used for post-exploitation

MoonWalk

Type: Backdoor | Classification: Malicious

Loader and backdoor used to deploy additional malware

StealthMutant

Type: Backdoor | Classification: Malicious

Advanced backdoor variant evolved from StealthVector

ColunmTK

Type: Backdoor | Classification: Malicious

Backdoor used in targeted espionage campaigns

DUSTTRAP

Type: Backdoor | Classification: Malicious

Backdoor used for reconnaissance and lateral movement

TIDYELF

Type: Backdoor | Classification: Malicious

Linux malware variant targeting ESXi hypervisors

DodgeBox

Type: Exploit | Classification: Malicious

Exploit framework targeting edge devices and network appliances

GOSPIDER

Type: Backdoor | Classification: Malicious

Web shell and backdoor used for persistence on compromised web servers

SPARKLOAD

Type: Loader | Classification: Malicious

Loader component used to decrypt and execute additional payloads

HOMEUNIX

Type: Backdoor | Classification: Malicious

Linux-based backdoor for compromised systems

ZROK

Type: Other | Classification: Legitimate

Open-source tunneling tool abused for command and control communications

SPEAKUP

Type: Backdoor | Classification: Malicious

Linux backdoor targeting cloud environments

Acehash

Type: Stealer | Classification: Malicious

Credential harvesting tool targeting authentication credentials

Indicators of Compromise (25)
IOC values are defanged for safety
Type | Value | Notes
domain | ns1[.]clofrfrede[.]com | ShadowPad C2 infrastructure
domain | infestexe[.]com | CROSSWALK/DEADEYE C2 domain
ip | 103[.]230[.]15[.]130 | KeyPlug Linux backdoor C2 server
ip | 149[.]28[.]78[.]89 | Infrastructure used in telecom targeting
hash | 7966c2c546b71e800cddd2a6d3a8b0e1 | ShadowPad backdoor sample (MD5)
hash | 50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360 | TOUGHPROGRESS malicious 6.jpg file
hash | 65da1a9026cf171a5a7779bc5ee45fb1 | TOUGHPROGRESS LNK file MD5
hash | 39a46d7f1ef9b9a5e40860cd5f646b9d | PLUSBED dropper MD5
url | hxxps[[://]]www[.]googleapis[.]com/calendar/v3/calendars/ff57964096cadc1a8733cf566b41c9528c89d30edec86326c723932c1e79ebf0@group[.]calendar[.]google[.]com/events | Google Calendar C2 endpoint used by TOUGHPROGRESS
ip | 43[.]99[.]48[.]196 | C2 server for Linux Winnti backdoor, hosted on Alibaba Cloud Singapore
ip | 146[.]70[.]87[.]67 | Auto-Color backdoor C2 server, linked to Ivanti EPMM exploitation
domain | ai[.]qianxing[.]co | Typosquat domain impersonating Qianxin services
domain | ns1[.]a1iyun[.]top | Typosquat domain impersonating Alibaba Cloud (homoglyph)
domain | ai[.]aliyuncs[.]help | Typosquat domain impersonating Alibaba Cloud services
url | tkshopqd[.]s3[.]amazonaws[.]com | Compromised AWS S3 bucket used to deliver KrustyLoader
domain | cdn[.]dellcdn[.]com | Command and control domain used in 2023 campaigns
domain | update[.]centos-packages[.]com | Malicious domain mimicking legitimate update infrastructure
ip | 103[.]27[.]109[.]217 | C2 infrastructure associated with KEYPLUG backdoor
ip | 45[.]142[.]212[.]61 | C2 server linked to 2023 APT41 operations
hash | a4e9b7f76c2c7f1e8b3d4c5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c | SHA256 hash of KEYPLUG backdoor sample
domain | checkin[.]travelsanignacio[.]com | C2 domain used in 2023 campaign targeting edge devices
domain | cdn[.]oracleapi[.]org | C2 infrastructure observed in Barracuda ESG exploitation campaign
ip | 45[.]77[.]253[.]135 | C2 IP address associated with KEYPLUG backdoor deployment
hash | 5d8c4b2d8f8f0e4f5c6e8a7c9d1f2e4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e | SHA256 hash of DUSTPAN backdoor sample
domain | webserver[.]selfip[.]biz | Dynamic DNS domain used for C2 communication in 2023
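A small parser for the defanged notation used in this table, added here as an example and not DFIRLab's own code: it refangs `[.]` and `hxxps[[://]]`, validates IP and hash rows, and runs the resulting IOCs over log lines with boundary checks so that a parent domain, a look-alike hostname or a longer hash containing the value does not produce a false hit. The four IOC values are taken from the table above; the log lines and the function names (`refang`, `parse_iocs`, `match_line`, `scan`) are constructed for this demo.

```python
import re
# Rows in this page's defanged notation (type, value, note); the IOC values are the page's own.
SAMPLE_IOCS = [
    ("domain", "ns1[.]clofrfrede[.]com", "ShadowPad C2 infrastructure"),
    ("ip", "103[.]230[.]15[.]130", "KeyPlug Linux backdoor C2 server"),
    ("hash", "7966c2c546b71e800cddd2a6d3a8b0e1", "ShadowPad backdoor sample (MD5)"),
    ("url", "hxxps[[://]]www[.]googleapis[.]com/calendar/v3/calendars/"
            "ff57964096cadc1a8733cf566b41c9528c89d30edec86326c723932c1e79ebf0"
            "@group[.]calendar[.]google[.]com/events",
     "Google Calendar C2 endpoint used by TOUGHPROGRESS"),
]

def refang(value: str) -> str:
    """Undo the page's defanging: [.] -> . and hxxp(s)[[://]] or hxxp(s)[:]// -> http(s)://."""
    v = value.replace("[.]", ".")
    return re.sub(r"^hxxp(s?)(?:\[\[://\]\]|\[:\]//|://)", r"http\1://", v, flags=re.I)

def parse_iocs(rows):
    """Refang and lower-case each row; a malformed IP or hash is rejected as a data-entry error."""
    out = []
    for kind, raw, note in rows:
        v = refang(raw).lower()
        if kind == "ip" and not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", v):
            raise ValueError(f"malformed IP: {raw}")
        if kind == "hash" and not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", v):
            raise ValueError(f"malformed hash: {raw}")
        out.append((kind, v, note))
    return out

def match_line(line: str, iocs):
    """IOCs present in one log line; a domain hit covers its subdomains but not parents or look-alikes."""
    low, hits = line.lower(), []
    for kind, value, note in iocs:
        esc = re.escape(value)
        if kind == "domain":
            pat = r"(?:^|[^a-z0-9.-])(?:[a-z0-9-]+\.)*" + esc + r"(?![a-z0-9-]|\.[a-z0-9-])"
        elif kind == "ip":
            pat = r"(?<![\d.])" + esc + r"(?![\d.])"
        elif kind == "hash":
            pat = r"(?<![0-9a-f])" + esc + r"(?![0-9a-f])"
        else:  # url: exact substring of the lower-cased line
            pat = esc
        if re.search(pat, low):
            hits.append((kind, note))
    return hits

def scan(lines, iocs):
    """(line index, IOC kind, note) for every line that touches a listed IOC."""
    return [(i, k, n) for i, ln in enumerate(lines) for k, n in match_line(ln, iocs)]

# Constructed log lines (not real telemetry): lines 0, 1, 4 and 5 are hits; 2 and 3 must not match.
SAMPLE_LOGS = [
    "2026-04-02T10:15:01Z dns query=ns1.clofrfrede.com. type=A client=10.0.0.5",
    "2026-04-02T10:15:03Z proxy dst=103.230.15.130:443 action=allow",
    "2026-04-02T10:16:00Z dns query=ns1.clofrfrede.com.example.org type=A",
    "2026-04-02T10:17:00Z edr sha256=7966c2c546b71e800cddd2a6d3a8b0e1ffffffffffffffffffffffffffffffff",
    "2026-04-02T10:18:00Z edr md5=7966C2C546B71E800CDDD2A6D3A8B0E1 path=C:\\Windows\\Temp\\a.dll",
    "2026-04-02T10:19:00Z proxy method=GET url=" + refang(SAMPLE_IOCS[3][1]) + " status=200",
]
```

Running `scan(SAMPLE_LOGS, parse_iocs(SAMPLE_IOCS))` reports the domain, IP, hash and URL hits on lines 0, 1, 4 and 5 and stays silent on the parent-domain and longer-hash look-alikes.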

Infrastructure (10)
Domain values are defanged for safety
Domain / Host | Type | Status | Last Checked
ns1[.]clofrfrede[.]com (ShadowPad C2 infrastructure) | c2 | offline | Apr 2, 2026
infestexe[.]com (CROSSWALK/DEADEYE C2 domain) | c2 | offline | Apr 2, 2026
103[.]230[.]15[.]130 (KeyPlug Linux backdoor C2 server) | ip | active | Apr 2, 2026
149[.]28[.]78[.]89 (Infrastructure used in telecom targeting) | ip | offline | Apr 2, 2026
thetavaluemetrics[.]com | domain | active | Apr 2, 2026
www[.]googleapis[.]com | domain | ip_changed | Apr 2, 2026
ai[.]qianxing[.]co | domain | unknown | —
ns1[.]a1iyun[.]top | domain | unknown | —
ai[.]aliyuncs[.]help | domain | unknown | —
tkshopqd[.]s3[.]amazonaws[.]com | domain | unknown | —

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References (33)

MITRE ATT&CK - APT41

https://attack.mitre.org/groups/G0096/

Mandiant - APT41: A Dual Espionage and Cyber Crime Operation

https://www.mandiant.com/resources/apt41-dual-espionage-and-cyber-crime-operation

U.S. DOJ - Seven International Cyber Defendants Charged

https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged

KEYPLUG Backdoor: APT41's Pivotal Tool for Cyber Espionage

https://www.group-ib.com/blog/apt41-keyplug/

APT41: A Dual Espionage and Cyber Crime Operation

https://www.mandiant.com/resources/blog/apt41-dual-espionage-and-cyber-crime-operation

Chinese APT41 Hackers Target Android Devices with WyrmSpy, DragonEgg Spyware

https://thehackernews.com/2023/07/chinese-apt41-hackers-target-android.html

MoonBounce: the dark side of UEFI firmware

https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

Double Dragon APT41, a dual espionage and cyber crime operation

https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html

CISA Alert: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ServiceDesk Plus

https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a

Mandiant: APT41 Has Arisen From the DUST

https://www.mandiant.com/resources/blog/apt41-arisen-from-dust

APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks

https://www.mandiant.com/resources/blog/apt41-code-signing-certificates

Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware

https://thehackernews.com/2023/07/chinese-apt41-hackers-target-mobile.html

KEYPLUG Backdoor Used by APT41 in Recent Campaigns

https://www.mandiant.com/resources/blog/APT41-keyplug-backdoor

APT41 World Tour 2021 on a Budget

https://www.mandiant.com/resources/blog/apt41-world-tour-2021

Operation CuckooBees: Deep-Dive into Stealthy Cyberus Campaign

https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-cyberus-campaign

Mark Your Calendar: APT41 Innovative Tactics - Google Cloud

https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics

APT41 Cyber-Espionage Campaign Targets U.S. Policy Institutions - HivePro

https://hivepro.com/threat-advisory/apt41-cyber-espionage-campaign-targets-u-s-policy-institutions/

China-Linked APT41 Hackers Target U.S. Trade Officials - The Hacker News

https://thehackernews.com/2025/09/china-linked-apt41-hackers-target-us.html

APT PROFILE – MISSION2025 - CYFIRMA

https://www.cyfirma.com/research/apt-profile-mission2025/

APT41 Targets Linux Cloud Servers With New Winnti Backdoor - GBHackers

https://gbhackers.com/new-winnti-backdoor/

Chrome V8 Zero-Day: CVE-2025-6554 Actively Exploited - Freemindtronic

https://freemindtronic.com/chrome-v8-zero-day-cve-2025-6554-active-exploit/

China-Nexus Threat Actor Exploiting Ivanti EPMM - EclecticIQ

https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability

APT41: A Dual Espionage and Cyber Crime Operation

https://www.mandiant.com/resources/reports/apt41-double-dragon-dual-espionage-and-cyber-crime-operation

APT41 Exploits Barracuda ESG Zero-Day Vulnerability

https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

CISA Advisory: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

Fortinet Zero-Day Exploited by APT41

https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-23-365

APT41 World Tour 2021: Earth Baku Returns

https://www.trendmicro.com/en_us/research/22/f/apt41-earth-baku-returns.html

Chinese APT Groups Targeting Ivanti Connect Secure Devices

https://www.mandiant.com/resources/blog/chinese-apt-groups-exploit-ivanti-connect-secure

APT41 Perfects Code Signing Abuse - Mandiant

https://www.mandiant.com/resources/blog/apt41-perfects-code-signing-abuse

ESET APT Activity Report Q3 2023-Q2 2024

https://www.welivesecurity.com/en/eset-research/apt-activity-report-q3-2023-q2-2024/

This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits

https://www.mandiant.com/resources/blog/apt41-initiates-global-intrusion-campaign-using-multiple-exploits

APT41 Perfects Code Signing Abuse to Escalate Supply Chain Attacks

https://www.trendmicro.com/en_us/research/23/i/apt41-perfects-code-signing-abuse.html

APT41 Uses Earth Freybug Malware to Target Governments

https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html