Skip to content

G0096 APT41

APT41 is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.4 Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.36

Item Value
ID G0096
Associated Names Wicked Panda, Brass Typhoon, BARIUM
Version 4.2
Created 23 September 2019
Last Modified 11 June 2025
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Wicked Panda 1
Brass Typhoon 5
BARIUM 5

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation During C0017, APT41 used a ConfuserEx obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local NT AUTHORITY\SYSTEM privilege escalation.12
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account APT41 used built-in net commands to enumerate local administrator groups.7
enterprise T1087.002 Domain Account APT41 used built-in net commands to enumerate domain administrator users.7
enterprise T1098 Account Manipulation -
enterprise T1098.007 Additional Local or Domain Groups APT41 has added user accounts to the User and Admin groups.3
enterprise T1583 Acquire Infrastructure -
enterprise T1583.007 Serverless APT41 DUST used infrastructure hosted behind Cloudflare or utilized Cloudflare Workers for command and control.11
enterprise T1595 Active Scanning -
enterprise T1595.002 Vulnerability Scanning APT41 used the Acunetix SQL injection vulnerability scanner in target reconnaissance operations, as well as the JexBoss tool to identify vulnerabilities in Java applications.7
enterprise T1595.003 Wordlist Scanning APT41 leverages various tools and frameworks to brute-force directories on web servers.7
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.8
enterprise T1071.002 File Transfer Protocols APT41 used exploit payloads that initiate download via ftp.8
enterprise T1071.004 DNS APT41 used DNS for C2 communications.36
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility APT41 created a RAR archive of targeted files for exfiltration.3 Additionally, APT41 used the makecab.exe utility to both download tools, such as NATBypass, to the victim network and to archive a file for exfiltration.9
enterprise T1560.003 Archive via Custom Method During C0017, APT41 hex-encoded PII data prior to exfiltration.12
enterprise T1119 Automated Collection APT41 DUST used tools such as SQLULDR2 and PINEGROVE to gather local system and database information.11
enterprise T1197 BITS Jobs APT41 used BITSAdmin to download and install payloads.81
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder APT41 created and modified startup files for persistence.36 APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.8
enterprise T1037 Boot or Logon Initialization Scripts APT41 used a hidden shell script in /etc/rc.d/init.d to leverage the ADORE.XSECbackdoor and Adore-NG rootkit.4
enterprise T1110 Brute Force APT41 performed password brute-force attacks on the local admin account.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell APT41 leveraged PowerShell to deploy malware families in victims’ environments.38
enterprise T1059.003 Windows Command Shell APT41 used cmd.exe /c to execute commands on remote machines.3
APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.8
enterprise T1059.004 Unix Shell APT41 used Linux shell commands for system survey and information gathering prior to exploitation of vulnerabilities such as CVE-2019-19871.8
enterprise T1059.007 JavaScript During C0017, APT41 deployed JScript web shells on compromised systems.12
enterprise T1586 Compromise Accounts -
enterprise T1586.003 Cloud Accounts APT41 DUST used compromised Google Workspace accounts for command and control.11
enterprise T1136 Create Account -
enterprise T1136.001 Local Account APT41 has created user accounts.3
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service APT41 modified legitimate Windows services to install malware backdoors.36 APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.8
enterprise T1555 Credentials from Password Stores APT41 has obtained information about accounts, lists of employees, and plaintext and hashed passwords from databases.7
enterprise T1555.003 Credentials from Web Browsers APT41 used BrowserGhost, a tool designed to obtain credentials from browsers, to retrieve information from password stores.7
enterprise T1486 Data Encrypted for Impact APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.3 APT41 also used Microsoft Bitlocker to encrypt workstations and Jetico’s BestCrypt to encrypt servers.9
enterprise T1213 Data from Information Repositories -
enterprise T1213.003 Code Repositories APT41 cloned victim user Git repositories during intrusions.7
enterprise T1213.006 Databases APT41 DUST collected data from victim Oracle databases using SQLULDR2.11
enterprise T1005 Data from Local System APT41 has uploaded files and data from a compromised host.6
enterprise T1001 Data Obfuscation -
enterprise T1001.003 Protocol or Service Impersonation During C0017, APT41 frequently configured the URL endpoints of their stealthy passive backdoor LOWKEY.PASSIVE to masquerade as normal web application traffic on an infected server.12
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging APT41 DUST involved exporting data from Oracle databases to local CSV files prior to exfiltration.11
enterprise T1030 Data Transfer Size Limits APT41 transfers post-exploitation files dividing the payload into fixed-size chunks to evade detection.7
enterprise T1140 Deobfuscate/Decode Files or Information During C0017, APT41 used the DUSTPAN loader to decrypt embedded payloads.12
enterprise T1484 Domain or Tenant Policy Modification -
enterprise T1484.001 Group Policy Modification APT41 used scheduled tasks created via Group Policy Objects (GPOs) to deploy ransomware.4
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms APT41 has used DGAs to change their C2 servers monthly.3
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography APT41 DUST used HTTPS for command and control.11
enterprise T1546 Event Triggered Execution -
enterprise T1546.008 Accessibility Features APT41 leveraged sticky keys to establish persistence.3
enterprise T1480 Execution Guardrails -
enterprise T1480.001 Environmental Keying APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system’s volume serial number.10
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol During C0017, APT41 exfiltrated victim data via DNS lookups by encoding and prepending it as subdomains to the attacker-controlled domain.12
enterprise T1041 Exfiltration Over C2 Channel During C0017, APT41 used its Cloudflare services C2 channels for data exfiltration.12
enterprise T1567 Exfiltration Over Web Service During C0017, APT41 used Cloudflare services for data exfiltration.12
enterprise T1567.002 Exfiltration to Cloud Storage APT41 DUST exfiltrated collected information to OneDrive.11
enterprise T1190 Exploit Public-Facing Application APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central through unsafe deserialization, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.8 APT41 leveraged vulnerabilities such as ProxyLogon exploitation or SQL injection for initial access.7 APT41 exploited CVE-2021-26855 against a vulnerable Microsoft Exchange Server to gain initial access to the victim network.9
enterprise T1203 Exploitation for Client Execution APT41 leveraged the follow exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.3
enterprise T1133 External Remote Services APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.3
enterprise T1008 Fallback Channels APT41 used the Steam community page as a fallback mechanism for C2.3
enterprise T1083 File and Directory Discovery APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture related information.8
enterprise T1574 Hijack Execution Flow During C0017, APT41 established persistence by loading malicious libraries via modifications to the Import Address Table (IAT) within legitimate Microsoft binaries.12
enterprise T1574.001 DLL APT41 has used search order hijacking to execute malicious payloads, such as Winnti for Windows.1 APT41 has also used legitimate executables to perform DLL side-loading of their malware.3
enterprise T1574.006 Dynamic Linker Hijacking APT41 has configured payloads to load via LD_PRELOAD.1
enterprise T1562 Impair Defenses -
enterprise T1562.006 Indicator Blocking APT41 developed a custom injector that enables an Event Tracing for Windows (ETW) bypass, making malicious processes invisible to Windows logging.7
enterprise T1656 Impersonation APT41 impersonated an employee at a video game developer company to send phishing emails.4
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.3
enterprise T1070.003 Clear Command History APT41 attempted to remove evidence of some of its activity by deleting Bash histories.3
enterprise T1070.004 File Deletion APT41 deleted files from the system.37
enterprise T1105 Ingress Tool Transfer APT41 used certutil to download additional files.816 APT41 downloaded post-exploitation tools such as Cobalt Strike via command shell following initial access.7 APT41 has uploaded Procdump and NATBypass to a staging directory and has used these tools in follow-on activities.9
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging APT41 used a keylogger called GEARSHIFT on a target system.3
enterprise T1570 Lateral Tool Transfer APT41 uses remote shares to move and remotely execute payloads during lateral movemement.7
enterprise T1680 Local Storage Discovery During C0017, APT41 issued ping -n 1 ((cmd /c dir c:\|findstr Number).split()[-1]+ commands to find the volume serial number of compromised systems.12
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service APT41 has created services to appear as benign system tools.6
enterprise T1036.005 Match Legitimate Resource Name or Location APT41 attempted to masquerade their files as popular anti-virus software.36
enterprise T1112 Modify Registry APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.36
enterprise T1104 Multi-Stage Channels APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.8
enterprise T1599 Network Boundary Bridging APT41 used NATBypass to bypass firewall restrictions and to access compromised systems via RDP.9
enterprise T1046 Network Service Discovery APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets.3
enterprise T1135 Network Share Discovery APT41 used the net share command as part of network reconnaissance.36
enterprise T1027 Obfuscated Files or Information APT41 used VMProtected binaries in multiple intrusions.8
enterprise T1027.002 Software Packing APT41 uses packers such as Themida to obfuscate malicious files.7
enterprise T1027.013 Encrypted/Encoded File APT41 DUST used encrypted payloads decrypted and executed in memory.11
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor.3
enterprise T1588.003 Code Signing Certificates APT41 DUST used stolen code signing certificates to sign DUSTTRAP malware and components.11
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory APT41 has used hashdump, Mimikatz, Procdump, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.369
enterprise T1003.002 Security Account Manager APT41 extracted user account data from the Security Account Managerr (SAM), making a copy of this database from the registry using the reg save command or by exploiting volume shadow copies.7
enterprise T1003.003 NTDS APT41 used ntdsutil to obtain a copy of the victim environment ntds.dit file.7
enterprise T1069 Permission Groups Discovery APT41 used net group commands to enumerate various Windows user groups and permissions.7
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.3
enterprise T1542 Pre-OS Boot -
enterprise T1542.003 Bootkit APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.3
enterprise T1055 Process Injection APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.3
enterprise T1090 Proxy APT41 used a tool called CLASSFON to covertly proxy network communications.3
enterprise T1012 Query Registry APT41 queried registry values to determine items such as configured RDP ports and network configurations.7
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol APT41 used RDP for lateral movement.31 APT41 used NATBypass to expose local RDP ports on compromised systems to the Internet.9
enterprise T1021.002 SMB/Windows Admin Shares APT41 has transferred implant files using Windows Admin Shares and the Server Message Block (SMB) protocol, then executes files through Windows Management Instrumentation (WMI).19
enterprise T1018 Remote System Discovery APT41 has used MiPing to discover active systems in the victim network.9
enterprise T1496 Resource Hijacking -
enterprise T1496.001 Compute Hijacking APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.34
enterprise T1014 Rootkit APT41 deployed rootkits on Linux systems.31
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task APT41 used a compromised account to create a scheduled task on a system.31
enterprise T1596 Search Open Technical Databases -
enterprise T1596.005 Scan Databases APT41 uses the Chinese website fofa.su, similar to the Shodan scanning service, for passive scanning of victims.7
enterprise T1593 Search Open Websites/Domains -
enterprise T1593.002 Search Engines APT41 DUST involved use of search engines to research victim servers.11
enterprise T1594 Search Victim-Owned Websites APT41 DUST involved access of external victim websites for target development.11
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell APT41 DUST involved use of web shells such as ANTSWORD and BLUEBEAM for persistence.11
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.36
enterprise T1195 Supply Chain Compromise -
enterprise T1195.002 Compromise Software Supply Chain APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.3
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.001 Compiled HTML File APT41 used compiled HTML (.chm) files for targeting.3
enterprise T1218.011 Rundll32 APT41 has used rundll32.exe to execute a loader.1
enterprise T1082 System Information Discovery APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information.7
enterprise T1016 System Network Configuration Discovery APT41 collected MAC addresses from victim machines.36
enterprise T1049 System Network Connections Discovery APT41 has enumerated IP addresses of network resources and used the netstat command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions.36
enterprise T1033 System Owner/User Discovery APT41 has executed whoami commands, including using the WMIEXEC utility to execute this on remote machines.37
enterprise T1569 System Services -
enterprise T1569.002 Service Execution APT41 used svchost.exe and Net to execute a system service installed to launch a Cobalt Strike BEACON loader.86
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.002 Pass the Hash APT41 uses tools such as Mimikatz to enable lateral movement via captured password hashes.7
enterprise T1078 Valid Accounts APT41 used compromised credentials to log on to other systems.31
enterprise T1102 Web Service APT41 DUST used compromised Google Workspace accounts for command and control.11
enterprise T1102.001 Dead Drop Resolver APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.3
enterprise T1047 Windows Management Instrumentation APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.36 APT41 has executed files through Windows Management Instrumentation (WMI).9

Software

ID Name References Techniques
S0073 ASPXSpy 3 Web Shell:Server Software Component
S0190 BITSAdmin 8 BITS Jobs Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S0069 BLACKCOFFEE 3 Windows Command Shell:Command and Scripting Interpreter File and Directory Discovery File Deletion:Indicator Removal Multi-Stage Channels Process Discovery Dead Drop Resolver:Web Service Bidirectional Communication:Web Service
S0160 certutil 8 Archive via Utility:Archive Collected Data Deobfuscate/Decode Files or Information Ingress Tool Transfer Install Root Certificate:Subvert Trust Controls
S0020 China Chopper APT41 used the China Chopper web shell as a persistence mechanism on compromised Microsoft Exchange servers.93 Web Protocols:Application Layer Protocol Password Guessing:Brute Force Windows Command Shell:Command and Scripting Interpreter Data from Local System File and Directory Discovery Timestomp:Indicator Removal Ingress Tool Transfer Network Service Discovery Software Packing:Obfuscated Files or Information Web Shell:Server Software Component
S0154 Cobalt Strike 86 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Parent PID Spoofing:Access Token Manipulation Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Domain Account:Account Discovery DNS:Application Layer Protocol Web Protocols:Application Layer Protocol File Transfer Protocols:Application Layer Protocol BITS Jobs Browser Session Hijacking JavaScript:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Python:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol or Service Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup LSASS Memory:OS Credential Dumping Security Account Manager:OS Credential Dumping Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery Process Discovery Dynamic-link Library Injection:Process Injection Process Hollowing:Process Injection Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Remote Desktop Protocol:Remote Services SSH:Remote Services Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S1052 DEADEYE 12 Windows Command Shell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information Execution Guardrails NTFS File Attributes:Hide Artifacts Masquerade Task or Service:Masquerading Native API Encrypted/Encoded File:Obfuscated Files or Information Embedded Payloads:Obfuscated Files or Information Msiexec:System Binary Proxy Execution Rundll32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery
S0021 Derusbi 3 Audio Capture Unix Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Fallback Channels File and Directory Discovery Timestomp:Indicator Removal File Deletion:Indicator Removal Keylogging:Input Capture Non-Application Layer Protocol Non-Standard Port Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Screen Capture Regsvr32:System Binary Proxy Execution System Information Discovery System Owner/User Discovery Video Capture
S0105 dsquery 12 Domain Account:Account Discovery Domain Trust Discovery Domain Groups:Permission Groups Discovery System Information Discovery
S1158 DUSTPAN DUSTPAN has been used by APT41 in various campaigns since at least 2021.1411 Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Match Legitimate Resource Name or Location:Masquerading Encrypted/Encoded File:Obfuscated Files or Information Embedded Payloads:Obfuscated Files or Information Portable Executable Injection:Process Injection
S1159 DUSTTRAP DUSTTRAP is used by APT41.11 Domain Account:Account Discovery Local Account:Account Discovery Application Window Discovery Windows Command Shell:Command and Scripting Interpreter Data from Local System Deobfuscate/Decode Files or Information Domain Trust Discovery Exfiltration Over C2 Channel File and Directory Discovery Group Policy Discovery Indicator Removal Clear Windows Event Logs:Indicator Removal Network Share Connection Removal:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Log Enumeration Network Share Discovery Encrypted/Encoded File:Obfuscated Files or Information Embedded Payloads:Obfuscated Files or Information Process Discovery Process Injection Query Registry Remote System Discovery Screen Capture Security Software Discovery:Software Discovery System Information Discovery System Network Configuration Discovery System Time Discovery System Checks:Virtualization/Sandbox Evasion
S0363 Empire 1 Bypass User Account Control:Abuse Elevation Control Mechanism SID-History Injection:Access Token Manipulation Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Automated Collection Automated Exfiltration Security Support Provider:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Shortcut Modification:Boot or Logon Autostart Execution Browser Information Discovery Clipboard Data PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Command and Scripting Interpreter Local Account:Create Account Domain Account:Create Account Windows Service:Create or Modify System Process Keychain:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain or Tenant Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Code Repository:Exfiltration Over Web Service Exfiltration to Cloud Storage:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Unquoted Path:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow DLL:Hijack Execution Flow Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Credential API Hooking:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Kerberoasting:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Credentials In Files:Unsecured Credentials Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation
S0095 ftp 8 Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S0032 gh0st RAT 3 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Fast Flux DNS:Dynamic Resolution Symmetric Cryptography:Encrypted Channel Encrypted Channel DLL:Hijack Execution Flow Clear Windows Event Logs:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Application Layer Protocol Process Discovery Process Injection Query Registry Screen Capture Shared Modules Rundll32:System Binary Proxy Execution System Information Discovery Service Execution:System Services
S0357 Impacket APT41 used Impacket to dump LSA secrets on one of the domain controllers in the victim network.9 LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Lateral Tool Transfer Network Sniffing NTDS:OS Credential Dumping LSASS Memory:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Kerberoasting:Steal or Forge Kerberos Tickets Ccache Files:Steal or Forge Kerberos Tickets Service Execution:System Services Windows Management Instrumentation
S0100 ipconfig 6 System Network Configuration Discovery
S1051 KEYPLUG 12 Web Protocols:Application Layer Protocol Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Non-Application Layer Protocol Encrypted/Encoded File:Obfuscated Files or Information Proxy System Time Discovery Dead Drop Resolver:Web Service
S1185 LightSpy 13 Web Protocols:Application Layer Protocol Web Protocols:Application Layer Protocol Archive Collected Data Audio Capture Audio Capture Boot or Logon Initialization Scripts Browser Information Discovery Command and Scripting Interpreter Keychain:Credentials from Password Store Keychain:Credentials from Password Stores Data Destruction Data from Local System Drive-By Compromise Endpoint Denial of Service Execution Guardrails Exfiltration Over C2 Channel Exfiltration Over C2 Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Ingress Tool Transfer Ingress Tool Transfer Location Tracking Masquerading Native API Network Service Discovery Network Service Scanning Non-Standard Port Encrypted/Encoded File:Obfuscated Files or Information Binary Padding:Obfuscated Files or Information Obfuscated Files or Information Phishing Process Discovery Process Discovery Process Injection Contact List:Protected User Data Call Log:Protected User Data SMS Messages:Protected User Data Screen Capture Screen Capture Shared Modules SMS Control Software Discovery Software Discovery Stored Application Data System Information Discovery System Information Discovery Wi-Fi Discovery:System Network Configuration Discovery System Network Configuration Discovery System Network Connections Discovery Video Capture
S0443 MESSAGETAP 161 Archive via Custom Method:Archive Collected Data Automated Collection Local Data Staging:Data Staged Deobfuscate/Decode Files or Information File and Directory Discovery File Deletion:Indicator Removal Network Sniffing System Network Connections Discovery
S0002 Mimikatz 36 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Golden Ticket:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S1221 MOPSLED 17 Web Protocols:Application Layer Protocol Deobfuscate/Decode Files or Information Non-Application Layer Protocol Encrypted/Encoded File:Obfuscated Files or Information Web Service Dead Drop Resolver:Web Service
S0039 Net 3 Domain Account:Account Discovery Local Account:Account Discovery Additional Local or Domain Groups:Account Manipulation Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0104 netstat 3 System Network Connections Discovery
S0385 njRAT 3 Web Protocols:Application Layer Protocol Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Data from Local System Fast Flux DNS:Dynamic Resolution Exfiltration Over C2 Channel File and Directory Discovery Disable or Modify System Firewall:Impair Defenses File Deletion:Indicator Removal Clear Persistence:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Standard Port Encrypted/Encoded File:Obfuscated Files or Information Compile After Delivery:Obfuscated Files or Information Peripheral Device Discovery Process Discovery Query Registry Remote Desktop Protocol:Remote Services Remote System Discovery Replication Through Removable Media Screen Capture System Information Discovery System Owner/User Discovery Video Capture
S0097 Ping 36 Remote System Discovery
S0013 PlugX APT41 used a variant of PlugX to connect to Windows and Linux systems via SSH and Samba/CIFS.43 Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Local Data Staging:Data Staged Debugger Evasion Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Mutual Exclusion:Execution Guardrails Exfiltration Over C2 Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts Hidden Window:Hide Artifacts DLL:Hijack Execution Flow Disable or Modify System Firewall:Impair Defenses Clear Persistence:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Local Storage Discovery Masquerade Task or Service:Masquerading Match Legitimate Resource Name or Location:Masquerading Modify Registry Native API Network Share Discovery Non-Application Layer Protocol Non-Standard Port Binary Padding:Obfuscated Files or Information Dynamic API Resolution:Obfuscated Files or Information Obfuscated Files or Information Encrypted/Encoded File:Obfuscated Files or Information Peripheral Device Discovery Process Discovery Query Registry Reflective Code Loading Replication Through Removable Media Scheduled Task:Scheduled Task/Job Screen Capture System Information Discovery System Location Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Time Discovery MSBuild:Trusted Developer Utilities Proxy Execution Malicious File:User Execution System Checks:Virtualization/Sandbox Evasion Dead Drop Resolver:Web Service
S0194 PowerSploit 3 Access Token Manipulation Local Account:Account Discovery Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Windows Credential Manager:Credentials from Password Stores Data from Local System Domain Trust Discovery Path Interception by PATH Environment Variable:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Keylogging:Input Capture Indicator Removal from Tools:Obfuscated Files or Information Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Reflective Code Loading Scheduled Task:Scheduled Task/Job Screen Capture Kerberoasting:Steal or Forge Kerberos Tickets Credentials in Registry:Unsecured Credentials Group Policy Preferences:Unsecured Credentials Windows Management Instrumentation
S0006 pwdump 3 Security Account Manager:OS Credential Dumping
S0112 ROCKBOOT 3 Bootkit:Pre-OS Boot
S0596 ShadowPad 315 DNS:Application Layer Protocol File Transfer Protocols:Application Layer Protocol Web Protocols:Application Layer Protocol Non-Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Domain Generation Algorithms:Dynamic Resolution Indicator Removal Ingress Tool Transfer Local Storage Discovery Modify Registry Non-Application Layer Protocol Fileless Storage:Obfuscated Files or Information Obfuscated Files or Information Process Discovery Process Injection Dynamic-link Library Injection:Process Injection Scheduled Transfer System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery
S0225 sqlmap 7 Exploit Public-Facing Application
S0430 Winnti for Linux 1 Web Protocols:Application Layer Protocol Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Non-Application Layer Protocol Encrypted/Encoded File:Obfuscated Files or Information Rootkit Traffic Signaling
S0412 ZxShell 3 Create Process with Token:Access Token Manipulation Web Protocols:Application Layer Protocol File Transfer Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Local Account:Create Account Windows Service:Create or Modify System Process Data from Local System Endpoint Denial of Service Exploit Public-Facing Application File and Directory Discovery Disable or Modify System Firewall:Impair Defenses Disable or Modify Tools:Impair Defenses Clear Windows Event Logs:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Credential API Hooking:Input Capture Keylogging:Input Capture Modify Registry Native API Network Service Discovery Non-Standard Port Process Discovery Dynamic-link Library Injection:Process Injection Proxy Query Registry VNC:Remote Services Remote Desktop Protocol:Remote Services Screen Capture Rundll32:System Binary Proxy Execution System Information Discovery System Owner/User Discovery System Service Discovery Service Execution:System Services Video Capture

References

  1. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  2. FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019. 

  3. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. 

  4. Mandiant. (n.d.). APT41, A DUAL ESPIONAGE AND CYBER CRIME OPERATION. Retrieved June 11, 2024. 

  5. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. 

  6. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. 

  7. Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024. 

  8. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. 

  9. DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024. 

  10. Carr, N. (2019, October 30). Nick Carr Status Update APT41 Environmental Keying. Retrieved September 12, 2024. 

  11. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. 

  12. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  13. Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025. 

  14. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman & John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved September 16, 2024. 

  15. Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021. 

  16. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020. 

  17. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.