
APT41: The Complete Guide to China’s Dual-Purpose Cyber Threat Group


The Unique Threat of APT41

APT41, also known as Barium, Winnti, Wicked Panda, Brass Typhoon, Double Dragon, Bronze Atlas, Earth Baku, and HOODOO, represents one of the most versatile and dangerous cyber threat groups in the world. What makes APT41 truly unique is its dual nature: APT41 is a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations.

Unlike other nation-state groups like APT28 or APT29 from Russia, APT33 from Iran, or even Lazarus Group from North Korea, APT41 doesn’t just focus on one mission. They’re hackers who work for the Chinese government while simultaneously running their own criminal side hustles. This makes them incredibly unpredictable and difficult to defend against.

APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.

Historical Background and Evolution

The Early Years (2012-2014)

APT41 has been active since at least 2012, though some researchers trace individual members’ activities back even further. During these formative years, the group focused primarily on financially motivated operations, particularly targeting the video game industry.

FireEye has been observing individual members of APT41 who have been conducting primarily financially motivated operations since 2012, before expanding into likely state-sponsored activity. Evidence suggests that these two motivations were balanced concurrently from 2014 onward.

The Dual-Mission Era (2014-2019)

From 2014, something interesting happened: APT41 began conducting state-sponsored espionage while continuing their criminal activities. This wasn’t a pivot—it was an addition to their operations.

Like other Chinese espionage operators, APT41 espionage targeting has generally aligned with China’s Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors.

But they never stopped their financially motivated hacking. The video game industry remained a favorite target for personal profit.

The Indictments (2019-2020)

APT41’s activities eventually caught the attention of U.S. law enforcement. On August 15, 2019, a Grand Jury in the District of Columbia returned an indictment against Chinese nationals ZHANG Haoran and TAN Dailin on charges including Unauthorized Access to Protected Computers, Aggravated Identity Theft, Money Laundering, and Wire Fraud. On August 11, 2020, a Grand Jury returned an indictment against Chinese nationals QIAN Chuan, FU Qiang, and JIANG Lizhi.

These indictments revealed the front company: Chengdu 404 Network Technology Company. The defendants allegedly conducted supply chain attacks to gain unauthorized access to networks throughout the world, targeting hundreds of companies representing a broad array of industries including social media, telecommunications, government, defense, education, and manufacturing. These victims included companies in Australia, Brazil, Germany, India, Japan and Sweden.

Modern Operations (2020-2025)

The indictments didn’t slow APT41 down. The Chinese advanced persistent threat (APT) actor tracked as Winnti targeted at least 13 organizations spanning the U.S., Taiwan, India, Vietnam, and China across four different campaigns in 2021.

By 2023-2024, the group was operating at an unprecedented scale, with sophisticated new malware and innovative command-and-control techniques.

The Dual Nature: Espionage Meets Crime

This is what makes APT41 absolutely fascinating from a threat intelligence perspective. They’re essentially leading double lives.

State-Sponsored Espionage Activities

APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance. For example, the group has repeatedly targeted call record information at telecom companies. In another instance, APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to reconnoiter the facility for security reasons.

Strategic Intelligence Collection:

  • Healthcare and pharmaceutical research
  • High-tech intellectual property
  • Telecommunications infrastructure
  • Government and defense capabilities
  • Strategic economic intelligence

These activities clearly support Chinese national interests and align with China’s strategic development goals, particularly the “Made in China 2025” initiative.

Financially Motivated Criminal Operations

The group’s financially motivated activity has primarily focused on the video game industry, where APT41 has manipulated virtual currencies and even attempted to deploy ransomware.

Criminal Activities Include:

  • Manipulation of in-game virtual currencies
  • Theft of video game source code
  • Digital certificate theft and abuse
  • Ransomware deployment
  • Sale of stolen credentials and data
  • Cryptocurrency theft

The group is adept at moving laterally within targeted networks, including pivoting between Windows and Linux systems, until it can access game production environments. From there, the group steals source code as well as digital certificates which are then used to sign malware.

The Blurred Line

APT41’s links to both underground marketplaces and state-sponsored activity may indicate that the group enjoys protections that enable it to conduct its own for-profit activities, or that authorities are willing to overlook them. It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41.

This relationship suggests several possibilities:

  • The Chinese government provides protection for their criminal activities
  • APT41 members moonlight as criminals while working government contracts
  • Criminal profits fund espionage operations, reducing state costs
  • The Chinese government considers the arrangement mutually beneficial

Supply Chain Attacks: APT41’s Signature Move

APT41 has become infamous for their sophisticated supply chain compromises. These attacks represent the pinnacle of their technical capabilities and strategic thinking.

The CCleaner Attack (2017)

In March 2017, the hugely popular computer cleaning software CCleaner was compromised by an attacker who used it to distribute malicious code to unsuspecting victims who trusted CCleaner as a legitimate tool. It was a devastatingly successful attack, which reportedly led to approximately 1.6 million downloads of the infected copy of CCleaner.

Attack Methodology:

  • Compromised CCleaner’s parent company network
  • Injected ShadowPad malware into the application
  • Used legitimate digital signatures
  • Targeted specific high-value organizations
  • Successfully compromised 11 targeted companies

The attackers compromised the maker of CCleaner’s network to inject their software, known as ShadowPad, into the application. The attackers were specifically targeting a smaller group of companies and some eleven of those targeted were successfully compromised by the backdoored CCleaner application.

The Sophistication: What made this attack remarkable was the precision targeting within the massive distribution. APT41 infected 1.6 million users but was only interested in specific targets—they had embedded MAC address checks to ensure the second-stage payload only deployed on intended victims’ systems.

Operation ShadowHammer: The ASUS Attack (2019)

This was even more audacious than CCleaner.

In late January 2019, Kaspersky Lab researchers discovered what appeared to be a new attack on a large manufacturer in Asia. Researchers named it “Operation ShadowHammer”. Kaspersky assessed it to be the result of a sophisticated supply chain attack that matches or even surpasses the ShadowPad and CCleaner incidents in complexity and techniques.

Attack Timeline:

  • Initial compromise: 2018
  • Discovery: January 2019
  • Affected systems: Over 1 million ASUS customers
  • Highly targeted second stage: Only 600+ specific MAC addresses

Part of the reason it stayed undetected for so long is that the trojanized software was signed with legitimate certificates (e.g. “ASUSTeK Computer Inc.”). The goal of the attack was to surgically target an unknown pool of users, who were identified by their network adapters’ MAC addresses.

Technical Details: To achieve this, the attackers hardcoded a list of MAC addresses into the trojanized samples, and that list was used to identify the intended targets of this massive operation. Kaspersky researchers extracted more than 600 unique MAC addresses from more than 200 samples used in the attack.

The Build Process Compromise: Similar to CCleaner, the compile machine was compromised and the CRT runtime modified. While in the CCleaner case the TLS initialization function was modified, in this case the crtExitProcess function was modified.

The Code Signing Certificate Arsenal

APT41 has perfected the abuse of code signing certificates—a technique that’s become their calling card.

APT41 is reportedly managing a library of these certs and keys – some purchased from underground marketplaces, some obtained from other Chinese attack groups and some stolen by APT41 itself. This shared resource allows members of the group to select the appropriate certificate for their needs, “dramatically” improving success rates.

Why This Matters: Code signing machine identities allow malicious code to appear authentic and evade security controls. The success of attacks using this model over the last decade has created a blueprint for sophisticated attacks that have been highly successful because they are very difficult to detect.

Other Supply Chain Victims:

  • NetSarang server management tool (ShadowPad)
  • Various video game companies
  • Software development environments across multiple vendors
  • Digital certificate authorities

More importantly, APT41 is known to use its access to production environments to inject malicious code into legitimate files which are later distributed to victim organizations. These supply chain compromise tactics have also been characteristic of APT41’s best known and most recent espionage campaigns.

APT41’s Modern Arsenal (2023-2025)

APT41 continuously develops and deploys new malware. Let’s look at their latest tools.

TOUGHPROGRESS: Google Calendar C2 (2024-2025)

This is perhaps APT41’s most innovative recent development.

In May 2025, Google disclosed that the Chinese state-sponsored threat actor known as APT41 leveraged a malware called TOUGHPROGRESS that uses Google Calendar for command-and-control (C2). The tech giant, which discovered the activity in late October 2024, said the malware was hosted on a compromised government website and was used to target multiple other government entities.

How It Works: TOUGHPROGRESS is designed to read and write events with an attacker-controlled Google Calendar, and extract the commands specified in them for subsequent execution. The results of the execution are written back to another Calendar event from where they can be accessed by the attackers.

The Attack Chain: APT41 launched this campaign using spear-phishing emails that directed victims to a ZIP archive hosted on a compromised government website. The archive contained a Windows shortcut (LNK) file disguised as a PDF, along with several JPG images—two of which were actually malicious in nature.

Inside the Archive: The ZIP file includes a directory and a Windows shortcut (LNK) that masquerades as a PDF document. The directory features what appear to be seven different images of arthropods (from “1.jpg” to “7.jpg”).

When the victim clicks the LNK file:

  1. PLUSDROP decrypts and executes the next stage
  2. PLUSINJECT uses process hollowing to inject code into legitimate svchost.exe
  3. TOUGHPROGRESS deploys and begins communicating with Google Calendar

Why Google Calendar? Using a legitimate cloud service like Google Calendar makes C2 traffic appear normal. TOUGHPROGRESS creates zero-minute events with encrypted content embedded in the event descriptions. These contain either system data exfiltrated from the host or attacker commands to be executed.

This is brilliant operational security: traffic to Google Calendar looks completely legitimate and is unlikely to be blocked.

DodgeBox and MoonWalk (2024)

The China-linked advanced persistent threat (APT) group codenamed APT41 is suspected to be using an “advanced and upgraded version” of a known malware called StealthVector to deliver a previously undocumented backdoor dubbed MoonWalk. The new variant of StealthVector has been designated DodgeBox by Zscaler ThreatLabz, which discovered the loader strain in April 2024.

DodgeBox Capabilities:

  • AES Cipher Feedback (AES-CFB) mode encryption for configuration
  • Environmental checks to ensure correct target
  • Privilege validation for maximum access
  • Salted FNV1a hash for DLL and function names
  • Attempts to disable Windows Control Flow Guard (CFG)

What sets DodgeBox apart from other malware is its unique algorithms and techniques. Notably, DodgeBox employs a salted FNV1a hash for DLL and function names. This salted hash helps it evade static detections, and also allows different DodgeBox samples to use distinct values for the same DLL and function.

MoonWalk Features: MoonWalk shares many evasion techniques implemented in DodgeBox and utilizes Google Drive for command-and-control (C2) communication.

DUSTTRAP and DUSTPAN Campaign (2023-2024)

In collaboration with Google’s Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent threat group APT41 targeting and successfully compromising multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims’ networks since 2023.

The Attack Infrastructure: Attack chains involve the use of web shells (ANTSWORD and BLUEBEAM), custom droppers (DUSTPAN and DUSTTRAP), and publicly available tools (SQLULDR2 and PINEGROVE) to achieve persistence, deliver additional payloads, and exfiltrate data of interest.

DUSTPAN: DUSTPAN is an in-memory dropper written in C/C++ that decrypts and executes an embedded payload. Different variations of DUSTPAN may also load an external payload off disk from a hard-coded file path encrypted in the Portable Executable (PE) file.

DUSTTRAP: APT41 escalated its tactics by deploying the DUSTTRAP dropper. Upon execution, DUSTTRAP would decrypt a malicious payload and execute it in memory, leaving minimal forensic traces. The decrypted payload was designed to establish communication channels with either APT41-controlled infrastructure for command and control or, in some instances, with a compromised Google Workspace account.

Data Exfiltration: Furthermore, APT41 leveraged SQLULDR2 to export data from Oracle Databases, and used PINEGROVE to systematically and efficiently exfiltrate large volumes of sensitive data from the compromised networks, transferring to OneDrive to enable exfiltration and subsequent analysis.

The Google Workspace Abuse: The affected Google Workspace accounts have been successfully remediated to prevent further unauthorized access, but this shows APT41’s willingness to abuse any cloud service for their operations.

DeepData Framework (2024)

A newly discovered Windows-based surveillance toolkit targeting South Asia.

Researchers at BlackBerry spotted the new malware toolkit in 2024 and dubbed it “DeepData Framework.” Their analysis showed it to be a highly modular toolkit that supports as many as 12 separate plug-ins, each one optimized for a specific malicious function.

Plugin Capabilities: Four of the plug-ins steal communications from WhatsApp, Signal, Telegram, and WeChat. Another three are rigged to steal and exfiltrate system information, Wi-Fi network data, and information on all installed applications on the compromised system — including names and installation paths.

Deployment Method: DeepData appears to be a malware toolkit that the attackers are manually interacting with after compromising a target and gaining access. The command and control address is also specified as a command line argument, as are the requested plugins to be run or data to extract. The implication of this execution method is that it must be done manually, sans a script or some other bundling distribution.

VOLDEMORT Malware (2024)

In October 2024, Proofpoint published a report attributing the VOLDEMORT malware family to APT41.

Since at least August 2024, APT41 has been observed using free web hosting services to distribute its malware. This includes VOLDEMORT, DUSTTRAP, TOUGHPROGRESS and likely other payloads as well.

The Full Malware Portfolio

APT41’s malware arsenal includes: dragonegg, wyrmspy, messagetap, biopass, coldlock, crackshot, dboxagent, easynight, highnoon, jumpall, serialvlogger, pinegrove, acehash, crosswalk, dusttrap, gearshift, lowkey, moonbounce, moonwalk, skip20, keyplug, poisonplug, chinachopper, blackcoffee, derusbi, zxshell, toughprogress, shadowpad, plugx, and cobalt_strike.

Tactics, Techniques, and Procedures (TTPs)

Initial Access

Spear Phishing

In the TOUGHPROGRESS campaign, APT41 sent spear phishing emails containing a link to a ZIP archive hosted on a compromised government website.

The group crafts highly targeted lures:

  • Government document themes
  • Export/import declarations
  • Business proposals
  • Job opportunities in targeted sectors

Exploiting Public-Facing Applications

Between January 20 and March 11, 2020, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers. They described the attacks as “the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years”.

Commonly Exploited Vulnerabilities:

  • Citrix NetScaler/ADC (CVE-2019-19781)
  • Cisco routers
  • Zoho ManageEngine Desktop Central
  • Various internet-facing applications

Supply Chain Compromise

As we’ve seen, this is APT41’s signature:

  • Compromise software development environments
  • Inject malicious code into legitimate updates
  • Sign malware with stolen certificates
  • Distribute to thousands but target specific victims

Persistence Mechanisms

APT41 employs multiple persistence techniques:

Web Shells:

  • ANTSWORD
  • BLUEBEAM
  • China Chopper

Services and Scheduled Tasks:

  • Creating new services
  • Modifying existing scheduled tasks
  • Registry Run keys
  • WMI event subscriptions

Bootkit Deployment: APT41 has also deployed bootkits, a class of malware that is difficult to detect and rarely seen among other cyber espionage and cybercrime groups, which makes the malicious code harder for security systems to find.

Lateral Movement

The group is adept at moving laterally within targeted networks, including pivoting between Windows and Linux systems, until it can access game production environments.

Techniques Include:

  • Credential dumping and reuse
  • Pass-the-hash attacks
  • SMB for network propagation
  • Remote Desktop Protocol (RDP)
  • SSH for Linux systems

Defense Evasion

Code Signing Abuse: The most significant evasion technique. By using legitimate certificates, APT41’s malware appears trustworthy to security tools.

Living Off the Land:

  • PowerShell for scripting
  • WMI for execution
  • Legitimate system tools
  • Cobalt Strike for post-exploitation

Memory-Only Execution: DUSTTRAP would decrypt a malicious payload and execute it in memory, leaving minimal forensic traces.

Process Injection:

  • Process hollowing
  • DLL injection
  • Reflective DLL loading
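As an added illustration of how a defender hunts for the svchost.exe abuse described above (PLUSINJECT hollowing a legitimate svchost.exe in the TOUGHPROGRESS chain, and process hollowing in the list just given), the following Python script applies three launch-time heuristics to constructed process-creation records: an svchost.exe whose parent is not services.exe, one running from outside the Windows system directories, and one started without the -k service-group argument that the genuine binary always receives from the Service Control Manager. This is example code written for this guide, not code from the original article or from any vendor report it cites; the telemetry field names and sample paths are assumptions.

```python
import ntpath
from dataclasses import dataclass

# Constructed process-creation records (not from any real incident). The field names are
# assumptions standing in for whatever the EDR or Sysmon event ID 1 feed actually provides.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 1200, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"},
    {"pid": 4412, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\update.exe",   # constructed dropper path
     "cmdline": "C:\\Windows\\System32\\svchost.exe"},
    {"pid": 5020, "image": r"C:\Users\user\AppData\Roaming\svchost.exe",  # look-alike outside System32
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p"},
]

# Directories the genuine svchost.exe lives in (compared case-insensitively).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Finding:
    pid: int
    reason: str


def hunt_svchost(events):
    """Return one Finding per heuristic that fires for each svchost.exe launch."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if ntpath.basename(image) != "svchost.exe":
            continue
        parent = ntpath.basename(ev["parent_image"].lower())
        # Heuristic 1: services.exe is the only expected parent of svchost.exe.
        if parent != "services.exe":
            findings.append(Finding(ev["pid"], f"svchost.exe spawned by {parent} instead of services.exe"))
        # Heuristic 2: a binary named svchost.exe outside the system directories is a masquerade.
        if not image.startswith(SYSTEM_DIRS):
            findings.append(Finding(ev["pid"], "svchost.exe image outside the Windows system directories"))
        # Heuristic 3: a real service host is always told which service group to load with -k.
        if " -k " not in f" {ev['cmdline']} ":
            findings.append(Finding(ev["pid"], "svchost.exe started without a -k service group"))
    return findings


if __name__ == "__main__":
    for f in hunt_svchost(SAMPLE_PROCESS_EVENTS):
        print(f"pid {f.pid}: {f.reason}")
```

These heuristics catch the anomalies visible at process launch (wrong parent, wrong path, missing arguments); they do not see the memory replacement itself, so in practice they are paired with memory scanning for unbacked executable regions inside the hollowed process.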

Command and Control Innovation

APT41 has shown remarkable creativity in C2:

Cloud Services Abuse:

  • Google Calendar (TOUGHPROGRESS)
  • Google Drive (MoonWalk)
  • Google Workspace (DUSTTRAP)
  • Microsoft OneDrive (PINEGROVE)

Traditional C2:

  • Custom protocols
  • Encrypted communications
  • Domain generation algorithms (DGAs)
  • Fast-flux networks

Data Exfiltration

APT41 used SQLULDR2 to export data from Oracle Databases to a local text-based file and PINEGROVE to transmit large volumes of sensitive data from compromised networks by abusing Microsoft OneDrive as an exfiltration vector.

Exfiltration Methods:

  • Legitimate cloud services (OneDrive, Google Drive)
  • Encrypted channels
  • Steganography in some cases
  • DNS tunneling
  • HTTPS to blend with normal traffic

Target Profile and Victimology

Geographic Distribution

To date, organizations have been targeted in the following locations: France, India, Italy, Japan, Myanmar, the Netherlands, Singapore, South Korea, South Africa, Switzerland, Thailand, Turkey, the United Kingdom, the United States and Hong Kong.

Primary Targets:

  • United States
  • United Kingdom
  • Taiwan
  • India
  • Japan
  • Australia

Recent Campaign Focus (2023-2024): Most of the affected organizations are located in the United Kingdom, Italy, Spain, Taiwan, Thailand, and Turkey.

Industry Sectors

Espionage Targets:

  • Healthcare and Pharmaceuticals – Research, intellectual property, patient data
  • High-Tech – Source code, product designs, business intelligence
  • Telecommunications – The group has repeatedly targeted call record information at telecom companies
  • Government – Policy documents, strategic intelligence, infrastructure
  • Defense – Military capabilities, defense technologies
  • Higher Education – Research, individual tracking
  • Media and News – Surveillance of journalists, narrative control

Financial Crime Targets:

  • Video Game Industry – Virtual currency manipulation, source code theft
  • Software Companies – Supply chain positioning
  • Any Organization – Ransomware targets of opportunity

Notable Victims and Campaigns

COVID-19 Exploitation (2020)

Companies could have an even harder time responding to such breaches while members of their security and IT teams are working from home or are sick as a result of the COVID-19 pandemic. The attacks observed by FireEye in 2020 targeted companies from many industries including banking/finance, defense, government, healthcare, high tech, manufacturing, oil & gas, pharmaceutical, telecommunications, and transportation worldwide.

Air India Breach (2021)

The targeted industries included the public sector, manufacturing, healthcare, logistics, hospitality, education, as well as the media and aviation. This also included the attack on Air India that came to light in June 2021 as part of a campaign codenamed ColunmTK.

U.S. State Governments (2021-2022)

Over the past few years, the threat group has been linked to breaches of U.S. state government networks between May 2021 and February 2022.

Global Logistics Campaign (2023-2024)

The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom within the global shipping and logistics, media and entertainment, technology, and automotive sectors.

Attribution to China

Technical Indicators

Malware Characteristics:

  • Use of tools associated with Chinese APT ecosystem
  • Shared infrastructure with other Chinese groups
  • Code similarities to known Chinese malware families
  • Language artifacts in code

Infrastructure: One of the group’s C2 IP addresses belongs to a range listed as the Korean Education Network and likely belongs to Konkuk University. This IP address range had previously been reported by Avast as one of those related to the ShadowPad activity linked to the CCleaner incident, which suggests that the ShadowPad attackers were still abusing the university’s network to host their C2 infrastructure.

Legal Attribution

ZHANG Haoran, TAN Dailin, QIAN Chuan, FU Qiang, and JIANG Lizhi are all part of a Chinese hacking group known as APT41 and BARIUM.

The US Department of Justice has outed the front company for APT41 (aka Barium), naming five of its hackers in indictments and announcing the arrest of two Malaysian accomplices that helped launder funds for the organisation. Three public indictments put a name (‘Chengdu 404’) and five faces to one of the world’s most capable hacking teams.

Front Company: Chengdu 404 Network Technology Company

Strategic Alignment

APT41 targeting is consistent with the Chinese government’s national plans to move into high-value research and development fields and increase production capabilities. Such initiatives coincide with the Chinese government’s “Made in China 2025” plan, which aims to move Chinese production into high-value fields such as pharmaceuticals, semiconductors, and other high-tech sectors.

Government Protection Theory: It is also recognized in China that more skilled hackers tend to work in the private sector under government contracts due to the higher pay. The FireEye report also noted that the Chinese state has depended on contractors to assist with other state operations focused on cyber-espionage, as demonstrated by prior Chinese advanced persistent threats like APT10.

Comparison with Other Nation-State APTs

APT41 vs APT28 (Russia – Fancy Bear)

Similarities:

  • Both conduct state-sponsored espionage
  • Both use custom and commodity malware
  • Both have been indicted by U.S. government
  • Both target government and military

Differences:

  • APT28 focuses purely on espionage and influence operations
  • APT41 combines espionage with financial crime
  • APT28 targets primarily NATO and European entities
  • APT41 has broader global targeting including video game industry
  • APT41 specializes in supply chain attacks, APT28 in influence operations

APT41 vs APT29 (Russia – Cozy Bear)

Similarities:

  • Highly sophisticated technical capabilities
  • Long-term persistent operations
  • Strategic intelligence collection
  • Use of legitimate cloud services

Differences:

  • APT29 is exclusively focused on espionage
  • APT29 operates more stealthily and patiently
  • APT41 has shown more aggressive, broad campaigns
  • APT29 rarely overlaps with criminal activity
  • APT41’s supply chain attacks are more frequent and brazen

APT41 vs APT33 (Iran – Elfin)

Similarities:

  • Both target aerospace and energy sectors
  • Both use custom malware alongside public tools
  • Both have destructive capabilities
  • Both aligned with national strategic interests

Differences:

  • APT33 focuses on Iran’s regional rivals (Saudi Arabia, UAE)
  • APT41 has truly global reach
  • APT33 shows potential destructive intent (Shamoon connection)
  • APT41’s financial motivation is absent in APT33
  • APT41’s supply chain sophistication far exceeds APT33

APT41 vs Lazarus Group (North Korea)

This is perhaps the most interesting comparison, as both groups blend state objectives with financial operations.

Similarities:

  • Both conduct espionage and financially motivated attacks
  • Both have robbed banks and cryptocurrency exchanges
  • Both use supply chain attacks (Lazarus: 3CX, APT41: CCleaner/ASUS)
  • Both are highly skilled and well-resourced
  • Both have been indicted by multiple governments

Differences:

  • Lazarus is primarily motivated by revenue generation for sanctioned regime
  • APT41’s criminal activity appears more personal/group profit
  • Lazarus deployed WannaCry ransomware globally
  • APT41’s ransomware attempts have been more targeted
  • Lazarus has hit SWIFT financial networks
  • APT41 focuses more on intellectual property theft
  • Lazarus engages in cryptocurrency theft at massive scale
  • APT41’s game industry targeting is for virtual currency manipulation

What Makes APT41 Unique:

  1. Dual Mission Execution: No other major APT successfully balances state espionage with personal financial gain at this scale

  2. Supply Chain Mastery: Since targeting the Windows software utility CCleaner in 2018 and the ASUS LiveUpdate in 2019, APT41’s methods continue to improve. Every software provider should be aware of this threat and take steps to protect their software development environments

  3. Code Signing Arsenal: This shared resource allows members of the group to select the appropriate certificate for their needs, “dramatically” improving success rates

  4. Cloud Service Abuse: More innovative than any other APT in leveraging legitimate cloud services (Google Calendar, Drive, OneDrive, Workspace)

  5. Cross-Platform Operations: The group is adept at moving laterally within targeted networks, including pivoting between Windows and Linux systems

Recent Campaigns Deep Dive

The 2024 Global Logistics Campaign

One of China’s more prolific threat groups, APT41, is carrying out a sustained cyber espionage campaign targeting organizations in multiple sectors, including global shipping and logistics, media and entertainment, technology, and the automotive industry. The advanced persistent threat (APT) actor appears to have launched the new campaign sometime in early 2023.

Campaign Characteristics:

  • Duration: 2023 to at least July 2024
  • Primary sectors: Shipping, logistics, media, entertainment, technology, automotive
  • Geographic focus: UK, Italy, Spain, Taiwan, Thailand, Turkey
  • Persistence: Prolonged unauthorized access maintained

Technical Tools: Attack chains involve the use of web shells (ANTSWORD and BLUEBEAM), custom droppers (DUSTPAN and DUSTTRAP), and publicly available tools (SQLULDR2 and PINEGROVE) to achieve persistence, deliver additional payloads, and exfiltrate data of interest.

Data Theft: The intrusions are also characterized by the use of SQLULDR2 to export data from Oracle Databases to a local text-based file and PINEGROVE to transmit large volumes of sensitive data from compromised networks by abusing Microsoft OneDrive as an exfiltration vector.

Code Signing: The DUSTTRAP malware and its associated components that were observed during the intrusion were code signed with presumably stolen code signing certificates. One of the code signing certificates seemed to be related to a South Korean company operating in the gaming industry sector.

The Google Calendar C2 Campaign (October 2024 – May 2025)

This represents APT41’s latest innovation in command and control.

Discovery Timeline: In late October 2024, GTIG discovered an exploited government website hosting malware being used to target multiple other government entities.

Malware Distribution: APT41 has also been observed using URL shorteners in their phishing messages. The shortened URL redirects to their malware hosted on free hosting app subdomains.

The Innovation: Using Google Calendar for C2 is brilliant:

  • Legitimate service used globally
  • Encrypted traffic
  • Unlikely to be blocked
  • Blends with normal enterprise usage
  • Zero-minute calendar events for covert communication

Google’s Response: All domains and URLs in this blog post have been added to the Safe Browsing blocklist. This enables a warning on site access and prevents users from downloading the malware. GTIG identified and terminated the attacker-controlled Workspace projects and infrastructure APT41 relied on for these campaigns.

The Taiwan Media Campaign (2024)

APT41 has also been linked to attacks targeting Taiwanese media organizations that used an open-source red teaming tool known as Google Command and Control (GC2).

The RevivalStone Campaign (March 2024)

A sub-cluster within the APT41 umbrella was identified attacking Japanese companies in the manufacturing, materials, and energy sectors in March 2024, in a campaign dubbed RevivalStone.

Detection and Hunting

Behavioral Indicators

Supply Chain Red Flags:

  • Unexpected software updates
  • Updates signed with recently issued certificates
  • Software requesting unusual permissions
  • Anomalous update timing or frequency

Network Indicators:

  • Connections to free hosting services from enterprise systems
  • Google Calendar API calls from non-user applications
  • OneDrive/Google Drive traffic from servers
  • Unusual Oracle database export activity
  • C2 communications disguised as cloud service traffic

Endpoint Indicators:

  • Web shells on internet-facing servers
  • Malware signed with certificates from gaming companies
  • Process injection into system processes
  • Memory-only malware execution
  • Suspicious PowerShell or WMI activity

Known Infrastructure Patterns

Group-IB, a Singapore-headquartered security company, reported that it identified 106 unique Cobalt Strike servers used exclusively by APT41 for command and control between early 2020 and late 2021.

Infrastructure Characteristics:

  • Abuse of compromised legitimate websites
  • Use of compromised university networks for C2
  • Free web hosting services
  • Shortened URLs for phishing
  • Compromised Google Workspace accounts

YARA Rules

Google has published YARA rules for detecting TOUGHPROGRESS-related artifacts. Organizations should implement these and other APT41-specific detection signatures.

Hunting Queries

For Google Calendar C2: Look for:

  • Applications making Google Calendar API calls
  • Zero-minute calendar events with unusual descriptions
  • Calendar API access from system processes
  • Unusual patterns of calendar creation/deletion
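The hunt above can be scripted. The following is an added example written for this page, not Google's YARA rules or code from the GTIG report. It walks a feed shaped like a Google Calendar API events.list response (the sample events are constructed) and flags events that combine the reported C2 shape: zero-minute duration, a description that looks like an encoded blob rather than text, a date far in the past, and an empty title. Requiring the combination rather than any single signal keeps ordinary zero-minute reminders out of the results. The entropy value is reported for triage only; the decision uses the base64-alphabet check. Note that in the reported campaign the calendar belonged to an attacker-controlled Workspace project, so this tenant-side view matters most where a compromised account in your own tenant is in play; the same checks apply to events recovered from API audit logs or a forensic image.

```python
import base64
import hashlib
import math
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def _fake_blob() -> str:
    """Deterministic stand-in for an encrypted payload (constructed, not a real artifact)."""
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(3))  # 96 bytes
    return base64.b64encode(raw).decode()


# Constructed sample shaped like a Google Calendar API events.list response.
SAMPLE_EVENTS = {
    "items": [
        {"id": "ev-1", "summary": "Weekly sync",
         "creator": {"email": "alice@example.com"},
         "start": {"dateTime": "2025-03-03T09:00:00Z"},
         "end": {"dateTime": "2025-03-03T09:30:00Z"},
         "description": "Agenda: roadmap review, open tickets."},
        {"id": "ev-2", "summary": "",
         "creator": {"email": "automation@example.com"},
         "start": {"dateTime": "2023-05-30T00:00:00Z"},
         "end": {"dateTime": "2023-05-30T00:00:00Z"},
         "description": _fake_blob()},
        {"id": "ev-3", "summary": "Reminder",
         "creator": {"email": "bob@example.com"},
         "start": {"dateTime": "2025-03-04T12:00:00Z"},
         "end": {"dateTime": "2025-03-04T12:00:00Z"},
         "description": "Submit expenses"},
        {"id": "ev-4", "summary": "Company holiday",
         "creator": {"email": "hr@example.com"},
         "start": {"date": "2025-12-25"}, "end": {"date": "2025-12-26"}},
    ]
}

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) in production.
REFERENCE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def _parse_time(edge: Dict) -> Optional[datetime]:
    """All-day events carry 'date'; only timed events ('dateTime') can be zero-minute."""
    if "dateTime" not in edge:
        return None
    return datetime.fromisoformat(edge["dateTime"].replace("Z", "+00:00"))


def shannon_entropy(text: str) -> float:
    if not text:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(text: str, min_len: int = 32) -> bool:
    """Long, no whitespace, base64 alphabet only, mixed case plus digits: blob, not prose."""
    if len(text) < min_len or any(ch.isspace() for ch in text):
        return False
    if not set(text) <= B64_CHARS:
        return False
    return (any(c.islower() for c in text) and any(c.isupper() for c in text)
            and any(c.isdigit() for c in text))


def hunt_calendar_events(feed: Dict, now: datetime, stale_days: int = 180) -> List[Dict]:
    findings = []
    for ev in feed.get("items", []):
        start, end = _parse_time(ev.get("start", {})), _parse_time(ev.get("end", {}))
        if start is None or end is None:
            continue
        reasons = []
        if end == start:
            reasons.append("zero-minute event")
        desc = ev.get("description", "")
        if looks_encoded(desc):
            reasons.append(f"encoded-looking description ({shannon_entropy(desc):.2f} bits/char)")
        if start < now - timedelta(days=stale_days):
            reasons.append("scheduled far in the past")
        if not ev.get("summary"):
            reasons.append("empty title")
        # Zero-minute alone is common; require at least one corroborating signal.
        if "zero-minute event" in reasons and len(reasons) >= 2:
            findings.append({"id": ev["id"], "creator": ev.get("creator", {}).get("email"),
                             "reasons": reasons})
    return findings


def run_calendar_sample() -> List[Dict]:
    return hunt_calendar_events(SAMPLE_EVENTS, REFERENCE_NOW)


if __name__ == "__main__":
    for hit in run_calendar_sample():
        print(hit["id"], hit["creator"], "; ".join(hit["reasons"]))
```

Against the sample, only ev-2 is reported; ev-3 is a zero-minute event too, but with a readable title and description it falls below the threshold, which is the behaviour you want in a tenant full of reminders.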

For Cloud Service Abuse:

  • OneDrive/Google Drive access from servers
  • Large data transfers to cloud storage
  • Cloud storage access outside business hours
  • Multiple failed authentication attempts to cloud services
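The first three bullets translate directly into a query over proxy or egress logs. The block below is an added example for this page, not code from any vendor report: it aggregates upload volume per (source, cloud storage host) over constructed proxy records, keeps only sources inside an assumed server subnet, and reports pairs that cross a byte threshold together with how many of those requests fell outside assumed business hours. The hostname list is an assumption modelled on the APIs OneDrive and Google Drive clients talk to; extend it from your own proxy data. User-subnet uploads are deliberately left to DLP rules rather than this server-focused hunt.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Assumed API/storage hostnames for the services named in the text; adjust from real proxy logs.
CLOUD_STORAGE_HOSTS = ("graph.microsoft.com", "onedrive.live.com", "api.onedrive.com",
                       "www.googleapis.com", "drive.google.com")
SERVER_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed server VLAN
BUSINESS_HOURS = range(8, 19)                         # 08:00 to 18:59 local, assumed
UPLOAD_METHODS = ("POST", "PUT", "PATCH")

# Constructed proxy records: "timestamp src_ip method host bytes_sent"
SAMPLE_PROXY_LOG = """\
2025-03-03T10:14:02 10.50.3.21 POST graph.microsoft.com 1843
2025-03-03T10:15:10 10.50.3.21 GET www.office.com 0
2025-03-04T02:11:45 10.20.7.14 PUT graph.microsoft.com 62914560
2025-03-04T02:13:02 10.20.7.14 PUT graph.microsoft.com 62914560
2025-03-04T02:14:31 10.20.7.14 PUT graph.microsoft.com 41943040
2025-03-04T11:02:00 10.20.9.5 GET www.googleapis.com 512
2025-03-04T11:30:22 10.50.8.8 PUT drive.google.com 209715200
"""


def parse_proxy_line(line: str) -> Dict:
    ts, src, method, host, sent = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "method": method, "host": host, "bytes_sent": int(sent)}


def is_server(ip) -> bool:
    return any(ip in net for net in SERVER_NETS)


def hunt_cloud_exfil(log_text: str, threshold_bytes: int = 100 * 1024 * 1024) -> List[Dict]:
    """Sum upload bytes per (server, cloud host); report pairs over the threshold."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0, "off_hours": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        if rec["host"] not in CLOUD_STORAGE_HOSTS or rec["method"] not in UPLOAD_METHODS:
            continue
        if not is_server(rec["src"]):
            continue  # workstation uploads belong to DLP, not this hunt
        t = totals[(str(rec["src"]), rec["host"])]
        t["bytes"] += rec["bytes_sent"]
        t["requests"] += 1
        if rec["ts"].hour not in BUSINESS_HOURS:
            t["off_hours"] += 1
    findings = []
    for (src, host), t in totals.items():
        if t["bytes"] >= threshold_bytes:
            findings.append({"src": src, "host": host, "mib": round(t["bytes"] / 2 ** 20, 1),
                             "requests": t["requests"], "off_hours_requests": t["off_hours"]})
    return sorted(findings, key=lambda f: f["mib"], reverse=True)


if __name__ == "__main__":
    for f in hunt_cloud_exfil(SAMPLE_PROXY_LOG):
        print(f"{f['src']} -> {f['host']}: {f['mib']} MiB in {f['requests']} requests, "
              f"{f['off_hours_requests']} outside business hours")
```

On the sample the only hit is 10.20.7.14 pushing 160 MiB to graph.microsoft.com in three requests at 02:00; the 200 MiB workstation upload is ignored here by design, and the 512-byte GET from another server never counts because it is not an upload.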

For Supply Chain Compromise:

  • Recently signed executables with unfamiliar certificates
  • Software updates from unusual sources
  • Executables with multiple digital signatures
  • Certificates issued to gaming or software companies used in unexpected contexts

MITRE ATT&CK Mapping

APT41 uses a comprehensive set of ATT&CK techniques:

Initial Access:

  • T1195 – Supply Chain Compromise
  • T1190 – Exploit Public-Facing Application
  • T1566 – Phishing

Execution:

  • T1059 – Command and Scripting Interpreter
  • T1106 – Native API
  • T1053 – Scheduled Task/Job

Persistence:

  • T1505.003 – Web Shell
  • T1543 – Create or Modify System Process
  • T1547 – Boot or Logon Autostart Execution

Defense Evasion:

  • T1553.002 – Code Signing
  • T1055 – Process Injection
  • T1140 – Deobfuscate/Decode Files or Information
  • T1112 – Modify Registry

Discovery:

  • T1083 – File and Directory Discovery
  • T1046 – Network Service Discovery
  • T1018 – Remote System Discovery

Lateral Movement:

  • T1021 – Remote Services
  • T1570 – Lateral Tool Transfer

Command and Control:

  • T1071.001 – Web Protocols
  • T1102 – Web Service (Google Calendar, Drive, OneDrive)
  • T1573 – Encrypted Channel

Exfiltration:

  • T1567 – Exfiltration Over Web Service
  • T1041 – Exfiltration Over C2 Channel

Defense Strategies and Mitigation

Immediate Actions

1. Protect Software Supply Chain

This is critical given APT41’s focus on supply chain attacks.

Development Environment Security:

  • Isolate build environments from corporate networks
  • Implement code signing with Hardware Security Modules (HSMs)
  • Monitor and audit access to build systems
  • Implement reproducible builds to detect tampering
  • Use binary diff tools to compare official releases with builds

Code Signing Best Practices: Every software provider should be aware of this threat and take steps to protect their software development environments.

  • Store private keys in HSMs only
  • Implement dual control for signing operations
  • Log all signing operations
  • Regularly audit certificate usage
  • Revoke and replace certificates if compromise suspected
  • Monitor for unauthorized use of certificates

2. Cloud Service Security

Given APT41’s abuse of Google Calendar, OneDrive, and Google Drive:

Google Workspace/Microsoft 365 Controls:

  • Enable advanced logging
  • Monitor for unusual API access patterns
  • Restrict which OAuth apps may access Workspace/365 APIs (app allowlisting)
  • Alert on calendar events created by non-user processes
  • Monitor for large file transfers to cloud storage
  • Implement DLP for cloud services

Calendar-Specific Detection:

  • Alert on zero-minute events
  • Monitor for programmatic calendar access
  • Unusual event description patterns
  • Calendar API calls from servers

3. Web Shell Detection

Web shells act as a conduit to download the DUSTPAN (aka StealthVector) dropper.

Web Shell Hunting:

  • Regular scans of web directories
  • Monitor for new files in web roots
  • Alert on web server processes spawning shells
  • Implement file integrity monitoring
  • Review web server logs for suspicious POST requests
  • Look for ANTSWORD and BLUEBEAM signatures
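The last two bullets can be combined into a single pass over web server access logs. This is an added example written for this page, not a signature from Mandiant or Google: it parses constructed Apache combined-format lines and scores each script URI on traits that distinguish a web shell from an application page, namely that it is only ever POSTed to and never fetched with GET, that the POSTs carry no Referer, that the script sits in a directory meant for static content, and that a known web shell client User-Agent appears. The User-Agent marker list is an assumption (one default string some AntSword builds send); operators change it freely, which is why the other three traits carry the detection on their own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCRIPT_EXTS = (".php", ".asp", ".aspx", ".ashx", ".jsp", ".jspx")
STATIC_DIRS = ("/images/", "/uploads/", "/static/", "/css/", "/js/", "/assets/")
# Assumed client markers; treat as a bonus signal, never as the only one.
TOOL_UA_MARKERS = ("antsword",)

# Constructed access-log sample (Apache combined format).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [03/Mar/2025:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2025:10:01:20 +0000] "GET /contact.php HTTP/1.1" 200 2100 "http://www.example.com/index.php" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2025:10:02:05 +0000] "POST /contact.php HTTP/1.1" 302 0 "http://www.example.com/contact.php" "Mozilla/5.0"
198.51.100.77 - - [04/Mar/2025:02:40:11 +0000] "POST /images/banner.php HTTP/1.1" 200 412 "-" "antSword/v2.1"
198.51.100.77 - - [04/Mar/2025:02:40:15 +0000] "POST /images/banner.php HTTP/1.1" 200 9812 "-" "antSword/v2.1"
198.51.100.77 - - [04/Mar/2025:02:41:02 +0000] "POST /images/banner.php HTTP/1.1" 200 120 "-" "antSword/v2.1"
198.51.100.77 - - [04/Mar/2025:03:10:44 +0000] "POST /uploads/theme.aspx HTTP/1.1" 200 233 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""


def parse_access_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt_web_shells(log_text: str) -> List[Dict]:
    """Score every script URI; report those with at least two web-shell traits."""
    stats = defaultdict(lambda: {"posts": 0, "gets": 0, "noref_posts": 0, "tool_ua": 0,
                                 "sources": set()})
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if not rec:
            continue
        uri = rec["uri"].split("?", 1)[0]
        s = stats[uri]
        if rec["method"] == "GET":
            s["gets"] += 1
        elif rec["method"] == "POST":
            s["posts"] += 1
            s["sources"].add(rec["ip"])
            if rec["referer"] in ("", "-"):
                s["noref_posts"] += 1
            if any(marker in rec["ua"].lower() for marker in TOOL_UA_MARKERS):
                s["tool_ua"] += 1
    findings = []
    for uri, s in stats.items():
        if s["posts"] == 0 or not uri.lower().endswith(SCRIPT_EXTS):
            continue
        reasons = []
        if s["gets"] == 0:
            reasons.append("POST-only script, never fetched with GET")
        if s["noref_posts"] == s["posts"]:
            reasons.append("every POST lacks a Referer")
        if any(d in uri.lower() for d in STATIC_DIRS):
            reasons.append("script in a static-content directory")
        if s["tool_ua"]:
            reasons.append("web shell client User-Agent seen")
        if len(reasons) >= 2:
            findings.append({"uri": uri, "posts": s["posts"], "sources": sorted(s["sources"]),
                             "reasons": reasons})
    return sorted(findings, key=lambda f: f["uri"])


if __name__ == "__main__":
    for f in hunt_web_shells(SAMPLE_ACCESS_LOG):
        print(f["uri"], f["posts"], f["sources"], "; ".join(f["reasons"]))
```

On the sample, /contact.php is a normal form (fetched, then posted with a Referer) and is not reported; /images/banner.php trips all four traits, and /uploads/theme.aspx is caught on the generic traits alone even though its client looks like a browser. Pair the hits with file integrity monitoring on the web root to confirm the file is new or modified.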

Medium-Term Improvements

Enhanced Monitoring

Network Monitoring:

  • TLS decryption and inspection where policy and privacy rules allow
  • Deep packet inspection of the decrypted stream for tunnelled C2 and exfiltration
  • Anomaly detection for cloud service usage
  • Monitor for data exfiltration patterns

Endpoint Monitoring:

  • Process creation monitoring
  • Memory scanning for injected code
  • DLL loading monitoring
  • Registry change tracking
  • Scheduled task creation alerts

Database Security: The intrusions are characterized by the use of SQLULDR2 to export data from Oracle Databases.

  • Monitor for SQLULDR2 usage
  • Alert on large data exports
  • Implement database activity monitoring
  • Restrict database administrative functions
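"Monitor for SQLULDR2 usage" has to survive the tool being renamed, which is the point of the example below. It is an added example for this page, not detection content from Mandiant: it examines constructed process-creation events shaped like Sysmon Event ID 1 fields and flags SQLULDR2 by its OriginalFileName (which survives a rename), by its image name, or by its command-line shape, then enriches the hit with the output file and whether the parent was a web server worker, which is the web-shell-to-export chain described above. The key=value argument names are an assumption modelled on SQLULDR2's usage syntax; verify them against the build you encounter.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Assumed SQLULDR2 arguments; matched as whole keys so "dumpfile=" does not count as "file=".
KEY_RE = re.compile(r"(?<!\w)(user|query|sql|file)=", re.IGNORECASE)
FILE_ARG_RE = re.compile(r'(?<!\w)file=("([^"]+)"|(\S+))', re.IGNORECASE)
WEB_WORKER_NAMES = ("w3wp.exe", "httpd.exe", "nginx.exe", "java.exe", "php-cgi.exe", "tomcat")

# Constructed events; passwords replaced with **** where a real log would show them.
SAMPLE_PROCESS_EVENTS = [
    {"UtcTime": "2025-03-04 01:55:03", "User": "CORP\\dba01",
     "Image": "C:\\oracle\\product\\19\\bin\\expdp.exe", "OriginalFileName": "expdp.exe",
     "CommandLine": "expdp.exe hr/****@orcl schemas=HR dumpfile=hr.dmp",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"UtcTime": "2025-03-04 02:22:40", "User": "IIS APPPOOL\\DefaultAppPool",
     "Image": "C:\\Windows\\Temp\\svchost.exe", "OriginalFileName": "sqluldr2.exe",
     "CommandLine": "svchost.exe user=app/****@orcl query=\"select * from customers\" "
                    "file=C:\\Windows\\Temp\\c.txt",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"},
    {"UtcTime": "2025-03-04 09:10:12", "User": "CORP\\dba01",
     "Image": "C:\\tools\\sqluldr2.exe", "OriginalFileName": "sqluldr2.exe",
     "CommandLine": "sqluldr2.exe user=rpt/****@orcl sql=monthly.sql file=D:\\exports\\monthly.csv",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"UtcTime": "2025-03-04 09:15:00", "User": "CORP\\dba01",
     "Image": "C:\\oracle\\product\\19\\bin\\sqlplus.exe", "OriginalFileName": "sqlplus.exe",
     "CommandLine": "sqlplus.exe -S rpt/****@orcl @monthly.sql",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyze_event(ev: Dict) -> Dict:
    """Return a finding dict for a SQLULDR2-shaped event, or {} if it is not one."""
    reasons = []
    image = _basename(ev["Image"])
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev["CommandLine"]
    if "sqluldr2" in original:
        reasons.append("OriginalFileName is sqluldr2.exe")
        if "sqluldr2" not in image:
            reasons.append(f"binary renamed to {image}")
    elif "sqluldr2" in image:
        reasons.append("image name is sqluldr2")
    if len(KEY_RE.findall(cmd)) >= 2:
        reasons.append("SQLULDR2-style key=value arguments")
    if not reasons:
        return {}
    parent = _basename(ev["ParentImage"])
    if any(w in parent for w in WEB_WORKER_NAMES):
        reasons.append(f"spawned by web server worker {parent}")
    m = FILE_ARG_RE.search(cmd)
    out_file = (m.group(2) or m.group(3)) if m else None
    return {"time": ev["UtcTime"], "user": ev["User"], "image": image,
            "output_file": out_file, "reasons": reasons}


def hunt_sqluldr2(events: List[Dict]) -> List[Dict]:
    return [f for f in (analyze_event(e) for e in events) if f]


if __name__ == "__main__":
    for f in hunt_sqluldr2(SAMPLE_PROCESS_EVENTS):
        print(f["time"], f["user"], f["image"], f["output_file"], "; ".join(f["reasons"]))
```

The renamed copy under the IIS application pool is the one that matters: it is caught on OriginalFileName and command-line shape, and the w3wp.exe parent ties it to a web shell. The DBA's own run of the tool is also reported, which is the intended behaviour; the output file it names is what an analyst follows next, since that text file is the staging artifact exfiltration tools such as PINEGROVE pick up.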

Vulnerability Management

APT41 has attempted to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central, all of them internet-facing products.

Patch Management:

  • Prioritize patching of internet-facing applications
  • Emergency patching process for exploited vulnerabilities
  • Virtual patching where immediate patching impossible
  • Regular vulnerability scanning

Application Hardening:

  • Minimize attack surface
  • Remove unnecessary features
  • Implement web application firewalls
  • Regular security assessments

Long-Term Strategic Defenses

Zero Trust Architecture

Given APT41’s ability to move laterally:

Implementation:

  • Verify every access request
  • Least privilege access
  • Microsegmentation
  • Continuous authentication
  • Assume breach mentality

Network Segmentation:

  • Isolate critical systems
  • Segment by data sensitivity
  • Separate development from production
  • Restrict lateral movement paths

Supply Chain Risk Management

Vendor Security Assessment:

  • Evaluate vendor security practices
  • Require security attestations
  • Monitor vendor breach notifications
  • Include security requirements in contracts

Software Verification:

  • Verify digital signatures
  • Compare file hashes with known-good versions
  • Monitor for unexpected updates
  • Implement application whitelisting

Threat Intelligence Integration

APT41-Specific Intelligence:

  • Subscribe to APT41 IOC feeds
  • Monitor for new APT41 malware families
  • Track APT41 campaign shifts
  • Participate in information sharing groups

Proactive Hunting: The researchers concluded that the group is well-resourced, highly skilled, creative and agile, adapting quickly to any attempts by its targets to remediate the infections. APT41 compromises are typically widespread and highly persistent with the group ready to fight to maintain its foothold inside networks.

Given this persistence:

  • Regular threat hunting exercises
  • Hunt for APT41-specific TTPs
  • Historical analysis of logs
  • Memory forensics on critical systems

Security Awareness Training

Targeted Training:

  • Supply chain attack awareness
  • Phishing recognition (especially spear phishing)
  • Social engineering red flags
  • Reporting procedures

Incident Response Preparation: During the March 2020 exploitation campaign, analysts noted that companies could have an even harder time responding to such breaches while members of their security and IT teams were working from home or sick as a result of the COVID-19 pandemic.

Ensure your IR team can respond even under adverse conditions:

  • Regular tabletop exercises
  • Remote response procedures
  • Backup communication channels
  • Documented playbooks
  • External IR support relationships

The Future of APT41

Expected Evolution

Continued Supply Chain Targeting

Venafi warns that APT41’s success means their unique use of compromised code signing machine identities and supply chain attacks will become the preferred method of other threat hacker groups.

APT41 has proven the supply chain attack model works. Expect:

  • More sophisticated supply chain compromises
  • Targeting of smaller software vendors
  • Attacks on open-source software ecosystems
  • CI/CD pipeline compromises
  • Container registry poisoning

Cloud-Native Attacks

Given their innovation with Google Calendar, expect APT41 to continue abusing cloud services:

  • Kubernetes exploitation
  • Serverless malware
  • Container escapes
  • Cloud storage abuse
  • SaaS application compromise

AI/ML Integration

As AI tools become more prevalent:

  • AI-powered social engineering
  • Automated vulnerability discovery
  • Evasion technique development
  • Target identification and prioritization

Geopolitical Drivers

APT41’s activities will continue to align with Chinese strategic interests:

Economic Competition:

  • Technology transfer for “Made in China 2025”
  • Intellectual property theft
  • Trade secret acquisition
  • Competitive intelligence

Strategic Intelligence:

  • Government and defense targeting
  • Critical infrastructure mapping
  • Telecommunications surveillance
  • Tracking of dissidents and activists

Financial Motivations:

  • Continued video game industry targeting
  • Cryptocurrency theft
  • Ransomware deployment
  • Sale of stolen data

The Criminal-State Nexus

APT41’s relationship to the Chinese state is suggested by the observation that the stolen data has not surfaced for sale on the dark web, consistent with it being passed to the state rather than monetized, and by the fact that APT41’s targeting is consistent with the Chinese government’s national plans.

The relationship between APT41’s criminal activities and state sponsorship will likely continue. This provides:

  • Plausible deniability for state
  • Self-funding operations
  • Skill development for operators
  • Diversification of targets

Conclusion

APT41 represents the evolution of nation-state cyber threats. APT41 is a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain.

Key Takeaways:

  1. Unprecedented Versatility: APT41’s dual mission—state espionage and personal financial gain—makes them unique among major APT groups.

  2. Supply Chain Masters: The success of attacks using this model over the last decade has created a blueprint for sophisticated attacks that have been highly successful because they are very difficult to detect. APT41 has perfected supply chain attacks, from CCleaner to ASUS, demonstrating capabilities that other groups are now emulating.

  3. Innovation in C2: From Google Calendar to OneDrive, APT41 continues to find creative ways to blend malicious traffic with legitimate cloud service usage.

  4. Persistent and Adaptive: The researchers concluded that the group is well-resourced, highly skilled, creative and agile, adapting quickly to any attempts by its targets to remediate the infections.

  5. Global Reach: Their activity spans 15 jurisdictions, 14 countries and more than seven years, targeting industries such as healthcare, high-tech, telecommunications, higher education, video gaming, travel and even news organizations.

  6. Continuing Threat: Despite indictments and public exposure, APT41 continues operations with new malware, new techniques, and new targets.

The Bottom Line:

APT41 exemplifies the blurred line between state-sponsored cyber operations and cybercrime. Organizations must recognize that defending against APT41 requires:

  • Supply Chain Security: Protect your software development and distribution pipeline as if it’s your crown jewel—because to APT41, it is.

  • Cloud Security Vigilance: Don’t assume cloud services are safe. APT41 has shown remarkable creativity in abusing legitimate services.

  • Persistent Monitoring: APT41 fights to maintain access. Your defense must be equally persistent in hunting them down.

  • Threat Intelligence: Stay current on APT41’s evolving tactics. What worked yesterday may not work tomorrow.

The APT41 threat is real, sophisticated, and ongoing. But it’s not insurmountable. With proper security controls, vigilant monitoring, comprehensive threat intelligence, and—most importantly—protection of your software supply chain, organizations can defend against even this most versatile of threats.

Stay informed. Stay vigilant. Stay secure.
