C0040: APT41 DUST
APT41 DUST was conducted by APT41 from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. APT41 DUST targeted sectors such as shipping, logistics, and media for information gathering purposes. APT41 used previously-observed malware such as DUSTPAN as well as newly observed tools such as DUSTTRAP in APT41 DUST.[1]
Analyst context for executives and security teams
APT41 DUST is a documented 2023–July 2024 espionage-oriented campaign attributed in ATT&CK to APT41 and reported against entities in Europe, Asia, and the Middle East, including shipping, logistics, and media. Its decision value is that the behavior spans more than one alert type: web-facing persistence, Windows service abuse, encoded or encrypted artifacts, tool transfer, data staging, database collection, and cloud-storage exfiltration. Leaders should treat it as a test of whether SOC, incident response, endpoint, web, database, and cloud telemetry can be joined quickly enough to prove or disprove information-gathering activity.
Executive priority
Prioritize this as an information-risk and resilience scenario, especially for organizations in or adjacent to shipping, logistics, media, or operations that depend on timely data integrity and confidentiality. The campaign’s ATT&CK relationships point to controls that often sit in different budget owners: endpoint detection, web server hardening, service and DLL monitoring, database access governance, cloud egress visibility, and incident response evidence retention. Executives should ask whether the organization can produce audit-ready evidence for suspicious service creation, web shell activity, staged archives, database access, and outbound cloud storage use during an investigation.
Technical view
ATT&CK does not provide campaign-specific detection text or campaign platforms, so validation should be relationship-driven. SOC and IR teams should map coverage against the listed software and techniques: Cobalt Strike, certutil, DUSTPAN, DUSTTRAP, encoded files, masqueraded tasks or services, file deletion, web protocols, local data staging, web services, ingress tool transfer, automated collection, database collection, web shells, Windows services, code signing abuse, archiving utilities, cloud-storage exfiltration, service execution, asymmetric C2 encryption, DLL abuse, serverless infrastructure, and cloud accounts. Focus correlation on sequences such as externally reachable web activity followed by new files or web scripts, service creation or service execution, unusual DLL loading, archive creation, database access, outbound web or cloud-storage traffic, and cleanup or deletion.
Likely telemetry
- Endpoint process creation and command-line logs, especially for service control, certutil, archive utilities, and unusual child processes
- Windows service creation/modification events and related registry/service configuration data
- DLL load telemetry and file path/signature metadata for suspicious or unexpected libraries
- File creation, modification, archive creation, staging-directory activity, and deletion events
- EDR or memory-oriented alerts relevant to in-memory droppers or post-exploitation tooling where available
Detection direction
- Because ATT&CK provides no official detection guidance for C0040, build detections from the related techniques rather than the campaign name alone.
- Tune for behavioral chains: web shell indicators, ingress tool transfer, new or modified services, DLL abuse, encoded/encrypted payloads, local staging, archive creation, and outbound web or cloud-storage traffic.
- Separate legitimate administration from suspicious use by baselining approved service names, scheduled tasks, certutil usage, archive utilities, database access patterns, and cloud storage destinations.
- Validate visibility on both host and network layers; web-protocol and legitimate web-service C2 can blend into normal traffic if proxy, DNS, TLS, and destination context are weak.
- Review false positives around software deployment, backup jobs, database maintenance, developer tooling, and sanctioned cloud storage use.
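The detection direction above asks for behavioral chains rather than a campaign signature. The Python below is an added example (not Glexia or MITRE code) that maps constructed Sysmon-style events onto the procedures in this page's techniques table (certutil under a web worker, a service name outside the baseline such as `Windows Defend`, SQLULDR2 CSV staging, `rar`, an upload to OneDrive, deletion of staged files) and alerts only when one host accumulates several stages; the event field names, baselines and sample records are assumptions.

```python
"""Behavior-chain correlation for the APT41 DUST procedures listed on this page.
Added illustration, not Glexia or MITRE code: event dicts and their field names are
constructed stand-ins loosely modelled on Sysmon-style telemetry; map them onto your schema."""
from collections import defaultdict

# Baselines a team maintains so sanctioned admin activity does not fire (constructed).
APPROVED_SERVICES = {"WinDefend", "Spooler", "BackupAgent"}
WEB_WORKERS = {"w3wp.exe", "httpd.exe"}                 # web server worker processes
CLOUD_STORAGE_HOSTS = {"onedrive.live.com"}
SANCTIONED_UPLOADERS = {"OneDrive.exe", "backup-agent.exe"}
BACKUP_ACCOUNTS = {"CORP\\svc_backup"}

def stage_for(e):
    """Map one event to the ATT&CK behavior it matches, or None if it looks benign."""
    kind, image, parent = e["kind"], e.get("image", ""), e.get("parent", "")
    if kind == "process" and image == "certutil.exe" and parent in WEB_WORKERS:
        return "T1105 certutil spawned by a web worker (web shell download)"
    if kind == "service_install" and e["service"] not in APPROVED_SERVICES:
        return "T1543.003 service outside baseline: " + e["service"]
    if kind == "file_create" and image == "sqluldr2.exe" and e["path"].endswith(".csv"):
        return "T1074.001 database export staged as local CSV"
    if kind == "process" and image == "rar.exe" and e.get("user") not in BACKUP_ACCOUNTS:
        return "T1560.001 archive utility run outside sanctioned backup jobs"
    if kind == "network" and e["dest"] in CLOUD_STORAGE_HOSTS and image not in SANCTIONED_UPLOADERS:
        return "T1567.002 cloud storage upload by unsanctioned process"
    if kind == "file_delete" and e["path"].endswith((".csv", ".rar")):
        return "T1070.004 deletion of staged artifacts"
    return None

def correlate(events, min_stages=3):
    """Collect distinct matched stages per host; report hosts that reach the threshold."""
    stages = defaultdict(set)
    for e in events:
        label = stage_for(e)
        if label:
            stages[e["host"]].add(label)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}

# Constructed sample telemetry: web01 follows the page's chain, fs02 is a backup job.
SAMPLE_EVENTS = [
    {"host": "web01", "kind": "process", "parent": "w3wp.exe", "image": "certutil.exe"},
    {"host": "web01", "kind": "service_install", "service": "Windows Defend"},
    {"host": "web01", "kind": "file_create", "image": "sqluldr2.exe", "path": "C:\\Temp\\hr.csv"},
    {"host": "web01", "kind": "process", "image": "rar.exe", "user": "CORP\\webadmin"},
    {"host": "web01", "kind": "network", "image": "conn.exe", "dest": "onedrive.live.com"},
    {"host": "web01", "kind": "file_delete", "path": "C:\\Temp\\hr.rar"},
    {"host": "fs02", "kind": "process", "image": "rar.exe", "user": "CORP\\svc_backup"},
    {"host": "fs02", "kind": "network", "image": "backup-agent.exe", "dest": "onedrive.live.com"},
]
```

Running `correlate(SAMPLE_EVENTS)` reports only `web01`, with all six stages; the backup host matches nothing because its archive and upload activity is covered by the baselines.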
Mitigation priorities
- Start with exposure and logging basics: inventory internet-facing web applications, web servers, databases, cloud storage paths, and systems where Windows services can be created or modified.
- Harden and monitor web servers for unauthorized script placement, unexpected file writes, and abnormal execution from web-accessible directories.
- Restrict and audit administrative utilities and service-control activity; require change-management evidence for new services, modified services, and privileged execution.
- Apply least privilege to databases and cloud storage, with logging sufficient to show who accessed what data and where it was sent.
- Control outbound traffic to cloud storage and web services based on business need, while preserving proxy/DNS/TLS metadata for investigation.
Analyst notes and limits
This take is based on ATT&CK campaign C0040, its official description, the Google Cloud external reference, and the supplied ATT&CK relationships. The most relevant local validation question is not whether a product has an “APT41 DUST” signature, but whether the organization can detect and investigate the behaviors ATT&CK associates with the campaign across endpoint, web, database, network, and cloud telemetry.
ATT&CK does not list campaign-specific platforms, tactics, or detection text for C0040 in the supplied fields. Related techniques and software include platform information, but that should not be treated as a complete platform scope for the campaign. Local exposure, sector relevance, telemetry quality, and control effectiveness must be validated in the environment before drawing conclusions about risk or coverage.
APT41 DUST
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1102 | Web Service | APT41 DUST used compromised Google Workspace accounts for command and control.[1] |
| Enterprise | T1213.006 | Databases Sub-technique | APT41 DUST collected data from victim Oracle databases using SQLULDR2.[1] |
| Enterprise | T1543.003 | Windows Service Sub-technique | APT41 DUST used Windows Services with names such as `Windows Defend` for persistence of DUSTPAN.[1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | APT41 DUST deleted various artifacts from victim systems following use.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | APT41 DUST involved execution of `certutil.exe` via web shell to download the DUSTPAN dropper.[1] |
| Enterprise | T1505.003 | Web Shell Sub-technique | APT41 DUST involved use of web shells such as ANTSWORD and BLUEBEAM for persistence.[1] |
| Enterprise | T1593.002 | Search Engines Sub-technique | APT41 DUST involved use of search engines to research victim servers.[1] |
| Enterprise | T1588.003 | Code Signing Certificates Sub-technique | APT41 DUST used stolen code signing certificates to sign DUSTTRAP malware and components.[1] |
| Enterprise | T1586.003 | Cloud Accounts Sub-technique | APT41 DUST used compromised Google Workspace accounts for command and control.[1] |
| Enterprise | T1119 | Automated Collection | APT41 DUST used tools such as SQLULDR2 and PINEGROVE to gather local system and database information.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | APT41 DUST used encrypted payloads decrypted and executed in memory.[1] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | APT41 DUST involved exporting data from Oracle databases to local CSV files prior to exfiltration.[1] |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | APT41 DUST exfiltrated collected information to OneDrive.[1] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | APT41 DUST disguised DUSTPAN as a legitimate Windows binary such as `w3wp.exe` or `conn.exe`.[1] |
| Enterprise | T1596.005 | Scan Databases Sub-technique | APT41 DUST used internet scan data for target development.[1] |
| Enterprise | T1574.001 | DLL Sub-technique | APT41 DUST involved the use of DLL search order hijacking to execute DUSTTRAP.[1] APT41 DUST also used DLL side-loading to execute DUSTTRAP via an AhnLab uninstaller.[1] |
| Enterprise | T1569.002 | Service Execution Sub-technique | APT41 DUST used Windows services to execute DUSTPAN.[1] |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | APT41 DUST used `rar` to compress data downloaded from internal Oracle databases prior to exfiltration.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | APT41 DUST used HTTPS for command and control.[1] |
| Enterprise | T1594 | Search Victim-Owned Websites | APT41 DUST involved access of external victim websites for target development.[1] |
| Enterprise | T1583.007 | Serverless Sub-technique | APT41 DUST used infrastructure hosted behind Cloudflare or utilized Cloudflare Workers for command and control.[1] |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | APT41 DUST used HTTPS for command and control.[1] |
| Enterprise | T1553.002 | Code Signing Sub-technique | APT41 DUST used stolen code signing certificates for DUSTTRAP malware and subsequent payloads.[1] |
Groups, software, and campaigns
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail, and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
S0160: certutil
S1159: DUSTTRAP
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S1158: DUSTPAN
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0312428620ad… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Google Cloud APT41 2024: Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
[2] mitre-attack C0040.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.