G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
Analyst context for executives and security teams
APT41 matters because ATT&CK describes it as a long-running group assessed in public reporting as conducting both state-sponsored espionage and financially motivated operations across many industries and countries. For leaders, the key decision value is not the name alone; it is whether the organization can withstand the behaviors associated with this group: exploitation of Internet-facing applications, web shells, credential dumping, remote access tooling, administrative utility abuse, and rapid adaptation to disclosed and zero-day vulnerabilities in at least one attributed campaign.
Executive priority
Prioritize APT41 as a resilience and readiness use case for exposed applications, identity compromise, and incident response speed. The C0017 relationship highlights compromise of U.S. state government networks through vulnerable Internet-facing web applications, making this especially relevant to vulnerability management, asset inventory, patch prioritization, and evidence that externally exposed systems are monitored. The APT41 DUST relationship adds relevance for organizations in shipping, logistics, media, and internationally distributed operations, but local targeting risk should be assessed with threat intelligence rather than assumed.
Technical view
ATT&CK provides no official detection text and no tactics/platforms directly on the group object, so defenders should validate coverage from the relationships. The associated software set includes credential dumpers such as Mimikatz and pwdump; web shells such as China Chopper and ASPXSpy; remote access/post-exploitation tools such as PlugX, gh0st RAT, Cobalt Strike, Empire, PowerSploit, and Impacket; and administrative or transfer utilities such as Net, dsquery, ipconfig, netstat, ping, ftp, certutil, and BITSAdmin. SOC and IR teams should test whether controls can connect external web exploitation, web shell persistence, credential access, Active Directory discovery, lateral movement tooling, and unusual file transfer into a single investigation narrative.
Likely telemetry
- Internet-facing web application access logs, error logs, upload events, and web server process execution evidence
- Endpoint process creation, command-line, parent-child process, module/script, and PowerShell telemetry where available
- Windows authentication, credential access, Active Directory query, service creation, and administrative share activity logs
- Network connection metadata, DNS, proxy, firewall, and egress records for unusual remote access or file transfer behavior
- File integrity and web root monitoring for unexpected ASPX or other web shell-like artifacts
Detection direction
- Because no official ATT&CK detection guidance is supplied for this group, build detections around the related behaviors and tools rather than the group name alone.
- Correlate web application exploitation indicators with subsequent web server child processes, new files in web directories, outbound connections, and credential access attempts.
- Tune for legitimate administration overlap: Net, ping, ipconfig, netstat, ftp, certutil, BITSAdmin, dsquery, Impacket, PowerSploit, Empire, and Cobalt Strike can have authorized or testing use, so detections should include context such as host role, account, timing, command line, destination, and change ticket evidence.
- Validate identity telemetry depth, especially for credential dumping signals and unusual Active Directory enumeration from non-administrative systems.
- Use relationship-driven hunt packs for web shells, credential dumping, remote access frameworks, and living-off-the-land utilities; avoid assuming all related software will appear in every incident.
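One way to turn the correlation advice above into something a SOC can actually run: the script below classifies Sysmon-style process, file and network events into the stages named in this section (web server spawning a shell, web-shell file drop, SAM/NTDS credential access, egress from a web or shell process), drops hits covered by a change ticket, and joins the rest into one narrative per host. This is an added example, not code from ATT&CK or from any APT41 report; the event records, host names, account names, the `CHG-0042` ticket and the 30-minute window are constructed for illustration.

```python
"""Correlate web exploitation, web-shell drop, credential access and egress into
one incident per host. Added example; events below are constructed, not real."""
import ipaddress
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

WEB_SERVER_PROCS = {"w3wp.exe", "httpd", "nginx", "tomcat9.exe"}
SHELL_PROCS = {"cmd.exe", "powershell.exe", "certutil.exe", "bitsadmin.exe", "sh", "bash"}
WEB_SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".jsp", ".php"}
WEB_ROOTS = ("c:\\inetpub\\wwwroot", "/var/www", "/opt/tomcat/webapps")
# reg save HKLM\SAM (T1003.002) and ntdsutil (T1003.003) both appear in the APT41 table
CRED_MARKERS = ("reg save hklm\\sam", "reg save hklm\\system", "ntdsutil", "sekurlsa")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=30)
MIN_STAGES = 2

# Authorized-use context: (host, account, image) -> change ticket. Constructed for the
# example; in production this would be pulled from the CMDB/ITSM, not hard-coded.
SUPPRESSIONS = {("build03", "CORP\\svc_build", "certutil.exe"): "CHG-0042"}


def stage_of(ev):
    """Classify one event into a kill-chain stage, or None if nothing matched."""
    kind = ev["type"]
    if kind == "process":
        if any(m in ev["cmdline"].lower() for m in CRED_MARKERS):
            return "credential_access"
        if ev["parent"].lower() in WEB_SERVER_PROCS and ev["image"].lower() in SHELL_PROCS:
            return "webserver_child_process"
    elif kind == "file_create":
        path = ev["path"].lower()
        # ntpath.splitext accepts both "\" and "/" separators, so Linux web roots work too
        if ntpath.splitext(path)[1] in WEB_SCRIPT_EXTS and path.startswith(WEB_ROOTS):
            return "web_shell_drop"
    elif kind == "network":
        dst = ipaddress.ip_address(ev["dst"])
        if ev["image"].lower() in WEB_SERVER_PROCS | SHELL_PROCS and not any(dst in n for n in RFC1918):
            return "egress"
    return None


def correlate(events):
    """Return one incident per host whose non-suppressed hits cover at least
    MIN_STAGES distinct stages within WINDOW of that host's first hit."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage is None:
            continue
        if (ev["host"], ev.get("account"), ev.get("image", "").lower()) in SUPPRESSIONS:
            continue  # ticketed, authorized use of a dual-use tool
        hits[ev["host"]].append((ev["ts"], stage))
    incidents = []
    for host, seq in hits.items():
        first = seq[0][0]
        stages = [s for ts, s in seq if ts - first <= WINDOW]
        if len(set(stages)) >= MIN_STAGES:
            incidents.append({"host": host, "first_seen": first, "stages": stages,
                              "narrative": " -> ".join(dict.fromkeys(stages))})
    return incidents


T0 = datetime(2024, 3, 1, 2, 14, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    # web01: shell dropped into the web root, cmd.exe under w3wp.exe, SAM hive copied, egress
    {"ts": T0, "host": "web01", "type": "file_create",
     "path": r"C:\inetpub\wwwroot\upload\img.aspx", "account": "IIS APPPOOL\\DefaultAppPool"},
    {"ts": T0 + timedelta(seconds=40), "host": "web01", "type": "process", "parent": "w3wp.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami", "account": "IIS APPPOOL\\DefaultAppPool"},
    {"ts": T0 + timedelta(minutes=6), "host": "web01", "type": "process", "parent": "cmd.exe",
     "image": "reg.exe", "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\s.hiv", "account": "NT AUTHORITY\\SYSTEM"},
    {"ts": T0 + timedelta(minutes=7), "host": "web01", "type": "network", "image": "cmd.exe",
     "dst": "203.0.113.7", "account": "NT AUTHORITY\\SYSTEM"},
    # build03: certutil under a web server process, but covered by CHG-0042 and internal-only
    {"ts": T0, "host": "build03", "type": "process", "parent": "w3wp.exe", "image": "certutil.exe",
     "cmdline": "certutil -urlcache -f http://intranet/ca.crt ca.crt", "account": "CORP\\svc_build"},
    {"ts": T0 + timedelta(minutes=1), "host": "build03", "type": "network", "image": "certutil.exe",
     "dst": "10.20.30.40", "account": "CORP\\svc_build"},
    # hr-ws07: one stage on its own is context, not an incident
    {"ts": T0, "host": "hr-ws07", "type": "network", "image": "powershell.exe",
     "dst": "198.51.100.9", "account": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc["host"], inc["first_seen"], inc["narrative"])
```

The window is anchored at the host's first hit to keep the example short; a production version would use a sliding window and key on user and source address as well as host, so that a web shell on one server and credential dumping from the same account on another still land in the same case.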
Mitigation priorities
- Maintain an authoritative inventory of Internet-facing applications and prioritize remediation of exploitable web application vulnerabilities, especially newly disclosed issues affecting exposed systems.
- Harden and monitor web servers: restrict write paths, review uploaded files, collect logs centrally, and alert on unexpected script execution from web directories.
- Reduce credential theft blast radius through least privilege, privileged access controls, credential hygiene, and monitoring of high-risk authentication events.
- Control and audit administrative utilities and offensive security frameworks with allowlisting, script logging, EDR policy, and clear exception processes for authorized testing.
- Prepare IR playbooks that connect web compromise, web shell triage, credential reset scope, lateral movement review, and evidence preservation.
Analyst notes and limits
The strongest business signal in the supplied ATT&CK data is the combination of broad sector targeting, dual espionage and financially motivated characterization, extensive tool relationships, and the C0017 campaign note about exploitation of vulnerable Internet-facing web applications. This should drive validation of exposure management, identity telemetry, and IR readiness rather than attribution-centric alerting.
ATT&CK does not provide official detection guidance, tactics, or platforms on the APT41 group object itself. Platform observations come only from related software objects, and campaign descriptions are not proof of current activity against any specific organization. Local asset exposure, logging maturity, authorized tool use, and threat intelligence are required to determine relevance and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1078 | Valid Accounts | APT41 used compromised credentials to log on to other systems. [FireEye APT41 Aug 2019][Crowdstrike GTR2020 Mar 2020] |
| Enterprise | T1082 | System Information Discovery | APT41 uses multiple built-in commands such as |
| Enterprise | T1195.002 | Compromise Software Supply Chain | APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users. [FireEye APT41 Aug 2019] |
| Enterprise | T1069 | Permission Groups Discovery | APT41 used |
| Enterprise | T1595.003 | Wordlist Scanning | APT41 leverages various tools and frameworks to brute-force directories on web servers. [Rostovcev APT41 2021] |
| Enterprise | T1059.001 | PowerShell | APT41 leveraged PowerShell to deploy malware families in victims' environments. [FireEye APT41 Aug 2019][FireEye APT41 March 2020] |
| Enterprise | T1014 | Rootkit | APT41 deployed rootkits on Linux systems. [FireEye APT41 Aug 2019][Crowdstrike GTR2020 Mar 2020] |
| Enterprise | T1087.002 | Domain Account | APT41 used built-in |
| Enterprise | T1555.003 | Credentials from Web Browsers | APT41 used BrowserGhost, a tool designed to obtain credentials from browsers, to retrieve information from password stores. [Rostovcev APT41 2021] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | APT41 attempted to masquerade their files as popular anti-virus software. [FireEye APT41 Aug 2019][Group IB APT 41 June 2021] |
| Enterprise | T1543.003 | Windows Service | APT41 modified legitimate Windows services to install malware backdoors. [FireEye APT41 Aug 2019][Group IB APT 41 June 2021] APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike. [FireEye APT41 March 2020] |
| Enterprise | T1071.002 | File Transfer Protocols | |
| Enterprise | T1018 | Remote System Discovery | APT41 has used MiPing to discover active systems in the victim network. [apt41_dcsocytec_dec2022] |
| Enterprise | T1027.002 | Software Packing | APT41 uses packers such as Themida to obfuscate malicious files. [Rostovcev APT41 2021] |
| Enterprise | T1553.002 | Code Signing | APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations. [FireEye APT41 Aug 2019][Group IB APT 41 June 2021] |
| Enterprise | T1596.005 | Scan Databases | APT41 uses the Chinese website fofa.su, similar to the Shodan scanning service, for passive scanning of victims. [Rostovcev APT41 2021] |
| Enterprise | T1588.002 | Tool | APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor. [FireEye APT41 Aug 2019] |
| Enterprise | T1098.007 | Additional Local or Domain Groups | APT41 has added user accounts to the User and Admin groups. [FireEye APT41 Aug 2019] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | APT41 has transferred implant files using Windows Admin Shares and the Server Message Block (SMB) protocol, then executed files through Windows Management Instrumentation (WMI). [Crowdstrike GTR2020 Mar 2020][apt41_dcsocytec_dec2022] |
| Enterprise | T1037 | Boot or Logon Initialization Scripts | APT41 used a hidden shell script in `/etc/rc.d/init.d` to leverage the `ADORE.XSEC` backdoor and `Adore-NG` rootkit. [apt41_mandiant] |
| Enterprise | T1136.001 | Local Account | APT41 has created user accounts. [FireEye APT41 Aug 2019] |
| Enterprise | T1542.003 | Bootkit | APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems. [FireEye APT41 Aug 2019] |
| Enterprise | T1685.005 | Clear Windows Event Logs | APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events. [FireEye APT41 Aug 2019] |
| Enterprise | T1087.001 | Local Account | APT41 used built-in |
| Enterprise | T1071.001 | Web Protocols | APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits. [FireEye APT41 March 2020] |
| Enterprise | T1135 | Network Share Discovery | APT41 used the |
| Enterprise | T1599 | Network Boundary Bridging | APT41 used `NATBypass` to bypass firewall restrictions and to access compromised systems via RDP. [apt41_dcsocytec_dec2022] |
| Enterprise | T1480.001 | Environmental Keying | APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second-stage malware with an RC5 key derived in part from the infected system's volume serial number. [Twitter ItsReallyNick APT41 EK] |
| Enterprise | T1484.001 | Group Policy Modification | APT41 used scheduled tasks created via Group Policy Objects (GPOs) to deploy ransomware. [apt41_mandiant] |
| Enterprise | T1595.002 | Vulnerability Scanning | APT41 used the Acunetix SQL injection vulnerability scanner in target reconnaissance operations, as well as the JexBoss tool to identify vulnerabilities in Java applications. [Rostovcev APT41 2021] |
| Enterprise | T1005 | Data from Local System | APT41 has uploaded files and data from a compromised host. [Group IB APT 41 June 2021] |
| Enterprise | T1133 | External Remote Services | APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service. [FireEye APT41 Aug 2019] |
| Enterprise | T1070.004 | File Deletion | APT41 deleted files from the system. [FireEye APT41 Aug 2019][Rostovcev APT41 2021] |
| Enterprise | T1566.001 | Spearphishing Attachment | APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. [FireEye APT41 Aug 2019] |
| Enterprise | T1685 | Disable or Modify Tools | APT41 developed a custom injector that enables an Event Tracing for Windows (ETW) bypass, making malicious processes invisible to Windows logging. [Rostovcev APT41 2021] |
| Enterprise | T1053.005 | Scheduled Task | APT41 used a compromised account to create a scheduled task on a system. [FireEye APT41 Aug 2019][Crowdstrike GTR2020 Mar 2020] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | APT41 created and modified startup files for persistence. [FireEye APT41 Aug 2019][Group IB APT 41 June 2021] APT41 added a registry key in |
| Enterprise | T1546.008 | Accessibility Features | APT41 leveraged sticky keys to establish persistence. [FireEye APT41 Aug 2019] |
| Enterprise | T1110 | Brute Force | APT41 performed password brute-force attacks on the local admin account. [FireEye APT41 Aug 2019] |
| Enterprise | T1550.002 | Pass the Hash | |
| Enterprise | T1574.006 | Dynamic Linker Hijacking | APT41 has configured payloads to load via LD_PRELOAD. [Crowdstrike GTR2020 Mar 2020] |
| Enterprise | T1059.003 | Windows Command Shell | APT41 used |
| Enterprise | T1003.002 | Security Account Manager | APT41 extracted user account data from the Security Account Manager (SAM), making a copy of this database from the registry using the |
| Enterprise | T1568.002 | Domain Generation Algorithms | APT41 has used DGAs to change their C2 servers monthly. [FireEye APT41 Aug 2019] |
| Enterprise | T1569.002 | Service Execution | APT41 used svchost.exe and Net to execute a system service installed to launch a Cobalt Strike BEACON loader. [FireEye APT41 March 2020][Group IB APT 41 June 2021] |
| Enterprise | T1071.004 | DNS | APT41 used DNS for C2 communications. [FireEye APT41 Aug 2019][Group IB APT 41 June 2021] |
| Enterprise | T1046 | Network Service Discovery | APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets. [FireEye APT41 Aug 2019] |
| Enterprise | T1560.001 | Archive via Utility | |
| Enterprise | T1218.011 | Rundll32 | APT41 has used rundll32.exe to execute a loader. [Crowdstrike GTR2020 Mar 2020] |
| Enterprise | T1102.001 | Dead Drop Resolver | APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet. [FireEye APT41 Aug 2019] |
| Enterprise | T1008 | Fallback Channels | APT41 used the Steam community page as a fallback mechanism for C2. [FireEye APT41 Aug 2019] |
| Enterprise | T1555 | Credentials from Password Stores | APT41 has obtained information about accounts, lists of employees, and plaintext and hashed passwords from databases. [Rostovcev APT41 2021] |
| Enterprise | T1496.001 | Compute Hijacking | APT41 deployed a Monero cryptocurrency mining tool in a victim's environment. [FireEye APT41 Aug 2019][apt41_mandiant] |
| Enterprise | T1003.003 | NTDS | APT41 used ntdsutil to obtain a copy of the victim environment |
| Enterprise | T1049 | System Network Connections Discovery | APT41 has enumerated IP addresses of network resources and used the |
| Enterprise | T1059.004 | Unix Shell | APT41 used Linux shell commands for system survey and information gathering prior to exploitation of vulnerabilities such as CVE-2019-19781. [FireEye APT41 March 2020] |
| Enterprise | T1486 | Data Encrypted for Impact | |
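The T1480.001 row above is the one entry in the table whose defensive consequence is easy to miss: a second stage keyed to the victim's volume serial number decrypts to garbage in a sandbox or on an analyst's workstation, so the sample looks inert unless the analyst brings the serial from the victim's disk image. The block below is an added example, not APT41's code and not taken from the cited tweet; it implements RC5-32/12/16 in counter mode and keys it to a 32-bit volume serial. The derivation (SHA-256 over the serial and a fixed salt), the nonce, the `STG2` validation header, and the serial values are all assumptions made for illustration. The page only says the key was derived in part from the volume serial number.

```python
"""Environmental keying (T1480.001) with RC5: builder, loader and analyst sides.
Added example; the key derivation, header and serials are assumptions."""
import hashlib
import struct

W, R, B = 32, 12, 16            # RC5-32/12/16: 32-bit words, 12 rounds, 16-byte key
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9
MAGIC = b"STG2"                 # assumed plaintext header the loader checks after decrypting
NONCE = 0x5A5A5A5A              # assumed fixed CTR nonce; fine here because each key is single-use


def _rotl(x, y):
    y &= W - 1
    return ((x << y) | (x >> (W - y))) & MASK if y else x


def rc5_expand(key):
    """RC5 key schedule: mixes the 16-byte key into 2(R+1) round subkeys."""
    assert len(key) == B
    c = B // 4
    L = list(struct.unpack("<%dI" % c, key))
    t = 2 * (R + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    i = j = a = b = 0
    for _ in range(3 * max(t, c)):
        a = S[i] = _rotl((S[i] + a + b) & MASK, 3)
        b = L[j] = _rotl((L[j] + a + b) & MASK, (a + b) & MASK)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def rc5_encrypt_block(S, a, b):
    a = (a + S[0]) & MASK
    b = (b + S[1]) & MASK
    for r in range(1, R + 1):
        a = (_rotl(a ^ b, b) + S[2 * r]) & MASK
        b = (_rotl(b ^ a, a) + S[2 * r + 1]) & MASK
    return a, b


def rc5_ctr(key, nonce, data):
    """RC5 in counter mode; encrypt and decrypt are the same XOR with the keystream."""
    S = rc5_expand(key)
    out = bytearray()
    for off in range(0, len(data), 8):
        a, b = rc5_encrypt_block(S, nonce & MASK, off // 8)
        ks = struct.pack("<II", a, b)
        out += bytes(x ^ y for x, y in zip(data[off:off + 8], ks))
    return bytes(out)


def derive_key(volume_serial):
    """Assumed scheme: SHA-256(serial || salt)[:16]. On Windows the loader would read the
    serial with GetVolumeInformationW; from a disk image it is in the NTFS boot sector."""
    return hashlib.sha256(struct.pack("<I", volume_serial) + b"stage2-salt").digest()[:B]


def build_stage(volume_serial, payload):
    """Builder side: encrypt MAGIC || payload under the victim-specific key."""
    return rc5_ctr(derive_key(volume_serial), NONCE, MAGIC + payload)


def unlock_stage(volume_serial, blob):
    """Loader side: return the payload only if the decrypt validates, else None."""
    plain = rc5_ctr(derive_key(volume_serial), NONCE, blob)
    return plain[len(MAGIC):] if plain.startswith(MAGIC) else None


def recover_with_serials(blob, candidate_serials):
    """Analyst side: try serials harvested from victim volumes until one validates."""
    for serial in candidate_serials:
        payload = unlock_stage(serial, blob)
        if payload is not None:
            return serial, payload
    return None


VICTIM_SERIAL = 0x1A2B3C4D                      # constructed; not a real victim value
PAYLOAD = b"constructed second-stage bytes"
BLOB = build_stage(VICTIM_SERIAL, PAYLOAD)

if __name__ == "__main__":
    print("victim host:", unlock_stage(VICTIM_SERIAL, BLOB))
    print("sandbox host:", unlock_stage(0xDEADBEEF, BLOB))
    print("recovered:", recover_with_serials(BLOB, [0x11111111, 0xDEADBEEF, VICTIM_SERIAL]))
```

The practical point for IR is in `recover_with_serials`: the same blob that a sandbox reports as opaque decrypts immediately once the volume serial from the affected machine's image is supplied, so triage of a keyed second stage should start by collecting volume serials (and, for the DPAPI variant in the same row, the user's master keys) from the victim rather than by detonating the sample elsewhere.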
Groups, software, and campaigns
S0073: ASPXSpy
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [1]
S0190: BITSAdmin
S0013: PlugX
S0357: Impacket
S0032: gh0st RAT
S0104: netstat
S0194: PowerSploit
PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1] [2] [3]
S0412: ZxShell
S1051: KEYPLUG
S0097: Ping
S1185: LightSpy
First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.[1]
S1158: DUSTPAN
C0040: APT41 DUST
APT41 DUST was conducted by APT41 from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. APT41 DUST targeted sectors such as shipping, logistics, and media for information gathering purposes. APT41 used previously-observed malware such as DUSTPAN as well as newly observed tools such as DUSTTRAP in APT41 DUST.[1]
C0017: C0017
C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During C0017, APT41 was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown, however APT41 was observed exfiltrating Personal Identifiable Information (PII).[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 4.2 | | Current bundle | 2aa901da2e5b… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] apt41_mandiant: Mandiant. (n.d.). APT41, A Dual Espionage and Cyber Crime Operation. Retrieved June 11, 2024.
- [2] FireEye APT41 Aug 2019: Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- [3] Group IB APT 41 June 2021: Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
- [4] APT41 (associated group name; cited to FireEye APT41 2019)
- [5] BARIUM (associated group name; cited to Microsoft Threat Actor Naming July 2023)
- [6] Brass Typhoon (associated group name; cited to Microsoft Threat Actor Naming July 2023)
- [7] Crowdstrike GTR2020 Mar 2020: Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- [8] FireEye APT41 2019: FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- [9] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [10] Wicked Panda (associated group name; cited to Crowdstrike GTR2020 Mar 2020)
- [11] mitre-attack G0096 (source object)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.