APT41 infiltrates multiple sectors in a worldwide cyberattack

July 22, 2024

APT41, an active cyber threat group in China, initiated a comprehensive cyber espionage campaign at the beginning of 2023. Across a wide range of industries, including worldwide shipping and logistics, media and entertainment, technology, and the automobile sector, this campaign has effectively penetrated organisations, mostly in Taiwan, Thailand, Italy, Spain, the United Kingdom, and Turkey.

The Middle East and Europe are home to the majority of targets in the shipping and logistics industries. By contrast, every single targeted organisation in the media and entertainment space has its headquarters in Asia. The campaign’s global reach is further enhanced by the fact that many of the affected firms are affiliates or subsidiaries of big multinational corporations.


APT41 has been active as a China-based group of threat actors since at least 2012. It has engaged in supply chain attacks, cyber espionage, and financially motivated cybercrime.


Over time, APT41 subgroups like Wicked Panda, Winnti, Suckfly, and Barium have been discovered. Acting on behalf of the Chinese government, these groups have stolen commercial secrets, intellectual property, healthcare data, and other confidential information all across the world.

Five members of APT41 were indicted by the US authorities in 2020 for their roles in attacks on more than 100 companies worldwide. APT41 has carried on with its operations in spite of these accusations.

Throughout this campaign, researchers have seen the group use a range of unique tools. These tools make it easier to distribute malware, create robust backdoors, move laterally within networks, and exfiltrate data. Two web shells, AntsWord and BlueBeam, are important tools that the group used to download DustPan, a dropper that tries to load the Beacon post-compromise tool on victim systems.

Furthermore, APT41 has introduced a recently discovered multi-phase plugin framework called DustTrap, which permits communication between compromised systems and infrastructure under APT41 control by decrypting and executing malicious payloads in memory. While the group has been using DustPan since 2021, DustTrap is making its debut in this campaign. Additional tools include PineGrove, which transfers enormous amounts of data to a OneDrive account, and SQLULDR2, which extracts data from Oracle databases.
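The article notes that PineGrove moves large volumes of data to a OneDrive account, which is the kind of activity a proxy or egress log review can surface. The script below is an added example, not code from the article or from any vendor: it parses a constructed, simplified proxy-log format (`timestamp src_host method dest_host bytes_sent status`), sums bytes sent by each internal host to OneDrive-related destinations, and flags hosts whose upload volume exceeds a threshold. The domain list, the 500 MiB threshold, the host names and the log lines are all assumptions made for the example.

```python
"""
Proxy-log review for bulk uploads to OneDrive-style cloud storage.

Added example (not from the original article). Assumes a constructed
proxy log format with six whitespace-separated fields:
    <timestamp> <src_host> <method> <dest_host> <bytes_sent> <status>
"""
from collections import defaultdict
from dataclasses import dataclass

# Destination suffixes treated as OneDrive/cloud-storage uploads.
# Assumption for this example; a real deployment would take this from
# its own proxy categorisation or allow-list data.
CLOUD_STORAGE_SUFFIXES = ("onedrive.live.com", "1drv.ms", "files.1drv.com", "sharepoint.com")

# Constructed threshold: flag hosts pushing more than 500 MiB in the window.
UPLOAD_THRESHOLD_BYTES = 500 * 1024 * 1024

# Constructed sample log. ws-fin-07 pushes three 200 MiB PUTs to OneDrive;
# ws-dev-11 pushes 900 MiB, but to an internal backup host (not cloud storage);
# the last line is malformed and must be skipped rather than crash the parser.
SAMPLE_LOG = [
    "2024-07-01T02:14:05Z ws-fin-07 PUT files.1drv.com 209715200 201",
    "2024-07-01T02:16:41Z ws-fin-07 PUT files.1drv.com 209715200 201",
    "2024-07-01T02:19:03Z ws-fin-07 PUT files.1drv.com 209715200 201",
    "2024-07-01T02:20:10Z ws-hr-02 GET onedrive.live.com 1024 200",
    "2024-07-01T02:21:55Z ws-hr-02 POST onedrive.live.com 5242880 200",
    "2024-07-01T03:00:00Z ws-dev-11 POST backup.corp.example 943718400 200",
    "this line is not a valid record",
]


@dataclass
class UploadAlert:
    src_host: str
    total_bytes: int
    request_count: int
    destinations: tuple


def parse_line(line):
    """Parse one proxy line; return (src, method, dst, bytes_sent) or None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, src, method, dst, sent, _status = parts
    try:
        return src, method.upper(), dst.lower(), int(sent)
    except ValueError:
        return None


def is_cloud_storage(dst):
    """True if the destination host is, or is a subdomain of, a listed storage suffix."""
    return any(dst == s or dst.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def find_bulk_uploads(lines, threshold=UPLOAD_THRESHOLD_BYTES):
    """Aggregate upload bytes per source host to cloud storage and return hosts over threshold."""
    totals = defaultdict(int)
    counts = defaultdict(int)
    dests = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records; count them in production
        src, method, dst, sent = rec
        # Only write-style requests to storage destinations count as uploads.
        if method not in ("POST", "PUT") or not is_cloud_storage(dst):
            continue
        totals[src] += sent
        counts[src] += 1
        dests[src].add(dst)
    alerts = [
        UploadAlert(h, totals[h], counts[h], tuple(sorted(dests[h])))
        for h in totals
        if totals[h] > threshold
    ]
    alerts.sort(key=lambda a: a.total_bytes, reverse=True)
    return alerts


def demo():
    """Run the review over the constructed sample log."""
    return find_bulk_uploads(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in demo():
        print(f"{alert.src_host}: {alert.total_bytes} bytes in {alert.request_count} "
              f"requests to {', '.join(alert.destinations)}")
```

An absolute threshold is only a starting point: organisations that use OneDrive or SharePoint legitimately will need a per-host or per-department baseline instead, and the review should be paired with the other signals the article names, such as web shell activity on externally facing servers and unusual Oracle export jobs.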

Although no compromises have been verified, researchers have also found reconnaissance activity targeting comparable organisations in nations like Singapore, pointing to a possible expansion of APT41’s operations.

There is no proof that the group is making money from their attacks, even with the extent and sophistication of their current campaign. Although the scope of post-compromise actions is still unclear, espionage seems to be the main focus.

The most recent operation from APT41 emphasises the ongoing and changing threat that state-sponsored cyber espionage organisations—especially those with Chinese origins—pose.
