In a newly published report, Kaspersky’s Managed Detection and Response (MDR) team has unveiled a high-level cyberespionage campaign attributed to the notorious Chinese-speaking threat group APT41. The operation, which targeted government IT infrastructure in Africa, represents one of the group’s rare ventures into the region—one that showcased their full range of tactics, techniques, and procedures (TTPs).
“The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware,” the report begins.
The intrusion began with suspicious activity traced back to Impacket modules—WmiExec and Atexec—executed from an unmonitored host within the organization. These modules allowed lateral movement and credential harvesting across the network.
“The source of the suspicious activity turned out to be an unmonitored host that had been compromised,” Kaspersky wrote. “Impacket was executed on it in the context of a service account.”
Once a foothold was established, the attackers began executing reconnaissance commands and extracting registry hives:
- reg save HKLM\SAM
- reg save HKLM\SYSTEM
These hives contained sensitive credentials that were later used for lateral movement. Alarmingly, a backup solution account with domain administrator privileges was among the compromised identities.
“This underscores a crucial point: to detect incidents promptly and minimize damage, security solution agents must be installed on all workstations across the organization without exception,” the report notes.
APT41 used Cobalt Strike, sideloaded via legitimate applications such as cookie_exporter.exe, to establish command-and-control (C2) communications. Each version was tailored with obfuscated payloads stored in .txt or .ini files, decrypted in memory and executed via DLL hijacking.
“The attackers renamed cookie_exporter.exe to Edge.exe and replaced msedge.dll with their own malicious library of the same name,” the report explains.
The group also deployed C# Trojans (agents.exe, agentx.exe) to interact with a compromised internal SharePoint server serving as a captive C2.
In advanced stages of the operation, APT41 fetched an HTA file from a fake GitHub domain (e.g., github.githubassets[.]net) to establish a reverse shell, allowing command execution.
“The attackers primarily used the site to host JavaScript code… responsible for delivering either the next stage of their malware or the tools needed to further the attack,” the report writes.
APT41 utilized recompiled versions of open-source tools for stealthy data collection:
- Pillager – to steal credentials, screenshots, SSH sessions, and source code.
- Checkout – to exfiltrate browser history and credit card data.
- Mimikatz – to dump secrets via DLL sideloading through java.exe.
- RawCopy – for low-level registry file extraction.

“Despite modifying the code, the group didn’t change the stealer’s default output file name and path: C:\Windows\Temp\Pillager.zip.”
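As an added illustration (not code from Kaspersky's report), three of the host artefacts described above, the `reg save` of the SAM and SYSTEM hives, the sideloading host cookie_exporter.exe renamed to Edge.exe, and the unchanged Pillager output path, can be matched in Sysmon-style process and file events; the event field names and sample records are assumptions constructed for the example:

```python
import re

# Constructed sample telemetry (not from the report): one dict per process-creation
# or file-creation event in a Sysmon-like shape. Field names are assumed.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv", "orig_name": "reg.exe"},
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft", "orig_name": "reg.exe"},
    {"type": "process", "image": r"C:\Users\Public\Edge.exe",
     "cmdline": r"C:\Users\Public\Edge.exe", "orig_name": "cookie_exporter.exe"},
    {"type": "process", "image": r"C:\Program Files\Microsoft\Edge\msedge.exe",
     "cmdline": "msedge.exe --profile-directory=Default", "orig_name": "msedge.exe"},
    {"type": "file", "path": r"C:\Windows\Temp\Pillager.zip"},
    {"type": "file", "path": r"C:\Windows\Temp\report.zip"},
]

# "reg save" of the credential-bearing hives named in the report (case-insensitive).
HIVE_DUMP = re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM)\b", re.I)
PILLAGER_DEFAULT = r"c:\windows\temp\pillager.zip"

def detect(event):
    """Return the list of rule names one event triggers (empty if nothing matched)."""
    hits = []
    if event["type"] == "process":
        if HIVE_DUMP.search(event.get("cmdline", "")):
            hits.append("registry_hive_dump")
        # Sideloading host renamed on disk: the PE's OriginalFileName (as Sysmon
        # records it) no longer matches the file name actually executed.
        image_name = event["image"].rsplit("\\", 1)[-1].lower()
        if event.get("orig_name", "").lower() not in ("", image_name):
            hits.append("renamed_executable")
    elif event["type"] == "file":
        if event["path"].lower() == PILLAGER_DEFAULT:
            hits.append("pillager_default_output")
    return hits

def scan(events):
    """Map the index of every flagged event to the rules it triggered."""
    results = {}
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            results[i] = hits
    return results

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```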
Kaspersky attributes this attack to APT41 with high confidence due to reused infrastructure and toolsets seen in previous campaigns:
“The C2 domain names identified in this incident… are similar to domain names previously observed in APT41 attacks,” the report confirms.
Their web shell, newfile.aspx, also used Neo-reGeorg tunneling, enabling the attackers to proxy internal traffic over a compromised IIS web server.
The operation underscores the sophistication and adaptability of APT41. Their ability to blend custom and open-source tools, leverage internal infrastructure for C2, and tailor payloads per environment makes them particularly dangerous.
“It’s impossible to counter such sophisticated attacks without a comprehensive knowledge base and continuous monitoring of the entire infrastructure,” the report concludes.
Kaspersky advises organizations to ensure complete EDR/XDR coverage, enforce least-privilege principles, and continuously audit service accounts.