A sophisticated new threat has been unmasked targeting the heart of enterprise cloud infrastructure. Researchers from Breakglass Intelligence have identified a “zero-detection ELF backdoor attributed to APT41 (Winnti)” that is actively targeting Linux cloud workloads across AWS, GCP, Azure, and Alibaba Cloud environments.
The malware represents a significant evolution in stealth, designed to remain invisible to both traditional security scanners and modern endpoint detection systems.
The most striking feature of the new implant is its choice of communication protocol. Rather than utilizing common web traffic like HTTPS, “the implant uses SMTP port 25 as a covert command-and-control channel”.
According to the analysis, this was a strategic move by the threat actors. “Port 25 traffic is expected in cloud environments running mail services,” and as a result, “many cloud security tools do not deeply inspect SMTP traffic for C2 patterns”. This allows the malware to exfiltrate highly sensitive data—including encrypted cloud provider credentials and metadata—under the guise of routine email traffic.
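One defender-side check that follows from this: a cloud workload that is not a mail relay has no reason to originate TCP/25 sessions, so unexpected SMTP egress is a cheap signal worth hunting for. The example below is added here and is not code from the Breakglass report; it walks constructed AWS VPC Flow Log lines, and the VPC CIDR and relay allowlist are assumed inventory values.

```python
"""Flag non-relay workloads that originate outbound SMTP (TCP/25) sessions.

Illustrative example, not from the report. Log lines are constructed in the
AWS VPC Flow Log default field order; the CIDR and relay list are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample. Fields: version account eni src dst srcport dstport
# proto packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 48213 25 6 90 41000 1737000000 1737000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 48214 25 6 120 63200 1737000120 1737000180 ACCEPT OK
2 123456789012 eni-0a1b2c3e 10.0.2.40 198.51.100.7 51000 25 6 12 3100 1737000000 1737000060 ACCEPT OK
2 123456789012 eni-0a1b2c3f 10.0.3.9 203.0.113.10 52222 443 6 30 9000 1737000000 1737000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 48215 25 6 5 600 1737000200 1737000260 REJECT OK
"""

VPC_CIDR = ip_network("10.0.0.0/16")   # assumed: address space of our workloads
MAIL_RELAYS = {"10.0.2.40"}            # assumed: the only hosts allowed to send mail

def parse_flow_line(line):
    """Return the fields we need from one flow-log line, or None if malformed."""
    f = line.split()
    if len(f) < 14:
        return None
    return {"src": f[3], "dst": f[4], "dport": int(f[6]), "proto": int(f[7]),
            "bytes": int(f[9]), "action": f[12]}

def find_smtp_egress(log_text, relays=MAIL_RELAYS):
    """Aggregate accepted TCP/25 flows that originate inside the VPC from a
    source not on the relay allowlist: {src: {dsts, sessions, bytes}}."""
    findings = defaultdict(lambda: {"dsts": set(), "sessions": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_flow_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["proto"] != 6 or rec["dport"] != 25:
            continue
        if ip_address(rec["src"]) not in VPC_CIDR:   # inbound mail, not egress
            continue
        if rec["src"] in relays:
            continue
        hit = findings[rec["src"]]
        hit["dsts"].add(rec["dst"])
        hit["sessions"] += 1
        hit["bytes"] += rec["bytes"]
    return dict(findings)

if __name__ == "__main__":
    for src, hit in find_smtp_egress(SAMPLE_FLOW_LOG).items():
        print(f"{src}: {hit['sessions']} SMTP sessions, {hit['bytes']} bytes -> {sorted(hit['dsts'])}")
```

Per-source byte totals matter here because the report describes the channel being used for exfiltration, so a workload that "sends mail" in tens of kilobytes per session deserves a closer look than one that sends a bounce.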
To protect its backend infrastructure, APT41 has implemented a “selective C2 handshake validation mechanism” that effectively hides its servers from the public internet.
The C2 server, currently hosted on Alibaba Cloud in Singapore, will only interact with clients that present a valid token in the initial connection string. As the report explains, “a selective C2 handshake validation mechanism renders the server invisible to conventional scanning tools like Shodan and Censys”. For an automated scanner, the server appears as nothing more than a generic, benign mail server.
This latest backdoor is not an isolated incident but the culmination of a long-term development effort by APT41. The Breakglass Intelligence report traces a “6-year Winnti ELF lineage tracing from PWNLNX (2020) through intermediate variants to this sample”.
| Year | Variant | Key Evolution |
|---|---|---|
| 2020 | PWNLNX | First documented Winnti ELF implant |
| 2021-22 | Winnti 4.0 | Modular plugin architecture and kernel rootkit components |
| 2023 | KEYPLUG (Linux) | HTTPS C2 and initial cloud awareness |
| 2025-26 | Current Sample | Full cloud credential harvesting, SMTP C2, selective handshake, typosquat infrastructure |
This timeline reveals “a consistent 6-year investment in making Winnti’s Linux tooling cloud-native, progressing from basic reverse shells to purpose-built cloud credential harvesters”.
The campaign also utilizes a “burst” pattern of domain registration to support its activities. Researchers identified three typosquat domains registered through NameSilo within a single 24-hour window in January 2026. These domains, such as ns1[.]aliyun[.]top, utilize homoglyph techniques (replacing letters with similar-looking numbers) to mimic legitimate cloud services like Alibaba Cloud.