APT41
Attribute | Value |
---|---|
Actor Type | Commercial Provider |
Attributed to Nation | China |
Directly Linked Intrusion Sets | Wicked Spider , Wicked Panda |
Affiliated Intrusion Sets | TeleBoyi |
Associated Threat Actor | Chengdu 404 |
Associated MITRE ATT&CK Group | APT41 (G0096) |
APT41 is a Chinese state-sponsored group involved in espionage and cyber crime, targeting sectors aligned with China's economic plans. The group was originally named by researchers at FireEye/Mandiant.
The group has been active since 2012, focusing on strategic access and intellectual property theft, particularly in healthcare, high-tech, and telecommunications.
In addition to cyber espionage, APT41 has also been observed engaging in financially motivated activities, especially within the video game industry, including source code theft and virtual currency manipulation.
The group has executed multiple software supply chain attacks, injecting malicious code into legitimate files before distribution in order to gain access to victim environments.
APT41 Threat Reports
APT41 Has Arisen From the DUST
This report from Mandiant outlines APT41 activity observed since 2023 including successful compromises of logistic, media, technology and ...
APT41 (Double Dragon): A Dual Espionage and Cyber Crime Operation
This 2022 report by researchers at FireEye threat intelligence outlines the intrusion set they designate as APT41. They describe the group as 'a ...
References
https://content.fireeye.com/apt-41/rpt-apt41/
https://services.google.com/fh/files/misc/apt41-a-dual-espionage-and-cyber-crime-operation.pdf
https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust
https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer
https://attack.mitre.org/groups/G0096/
https://www.fbi.gov/wanted/cyber/apt-41-group
https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_8_yi-chin_yu-tung_en.pdf
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1560.001 | Archive via Utility | Collection |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1594 | Search Victim-Owned Websites | Reconnaissance |
T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
T1569.002 | Service Execution | Execution |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1505.003 | Web Shell | Persistence |
T1071.001 | Web Protocols | Command and Control |
T1070.004 | File Deletion | Defense Evasion |