APT41 Attacks Steal Data ‘Over an Extended Period’

Since last year, the APT41 Chinese state-sponsored espionage group has launched sustained data exfiltration attacks against multiple organizations across the shipping and logistics, media, technology and automotive sectors.

Several security research teams have noted this APT41 activity, and the updates to its toolset, in recent weeks. The attacks used variants of previously known malware together with publicly available tools, all aimed at defense evasion and long-term persistence on compromised systems. The targeted organizations, which have not been named, are primarily in Italy, Spain, Taiwan, Thailand, Turkey and the United Kingdom. Overall, APT41 targeted 10 organizations, although researchers with Mandiant couldn't confirm how many of those were compromised.

“In collaboration with Google's TAG, Mandiant notified multiple additional organizations across various sectors that have been compromised by this campaign,” according to a threat intelligence report released by Mandiant researchers on Thursday. “APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since 2023, enabling them to extract sensitive data over an extended period.”

In the attacks observed by Mandiant researchers, APT41 used two web shells that then executed a dropper (called Dustpan) that the group had previously used in attacks in 2021 and 2022. The dropper, which was disguised as a Windows binary, would load Beacon payloads into memory, encrypted with ChaCha20, and these payloads then communicated with the attacker’s command-and-control (C2) channels. One major part of the attacks was a multi-stage framework tracked as Dusttrap, which used DLL sideloading and DLL search order hijacking for persistence and included plugins for file manipulation, keylogging, Active Directory operations and various shell, file system and process operations.

“Upon execution, DUSTTRAP would decrypt a malicious payload and execute it in memory, leaving minimal forensic traces,” said Mandiant researchers. “The decrypted payload was designed to establish communication channels with either APT41-controlled infrastructure for command and control or, in some instances, with a compromised Google Workspace account, further blending its malicious activities with legitimate traffic. The affected Google Workspace accounts have been successfully remediated to prevent further unauthorized access.”
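The DLL sideloading and search-order hijacking that Dusttrap relies on leaves a pattern defenders can hunt for in image-load telemetry: a signed executable, running from a directory where it does not belong, that loads an unsigned DLL carrying the name of a Windows system DLL from that same directory. The script below is an added example, not code from the article or from Mandiant. It runs that heuristic over constructed image-load records; the record layout, the watch-list of DLL names, and every path in the sample data are assumptions made for illustration, not indicators from this campaign.

```python
"""Heuristic DLL sideloading / search-order hijack detector (added example).

Input records are constructed 'key=value|key=value' lines loosely modelled on
image-load events; the format is an assumption, not any product's native log.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Windows directories where the DLLs in SYSTEM_DLL_NAMES are expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
# Locations where an installed application may legitimately ship private DLLs.
PROGRAM_DIRS = ("c:\\program files", "c:\\program files (x86)")
# Assumed watch-list: DLL names that signed executables commonly import by name
# and that therefore get spoofed for sideloading. Extend it from your own baseline.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll", "cryptsp.dll"}


@dataclass(frozen=True)
class ImageLoad:
    image: str           # path of the process executable that loaded the DLL
    image_signed: bool   # Authenticode status reported for that executable
    loaded: str          # path of the DLL that was mapped into the process
    loaded_signed: bool  # Authenticode status reported for the DLL


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'Image=...|ImageSigned=...|ImageLoaded=...|Signed=...' record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_signed=fields["ImageSigned"].lower() == "true",
        loaded=fields["ImageLoaded"],
        loaded_signed=fields["Signed"].lower() == "true",
    )


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _under(path: str, roots) -> bool:
    p = path.lower()
    return any(p.startswith(r + "\\") for r in roots)


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return the list of heuristic hits for one image-load event (empty if benign)."""
    reasons = []
    dll_name = PureWindowsPath(ev.loaded).name.lower()
    # Hit 1: a DLL that should only exist under Windows is loaded from elsewhere.
    if dll_name in SYSTEM_DLL_NAMES and not _under(ev.loaded, SYSTEM_DIRS):
        reasons.append("system DLL name loaded from outside a Windows system directory")
    # Hit 2: a signed binary staged outside Program Files / Windows pulls an
    # unsigned DLL from its own directory, the classic sideloading layout.
    same_dir = _parent(ev.image) == _parent(ev.loaded)
    if (same_dir and ev.image_signed and not ev.loaded_signed
            and not _under(ev.image, PROGRAM_DIRS) and not _under(ev.image, SYSTEM_DIRS)):
        reasons.append("signed executable loading an unsigned DLL from its own directory "
                       "outside Program Files or Windows")
    return reasons


def scan(lines) -> list[tuple[str, str, list[str]]]:
    """Run the heuristic over records and return (image, loaded_dll, reasons) for hits only."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        reasons = sideload_reasons(ev)
        if reasons:
            flagged.append((ev.image, ev.loaded, reasons))
    return flagged


# Constructed sample records (paths and names are illustrative, not real indicators).
SAMPLE_EVENTS = [
    # Benign: a system process loading version.dll from System32.
    "Image=C:\\Windows\\System32\\svchost.exe|ImageSigned=true"
    "|ImageLoaded=C:\\Windows\\System32\\version.dll|Signed=true",
    # Benign: an installed product loading its own unsigned helper from Program Files.
    "Image=C:\\Program Files\\ExampleVendor\\app.exe|ImageSigned=true"
    "|ImageLoaded=C:\\Program Files\\ExampleVendor\\helper.dll|Signed=false",
    # Suspicious: a signed binary copied to a user-writable folder beside an
    # unsigned file named like a Windows DLL.
    "Image=C:\\Users\\Public\\Music\\updater.exe|ImageSigned=true"
    "|ImageLoaded=C:\\Users\\Public\\Music\\version.dll|Signed=false",
    # Suspicious: the same layout under ProgramData with dbghelp.dll.
    "Image=C:\\ProgramData\\svc\\report.exe|ImageSigned=true"
    "|ImageLoaded=C:\\ProgramData\\svc\\dbghelp.dll|Signed=false",
]

if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} -> {dll}")
        for r in reasons:
            print(f"    - {r}")
```

Both heuristics are deliberately loose and expect tuning against a baseline: legitimate software does sideload private DLLs, so the value of the second rule comes from restricting it to staging locations (user profiles, ProgramData, temp directories) rather than from the same-directory condition alone. Pair hits with the signer name of the executable and the creation time of the DLL when your telemetry carries them.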

APT41 also relied on several publicly available command-line utilities, such as PineGrove, which it used to exfiltrate data to Microsoft OneDrive, and SQLULDR2, which it used to copy and export data from Oracle databases.

The APT group is notable for its previous attacks, including a 2022 campaign that exploited vulnerabilities in Internet-facing web applications, among them the widely exploited Log4j flaw, to compromise at least six U.S. state government networks. In 2020, the group conducted a massive attack targeting companies in the banking, defense, technology, and other sectors in at least 20 countries. The group is also known for launching software supply-chain attacks and using compromised digital certificates.

APT41 is a unique group within the broader China-based threat landscape for several reasons. While the threat actor conducts espionage attacks in line with state-sponsored activity, it also carries out financially motivated attacks, such as targeting the video game industry to steal source code or digital certificates and attempting to deploy ransomware, Mandiant researchers said.

“APT41 has always had a worldwide mandate driven by a combination of PRC government intelligence priorities and sometimes financial incentives,” said Stephen Eckels, Mandiant staff reverse engineer with Google Cloud. “We expect that the targeting in this campaign is driven by them as well. We also note that there are likely other organizations targeted beyond Mandiant’s visibility, so the targeting of these orgs should not be interpreted to exclude other operations.”