Introduction
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries. [apt41_mandiant] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group. [7] [9]
Activities and Tactics
Targeted Sectors: Gaming, Technology, Healthcare, Automotive, Business, Services, Cryptocurrency, Education, Energy, Financial, High-Tech, Intergovernmental, Media and Entertainment, Pharmaceuticals, Private sector, Retail, Telecommunications, Travel
Country of Origin: China
Risk Level: High
First Seen: 2012
Last Activity: 2024
Suspected Victims: China, France, Hong Kong, India, Italy, Japan, Myanmar, Netherlands, Singapore, South Korea…
Notable Campaigns
- Avast/CCleaner (September 2016; WickedPanda (CN APT))
Tactics, Techniques, and Procedures (TTPs)
- T1014 Rootkit
- T1105 Ingress Tool Transfer
- T1083 File and Directory Discovery
- T1583.001 Domains
- T1057 Process Discovery
- T1553.002 Code Signing
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 9 public reports that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- CyberGate
- Cyber Eye RAT
- Winnti Rootkit malware
- CRACKSHOT
- GEARSHIFT
- HIGHNOON
- JUMPALL
- POISONPLUG
- HOTCHAI
- LATELUNCH
- LIFEBOAT
- LOWKEY
- NJRAT
- PACMAN
- PHOTO
- POTROAST
- ROCKBOOT
- SAGEHIRE
- SWEETCANDLE
- SOGU
- TERA
- TIDYELF
- WIDETONE
- WINTERLOVE
- XDoor
- Xmrig
- ZxShell
Attribution and Evidence
Country of Origin: China
Additional attribution information pending cataloguing.
References
[1] mitre-attack
[6] Crowdstrike GTR2020 Mar 2020: Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
[7] FireEye APT41 2019: FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
[8] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[9] Group IB APT 41 June 2021: Rostovcev, N. (2021, June 10). Big airline heist: APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
[10] mitre-attack
[13] Symantec Suckfly March 2016: DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
[14] 401 TRG Winnti Umbrella May 2018: Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018.
[15] Kaspersky Winnti April 2013: Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
[16] Novetta Winnti April 2015: Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
[17] Kaspersky Winnti June 2015: Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.
Recent News
Latest articles from security news feeds mentioning this actor.
- How Security Leaders Cut Through Complexity to Drive Better Outcomes (Rapid7, 2026-05-26)
- Former US execs plead guilty to aiding tech support scammers (BleepingComputer, 2026-05-22)