APT41
APT41 is a China-linked threat actor associated with long-term espionage activity. The cited reporting identifies APT41 under numerous aliases, including Wicked Panda, Winnti, Winnti Group, Barium, Brass Typhoon, Bronze Atlas, Bronze University, Charcoal Typhoon, Chromium, Earth Lusca, Aquatic Panda, RedHotel, RedFoxtrot, DeputyDog, Hidden Lynx, Wicked Spider, and others. It also places FishMonger under the broader Winnti Group umbrella and states that FishMonger is believed to be operated by the Chinese contractor I-SOON.

APT41 impersonated an employee of a video game developer to send phishing emails. A simulated Wicked Panda/APT41 campaign, active between May 2021 and February 2022, targeted U.S. state government networks and Taiwanese media. In that activity the attack chain used DLL sideloading with a legitimate executable such as taskhost.exe to launch the DodgeBox reflective DLL loader, which decrypted a second-stage payload from an encrypted DAT file and loaded the MoonWalk backdoor in memory. DodgeBox is described as using sandbox detection via SbieDll checks, dynamic API resolution through obfuscated hashes, salted FNV-1a hashing, and NtAllocateVirtualMemory for memory allocation. MoonWalk is described as a backdoor enabling remote command execution through cmd.exe, reverse shell communications over unencrypted TCP using Winsock, and persistence via a Run key at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with the value name MoonWalkBackdoor. Command-and-control and data exfiltration could be hidden in Google Drive API traffic using an attacker-controlled Google Drive account and a BEAR-C2 profile.

Earth Lusca is likewise linked to China-linked espionage activity and remained active through 2023, targeting countries worldwide with a focus on Southeast Asia, Central Asia, and the Balkans, plus scattered attacks in Latin America and Africa. Its main targets are government departments involved in foreign affairs, technology, and telecommunications. Reported initial access included exploitation of public-facing server vulnerabilities in Fortinet, GitLab, Microsoft Exchange, Progress Telerik UI, and Zimbra, followed by web shell deployment and Cobalt Strike for lateral movement. The group was reported to use ShadowPad, Linux Winnti, and the previously unseen Linux backdoor SprySOCKS for long-term espionage. SprySOCKS is described as a Linux backdoor derived from the open-source Trochilus malware, with an interactive shell likely inspired by Linux Derusbi and a command-and-control protocol similar to RedLeaves.

ESET identified two Windows SprySOCKS variants, WIN_DRV and WIN_PLUS, attributed with high confidence to FishMonger, which the reporting also names Earth Lusca, TAG-22, Aquatic Panda, and Red Dev 10, and associates with the Winnti Group umbrella. These variants were observed in 2023 and 2024, primarily against government organizations in Honduras, Taiwan, Thailand, and Pakistan. The Windows variants support command-and-control over TCP, UDP, and WebSocket and implement more than 30 commands for system information collection, process and service control, file management, keylogging, and SOCKS proxying. WIN_DRV uses a kernel driver named RawWNPF to hide network connections, processes, files, and registry keys, and can divert specially crafted TCP traffic from any open port to the hidden backdoor port. WIN_PLUS uses DLL side-loading, scheduled tasks, and print processor abuse for persistence.

There are also limited indications of possible UEFI bootkit involvement exploiting CVE-2023-24932. ShadowPad was reportedly sold to multiple suspected PLA units and shared with entities such as Chengdu404, whose staff were charged for activity attributed to APT41.
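Two of the host-side behaviours described above are directly checkable in endpoint telemetry: MoonWalk's persistence through a Run value named MoonWalkBackdoor, and DodgeBox being launched by a legitimate taskhost.exe that has been copied out of System32 for DLL sideloading. The following detection logic is an added example, not code from the original page, from Mallory, or from any vendor. It assumes Sysmon-style event records (Event ID 13 for registry value set, Event ID 1 for process create, with Sysmon's `HKU\<SID>\...` form for HKCU paths), treats only `C:\Windows\System32` as the legitimate home of taskhost.exe, and adds one generalization beyond the page: any Run value that launches a binary from outside the Windows and Program Files trees is flagged at medium severity. All event records are constructed sample data.

```python
"""Detection logic for MoonWalk Run-key persistence and DodgeBox-style
sideloading via a relocated taskhost.exe.  Added example; not from the page,
Mallory, or any vendor.  Event records below are constructed Sysmon-style
samples, not real telemetry."""
import ntpath
import re

# Sysmon writes HKCU paths as HKU\<SID>\...; the value name is the last component.
RUN_KEY_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Assumption: Run values launching from these trees are treated as expected.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: the only legitimate location of taskhost.exe.
TASKHOST_HOME = "c:\\windows\\system32"


def first_path_token(cmdline: str) -> str:
    """Return the executable path from a Run value's command string."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def check_registry_event(ev: dict) -> list:
    """Event ID 13: flag the reported value name and untrusted Run targets."""
    findings = []
    m = RUN_KEY_RE.match(ev.get("TargetObject", ""))
    if not m:
        return findings
    value_name = m.group("value")
    if value_name.lower() == "moonwalkbackdoor":
        findings.append("high: Run value name 'MoonWalkBackdoor' matches reported MoonWalk persistence")
    exe = first_path_token(ev.get("Details", ""))
    if exe and not exe.lower().startswith(TRUSTED_PREFIXES):
        findings.append(f"medium: Run value '{value_name}' launches {exe} from outside trusted directories")
    return findings


def check_process_event(ev: dict) -> list:
    """Event ID 1: taskhost.exe executing anywhere but System32 is a sideloading indicator."""
    image = ev.get("Image", "")
    if ntpath.basename(image).lower() == "taskhost.exe" and ntpath.dirname(image).lower() != TASKHOST_HOME:
        return [f"high: taskhost.exe running from {ntpath.dirname(image)}; legitimate copy lives in System32"]
    return []


def scan(events: list) -> list:
    """Run both checks over a list of event dicts and return all findings."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 13:
            findings.extend(check_registry_event(ev))
        elif ev.get("EventID") == 1:
            findings.extend(check_process_event(ev))
    return findings


# Constructed sample events (SID, user name and paths are made up).
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MoonWalkBackdoor",
     "Details": '"C:\\Users\\alice\\AppData\\Roaming\\Sync\\taskhost.exe"'},
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Sync\\taskhost.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\taskhost.exe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Running the block prints three findings: the named Run value, the same value's untrusted launch path, and the relocated taskhost.exe; the OneDrive entry and the genuine System32 taskhost.exe produce nothing. In production the medium-severity rule needs an allowlist for legitimate per-user autoruns, and the value-name match should be treated as a brittle indicator that a rebuilt sample can trivially change, so the path-based rules carry the durable signal.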
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇹🇼 Taiwan
- 🇭🇺 Hungary
- 🇹🇷 Türkiye
- 🇹🇭 Thailand
- 🇫🇷 France
- 🇺🇸 United States
- 🇭🇳 Honduras
- 🇵🇰 Pakistan
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
57 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
53 malware families attributed to this actor across reporting.
48 additional families tracked in Mallory.
Associated vulnerabilities
53 CVEs this actor has used in observed campaigns. 53 of them exploited in the wild.
APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.
Infection sequences start with the exploitation of known security flaws in public-facing ... Microsoft Exchange Server (ProxyShell) ... servers to drop web shells and deliver Cobalt Strike for lateral movement.
During C0017, APT41 exploited ... CVE-2021-44228 in Log4j... During C0018, the threat actors exploited ... several Log4Shell vulnerabilities, including CVE-2021-44228... Magic Hound has exploited the Log4j utility (CVE-2021-44228).
This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.
48 more CVEs tied to this actor tracked in Mallory.
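The detection quoted above for ZDI-CAN-25373 reduces to a parent/child process relationship: explorer.exe spawning cmd.exe or powershell.exe, which is how a double-clicked shortcut runs its target. The code below is an added example, not the cited detection source's rule, Mallory's, or anything from the original page. It assumes Sysmon Event ID 1 style records with `ParentImage`, `Image` and `CommandLine` fields, and adds one heuristic that goes beyond the page's wording: a long run of whitespace inside the command line, the padding trick used to keep LNK arguments out of the shortcut's Properties view, raises the finding from medium to high. The threshold of 32 characters is an assumption, and all events are constructed samples.

```python
"""Explorer -> cmd.exe / powershell.exe spawn detection (LNK-triggered execution).
Added example; not from the page, Mallory, or the cited detection source.
Event records are constructed Sysmon Event ID 1 style samples."""
import ntpath
import re

SHELLS = {"cmd.exe", "powershell.exe"}
# Added heuristic: 32+ consecutive whitespace characters (space, tab, CR, LF,
# vertical tab, form feed) in the arguments.  Threshold is an assumption.
PADDING_RE = re.compile(r"[ \t\r\n\x0b\x0c]{32,}")


def classify_process_event(ev: dict):
    """Return 'high', 'medium' or None for one process-create event."""
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    child = ntpath.basename(ev.get("Image", "")).lower()
    if parent != "explorer.exe" or child not in SHELLS:
        return None
    if PADDING_RE.search(ev.get("CommandLine", "")):
        return "high"       # shell from Explorer with padded, hidden arguments
    return "medium"         # shell from Explorer: also what a user opening a prompt looks like


def scan(events: list) -> list:
    """Return (ProcessId, severity) pairs for every event that matches."""
    findings = []
    for ev in events:
        severity = classify_process_event(ev)
        if severity:
            findings.append((ev["ProcessId"], severity))
    return findings


# Constructed sample events; PIDs, user and arguments are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" ' + " " * 200 + "/c echo arguments-after-padding"},
    {"ProcessId": 4188,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'},
    {"ProcessId": 4201,
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ProcessId": 4240,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for pid, severity in scan(SAMPLE_EVENTS):
        print(pid, severity)
```

The padded cmd.exe launch is reported as high and the bare PowerShell launch as medium; the svchost-parented shell and the notepad launch are ignored. The medium tier is noisy by design, since users who open a prompt from the Start menu produce the same parent/child pair, so it is a candidate for baselining per host rather than an alert on its own, while the padded-argument tier is specific enough to page on.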
Observables
469 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Suspected PLA-linked unit identified as a recipient of the commercially sold ShadowPad backdoor.
Chinese state-sponsored espionage actor cited as representative of likely intelligence collection, strategic access, and long-term espionage activity around the World Cup ecosystem.
Broader umbrella group under which FishMonger operates, associated here with Chinese cyberespionage activity.
State-sponsored cyber espionage group attributed with deploying new Windows variants of the SprySOCKS backdoor (WIN_DRV and WIN_PLUS), expanding cross-platform capabilities and targeting government organizations.