Chinese Hacking Group APT41 Infiltrates Global Shipping and Tech Sectors, Mandiant Warns


Researchers at Mandiant are flagging a significant resurgence in malware attacks by APT41, a prolific Chinese government-backed hacking team caught breaking into organizations in the shipping, logistics, technology, and automotive sectors in Europe and Asia.

Mandiant said the bulk of the compromised organizations are located in the United Kingdom, Italy, Spain, Turkey, Taiwan, and Thailand and warned that APT41 has managed to infiltrate these organizations and maintain prolonged, unauthorized access since at least 2023. 

In a technical report documenting its findings, Mandiant said APT41 (also tracked as Barium, Wicked Panda and Winnti) is also conducting reconnaissance activities against similar organizations in countries like Singapore, indicating a potential expansion of targeting.

The group is known for its dual-role operations, conducting both state-sponsored espionage and financially motivated intrusions. Espionage targets include healthcare, high-tech, telecommunications, and other economically significant sectors.

Notably, APT41 has previously used software supply chain compromises, UEFI firmware implants, and stolen digital certificates in its operations.

In the latest observed attacks, Mandiant said APT41 used web shells on Apache Tomcat Manager servers to execute a dropper, which in turn deployed a backdoor for command-and-control communications.
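One hunt this description suggests is checking Tomcat access logs for deployments made through the Manager application and for follow-on requests to the freshly deployed context, which is where a web shell would live. The script below is an added example, not code from Mandiant or from the article; it assumes the default Tomcat AccessLogValve "common" log pattern and the standard Manager endpoints (the text interface at /manager/text/deploy?path=... and the HTML upload form at /manager/html/upload), and the sample log lines are constructed, not taken from any real incident.

```python
"""Hunt Tomcat access logs for Manager-app deployments followed by POSTs to the new context.

Added example (not Mandiant's or the article's code). Assumptions:
- default Tomcat "common" access log pattern:
  host - user [time] "METHOD path proto" status bytes
- Manager text interface deploys with PUT /manager/text/deploy?path=/ctx
- Manager HTML interface deploys with POST /manager/html/upload (WAR name,
  hence the context path, is not visible in the URL)
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
DEPLOY_RE = re.compile(r'^/manager/(text/deploy|html/upload)\b')

# Constructed sample log; 10.0.0.5 is the legitimate admin host in this scenario,
# 203.0.113.7 deploys a context named /health and then POSTs to a JSP inside it.
SAMPLE_LOG = """\
10.0.0.5 - admin [14/Jul/2024:02:13:01 +0000] "GET /manager/html HTTP/1.1" 200 1234
203.0.113.7 - tomcat [14/Jul/2024:02:13:40 +0000] "PUT /manager/text/deploy?path=/health&update=true HTTP/1.1" 200 56
203.0.113.7 - - [14/Jul/2024:02:13:55 +0000] "POST /health/index.jsp HTTP/1.1" 200 3402
203.0.113.7 - - [14/Jul/2024:02:14:10 +0000] "POST /health/index.jsp HTTP/1.1" 200 9120
10.0.0.5 - - [14/Jul/2024:02:15:00 +0000] "GET /app/login HTTP/1.1" 200 512
10.0.0.5 - admin [14/Jul/2024:02:16:00 +0000] "PUT /manager/text/deploy?path=/ops HTTP/1.1" 200 56
""".splitlines()


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not fit the pattern."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def context_from_deploy(entry):
    """Return the context path a Manager deploy request creates, '?' if the
    request is an HTML upload (path not in URL), or None if not a deploy."""
    path = entry["path"]
    if not DEPLOY_RE.match(path):
        return None
    query = path.split("?", 1)[1] if "?" in path else ""
    for kv in query.split("&"):
        key, _, value = kv.partition("=")
        if key == "path" and value:
            return value
    return "?"


def hunt(lines, manager_allowlist=frozenset()):
    """Return human-readable findings: successful deploys from hosts outside the
    allowlist, and POSTs into contexts those deploys created."""
    deployed = {}   # context path -> deploying source IP
    findings = []
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        ctx = context_from_deploy(e)
        if ctx is not None:
            if e["status"].startswith("2") and e["ip"] not in manager_allowlist:
                deployed[ctx] = e["ip"]
                endpoint = e["path"].split("?", 1)[0]
                findings.append(f"deploy of {ctx} via {endpoint} from {e['ip']} (user {e['user']})")
            continue
        base = e["path"].split("?", 1)[0]
        for c in deployed:
            # Web shells are driven by POST; GETs to a new app are weaker signal.
            if c != "?" and (base == c or base.startswith(c + "/")) and e["method"] == "POST":
                findings.append(f"POST into newly deployed context {c} from {e['ip']}: {base}")
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, manager_allowlist=frozenset({"10.0.0.5"})):
        print(f)
```

Run against real logs, the allowlist should hold the hosts from which administrators legitimately use the Manager app; any deploy from elsewhere, and in particular one followed by repeated POSTs to a single JSP in the new context, is worth pulling the WAR file for.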

The group later used a multi-stage plugin framework called DUSTTRAP, which leaves minimal forensic traces after the hackers conduct "hands-on keyboard" activity, along with a command-line utility to export stolen data from Oracle databases.

“The decrypted payload was designed to establish communication channels with either APT41-controlled infrastructure for command and control or, in some instances, with a compromised Google Workspace account, further blending its malicious activities with legitimate traffic,” Mandiant researchers explained.


The company published indicators of compromise and forensics data to help organizations hunt for signs of APT41 infections.

Over the years, APT41 has been observed hacking into thousands of organizations worldwide, including software and video gaming companies, governments, universities, think tanks, non-profit entities, and pro-democracy politicians and activists in Hong Kong.

APT41’s activity spans over more than a decade, with victims located in the United States, Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam.

The U.S. Department of Justice has charged Chinese nationals Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan, and Fu Qiang, linking them to APT41 hacking activities.

Related: Chinese APT Uses ‘Stack Rumbling’ Technique to Kill Security Software

Related: Details Emerge on Operations, Members of China’s APT41 Hackers

Related: China’s APT41 Exploited Citrix, Cisco, ManageEngine Flaws

Related: Chinese APT41 Caught Using ‘MoonBounce’ UEFI Firmware Implant
