APT41 is a Chinese state-sponsored cyber threat group active since at least 2012, notable for its dual focus on both cyber espionage and financially motivated cybercrime. The group is believed to operate under the direction of Chinese intelligence agencies and has targeted over 40 industries globally, including healthcare, telecommunications, technology, government, finance, higher education, and gaming.

Key Characteristics

• Aliases: BARIUM, Wicked Panda, Brass Typhoon, Winnti, Double Dragon, Blackfly, and others.
• Motivations: Espionage (intellectual property theft, surveillance), financial gain (ransomware, cryptocurrency theft), and strategic disruption.
• Target Regions: U.S., UK, EU, Japan, India, Taiwan, Southeast Asia, and more.
• Notable Campaigns: Attacks on U.S. state governments, global supply chains, and recent exploitation of Google Calendar for command-and-control (C2).

Tactics, Techniques, and Procedures (TTPs)

• Initial Access: Spearphishing, supply chain compromise, exploitation of vulnerabilities.
• Persistence: Use of rootkits, bootkits, and registry modifications.
• C2 & Data Exfiltration: Leveraging cloud services (Google Calendar, Cloudflare), encrypted channels, and DNS tunneling.
• Malware Arsenal: Over 46 malware families, including PlugX, LOWKEY, GH0ST, Meterpreter, BlackCoffee, MessageTap, ToughProgress, Voldemort, DustTrap, and more.

Attributed IP Addresses and Infrastructure

• 45.61.136.199 — Used as C2 for APT41 (Barium) campaigns.
• 104.224.169.214 — Hosted Cobalt Strike and shellcode loaders for APT41 operations.
• 185.118.166.66 — Associated with SSL certificates and domains used by APT41.
• 121.42.149.52 — Used as C2 for Android surveillanceware (WyrmSpy), linked to APT41 operations from 2014–2020.
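The four addresses above are the kind of indicator a defender would sweep outbound traffic logs for. The following is an added example, not part of the original profile: a small Python matcher that parses a constructed key=value firewall log format (the format and the sample lines are made up for this illustration; only the IP addresses and their descriptions come from the list above) and reports every connection to a listed address, grouped by internal source host so repeated beaconing from one machine stands out.

```python
import ipaddress
import re
from collections import Counter

# IoC set taken from the attributed-infrastructure list above.
APT41_IOC_IPS = {
    "45.61.136.199": "C2 for APT41 (Barium) campaigns",
    "104.224.169.214": "Cobalt Strike and shellcode loader hosting",
    "185.118.166.66": "SSL certificates and domains used by APT41",
    "121.42.149.52": "C2 for WyrmSpy Android surveillanceware",
}

# Constructed sample firewall log lines (hypothetical format, not real traffic).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z src=10.0.0.5 dst=93.184.216.34 dport=443 action=allow
2024-05-01T10:00:02Z src=10.0.0.7 dst=45.61.136.199 dport=443 action=allow
2024-05-01T10:00:03Z src=10.0.0.9 dst=104.224.169.214 dport=8080 action=allow
2024-05-01T10:00:04Z src=10.0.0.7 dst=45.61.136.199 dport=443 action=allow
2024-05-01T10:00:05Z src=10.0.0.12 dst=10.0.0.1 dport=53 action=allow
this line is malformed and must be skipped
"""

# Assumed log layout: timestamp, then src=, dst=, dport=, action= fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for lines
    that do not match the layout or carry an unparsable destination IP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec


def scan_logs(text, iocs=APT41_IOC_IPS):
    """Return one hit record per connection whose destination is a listed IoC."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] in iocs:
            hits.append({
                "ts": rec["ts"],
                "src": rec["src"],
                "dst": rec["dst"],
                "dport": int(rec["dport"]),
                "context": iocs[rec["dst"]],
            })
    return hits


def summarize(hits):
    """Count hits per (source host, IoC) pair so repeated beaconing is visible."""
    return Counter((h["src"], h["dst"]) for h in hits)


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]}  [{h["context"]}]')
    for (src, dst), n in summarize(found).most_common():
        print(f"{src} contacted {dst} {n} time(s)")
```

Treat matches as triage leads rather than verdicts: IP indicators age as infrastructure is reassigned, and shared hosting can put unrelated services behind the same address, so a hit should be confirmed against the connection's timing, process and payload before it drives a response.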

Synonyms:
Winnti Group, Barium, Blackfly, Wicked Panda, Brass Typhoon, Double Dragon