Geek-Guy.com

Threat Actor Dossier: APT41 (BARIUM/BRASS TYPHOON/WICKED PANDA)

THREAT ACTOR DOSSIER

====================

BASIC INFORMATION

Name: APT41 (Advanced Persistent Threat 41)

Aliases: BARIUM, BRASS TYPHOON, WICKED PANDA, Double Dragon

MITRE ATT&CK Group ID: G0096

Country of Origin: People’s Republic of China

Affiliation: Chinese state-sponsored espionage group

Type: Dual-purpose (state-sponsored espionage + financially motivated cybercrime)

MOTIVATION

Primary Motivation: State-sponsored espionage and intellectual property theft

Secondary Motivations:

  • Financial gain through cybercrime operations
  • Supply chain disruption
  • Strategic intelligence gathering
  • Targeting critical infrastructure

Geographic Focus:

  • North America (U.S., Canada)
  • Europe
  • Asia-Pacific (Taiwan, Japan, South Korea)
  • Africa

MITRE ATT&CK TTP MAPPING

Initial Access:

  • T1566.001 – Phishing: Spearphishing Attachment
  • T1566.002 – Phishing: Spearphishing Link
  • T1190 – Exploit Public-Facing Application
  • T1577 – Compromise Host via Supply Chain

Execution:

  • T1059.001 – PowerShell
  • T1059.004 – Python
  • T1204.002 – User Execution: Malicious File
  • T1059.003 – Command and Scripting Interpreter: PowerShell

Persistence:

  • T1547.001 – Boot or Logon Autostart Execution
  • T1546.004 – Accessibility Features
  • T1590 – Lateral Tool Transfer

Privilege Escalation:

  • T1068 – Exploitation for Privilege Escalation
  • T1548.002 – Abuse Elevation Control Mechanism
  • T1548.004 – Abuse Installed Service

Defense Evasion:

  • T1070.005 – Clear Windows Event Logs
  • T1071.001 – Application Layer Protocol
  • T1055 – Process Injection
  • T1027 – Obfuscated Files or Information

Credential Access:

  • T1555.001 – Input Capture: Keyboard
  • T1555.004 – Input Capture: Hardware Token
  • T1003 – OS Credential Dumping
  • T1110.001 – Brute Force

Discovery:

  • T1082 – Identify Windows System
  • T1083 – File and Directory Discovery
  • T1087 – Account Discovery
  • T1085 – Active Directory Permissions Discovery

Lateral Movement:

  • T1021.002 – SMB/Windows Admin Shares
  • T1021.004 – Remote Desktop Protocol
  • T1076 – Remote Services
  • T1570 – Overlay Tools

Collection:

  • T1005 – Data from Local System
  • T1003.001 – LSADump File
  • T1003.003 – Credential Dump
  • T1213 – Security Information Collection

Command and Control:

  • T1071.004 – Remote Services
  • T1571 – Non-Application Layer Protocol
  • T1102 – Web Service
  • T1071.001 – Application Layer Protocol: Web Protocol

Exfiltration:

  • T1041 – Exfiltration Over C2 Channel
  • T1567 – Exfiltration Over Web Service
  • T1570 – Overlay Tools
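The tactic/technique list above is most useful to defenders once it is turned into an ATT&CK Navigator layer and compared against an organisation's own detection inventory. The script below is an added example (not part of the dossier or any vendor tool): it parses text in the same "Tactic:" / "• Txxxx – Name" layout, with a constructed sample copied from a subset of the entries above, emits a Navigator layer that colours covered techniques green and uncovered ones red, and lists the gaps. The detection inventory and the layer version numbers are assumptions.

```python
import json
import re

# Constructed sample in the dossier's own layout (subset of the page's list).
DOSSIER_TTPS = """
Initial Access:
  • T1566.001 – Phishing: Spearphishing Attachment
  • T1190 – Exploit Public-Facing Application
Defense Evasion:
  • T1070.005 – Clear Windows Event Logs
  • T1055 – Process Injection
Lateral Movement:
  • T1021.002 – SMB/Windows Admin Shares
  • T1570 – Overlay Tools
Exfiltration:
  • T1041 – Exfiltration Over C2 Channel
  • T1570 – Overlay Tools
"""

# Bullet, technique ID (optionally with sub-technique), en dash or hyphen, name.
TECH_RE = re.compile(r"^\s*•\s*(T\d{4}(?:\.\d{3})?)\s*[–-]\s*(.+?)\s*$")

def parse_ttps(text):
    """Return [(tactic_slug, technique_id, name)] in document order."""
    tactic, out = None, []
    for line in text.splitlines():
        if line.rstrip().endswith(":") and not line.startswith(" "):
            # "Defense Evasion:" -> "defense-evasion" (Navigator tactic slug)
            tactic = line.rstrip()[:-1].strip().lower().replace(" ", "-")
            continue
        m = TECH_RE.match(line)
        if m and tactic:
            out.append((tactic, m.group(1), m.group(2)))
    return out

def build_layer(entries, detected, name="APT41 dossier TTPs"):
    """Navigator layer: score 1/green if a detection exists, else 0/red."""
    techniques = [{
        "techniqueID": tid, "tactic": tactic, "comment": tname,
        "score": 1 if tid in detected else 0,
        "color": "#8ec843" if tid in detected else "#ff6666",
    } for tactic, tid, tname in entries]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed
            "techniques": techniques}

def coverage_gaps(entries, detected):
    """Technique IDs from the dossier with no detection in `detected`."""
    return sorted({tid for _, tid, _ in entries} - set(detected))

if __name__ == "__main__":
    detected = {"T1070.005", "T1055"}  # constructed detection inventory
    entries = parse_ttps(DOSSIER_TTPS)
    print(json.dumps(build_layer(entries, detected), indent=2))
    print("gaps:", coverage_gaps(entries, detected))
```

Paste the full mapping from this page into DOSSIER_TTPS to get a complete layer; techniques listed under two tactics (T1570, T1071.001) correctly appear twice, once per tactic.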

TOOLS AND INFRASTRUCTURE

Primary Tools:

  • Cobalt Strike – Commercial adversary simulation framework for post-exploitation
  • Mimikatz – Credential dumping and privilege escalation
  • ShadowPad – Modular remote access trojan (RAT), successor to PlugX
  • PowerSploit – PowerShell-based post-exploitation toolkit
  • Empire – Post-exploitation framework

Secondary Tools:

  • Covenant – Multi-arch C2 framework
  • Sliver – Modern C2 framework
  • Brute Ratel – Multi-platform C2
  • Rubeus – Kerberos attack toolkit

Infrastructure:

  • C2 domains embedded in malware
  • Hardcoded IP addresses in malware
  • Proxy servers for C2 communication
  • Compromised websites for C2
  • Cloud infrastructure for hosting

TARGETED SECTORS

Primary Targets:

  • Healthcare – Hospitals, healthcare providers, pharmaceutical companies
  • Finance – Banks, financial institutions, payment processors
  • Government – Federal agencies, state/local governments, research institutes
  • Telecommunications – Network operators, equipment manufacturers
  • Technology – Semiconductor companies, tech vendors

Secondary Targets:

  • Energy – Utility companies, power generation facilities
  • Education – Universities, research institutions
  • Transportation – Aviation, shipping, logistics companies
  • Media – Broadcasting companies, news organizations

ASSOCIATED MALWARE

Primary Malware Families:

  • ShadowPad – Modular RAT, successor to PlugX
  • Pikabot – Ransomware framework (associated with financial operations)
  • Custom PowerShell scripts for initial access
  • Cobalt Strike Beacon for post-exploitation

Secondary Malware Families:

  • PowerShell-based droppers for initial access
  • Credential theft tools (Mimikatz variants)
  • Lateral movement scripts (PsExec, WinRM)
  • Data exfiltration tools (custom C2 clients)

NOTABLE CAMPAIGNS

Campaign 1: Healthcare Sector Attacks (2021-2023)

  • Targets: U.S. hospitals, healthcare providers
  • Impact: Intellectual property theft, patient data compromise
  • Techniques: Supply chain attacks, phishing, Cobalt Strike deployment

Campaign 2: Financial Sector Operations (2022-2024)

  • Targets: Banks, financial institutions
  • Impact: Financial data exfiltration, strategic intelligence
  • Techniques: Business email compromise, supply chain compromise

Campaign 3: Government and Research Targets (2023-2025)

  • Targets: U.S. federal agencies, research institutes
  • Impact: Strategic intelligence gathering, technology theft
  • Techniques: Spearphishing, supply chain compromise, zero-day exploitation

Campaign 4: African Government Services (2025)

  • Targets: Government IT services in Africa
  • Impact: IT infrastructure compromise
  • Techniques: Hardcoded infrastructure names, proxy servers, ShadowPad

THREAT LEVEL ASSESSMENT

Overall Threat Level: HIGH

Capabilities:

  • Advanced persistent threat (APT) capabilities
  • State-sponsored intelligence gathering
  • Custom malware development
  • Multi-vector attack campaigns
  • Supply chain compromise expertise

Maturity: Advanced

Resources: Extensive

Notable Operations:

  • 13+ confirmed victims in 2021 alone
  • 4+ malicious campaigns in 2021
  • Regular supply chain attacks
  • Cross-sector targeting

CVE AND VULNERABILITY EXPLOITATION

Exploited Vulnerabilities:

  • Unpatched remote code execution vulnerabilities
  • Supply chain software vulnerabilities
  • Zero-day exploits in critical infrastructure
  • Legacy system vulnerabilities

Preferred Exploitation Vectors:

  • Phishing campaigns with malicious attachments
  • Business email compromise (BEC)
  • Supply chain software updates
  • Compromised third-party vendors

INDICATORS OF COMPROMISE (IOCs)

File Hashes:

  • ShadowPad variants: Multiple MD5/SHA256 hashes
  • Cobalt Strike Beacon: Various hashes
  • Custom scripts: Hashes from malware analysis

Network Indicators:

  • C2 domains: Various TLDs and country-code TLDs
  • IP addresses: Compromised infrastructure
  • Malicious URLs: Phishing sites, dropper downloads

SOURCES

Primary Sources:

  • MITRE ATT&CK Groups database (attack.mitre.org/groups/G0096/)
  • Huntress Threat Library (huntress.com/threat-library/threat-actors/apt41)
  • FortiGuard Labs Threat Actor Profile (fortiguard.com/threat-actor/5566/apt41)
  • Picus Security TTP Analysis (picussecurity.com/resource/blog/apt41-cyber-attacks-history-operations-and-full-ttp-analysis)
  • Malpedia (malpedia.caad.fkie.fraunhofer.de/actor/apt41)

Secondary Sources:

  • Group-IB Threat Actor Report
  • Resecurity Threat Intelligence Report
  • Brandefense APT41 Analysis
  • HivePro Threat Advisory
  • HHS.gov APT41 Recent Activity Report

CVE Databases:

  • CVE (Common Vulnerabilities and Exposures)
  • NVD (National Vulnerability Database)
  • MITRE CVE

LAST UPDATED

Date: 2026-06-03

Analyst: IRG Research lurch-bot farm

Review Status: Current