APT41
Aliases: Wicked Panda, Brass Typhoon, BARIUM
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries, in 14 countries. Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.
ATT&CK techniques
T1078 Valid Accounts
T1082 System Information Discovery
T1195.002 Compromise Software Supply Chain
T1069 Permission Groups Discovery
T1562.006 Indicator Blocking
T1595.003 Wordlist Scanning
T1059.001 PowerShell
T1014 Rootkit
T1087.002 Domain Account
T1555.003 Credentials from Web Browsers
T1036.005 Match Legitimate Name or Location
T1543.003 Windows Service
T1071.002 File Transfer Protocols
T1018 Remote System Discovery
T1027.002 Software Packing
T1553.002 Code Signing
T1596.005 Scan Databases
T1588.002 Tool
T1098.007 Additional Local or Domain Groups
T1021.002 SMB/Windows Admin Shares
T1037 Boot or Logon Initialization Scripts
T1136.001 Local Account
T1542.003 Bootkit
T1087.001 Local Account
T1071.001 Web Protocols
T1070.001 Clear Windows Event Logs
T1135 Network Share Discovery
T1599 Network Boundary Bridging
T1480.001 Environmental Keying
T1484.001 Group Policy Modification
T1595.002 Vulnerability Scanning
T1005 Data from Local System
T1133 External Remote Services
T1070.004 File Deletion
T1566.001 Spearphishing Attachment
T1053.005 Scheduled Task
T1547.001 Registry Run Keys / Startup Folder
T1546.008 Accessibility Features
T1110 Brute Force
T1550.002 Pass the Hash
T1574.006 Dynamic Linker Hijacking
T1059.003 Windows Command Shell
T1003.002 Security Account Manager
T1568.002 Domain Generation Algorithms
T1569.002 Service Execution
T1071.004 DNS
T1046 Network Service Discovery
T1560.001 Archive via Utility
T1218.011 Rundll32
T1102.001 Dead Drop Resolver
T1008 Fallback Channels
T1555 Credentials from Password Stores
T1496.001 Compute Hijacking
T1003.003 NTDS
T1049 System Network Connections Discovery
T1059.004 Unix Shell
T1486 Data Encrypted for Impact
T1574.002 DLL Side-Loading
T1016 System Network Configuration Discovery
T1033 System Owner/User Discovery
T1105 Ingress Tool Transfer
T1203 Exploitation for Client Execution
T1218.001 Compiled HTML File
T1112 Modify Registry
T1090 Proxy
T1003.001 LSASS Memory
T1213.003 Code Repositories
T1197 BITS Jobs
T1012 Query Registry
T1083 File and Directory Discovery
T1656 Impersonation
T1055 Process Injection
T1021.001 Remote Desktop Protocol
T1190 Exploit Public-Facing Application
T1570 Lateral Tool Transfer
T1027 Obfuscated Files or Information
T1104 Multi-Stage Channels
T1030 Data Transfer Size Limits
T1047 Windows Management Instrumentation
T1056.001 Keylogging
T1070.003 Clear Command History
T1036.004 Masquerade Task or Service
T1574.001 DLL Search Order Hijacking
T1589.001 Credentials
T1589.003 Employee Names
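The technique list above is the form most teams feed into coverage reviews and ATT&CK Navigator. Two details bite in practice: ATT&CK reuses names under different parents (the list carries "Local Account" twice, as T1087.001 and T1136.001, so anything keyed on the name loses one), and sub-techniques such as T1003.001/.002/.003 imply a parent (T1003) that an exact-ID match against a control catalogue will never hit. The following is an added example, not code from this page or from any of the reports it links: it validates the IDs, keys strictly on ID, derives the implied parents and emits a Navigator layer. The embedded input is a constructed subset of the page's list, and the Navigator layer fields and version numbers are assumptions to be matched to the Navigator instance you import into.

```python
import json
import re

# Constructed sample: a subset of the ATT&CK technique IDs this page lists for
# APT41, in the "ID name" form the list uses. Extend with the rest of the page's
# list as needed; the logic does not depend on which IDs are present.
APT41_TECHNIQUES = """\
T1078 Valid Accounts
T1082 System Information Discovery
T1195.002 Compromise Software Supply Chain
T1087.001 Local Account
T1087.002 Domain Account
T1136.001 Local Account
T1070.001 Clear Windows Event Logs
T1003.001 LSASS Memory
T1003.002 Security Account Manager
T1003.003 NTDS
T1589.001 Credentials
T1589.003 Employee Names
"""

# Enterprise ATT&CK IDs: Tnnnn for techniques, Tnnnn.nnn for sub-techniques.
TECHNIQUE_ID = re.compile(r"^(T\d{4})(?:\.(\d{3}))?$")


def is_valid_id(tid):
    return TECHNIQUE_ID.match(tid) is not None


def parent_of(tid):
    """Return the parent technique ID of a sub-technique, or None for a parent."""
    m = TECHNIQUE_ID.match(tid)
    return m.group(1) if m and m.group(2) else None


def parse_techniques(text):
    """Parse 'ID name' lines into a dict keyed by technique ID.

    Keying by ID rather than name matters: ATT&CK reuses names under different
    parents (T1087.001 and T1136.001 are both 'Local Account'), so a name-keyed
    mapping would silently drop one of them.
    """
    techniques = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        tid, _, name = line.partition(" ")
        if not is_valid_id(tid):
            raise ValueError(f"malformed ATT&CK technique ID: {tid!r}")
        if tid in techniques:
            raise ValueError(f"duplicate technique ID: {tid}")
        techniques[tid] = name.strip()
    return techniques


def implied_parents(techniques):
    """Parent techniques implied by listed sub-techniques but not listed themselves.

    A control-coverage review that matches exact IDs only would miss T1003 when
    the list carries just T1003.001/.002/.003.
    """
    parents = {parent_of(t) for t in techniques if parent_of(t)}
    return sorted(parents - set(techniques))


def to_navigator_layer(techniques, name="APT41 techniques (this page)"):
    """Build an ATT&CK Navigator layer as a dict.

    Assumption: Navigator layer format 4.5 with 'techniqueID', 'score',
    'comment', 'enabled' and 'showSubtechniques' per entry; set the 'versions'
    block to match the Navigator you import into. Listed techniques get score 1;
    implied parents get an unscored entry that only expands their sub-techniques.
    """
    listed = set(techniques)
    entries = []
    for tid, tname in sorted(techniques.items()):
        has_listed_children = any(parent_of(c) == tid for c in listed)
        entries.append({
            "techniqueID": tid,
            "score": 1,
            "comment": tname,
            "enabled": True,
            "showSubtechniques": has_listed_children,
        })
    for parent in implied_parents(techniques):
        entries.append({"techniqueID": parent, "enabled": True,
                        "showSubtechniques": True})
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": entries,
    }


if __name__ == "__main__":
    techs = parse_techniques(APT41_TECHNIQUES)
    print(f"{len(techs)} techniques, implied parents: {implied_parents(techs)}")
    print(json.dumps(to_navigator_layer(techs), indent=2))
```

Paste the full list from this page into APT41_TECHNIQUES and write the JSON to a file to load it in Navigator; the implied-parent list is the set of parent techniques you should also check against your detections, since the page lists only the sub-technique level for most of them.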
Correlated CTI and IR reports
APT41 / Operation DragonRx
CTI Analyst Field Manual · explicit report mention · APT41 Targeting Pharmaceutical Sector: Log4Shell to Domain Compromise
1200km CTI repository · explicit report mention · Attack Playbook — Operation DragonRx
1200km CTI repository · explicit report mention · Attribution Methodology: How to Build, Defend, and Challenge a Threat Actor Attribution
1200km CTI repository · explicit report mention · DFIR Playbook — Operation DragonRx
1200km CTI repository · explicit report mention · Detection Guide — Operation DragonRx
1200km CTI repository · explicit report mention · From Threat Intelligence to Detection: A Practitioner's Guide
1200km CTI repository · explicit report mention · Lab Architecture — Operation DragonRx
1200km CTI repository · explicit report mention · Malicious Activity as a Statistical Signal: A Detection Engineering Analysis of Anomaly-Based Detection
1200km CTI repository · explicit report mention · Operation DragonRx — APT41 Full Attack Simulation
1200km CTI repository · explicit report mention · Operation DragonRx: Simulating an APT41 Attack End-to-End — From Log4Shell to DFIR and Malware Analysis
1200km CTI repository · explicit report mention · RxPhage — Custom PlugX-lite Implant
1200km CTI repository · explicit report mention · APT41 Targeting Pharmaceutical Sector Log4Shell to Domain Compromise
1200km Medium · authored report mention · Attack Playbook Operation DragonRx
1200km Medium · authored report mention · From Threat Intelligence to Detection A Practitioner's Guide
1200km Medium · authored report mention · Operation DragonRx Simulating an APT41 Attack End to End From Log4Shell to DFIR and Malware
1200km Medium · authored report mention