Share article

Decoding Chinese Hacking Syndicate – APT 41


Author: Ms Khyati Singh, Research Associate, Centre for Air Power Studies

Keywords: Cyber Security, Chinese Hackers, APT 41, Cyber Attack, Double Dragon, Wicked Panda.

It has become nearly impossible to talk about any international venture without the mention of China. One such domain has been cyber-security and cyber-attacks. The cyber-attacks perpetuated by China have become the new normal and have been a cause of concern for several institutions in the United States. Furthermore, these attacks are not only being conducted by the Chinese state, but the People’s Liberation Army (PLA) and the Ministry of State Security are backing various hacker groups to follow a similar trail.[i]

Recently, nearly six states have come under cyber-attacks, most of which were conducted through an application which is used to track disease in livestock, known as USAHEARDS. This attack is suspected to have been carried out by the infamous APT41 criminal hacking group located in Chengdu. APT stands for Advanced Persistent Threat, and has many names like Wicked Panda, Winnti, Double Dragon, Barium, and Wicked Spider.[ii] APT 41, the official name that the US security agencies have given it, also targets organizations to collect ransoms. It has been active in the public domain since 2012 and has been targeting all possible spheres of public conduct, from health care and telecom to video games and other everyday use applications. These targets are aligned with China’s economic plans and try to gain strategic access to various organizations.

Earlier it was involved in exploiting the vulnerabilities, and mass scanning but it is expanding its target audience and range. The US government has uncovered that it is actively involved in activities that directly affect and harm state governments. APT 41 tried to exploit a vulnerability through a SQL(Structured Query Learning) injection and was countered by Mandiant Managed Defense. In a series of attacks that followed between the two, it was identified that they had been exploiting various kinds of vulnerabilities, especially in commercial applications. Furthermore, it has been quick on the part of its operations as it picks on the publicly available vulnerabilities and adapts to its needs in no time. They have been increasingly trying to penetrate the state government structure. Mediant released the following chart to map out the series of attacks.[iii]

APT 41 has been able to perform instant reconnaissance after penetrating an internet server. In addition, it continues to deploy advanced malware in its operations. DEADEYE launcher and Lowkey being one of them. These anti-analysis technologies allow them to keep away from any investigation and operate undetected. APT 41 has been working to advance its capabilities and has successfully upgraded the guardrail capabilities of DEADEYE. ‘Guardrailing’ is a tactic deployed by malware to ensure that the binary only unleashes on the system that is chosen by the threat actor. Hence, narrowing down the margin of error. To remain undetected APT 41 keeps leveraging advanced tradecraft, it kept blocking identification servers to persist. [iv]

The group, being financially motivated, is expanding its base and is increasingly targeting the video game industry, where it tries to deploy ransomware and dictate virtual currency. Moreover, due to its flexible and adaptive nature, it has been able to move laterally within the networks and has affected the biggest system providers like Linux and Windows. By hacking these systems, they steal source code, which comes in handy to sign malware. They further compromise supply chains by injecting malicious codes into legitimate files that are distributed to the organizations. Therefore, creating a series of discrepancies.

What makes APT 41 different from its contemporaries is the vast range of malware it has at its disposal. It has 46 different malware systems to leverage and accomplish the task. It also masquerades with the commonly available systems, and hence its detection becomes difficult. For instance, for a majority of its operations, it relies on spear-phishing emails that have attachments like HTML (.chm), which are not easily identified. In a single hacking attack, APT 41 uses up to 150 unique sets of malwares, including rootkits, keyloggers, backdoors, and credential stealers.[v]

Following the trail of other Chinese espionages, APT 41 is also moving to conduct more strategic operations and is working on intelligence collection. However, that is not keeping it away from extracting gains by exploiting private players or exploiting the video game industry. The state’s support, in fact, is enhancing its capabilities and allowing it to evade any scrutiny from that end.

The US alone is not on the radar of such attacks. India too has come under cyber-attacks from APT 41 in the past. In 2021, BlackBerry Research and Intelligence researchers identified a series of phishing attacks that targeted victims in India. These contained data about new tax legislation and COVID-19 records and statistics. They masqueraded as the Indian government to maintain its credibility.[vi] They have targeted many pro-democracy activists and countries like Hong Kong, France, Japan, Myanmar, Italy, Thailand, Turkey, Singapore, South Korea, the UK, Switzerland, South Africa, and Vietnam. A report by FireEye also found them responsible for some of the most exploitative supply chain attacks, where they exploited profiles available in the public domain to appear as legitimate network traffic, like the ones that come from Gmail, Amazon, and OneDrive. [vii] The following map was shared by FireEye in its report that points out countries where the attacks have been rampant, along with the list of industries that they target.

To mitigate these attacks, it is important to keep updating network-based security measures and parameters, along with the focus on the protection of sensitive content. The US Information Assurance Directorate issued some strategies that can be used to counter the APT 41 threat. These included damage containment, device integrity, secure and available transport, and account protection.[viii]

It is crucial to tap into the cyber domain now more than ever. Aggressive states are using the cyber front as a proxy front to penetrate into the system and affect critical infrastructure. APT 41 is one such group, while there are way too many in operation. The fact that they have state cover allows them to exploit their capabilities to the fullest. Cyberspace is growing every day, and so are threat actors. Any delay on the part of the states ends up proving a strategic loss which is felt both in terms of money and matters.




[i] Garrett O’Brien, “A deep dive into APT41, one of the most aggressive and effective Chinese cyber hacking groups.”, The Wire China, July 31, 2022,, Accessed on August 02, 2022

[ii] Ibid.

[iii] Rufus Brown et al, “Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments”, Mandiant 2022. Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments | Mandiant. Accessed on August 02, 2022.

[iv] Ibid.

[v] “FireEye Identifies Prolific Chinese Cyber Threat Group”, FIREEYE, APT41: FireEye Identifies Prolific Chinese Cyber Threat Group. Accessed on August 02, 2022.

[vi] Shubhobrota Dev Roy, “Chinese hacker group APT41 targeting Indian citizens with phishing attacks, credential stealers”,  TechCircle, Chinese hacker group APT41 targeting Indian citizens with phishing attacks, credential stealers ( Accessed on August 02, 2022

[vii]FireEye Identifies Prolific Chinese Cyber Threat Group”, FIREEYE, APT41: FireEye Identifies Prolific Chinese Cyber Threat Group. Accessed on August 02, 2022

[viii] “Strategies for Mitigating Advanced Persistent Threats (APTs)”, Encyclopaedia KasperskyStrategies for Mitigating Advanced Persistent Threats (APTs) P.1 | Kaspersky IT Encyclopaedia. Accessed on August 03,2022.

Related articles