Chinese APT41 back in action compromising companies in Italy, Spain, Taiwan, Turkey, UK


Multiple organizations around the world have been compromised by the prolific Chinese state-sponsored threat group known as APT41, Google’s cybersecurity research arm Mandiant warns.

A group of hackers under the APT41 umbrella is conducting a sustained campaign to target and successfully compromise businesses operating in the global shipping and logistics, media and entertainment, technology, and automotive sectors.

“APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since 2023, enabling them to extract sensitive data over an extended period,” Mandiant said in a new report. “The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom.”

Mandiant has also detected reconnaissance activity targeting similar organizations elsewhere, including Singapore.

APT41 is a well-known Chinese state-sponsored threat group that specializes in espionage but also carries out financially motivated operations. It is known for compromising companies in the video game industry by stealing source code and digital certificates, manipulating virtual currencies, and attempting to deploy ransomware. Previously, the threat actor targeted healthcare, high-tech, telecoms, and other sectors.

The threat actor uses a combination of sophisticated methods to gain access, stay hidden for extended periods, and steal sensitive information.

APT41 has deployed both publicly available malicious software and custom tools with codenames such as DUSTPAN and DUSTTRAP. Mandiant says that APT41 was observed using OneDrive to exfiltrate staged data, creating a Windows service, and using legitimate Windows file names and locations to achieve persistence. The hackers deleted files from the system after they were done using them.