APT41

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to intrusion sets

· Published 16/12/2025 19:39 · Modified 27/03/2026 01:14 · Source: The MITRE Corporation

Essential information

Confidence: 100/100
Published: 16/12/2025 19:39
Modified: 27/03/2026 01:14
Updated at: 27/03/2026 01:14
Revoked: No
Author / Source: The MITRE Corporation
Resource level: —
Primary motivation: —
Related entities: 10 reports, 113 attack patterns (mitre), 35 malware, 21 sectors, 16 countries, 100 indicators, 6 vulnerabilities (cve), 10 tool

Aliases

Wicked Panda Brass Typhoon BARIUM

Description

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

Marking (TLP)

External references

mitre-attack (G0096)
FireEye APT41 Aug 2019
Microsoft Threat Actor Naming July 2023
Group IB APT 41 June 2021
Crowdstrike GTR2020 Mar 2020

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (10)

China-linked Actors Maintain Focus on Organizations Influencing U.S. …

4 CVEs 1 MITRE 2 Malwares 7 Observables 1 APT
SOC files: an APT41 attack on government IT …

4 Malwares 1 APT
APT 41: Threat Intelligence Report and Malware Analysis

14 MITREs 3 Malwares 10 Observables 1 APT
Mark Your Calendar: APT41 Innovative Tactics

5 MITREs 5 Malwares 6 Observables 1 APT
Unmasking the Shadow of PoisonPlug's Obfuscator

20 MITREs 2 Malwares 2 Observables 1 APT
The Dark Knight Returns: Joker malware analysis

6 MITREs 8 Observables 1 APT
AppDomainManager Injection Technique Used to Execute Malware on …

9 MITREs 9 Observables 1 APT
Likely compromise of Taiwanese government-affiliated research institute with …

1 CVE 12 MITREs 4 Malwares 13 Observables 1 APT
MoonWalk

7 MITREs 2 Malwares 3 Observables 1 APT
DodgeBox: A deep dive into the updated arsenal …

6 MITREs 2 Malwares 1 Observable 1 APT

Attack patterns (MITRE) (113)

T1036.003 uses

Rename Legitimate Utilities MITRE
T1195 uses

Supply Chain Compromise MITRE
T1195.002 uses

Compromise Software Supply Chain MITRE
T1016 uses

System Network Configuration Discovery MITRE
T1550 uses

Use Alternate Authentication Material MITRE
T1486 uses

Data Encrypted for Impact MITRE
T1071.004 uses

DNS MITRE
T1543.003 uses

Windows Service MITRE
Compute Hijacking uses

MITRE
T1595 uses

Active Scanning MITRE
T1027.001 uses

Binary Padding MITRE
Data from Configuration Repository uses

T1602 MITRE

← Previous

Page / 10

1–12 of 113

MOPSLED uses

Family
Deed RAT uses

Family
Mydoor uses

Family
APT17 uses
KEYPLUG uses
China Chopper uses

Family
ShadowPad - S0596 uses

Family
DUSTPAN uses
MESSAGETAP uses
Derusbi uses
Dcsync uses

Family
PLUSDROP uses

Family

← Previous

Page / 3

1–12 of 35

Sports targets
Defense ministries (including the military) targets
Finance targets
Road transport targets
Political parties targets
Telecommunications targets
Energy targets
Education targets
Chemical targets
Manufacturing targets
Healthcare targets
Transportation targets

← Previous

Page / 2

1–12 of 21

Brunei Darussalam targets
Central African Republic targets
United Arab Emirates targets
Ireland targets
Malaysia targets
India targets
Germany targets
Philippines targets
Mongolia targets
Viet Nam targets
Taiwan targets
Hong Kong targets

← Previous

Page / 2

1–12 of 16

ns1.extrsports.ru related
151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7 related
visualstudio-microsoft.com related
c840e3cae2d280ff0b36eec2bf86ad35051906e484904136f0e478aa423d7744 related
http://ns1.extrsports.ru:443 related
51ffcff8367b5723d62b3e3108e38fb7cbf36354e0e520e7df7c8a4f52645c4d related
f040a173b954cdeadede3203a2021093b0458ed23727f849fc4c2676c67e25db related
99a0b424bb3a6bbf60e972fd82c514fd971a948f9cedf3b9dc6b033117ecb106 related
ns1.s3-azure.com related
ff4c2a91a97859de316b434c8d0cd5a31acb82be8c62b2df6e78c47f85e57740 related
d62596889938442c34f9132c9587d1f35329925e011465c48c94aa4657c056c7 related
s3-azure.com related

← Previous

Page / 9

1–12 of 100

Vulnerabilities (CVE) (6)

CVE-2022-26134 KEV targets

Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code …

Published: 02/06/2022
Modified: 27/05/2026

CVE-2021-26855 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2018-0824 KEV targets

Microsoft COM for Windows contains a deserialization of untrusted data vulnerability that allows for privilege escalation and remote code execution via a …

Published: 05/08/2024
Modified: 21/12/2025

CVE-2017-17562 KEV targets

8.1 High

Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.

Attack vector: NETWORK
Complexity: HIGH
Published: 12/12/2017
Modified: 22/04/2026

CVE-2017-9805 KEV targets

8.1 High

Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …

Attack vector: NETWORK
Complexity: HIGH
Published: 15/09/2017
Modified: 22/04/2026

CWE-502

CVE-2021-44228 KEV related

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

Tool (10)

netstat uses

The MITRE Corporation Confidence 100

[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)
pwdump uses

The MITRE Corporation Confidence 100

[pwdump](https://attack.mitre.org/software/S0006) is a credential dumper. (Citation: Wikipedia pwdump)
BITSAdmin uses

The MITRE Corporation Confidence 100

[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)
PowerSploit uses

The MITRE Corporation Confidence 100

[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code…
Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
Impacket uses

The MITRE Corporation Confidence 100

[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation,…
ftp uses

The MITRE Corporation Confidence 100

[ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a…
Ping uses

The MITRE Corporation Confidence 100

[Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)
Mimikatz uses

The MITRE Corporation Confidence 100

[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
Net uses

The MITRE Corporation Confidence 100

The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…

Contact About Legal notice Privacy policy Terms of use

APT41

Essential information

Aliases

Description

Marking (TLP)

External references

Related entities

Reports (10)

Attack patterns (MITRE) (113)

Malware (35)

Sectors (21)

Countries (16)

Indicators (100)

Vulnerabilities (CVE) (6)

Tool (10)