APT41
Chinese Ministry of State Security (MSS), linked to Chengdu 404 Network Technology
🇨🇳 China | Nation-State / Cybercriminal Hybrid | Active | MITRE ATT&CK G0096
Key Intelligence
MITRE ID
G0096
Country
🇨🇳 China
Motivation
Espionage, Financial Gain
Active Since
2012
Last Seen
2025
Techniques
28 across 12 tactics
Attribution
Chinese Ministry of State Security (MSS), linked to Chengdu 404 Network Technology
Also Known As
Double Dragon, Wicked Panda, Brass Typhoon, BARIUM, Winnti, Lead, TG-2633, RedGolf, Earth Baku
Target Profile
Targeted Industries
Healthcare, Telecommunications, Gaming, Technology, Government, Higher Education, Manufacturing
Targeted Countries
🇺🇸 United States, 🇬🇧 United Kingdom, 🇮🇳 India, 🇰🇷 South Korea, 🌍 Global

Overview

APT41 is a Chinese threat group with a dual mission: it conducts state-sponsored espionage and, in parallel, financially motivated intrusions for the operators' own benefit, most visibly against the video game industry. Attributed to contractors working for China's MSS, the group has targeted healthcare, telecommunications, technology, and video game companies. Five members were charged in US DOJ indictments unsealed in September 2020. The group is known for software supply chain compromises, rapid exploitation of zero-day and freshly disclosed vulnerabilities in public-facing applications, and large-scale data theft.

Tools & Malware

ShadowPad, POISONPLUG, Winnti, CROSSWALK, LOWKEY, DEADEYE, KeyPlug, DUSTPAN, DUSTTRAP, Cobalt Strike, China Chopper web shell, Mimikatz, Nuclei, Rubeus

Malware & Tool Details

Arsenal attributed to APT41.

Attack Path: Operation CuckooBees / State Gov Targeting (2021)

Following MITRE ATT&CK Flow methodology.


Diamond Model

Caltagirone, Pendergast & Betz (2013)
ADVERSARY
MSS contractors linked to Chengdu 404; indicted operators include Zhang Haoran and Tan Dailin
CAPABILITY
ShadowPad, POISONPLUG, DEADEYE, KeyPlug, Cobalt Strike, DUSTPAN, Winnti
INFRASTRUCTURE
ShadowPad C2, compromised university networks, Cloudflare-fronted domains
VICTIM
Healthcare, telecom, gaming, tech, US state governments

ATT&CK Navigator

Interactive MITRE ATT&CK Navigator layer for APT41 (G0096).


Known CVEs Exploited

CVE             Year  Description
CVE-2019-19781  2019  Citrix ADC / Gateway directory traversal leading to RCE; mass-exploited by APT41 in early 2020
CVE-2020-10189  2020  Zoho ManageEngine Desktop Central deserialization RCE
CVE-2021-44228  2021  Log4Shell (Apache Log4j); used against US state governments
CVE-2021-44207  2021  USAHerds (Acclaim Systems) zero-day; used against US state agricultural agencies

Notable Campaigns

2023
KeyPlug Linux Campaign
Deployment of the Linux variant of the KeyPlug backdoor against telecommunications providers.
2021
USAHerds/Log4j Campaign
Exploitation of Log4Shell (CVE-2021-44228) and a USAHerds zero-day (CVE-2021-44207) to compromise at least six US state government networks.
2020
Citrix/Cisco/Zoho Exploitation
Mass exploitation of Citrix ADC (CVE-2019-19781), Cisco RV320 routers, and Zoho ManageEngine Desktop Central (CVE-2020-10189) across dozens of organizations in the first quarter of 2020.
2019
Operation CuckooBees
Multi-year espionage campaign, reported by Cybereason in 2022, that stole intellectual property from technology and manufacturing companies in North America, Europe, and East Asia.

Detection Engineering

Web Shell Detection on IIS/Apache
Monitor web server directories for new or modified script files (.aspx, .jsp, .php). Alert when w3wp.exe (IIS) or httpd/apache2 spawns cmd.exe, powershell.exe, or bash: a worker process serving requests has no legitimate reason to launch an interactive shell. Apply file integrity monitoring to web root directories, since file-create telemetry alone misses edits to existing files. Sigma rule: web_webshell_detection.
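The two checks described above, implemented over a handful of constructed Sysmon-style events. This is an added example, not code from the original page or from any vendor; the process names, script extensions and web roots are assumptions to be adjusted to the monitored environment, and the Sysmon field names (EventID, ParentImage, Image, TargetFilename) are those of Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate).

```python
"""Web shell detection over constructed Sysmon-style events.

Two rules:
  1. A web server worker process spawning a shell (Sysmon Event ID 1, ProcessCreate).
  2. A script file appearing under a web root (Sysmon Event ID 11, FileCreate).
Event ID 11 fires on creation only; edits to an existing file need file integrity
monitoring, which is outside this example. All events below are constructed samples.
"""

WEB_SERVER_PROCESSES = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm"}
SHELL_PROCESSES = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "dash"}
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".jsp", ".jspx", ".php", ".phtml"}
# Assumed web roots; adjust to the environment being monitored.
WEB_ROOTS = ("C:\\inetpub\\wwwroot", "/var/www", "/usr/share/nginx/html")


def _norm(path):
    """Normalise Windows and POSIX paths to a lower-case, forward-slash form."""
    return path.replace("\\", "/").lower()


def basename(path):
    return _norm(path).rsplit("/", 1)[-1]


def under_web_root(path):
    p = _norm(path)
    return any(p.startswith(_norm(root) + "/") for root in WEB_ROOTS)


def has_script_extension(path):
    name = basename(path)
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in SCRIPT_EXTENSIONS


def detect_webshell_activity(events):
    """Return one alert dict per suspicious event, in input order."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            parent = basename(ev.get("ParentImage", ""))
            child = basename(ev.get("Image", ""))
            if parent in WEB_SERVER_PROCESSES and child in SHELL_PROCESSES:
                alerts.append({
                    "rule": "webserver_spawns_shell",
                    "host": ev.get("Computer"),
                    "detail": f"{parent} -> {child}: {ev.get('CommandLine', '')}",
                })
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if under_web_root(target) and has_script_extension(target):
                alerts.append({
                    "rule": "script_dropped_in_webroot",
                    "host": ev.get("Computer"),
                    "detail": f"{basename(ev.get('Image', ''))} wrote {target}",
                })
    return alerts


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # IIS worker launching a command shell: classic web shell command execution.
    {"EventID": 1, "Computer": "WEB01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # IIS worker invoking the ASP.NET compiler: normal, must not alert.
    {"EventID": 1, "Computer": "WEB01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @App_Web.cmdline"},
    # Worker process writing a new .aspx under the web root.
    {"EventID": 11, "Computer": "WEB01", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\error.aspx"},
    # Installer writing a text file elsewhere: must not alert.
    {"EventID": 11, "Computer": "WEB01", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Program Files\\Vendor\\readme.txt"},
    # Apache on Linux spawning bash.
    {"EventID": 1, "Computer": "web02", "ParentImage": "/usr/sbin/apache2",
     "Image": "/bin/bash", "CommandLine": "bash -c 'id; uname -a'"},
    # Apache writing an uploaded image under /var/www: expected, must not alert.
    {"EventID": 11, "Computer": "web02", "Image": "/usr/sbin/apache2",
     "TargetFilename": "/var/www/html/uploads/avatar.png"},
]

if __name__ == "__main__":
    for alert in detect_webshell_activity(SAMPLE_EVENTS):
        print(alert)
```

Running the sample produces three alerts (two shell spawns, one dropped .aspx); the csc.exe compile and the uploaded image are left alone. In production the extension list should include whatever the server actually executes (for example .cfm on ColdFusion) and the file rule should be paired with the FIM the text calls for.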
DLL Side-Loading Detection
Detect unsigned DLLs loaded by legitimate signed executables using Sysmon Event ID 7 (ImageLoad). Note that the Signed, Signature and SignatureStatus fields of that event describe the loaded DLL, not the host process, so the host's signing status has to come from another source. Monitor the side-loading host binaries known to have been abused: vmnat.exe, colorcpl.exe, consent.exe. Alert on DLL loads from non-standard directories by trusted processes, and treat a Windows system binary running from a user-writable directory as suspicious in its own right.
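The side-loading logic above, run over constructed Sysmon Event ID 7 records. This is an added example and not the page's or any vendor's code. Because Event ID 7 carries signature fields for the loaded DLL only, the example assumes an upstream enrichment field named HostSigned (hypothetical) that states whether the host executable is validly signed; the directory lists and the host binary names come from the text.

```python
"""DLL side-loading detection over constructed Sysmon Event ID 7 (ImageLoad) records.

The Signed/Signature/SignatureStatus fields of Event ID 7 describe the loaded DLL,
not the host process, so the host's signing status is read from an assumed upstream
enrichment field "HostSigned" (hypothetical; e.g. a hash lookup on the Event ID 1 record).
All records below are constructed samples.
"""

SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/", "c:/windows/winsxs/")
USER_WRITABLE_HINTS = ("c:/users/", "c:/programdata/", "c:/windows/temp/")
# Signed host binaries the page lists as abused by APT41 for side-loading.
KNOWN_SIDELOAD_HOSTS = {"vmnat.exe", "colorcpl.exe", "consent.exe"}
# Of those, the Windows components that normally live in System32.
WINDOWS_NATIVE_HOSTS = {"colorcpl.exe", "consent.exe"}


def _norm(path):
    return path.replace("\\", "/").lower()


def basename(path):
    return _norm(path).rsplit("/", 1)[-1]


def dirname(path):
    return _norm(path).rsplit("/", 1)[0] + "/"


def dll_is_validly_signed(ev):
    return str(ev.get("Signed", "false")).lower() == "true" and ev.get("SignatureStatus") == "Valid"


def detect_sideloading(events):
    """Return one alert per signed host that loads an unsigned DLL from outside system dirs."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        host, dll = ev["Image"], ev["ImageLoaded"]
        if dll_is_validly_signed(ev):
            continue                  # validly signed DLL: not this rule's concern
        if dirname(dll).startswith(SYSTEM_DIRS):
            continue                  # tampering inside System32 is a separate (FIM) detection
        if not ev.get("HostSigned", False):
            continue                  # unsigned host + unsigned DLL: a different, noisier rule
        reasons = ["signed_host_loads_unsigned_dll"]
        if basename(host) in KNOWN_SIDELOAD_HOSTS:
            reasons.append("known_sideload_host")
        if dirname(host) == dirname(dll) and dirname(host).startswith(USER_WRITABLE_HINTS):
            reasons.append("host_and_dll_colocated_in_user_writable_dir")
        if basename(host) in WINDOWS_NATIVE_HOSTS and not dirname(host).startswith(SYSTEM_DIRS):
            reasons.append("windows_binary_running_outside_system32")
        severity = "high" if len(reasons) > 1 else "medium"
        alerts.append({"host": host, "dll": dll, "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Signed vmnat.exe copied to ProgramData, loading an unsigned DLL beside it.
    {"EventID": 7, "Image": "C:\\ProgramData\\VMware\\vmnat.exe", "HostSigned": True,
     "ImageLoaded": "C:\\ProgramData\\VMware\\vmnetbridge.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Ordinary system DLL load: must not alert.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "HostSigned": True,
     "ImageLoaded": "C:\\Windows\\System32\\wtsapi32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Signed vendor application loading an unsigned plugin from its install directory.
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "HostSigned": True,
     "ImageLoaded": "C:\\Program Files\\Vendor\\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # colorcpl.exe relocated to a temp directory and loading an unsigned DLL beside it.
    {"EventID": 7, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\colorcpl.exe", "HostSigned": True,
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\colorui.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Unsigned downloaded tool loading an unsigned helper: excluded from this rule.
    {"EventID": 7, "Image": "C:\\Users\\bob\\Downloads\\tool.exe", "HostSigned": False,
     "ImageLoaded": "C:\\Users\\bob\\Downloads\\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for alert in detect_sideloading(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["reasons"])
```

The vendor application loading its own unsigned plugin is scored medium rather than suppressed: it is exactly the pattern a side-loaded ShadowPad produces, and only an allowlist of known vendor install paths should quiet it.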
DNS Tunneling Detection
Alert on DNS queries with subdomain labels exceeding 50 characters (the protocol maximum is 63) or with high Shannon entropy in the subdomain portion, which is characteristic of encoded payloads. Monitor for excessive DNS TXT record queries to a single registered domain, a common tunneling channel. Deploy passive DNS monitoring to identify newly registered domains mimicking legitimate services.
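The three DNS heuristics above (label length, subdomain entropy, TXT volume), applied to a constructed query log. This is an added example and not code from the original page; the log line format, the thresholds and the two-label approximation of a registered domain are assumptions. It also serves the DNS monitoring item in the Defense Recommendations below.

```python
"""DNS tunnelling heuristics over constructed DNS query logs.

Checks: a label longer than 50 characters, a high-entropy subdomain, and an unusual
volume of TXT queries to one registered domain. Log lines use an assumed
"<utc> <client> <qtype> <qname>" format and are constructed samples, not real traffic.
"""
import math
from collections import Counter, defaultdict

MAX_LABEL_LEN = 50          # the page's threshold; the protocol maximum is 63
MIN_SUBDOMAIN_LEN = 24      # entropy is not meaningful on short names
ENTROPY_THRESHOLD = 3.5     # bits per character; hex payloads approach 4.0, base32/base64 go higher
TXT_VOLUME_THRESHOLD = 20   # TXT queries to one registered domain within the analysed window


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    # Assumption: the last two labels are the registered domain. Production code
    # should consult the Public Suffix List (co.uk and similar).
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_labels(qname):
    return qname.rstrip(".").split(".")[:-2]


def parse_line(line):
    utc, client, qtype, qname = line.split()
    return {"utc": utc, "client": client, "qtype": qtype.upper(), "qname": qname.lower()}


def analyse_dns_log(lines):
    """Return per-name alerts in first-seen order, then one alert per high-volume TXT domain."""
    alerts = []
    txt_counts = defaultdict(int)
    seen = set()
    for line in lines:
        rec = parse_line(line)
        qname = rec["qname"]
        if rec["qtype"] == "TXT":
            txt_counts[registered_domain(qname)] += 1
        if qname in seen:
            continue                   # per-name rules are evaluated once per distinct name
        seen.add(qname)
        labels = subdomain_labels(qname)
        rules = []
        if any(len(label) > MAX_LABEL_LEN for label in labels):
            rules.append("long_label")
        blob = "".join(labels)
        if len(blob) >= MIN_SUBDOMAIN_LEN and shannon_entropy(blob) > ENTROPY_THRESHOLD:
            rules.append("high_entropy")
        if rules:
            alerts.append({"qname": qname, "client": rec["client"], "rules": rules})
    for domain, count in txt_counts.items():
        if count >= TXT_VOLUME_THRESHOLD:
            alerts.append({"qname": domain, "client": None, "rules": ["txt_volume"], "count": count})
    return alerts


# Two 32-character hex labels in which every hex digit appears exactly four times, so the
# 64-character subdomain has an entropy of exactly 4.0 bits/char while no label exceeds 50.
HEX_LABEL_A = "3f9a7c1e5b2d8046c0e9b7d2f5a83164"
HEX_LABEL_B = "1b6d4f0a7c9e25388f1a4c7e0b3d6925"
# One 56-character label: valid DNS (at most 63) but over the 50-character threshold.
LONG_LABEL = "a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7"

# Constructed sample log: five benign queries, two encoded-looking names, 25 TXT queries.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 A www.example.com",
    "2024-05-01T10:00:01Z 10.0.0.5 AAAA mail.example.org",
    "2024-05-01T10:00:02Z 10.0.0.5 TXT _dmarc.example.org",
    "2024-05-01T10:00:03Z 10.0.0.5 A cdn-assets-01.example.net",
    "2024-05-01T10:00:04Z 10.0.0.5 A autodiscover.outlook.example.com",
    f"2024-05-01T10:00:05Z 10.0.0.5 A {HEX_LABEL_A}.{HEX_LABEL_B}.example.com",
    f"2024-05-01T10:00:06Z 10.0.0.5 A {LONG_LABEL}.example.com",
] + [f"2024-05-01T10:01:{i:02d}Z 10.0.0.5 TXT seq{i}.tun.example.com" for i in range(25)]

if __name__ == "__main__":
    for alert in analyse_dns_log(SAMPLE_LOG):
        print(alert)
```

The entropy rule is gated on a minimum subdomain length because short names such as cdn-assets-01 score meaninglessly; the TXT rule is counted per registered domain rather than per query name because a tunnel rotates the subdomain on every request.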

Related Threat Actors

Documented in MITRE ATT&CK, vendor intelligence, and government advisories.

Defense Recommendations

Mitigations mapped to MITRE ATT&CK mitigation IDs, each with a reference for implementation guidance.

M1051 Update Software: Patch public-facing applications within 24 hours of a critical CVE disclosure. APT41 mass-exploited Citrix ADC, ManageEngine, and Log4Shell within days of disclosure. (Reference: CISA KEV Catalog)
M1050 Exploit Protection: Deploy WAF rules that block web shell uploads (.aspx, .jsp, .php). APT41 has used web shells for persistence on compromised web servers. (Reference: OWASP Web Shell Guide)
M1038 Execution Prevention: Deploy WDAC/AppLocker policies to stop DLL side-loading. APT41 abuses signed executables to load ShadowPad and other payloads. (Reference: Microsoft WDAC)
M1031 Network Intrusion Prevention: Monitor DNS for tunneling via entropy analysis and TXT query volume. APT41 has used DNS for command and control and exfiltration. (Reference: SANS DNS Hunting)

Attribution Confidence

High
Evidence Supporting Attribution
DOJ indictments charging 5 Chinese nationals (with 2 Malaysian co-defendants) for APT41 activity, unsealed September 2020
https://www.justice.gov/opa/pr/seven-international-cyber-def
FBI wanted posters for APT41 operators
https://www.fbi.gov/wanted/cyber/apt-41-group
Mandiant, CrowdStrike, Microsoft vendor attributions
https://www.mandiant.com/resources/blog/apt41-dual-espionage

Threat Assessment

Capability: 9/10
Intent: 9/10
Targeting: 8/10
Overall Threat Level: Critical
Rare dual-purpose actor conducting both state espionage and financially motivated cybercrime. Extremely versatile with supply chain and zero-day capability.

Legal Actions & Sanctions

2020-09
DOJ charges 7 defendants (5 Chinese nationals and 2 Malaysian nationals) in connection with APT41 intrusions affecting more than 100 victim organizations
Indictment
https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer

Recent Reporting

2024-08

Emulation Plans & Guidance

Plan                               Source            Type       Description
ATT&CK Evaluations Library         MITRE Engenuity   Framework  Official APT41 evaluation plan and detection analytics
Cybereason CuckooBees Analysis     Cybereason        Guide      Detailed technical analysis of APT41 Operation CuckooBees with IOCs
SCYTHE #ThreatThursday - APT41     SCYTHE            Blog Post  APT41 emulation plan with CTI profile, bitsadmin/certutil LOLBins, persistence, and Kerberoasting

References & Intelligence Sources

Page Contributors

Adversary Village
MITRE ATT&CK Team
BreachSimRange