Free Access
Blog

13 Organizations Targeted by Chinese-Linked APT41 and a New Wave of Cobalt Strike Infections

This image is about 13 organizations targeted by Chinese-linked APT41 and a new wave of Cobalt Strike infections.

APT41

APT41, one of the state-sponsored ex-hacker groups, breached government networks in six US states in March 2022, including by exploiting a vulnerability in a livestock management system, according to Mandiant researchers.

Cybersecurity firm Group-IB’s investigations resulted in nearly 80 proactive notifications of APT41 attacks against their infrastructure to private and government organizations worldwide.

The group’s targets include government and private organizations based in the United States, Taiwan, India, Thailand, China, Hong Kong, Mongolia, Indonesia, Vietnam, Bangladesh, Ireland, Brunei and the United Kingdom.

According to the analysis, the sectors targeted by APT41 in the campaigns are the government sector, manufacturing, health, logistics, accommodation, finance, education, telecommunications, consultancy, sports, media and travel.

Attackers use tools such as Acunetix, Nmap, Sqlmap, OneForAll, subdomain3, subDomainsBrute, and Sublist3r for discovery.

During its infiltration phase, APT41 used various techniques such as spear phishing emails, exploiting various vulnerabilities (including Proxylogon), and thirst and supply chain attacks.

Threat actors used SQL injections in some cases. Such attacks were carried out with the publicly available SQLmap tool.

APT41 members gained access to a target server’s command shell and were able to execute certain commands. The group also used this tool to upload files to the target server. At this stage, the files were either Cobalt Strike Beacons or custom web shells.

The group usually uses certain servers only to host the Cobalt Strike framework. It uses others only for active browsing through Acunetix.

By the end of 2021, the number of Cobalt Strike servers exclusively used for command and control reached 106, according to Group-IB Threat Intelligence data. However, many of them are no longer active.

The cybersecurity firm said that while this tool has been favored by cybercriminal gangs targeting banks in the past, it is now popular with various threat actors, including notorious ransomware operators.

References:

https://blog.group-ib.com/apt41-world-tour-2021

More posts

This image is about monthly vulnerabilities for September 2024.
Peek into Monthly Vulnerabilities: September 2024
October 9, 2024
This image is about the ServiceNow data leak.
ServiceNow Data Leak: Risks of Misconfigured Knowledge Bases
September 18, 2024
This image is about monthly vulnerabilities for July 2024.
Peek into Monthly Vulnerabilities: July 2024
August 12, 2024
This image is about Securing the Games- cyber strategies for the Paris Olympics 2024.
Securing the Games: Cyber Strategies for Paris Olympics 2024
August 9, 2024
Hunter’s Lens: Russian Influence Operations Targeting the Paris Olympics 2024
Hunter’s Lens: Russian Influence Operations Targeting the Paris Olympics 2024
August 2, 2024
View All
advanced divider

Share this article

Found it interesting? Don’t hesitate to share it to wow your friends or colleagues
advanced divider
Subscribe to our blog newsletter to follow the latest posts
Stay informed with the latest updates, expert insights, and in-depth analysis from ThreatMon’s cybersecurity intelligence. Subscribe to receive critical news, threat reports, and industry trends directly in your inbox, helping you stay ahead of emerging cyber threats.
Platform
Subscriptions
Solutions
Resources
Partner
Company

© 2025 ThreatMon. All rights reserved.

X-twitter Linkedin-in Github