Threat Actor Profile

APT41

APT41, also referred to as "Double Dragon," is a Chinese state-sponsored advanced persistent threat (APT) group. Active since at least 2012, it is unusual among state-linked actors in combining government-directed cyber espionage with financially motivated cybercrime run for the operators' own benefit. Known for sophisticated TTPs and rapid exploitation of newly disclosed vulnerabilities, APT41 remains one of the most versatile and dangerous threat actors on the global stage.

Country of Origin

APT41 is widely believed to operate out of China, with strong affiliations to the Ministry of State Security (MSS). This assessment is supported by connections to Chinese contractors and state interests.

Members

APT41's group size and exact structure remain unknown, but their operations suggest a large and well-funded team, combining expertise in cyber espionage, vulnerability exploitation, and financial theft. Commonly used aliases include Wicked Panda, Bronze Atlas, and Winnti.

Leadership

While specific leadership details are scarce, U.S. indictments in 2020 revealed five Chinese nationals allegedly linked to this group. These individuals were identified as part of coordinated intrusion operations supporting China’s broader strategic goals.

APT41 TTPs

Tactics

APT41 pursues dual missions: espionage campaigns targeting governments, research, defense, and technology sectors, and financially motivated cybercrime aimed at fraud and theft. This dual focus maximizes their operational impact globally.

Techniques

Their techniques include spear-phishing with malicious attachments, rapid exploitation of vulnerabilities in internet-facing applications (Log4Shell was weaponized within hours of its public disclosure, and a zero-day in the USAHerds animal-health application was used against U.S. state governments), and compromising software supply chains to distribute trojanized updates through trusted channels.

Procedures

They utilize custom malware families, bootkits, and rootkits for stealth and persistence, credential harvesting for lateral movement, and covert C2 channels like Google Calendar. They are also adept at living-off-the-land strategies to avoid detection.

Notable Cyberattacks

  • Supply Chain Compromises: Compromising software vendors and trojanizing legitimate updates, so victims install the malware through a trusted distribution channel.

  • 2021-2022 Campaigns: Exploited vulnerabilities like Log4Shell to compromise U.S. state networks.

  • Global Campaigns: Exploited vulnerabilities in Zoho ManageEngine Desktop Central, Cisco routers, and Citrix ADC/Gateway appliances in a wide-ranging 2020 intrusion campaign spanning many countries and sectors.

  • Southern Africa Espionage: Targeted a government IT services organization using tools like Pillager and Checkout.

Law Enforcement & Arrests

The U.S. Department of Justice indicted members of APT41 in 2020 for their role in cyber intrusions targeting over 100 global businesses. These crimes highlighted the group’s dual-focus approach and its link to Chinese state-sponsored operations.

How to Defend Against APT41

1. Patch Management: Prioritize internet-facing applications and appliances and patch them promptly after disclosure; APT41 has exploited new vulnerabilities within hours, so a monthly cycle is too slow for perimeter systems.

2. Network Segmentation: Separate high-value assets from public-facing applications so that a compromised web server or appliance does not provide a direct path to domain controllers and data stores.

3. Threat Intelligence: Match current IoCs (hashes, domains, IP addresses) against endpoint and network telemetry, and hunt on the group's TTPs as well, since infrastructure changes faster than tradecraft.

4. Advanced Monitoring: Detect anomalies such as non-system processes reading LSASS memory (credential dumping), living-off-the-land binaries making outbound connections, and unusual outbound traffic from servers that should not talk to the internet.
