Threat Actor Profile
Wicked Spider
Wicked Spider, a financially motivated threat actor and a component of the China-nexus group APT41, has emerged as a key cyber adversary. Known for its dual capability of criminal profit-making and state-sponsored espionage, Wicked Spider leverages advanced techniques such as spear-phishing, supply chain attacks, and certificate theft to target industries globally, with a strong focus on gaming and technology.
Country of Origin
Wicked Spider originates from China, with credible links to state-sponsored operations potentially directed by the Ministry of State Security. Its role in carrying out sophisticated cyberattacks aligns with broader Chinese cybersecurity strategies.
Members
The exact number of individuals in Wicked Spider is not publicly disclosed. It is believed to operate as part of, or alongside, the larger APT41 collective, also known as Winnti, Barium, and Wicked Panda. This overlap enables dynamic and scalable operations, blending espionage and financial motivations.
Leadership
Specific leadership figures of Wicked Spider remain unknown. However, the group is broadly considered a criminal division of APT41, which operates with decentralized coordination under the umbrella of state directives and opportunistic financial pursuits.
Wicked Spider TTPs
Tactics
Wicked Spider targets the theft of intellectual property, confidential business data, and financial resources. It operates with two key motives: achieving monetary profit through cybercrime and advancing state intelligence objectives.
Techniques
The group runs spear-phishing campaigns, exploits vulnerabilities in public-facing systems, and compromises supply chains to gain access. It frequently uses stolen code-signing certificates to distribute sophisticated malware while evading detection.
Procedures
Its procedures involve using the Winnti malware family, leveraging legitimate tools for stealth ("living off the land"), and utilizing open-source solutions for lateral movement. Supply chain implants and modular toolsets allow flexibility in delivering customized payloads based on specific objectives.
Notable Cyberattacks
One of Wicked Spider's most significant campaigns involved breaching gaming companies to harvest code-signing certificates, which were subsequently used to disguise malicious software. Relatedly, in 2020, the U.S. Department of Justice indicted members of APT41, attributing years-long campaigns targeting high-tech and gaming companies to groups like Wicked Spider.
Law Enforcement & Arrests
In 2020, global law enforcement efforts resulted in the indictment of seven individuals linked to APT41. These charges underline the growing international crackdown on state-backed and criminal cyber actors like Wicked Spider.
How to Defend Against Wicked Spider
To reduce risk, organizations should prioritize securing their supply chains, strengthening email defenses, and closely monitoring certificate usage for suspicious activity.
Strong cyber hygiene combined with advanced tools like endpoint detection and response (EDR) is essential, helping teams spot indicators of compromise, track abnormal endpoint behavior, and deliver actionable threat intelligence to stop attacks before they succeed.
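As an added illustration of the certificate-usage monitoring recommended above (example code, not from the original page or from Huntress), the script below checks a constructed inventory of Authenticode signatures and flags binaries signed with a certificate at or after its revocation date, untimestamped signatures, and signers that do not match the vendor expected for an install path. All thumbprints, organization names, paths, and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
@dataclass
class SignedBinary:
    """One Authenticode signature as exported by an inventory tool (fields are constructed)."""
    path: str                       # where the binary was found
    signer_cn: str                  # subject CN of the leaf code-signing certificate
    thumbprint: str                 # SHA-1 thumbprint of that certificate
    timestamp: "datetime | None"    # RFC 3161 countersignature time; None if untimestamped

# Constructed revocation data: thumbprint -> date the CA revoked the certificate.
REVOKED_CERTS = {
    "0000000000000000000000000000000000000001": datetime(2019, 3, 1),
}

# Constructed allowlist: the signer CN expected for binaries under each install path.
EXPECTED_SIGNER = {
    "C:\\Program Files\\ExampleGame\\": "Example Game Studio Ltd",
    "C:\\Program Files\\ExampleVPN\\": "Example VPN Inc",
}

def assess(binary: SignedBinary) -> list:
    """Return finding strings for one signed binary; an empty list means nothing flagged."""
    findings = []
    if binary.timestamp is None:
        # Without a trusted timestamp the signature cannot prove it predates a revocation.
        findings.append("untimestamped signature")
    revoked_on = REVOKED_CERTS.get(binary.thumbprint.lower())
    if revoked_on is not None:
        if binary.timestamp is None or binary.timestamp >= revoked_on:
            findings.append("revoked certificate used at or after revocation")
        else:
            findings.append("certificate later revoked; timestamp predates revocation")
    expected = next((cn for p, cn in EXPECTED_SIGNER.items() if binary.path.startswith(p)), None)
    if expected is not None and binary.signer_cn != expected:
        findings.append("signer does not match vendor expected for install path")
    return findings

def triage(inventory):  # path -> findings, flagged binaries only
    return {b.path: f for b in inventory if (f := assess(b))}

# Constructed sample inventory: clean, revoked game-studio cert reused on an unrelated file, wrong signer in vendor dir.
SAMPLE = [
    SignedBinary("C:\\Program Files\\ExampleGame\\launcher.exe", "Example Game Studio Ltd",
                 "0000000000000000000000000000000000000002", datetime(2018, 5, 1)),
    SignedBinary("C:\\Users\\Public\\updater.exe", "Example Game Studio Ltd",
                 "0000000000000000000000000000000000000001", datetime(2019, 8, 15)),
    SignedBinary("C:\\Program Files\\ExampleVPN\\svc.exe", "Example Game Studio Ltd",
                 "0000000000000000000000000000000000000002", None),
]
```

Running `triage(SAMPLE)` reports only the second and third records; the revoked-certificate case is the pattern the page describes, a gaming company's certificate turning up on software that company never shipped.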