APT41 Exploits Cloud Services with New Zero-Detection ELF Backdoor

APT41 Exploits Cloud Services with New Zero-Detection ELF Backdoor

First seen 13 Apr 2026, 18:30 UTC Darkreadingintel.breakglass.techwww.cybersecuritydive.comGbhackersCybersecuritynews+1 84% similarity 77.0

Article Content

Browse articles
ThreatCluster

APT41, a China-backed threat group, has been identified using a new zero-detection ELF backdoor targeting Linux cloud workloads across major platforms including AWS, Google Cloud Platform, Microsoft Azure, and Alibaba Cloud. The backdoor operates via SMTP port 25 for command-and-control communication, making it difficult to detect with conventional tools. This malware harvests cloud provider credentials and metadata, posing a significant risk to organizations with broad permissions. The backdoor has zero detections on VirusTotal, indicating its stealthy nature. APT41 has also employed typosquatting techniques, registering domains that mimic legitimate services to obscure its activities. The campaign represents a notable evolution in APT41's operational tactics, focusing on cloud environments rather than traditional endpoints. The group has a history of state-sponsored espionage and cybercrime, with previous indictments failing to deter its operations.

Key Points: • APT41's new ELF backdoor targets major cloud platforms with zero detections on VirusTotal. • The malware uses SMTP port 25 for covert command-and-control communication. • Typosquatting techniques complicate tracking and detection of APT41's activities.

ThreatCluster AI

Timeline

2026-01-20
APT41 registered three typosquatted domains.
2026-04-13
APT41's ELF backdoor reported targeting cloud environments.
2026-04-14
APT41's campaign detailed in multiple cybersecurity articles.

Community

Browse all →