Back

APT41 Exploits Cloud Services with New Zero-Detection ELF Backdoor

Severity: High (Score: 77.0)

Sources: intel.breakglass.tech, www.cybersecuritydive.com, Csoonline, Cybersecuritynews, Darkreading

Summary

APT41, a China-backed threat group, has been identified using a new zero-detection ELF backdoor targeting Linux cloud workloads across major platforms including AWS, Google Cloud Platform, Microsoft Azure, and Alibaba Cloud. The backdoor operates via SMTP port 25 for command-and-control communication, making it difficult to detect with conventional tools. This malware harvests cloud provider credentials and metadata, posing a significant risk to organizations with broad permissions. The backdoor has zero detections on VirusTotal, indicating its stealthy nature. APT41 has also employed typosquatting techniques, registering domains that mimic legitimate services to obscure its activities. The campaign represents a notable evolution in APT41's operational tactics, focusing on cloud environments rather than traditional endpoints. The group has a history of state-sponsored espionage and cybercrime, with previous indictments failing to deter its operations. Key Points: • APT41's new ELF backdoor targets major cloud platforms with zero detections on VirusTotal. • The malware uses SMTP port 25 for covert command-and-control communication. • Typosquatting techniques complicate tracking and detection of APT41's activities.

Key Entities

  • APT41 (apt_group)
  • Barium (apt_group)
  • Brass Typhoon (apt_group)
  • Silver Dragon (apt_group)
  • Wicked Panda (apt_group)
  • Malware (attack_type)
  • Singapore (country)
  • aliyuncs.com (domain)
  • 169.254.169.254 (ipv4)
  • Pwnlnx (malware)
  • ToughProgress (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1071.002 - File Transfer Protocols (mitre_attack)
  • Alibaba Cloud (company)
  • Amazon Web Services (company)
  • AWS (company)
  • Azure (company)
  • Google Cloud Platform (company)
  • Cloudflare Worker (tool)
  • Google Cloud (tool)
  • GCP (platform)
  • Google Calendar (platform)
  • Linux (platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed