Red Hot Cyber

Chinese-Linked Cyber Espionage: APT41 Uses SharePoint to Infiltrate African Governments

Redazione RHC : 4 August 2025 07:15

The China-linked group APT41 has launched a new espionage operation against government IT services in Africa, a region where the group had previously shown little activity. Kaspersky Lab specialists identified the attack after detecting suspicious activity on several workstations of an organization whose identity has not been disclosed. The attackers were running remote administration tools and executing commands to check whether their command-and-control (C2) servers were reachable from inside the compromised network.

It later emerged that the entry point was an unmonitored host on which the Impacket framework, including the atexec and wmiexec modules, was run under a service account. After this initial execution the attackers paused. They then resumed using stolen high-privilege credentials to escalate their rights and move laterally across the network, deploying Cobalt Strike via DLL sideloading.
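The Impacket modules named above leave characteristic traces in process-creation telemetry. The detector below is an added example, not code from the Kaspersky report or from APT41's toolset: it reads constructed Sysmon-style events (the hostnames, users and command lines are invented for the example) and flags the default output-redirection patterns of wmiexec.py and atexec.py, plus any shell spawned by WmiPrvSE.exe, which is the process that executes WMI Win32_Process.Create requests.

```python
"""Heuristic detection of Impacket-style remote execution (wmiexec / atexec)
from process-creation telemetry such as Sysmon Event ID 1. The events below
are constructed for this example (one JSON object per line, Sysmon-like
field names); they are not telemetry from the incident described above."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Constructed sample telemetry: one JSON object per line (not real data).
SAMPLE_EVENTS = r'''
{"host":"FS01","User":"CORP\\svc_backup","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1722754800.123 2>&1"}
{"host":"FS01","User":"CORP\\svc_backup","ParentImage":"C:\\Windows\\System32\\svchost.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /C net group \"domain admins\" /domain > %windir%\\Temp\\kQzdRGvC.tmp 2>&1"}
{"host":"WS07","User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir"}
{"host":"WS07","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c ipconfig /all"}
'''

# wmiexec.py runs "cmd.exe /Q /c <cmd> 1> \\<host>\ADMIN$\__<timestamp> 2>&1"
# through Win32_Process.Create, so the child process is spawned by WmiPrvSE.exe.
WMIEXEC_REDIRECT = re.compile(r"\\\\[\w.\-]+\\ADMIN\$\\__\d+(\.\d+)?", re.IGNORECASE)
# atexec.py registers a one-off scheduled task that runs
# "cmd.exe /C <cmd> > %windir%\Temp\<8 random chars>.tmp 2>&1"; the child is
# spawned by the Task Scheduler service host (svchost.exe).
ATEXEC_REDIRECT = re.compile(r">\s*%windir%\\Temp\\\w{8}\.tmp\s+2>&1", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    technique: str  # MITRE ATT&CK technique ID
    rule: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(ev: dict) -> list[Finding]:
    """Apply the detection rules to one process-creation event."""
    parent, child = _basename(ev["ParentImage"]), _basename(ev["Image"])
    cl = ev["CommandLine"]
    hits: list[Finding] = []

    def add(technique: str, rule: str) -> None:
        hits.append(Finding(ev["host"], ev["User"], technique, rule, cl))

    if parent == "wmiprvse.exe" and child in ("cmd.exe", "powershell.exe"):
        if WMIEXEC_REDIRECT.search(cl):
            add("T1047", "impacket_wmiexec_output_redirect")  # high confidence
        else:
            add("T1047", "wmi_spawned_shell")  # generic, needs triage
    if parent == "svchost.exe" and child == "cmd.exe" and ATEXEC_REDIRECT.search(cl):
        add("T1053.005", "impacket_atexec_output_redirect")
    return hits


def scan(events_jsonl: str) -> list[Finding]:
    """Run analyse_event over a JSON-lines feed and collect all findings."""
    findings: list[Finding] = []
    for line in events_jsonl.splitlines():
        if line.strip():
            findings.extend(analyse_event(json.loads(line)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.user:22} {f.technique:10} {f.rule:34} {f.command_line}")
```

The two redirect patterns are Impacket defaults and are trivial for an operator to change, so the generic "shell spawned by WmiPrvSE.exe" rule is the one that survives tooling changes; it needs an allowlist of legitimate WMI-driven administration in the environment before it is usable as an alert. The service-account context in this incident is a useful extra pivot: a service account that suddenly appears as the user of interactive shells on hosts it never touched before is worth a look even without a pattern match.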

A notable feature of the sideloaded DLLs is that they check the system language settings and abort execution if Chinese (simplified or traditional), Japanese, or Korean language packs are detected. This kill switch is most likely intended to avoid infecting machines in the countries where the developers operate. For defenders it is an analysis clue rather than a mitigation: the check is trivial for the operators to remove, and changing the language settings of production machines is not a sensible defence.

The attackers also turned the victim’s own SharePoint Server into a command-and-control point, which let the malicious traffic blend in with normal business activity. SharePoint relayed commands to a Trojan written in C#, delivered as the files “agents.exe” and “agentx.exe”, which were copied to target hosts over SMB. These executables communicated with a web shell, CommandHandler.aspx, installed on the SharePoint server, and executed the commands the attackers queued through it.

The attack combines common penetration techniques with “Living off the Land” tactics, in which legitimate corporate services are repurposed as control channels. The techniques map to MITRE ATT&CK T1071.001 (Application Layer Protocol: Web Protocols) and T1047 (Windows Management Instrumentation); because the resulting traffic looks like ordinary HTTP to an internal SharePoint server and ordinary WMI administration, it is particularly difficult to detect with traditional means.
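Because the C2 channel is plain HTTP to an internal SharePoint server, the place to look is that server’s IIS access log. The hunt below is an added example and is not part of the original article or of Kaspersky’s analysis: it baselines the .aspx pages that served traffic during a clean period, then flags pages in the current log that are new, that are only ever requested by non-browser clients, or that a single client hits at a near-constant interval, as a polling implant would. The log lines, IP addresses and the assumed location of the web shell under /_layouts/15/ are constructed for the example; the article does not say where CommandHandler.aspx was installed.

```python
"""Hunt for an unexpected ASPX web shell on a SharePoint/IIS host using its
W3C-format access logs. All log lines below are constructed for this example;
they are not taken from the incident described above."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed "clean period" log: only legitimate SharePoint pages, browser UAs.
BASELINE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status time-taken
2025-07-01 08:02:11 GET /_layouts/15/start.aspx - 10.1.5.23 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 200 143
2025-07-01 08:03:40 GET /sites/finance/SitePages/Home.aspx - 10.1.5.23 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 200 212
2025-07-01 09:15:02 POST /_layouts/15/settings.aspx - 10.1.7.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Edge/126.0 200 98
2025-07-01 09:20:45 GET /_layouts/15/viewlsts.aspx - 10.1.7.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Edge/126.0 200 77
"""

# Constructed "current" log: an implant on 10.20.30.40 polls a new page every
# 60 s with no User-Agent (IIS logs a missing field as "-"); the shell's
# location under /_layouts/15/ is an assumption made for the example.
CURRENT_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status time-taken
2025-07-15 08:00:00 POST /_layouts/15/CommandHandler.aspx - 10.20.30.40 - 200 15
2025-07-15 08:00:14 GET /_layouts/15/start.aspx - 10.1.5.23 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 200 160
2025-07-15 08:01:00 POST /_layouts/15/CommandHandler.aspx - 10.20.30.40 - 200 12
2025-07-15 08:02:00 POST /_layouts/15/CommandHandler.aspx - 10.20.30.40 - 200 14
2025-07-15 08:02:31 GET /sites/finance/SitePages/Home.aspx - 10.1.5.23 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 200 201
2025-07-15 08:03:00 POST /_layouts/15/CommandHandler.aspx - 10.20.30.40 - 200 13
2025-07-15 08:04:00 POST /_layouts/15/CommandHandler.aspx - 10.20.30.40 - 200 16
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    page: str
    client: str | None


def parse_w3c(text: str) -> list[dict]:
    """Parse IIS W3C extended log text; the #Fields: directive names the columns."""
    fields: list[str] | None = None
    rows: list[dict] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign
        row = dict(zip(fields, values))
        row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def aspx_pages(rows: list[dict]) -> set[str]:
    return {r["cs-uri-stem"].lower() for r in rows if r["cs-uri-stem"].lower().endswith(".aspx")}


def is_browser(user_agent: str) -> bool:
    # Every mainstream browser sends a UA beginning with "Mozilla/"; a bare "-"
    # or a bespoke client string is what a custom HTTP agent tends to produce.
    return user_agent.startswith("Mozilla/")


def hunt(baseline_text: str, current_text: str, min_hits: int = 4, max_jitter: float = 0.2) -> list[Alert]:
    known = aspx_pages(parse_w3c(baseline_text))
    rows = parse_w3c(current_text)
    alerts: list[Alert] = []
    # Rule 1: an .aspx page that never served traffic during the baseline period.
    for page in sorted(aspx_pages(rows) - known):
        alerts.append(Alert("new_aspx_page", page, None))
    # Rules 2 and 3 work per (client, page) request series.
    series: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for r in rows:
        page = r["cs-uri-stem"].lower()
        if page.endswith(".aspx"):
            series[(r["c-ip"], page)].append(r)
    for (client, page), hits in series.items():
        if all(not is_browser(h["cs(User-Agent)"]) for h in hits):
            alerts.append(Alert("non_browser_client", page, client))
        if len(hits) >= min_hits:
            ts = sorted(h["ts"] for h in hits)
            gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            avg = mean(gaps)
            # Coefficient of variation of the inter-request gap: near zero means
            # a timer-driven client, not a human clicking around.
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                alerts.append(Alert("beaconing_interval", page, client))
    return alerts


if __name__ == "__main__":
    for a in hunt(BASELINE_LOG, CURRENT_LOG):
        print(f"{a.rule:20} {a.page:40} {a.client or ''}")
```

An implant can spoof a browser User-Agent and add jitter to its polling interval, so rules 2 and 3 are best treated as corroboration; the baseline rule is the most durable, and it should be paired with a file-system check for .aspx files under the SharePoint web root and LAYOUTS directories that do not belong to the installed product or to known customisations. Note that SharePoint’s own pages will also hit rule 1 the first time a user opens one that nobody opened in the baseline window, so the baseline period needs to be long enough to cover normal usage.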

After initial reconnaissance, the attackers focused on the machines of interest. From there they ran scripts via cmd.exe that downloaded malicious HTA files from an external server whose domain was made to look like an official GitHub resource. The exact functionality of the downloaded content is not yet known, but one of the scripts used earlier in the campaign launched a reverse shell, giving the attackers full remote control of the host.

A wide range of tools was used to collect information. A modified version of Pillager stole login credentials from browsers and terminals, as well as files, chat correspondence, emails, screenshots, and other sensitive data. Checkout gathered information about downloaded files and payment details, including data from browsers such as Chrome, Opera and Brave. RawCopy was used to extract raw, locked system files such as logs, while Mimikatz was used to dump user credentials.

APT41 demonstrated a high degree of adaptability, tailoring its malware modules to the specifics of the victim’s infrastructure. The attackers also combined legitimate and custom tools, including penetration-testing tools, so that the intrusion would look like the work of insiders or of an authorized assessment.

This operation in Africa marks a shift in APT41’s geographic focus and reflects the growing attention of Chinese cyber units to regions they had previously largely ignored. According to Trend Micro, the first signs of activity in this direction were observed as early as the end of 2022. The use of internal corporate services as control and data-collection channels confirms an evolution in approach in which the line between a penetration test and a real attack is virtually erased.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.