APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[1][2]

ID: G0096
Associated Groups: WICKED PANDA
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 3.0
Created: 23 September 2019
Last Modified: 15 October 2021

Associated Group Descriptions

Name Description
WICKED PANDA [3]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.[4]

.002 Application Layer Protocol: File Transfer Protocols

APT41 used exploit payloads that initiate download via FTP.[4]

.004 Application Layer Protocol: DNS

APT41 used DNS for C2 communications.[1][2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT41 created a RAR archive of targeted files for exfiltration.[1]

Enterprise T1197 BITS Jobs

APT41 used BITSAdmin to download and install payloads.[4][3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT41 created and modified startup files for persistence.[1][2] APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.[4]

Enterprise T1110 .002 Brute Force: Password Cracking

APT41 performed password brute-force attacks on the local admin account.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT41 leveraged PowerShell to deploy malware families in victims’ environments.[1][4]

.003 Command and Scripting Interpreter: Windows Command Shell

APT41 used cmd.exe /c to execute commands on remote machines.[1] APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.[4]

.004 Command and Scripting Interpreter: Unix Shell

APT41 executed file /bin/pwd in activity exploiting CVE-2019-19781 against Citrix devices.[4]

Enterprise T1136 .001 Create Account: Local Account

APT41 created user accounts and added them to the User and Admin groups.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT41 modified legitimate Windows services to install malware backdoors.[1][2] APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.[4]

Enterprise T1486 Data Encrypted for Impact

APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.[1]

Enterprise T1005 Data from Local System

APT41 has uploaded files and data from a compromised host.[2]

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

APT41 has used DGAs to change their C2 servers monthly.[1]

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

APT41 leveraged sticky keys to establish persistence.[1]

Enterprise T1480 .001 Execution Guardrails: Environmental Keying

APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system's volume serial number.[5]

Enterprise T1190 Exploit Public-Facing Application

APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.[4]

Enterprise T1203 Exploitation for Client Execution

APT41 leveraged the following exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.[1]

Enterprise T1133 External Remote Services

APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.[1]

Enterprise T1008 Fallback Channels

APT41 used the Steam community page as a fallback mechanism for C2.[1]

Enterprise T1083 File and Directory Discovery

APT41 has executed the file /bin/pwd on exploited victims, perhaps to return architecture-related information.[4]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

APT41 has used search order hijacking to execute malicious payloads, such as Winnti RAT.[3]

.002 Hijack Execution Flow: DLL Side-Loading

APT41 used legitimate executables to perform DLL side-loading of their malware.[1]

.006 Hijack Execution Flow: Dynamic Linker Hijacking

APT41 has configured payloads to load via LD_PRELOAD.[3]

Enterprise T1070 .001 Indicator Removal on Host: Clear Windows Event Logs

APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.[1]

.003 Indicator Removal on Host: Clear Command History

APT41 attempted to remove evidence of some of its activity by deleting Bash histories.[1]

.004 Indicator Removal on Host: File Deletion

APT41 deleted files from the system.[1]

Enterprise T1105 Ingress Tool Transfer

APT41 used certutil to download additional files.[4][3][2]

Enterprise T1056 .001 Input Capture: Keylogging

APT41 used a keylogger called GEARSHIFT on a target system.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

APT41 has created services to appear as benign system tools.[2]

.005 Masquerading: Match Legitimate Name or Location

APT41 attempted to masquerade their files as popular anti-virus software.[1][2]

Enterprise T1112 Modify Registry

APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.[1][2]

Enterprise T1104 Multi-Stage Channels

APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.[4]

Enterprise T1046 Network Service Scanning

APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets.[1]

Enterprise T1135 Network Share Discovery

APT41 used the net share command as part of network reconnaissance.[1][2]

Enterprise T1027 Obfuscated Files or Information

APT41 used VMProtected binaries in multiple intrusions.[4]

Enterprise T1588 .002 Obtain Capabilities: Tool

APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT41 has used hashdump, Mimikatz, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.[1][2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.[1]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.[1]

Enterprise T1055 Process Injection

APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.[1]

Enterprise T1090 Proxy

APT41 used a tool called CLASSFON to covertly proxy network communications.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT41 used RDP for lateral movement.[1][3]

.002 Remote Services: SMB/Windows Admin Shares

APT41 has transferred implant files using Windows Admin Shares.[3]

Enterprise T1496 Resource Hijacking

APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.[1]

Enterprise T1014 Rootkit

APT41 deployed rootkits on Linux systems.[1][3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT41 used a compromised account to create a scheduled task on a system.[1][3]

Enterprise T1218 .001 Signed Binary Proxy Execution: Compiled HTML File

APT41 used compiled HTML (.chm) files for targeting.[1]

.011 Signed Binary Proxy Execution: Rundll32

APT41 has used rundll32.exe to execute a loader.[3]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.[1][2]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.[1]

Enterprise T1016 System Network Configuration Discovery

APT41 collected MAC addresses from victim machines.[1][2]

Enterprise T1049 System Network Connections Discovery

APT41 has enumerated IP addresses of network resources and used the netstat command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions.[1][2]

Enterprise T1033 System Owner/User Discovery

APT41 used the WMIEXEC utility to execute whoami commands on remote machines.[1]

Enterprise T1569 .002 System Services: Service Execution

APT41 used svchost.exe and Net to execute a system service installed to launch a Cobalt Strike BEACON loader.[4][2]

Enterprise T1078 Valid Accounts

APT41 used compromised credentials to log on to other systems.[1][3]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.[1]

Enterprise T1047 Windows Management Instrumentation

APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.[1][2]

Software

ID Name References Techniques
S0073 ASPXSpy [1] Server Software Component: Web Shell
S0190 BITSAdmin [4] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0069 BLACKCOFFEE [1] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal on Host: File Deletion, Multi-Stage Channels, Process Discovery, Web Service: Dead Drop Resolver, Web Service: Bidirectional Communication
S0160 certutil [4] Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0020 China Chopper [1] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Network Service Scanning, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0154 Cobalt Strike [4][2] Abuse Elevation Control Mechanism: Bypass User Account Control, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: JavaScript, Commonly Used Port, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection, Process Injection: Process Hollowing, Process Injection: Dynamic-link Library Injection, Protocol Tunneling, Proxy: Internal Proxy, Proxy: Domain Fronting, Query Registry, Reflective Code Loading, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Signed Binary Proxy Execution: Rundll32, Software Discovery, Subvert Trust Controls: Code Signing, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0021 Derusbi [1] Audio Capture, Command and Scripting Interpreter: Unix Shell, Commonly Used Port, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: Timestomp, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, Signed Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture
S0363 Empire [3] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Dylib Hijacking, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0095 FTP [4] Commonly Used Port, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
S0032 gh0st RAT [1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: Clear Windows Event Logs, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0100 ipconfig [2] System Network Configuration Discovery
S0443 MESSAGETAP [6][3] Archive Collected Data: Archive via Custom Method, Automated Collection, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, File and Directory Discovery, Indicator Removal on Host: File Deletion, Network Sniffing, System Network Connections Discovery
S0002 Mimikatz [1][2] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [1] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104 netstat [1] System Network Connections Discovery
S0385 njRAT [1] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture
S0097 Ping [1][2] Remote System Discovery
S0013 PlugX [1] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Modify Registry, Multiband Communication, Native API, Network Share Discovery, Non-Application Layer Protocol, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0194 PowerSploit [1] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Input Capture: Keylogging, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: LSASS Memory, Path Interception, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0006 pwdump [1] OS Credential Dumping: Security Account Manager
S0112 ROCKBOOT [1] Pre-OS Boot: Bootkit
S0596 ShadowPad [1][7] Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Indicator Removal on Host, Ingress Tool Transfer, Modify Registry, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Scheduled Transfer, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S0430 Winnti for Linux [3] Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Non-Application Layer Protocol, Obfuscated Files or Information, Rootkit, Traffic Signaling
S0412 ZxShell [1] Access Token Manipulation: Create Process with Token, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create Account: Local Account, Create or Modify System Process: Windows Service, Endpoint Denial of Service, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Network Service Scanning, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Query Registry, Remote Services: Remote Desktop Protocol, Remote Services: VNC, Screen Capture, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Service Discovery, Video Capture

References