
Threat Actor Characterization

APT41

ID: 4efd834e57e0b0527cb9b30cd331b8dc79736
Cybercrime, State-Sponsored
Threat types: Intrusion, Espionage, Financial Crime
China
Updated: 2026-02-26
Created: 2025-10-21
Progress: 69% · Completeness: 69% · Freshness: 70%
Aliases (preview): Barium, Brass Typhoon
MITRE ATT&CK®

APT41 is a China-nexus intrusion set widely described as conducting state-aligned espionage in parallel with financially motivated cybercrime (“dual mission”). Public government and vendor reporting describes initial access via spearphishing, exploitation of public-facing applications, and supply chain compromise, followed by web shells, in-memory droppers/plugin frameworks, DLL side-loading for persistence, and sustained data exfiltration (including cloud-assisted channels). Analysing APT41 operations therefore requires a dual-lens approach that separates espionage objectives from opportunistic monetization signals (ransomware, cryptojacking).


Technique   Technique name                 Tactics                 Evidence
T1566.001   Spearphishing Attachment       TA0001
  • 2020-09-16 — Technical bulletin describes spearphishing with malicious files as a common tactic.
T1195.002   Compromise Software Supply Chain   TA0001
  • 2020-09-16 — Technical bulletin describes supply chain compromises resulting in victimization of third-party customers.
T1190       Exploit Public-Facing Application   TA0001
  • 2022-03-08 — Mandiant describes exploitation of vulnerable internet-facing web applications for initial access in a state government campaign.
T1505.003   Web Shell                      TA0003
  • 2024-07-19 — IMDA advisory references web shells deployed on exposed Apache Tomcat Manager servers.
T1055       Process Injection              TA0004 TA0005
  • 2024-07-19 — IMDA advisory describes in-memory droppers executing payloads and injection behavior.
T1543.003   Windows Service                TA0003 TA0004
  • 2024-07-19 — IMDA advisory describes persistence via Windows services masquerading as legitimate services.
T1574.002   DLL Side-Loading               TA0003 TA0004 TA0005
  • 2020-09-16 — Technical bulletin describes DLL side-loading and specific DLL hijack patterns (loadperf.dll, winmm.dll).
T1074.001   Local Data Staging             TA0009
  • 2024-07-19 — IMDA advisory references tools used to copy large volumes of data prior to exfiltration.
T1041       Exfiltration Over C2 Channel   TA0010
  • 2024-07-19 — IMDA advisory references exfiltration and the use of OneDrive for transfer.
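A detection check for the side-loading pattern in the T1574.002 row, written here as an added example (not the platform's or any vendor's code): it parses constructed Sysmon-style image-load records and flags loadperf.dll or winmm.dll being loaded from outside the Windows system directories, which is the shape a side-loaded copy takes. The key=value event format, the trusted-directory list and the sample records are assumptions made for the illustration.

```python
import re
from pathlib import PureWindowsPath

# DLL names that the technical bulletin cited on this page associates with
# APT41 side-loading (T1574.002). Extend with names seen in your own environment.
SIDELOAD_WATCHLIST = {"loadperf.dll", "winmm.dll"}

# Directories where these Windows-supplied DLLs legitimately live (assumption).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)

# Constructed Sysmon-style image-load (Event ID 7) records flattened to key=value
# text for this example; not telemetry from any real incident.
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Windows\System32\perfmon.exe ImageLoaded=C:\Windows\System32\loadperf.dll Signed=true",
    r"EventID=7 Image=C:\ProgramData\Sync\svchost.exe ImageLoaded=C:\ProgramData\Sync\loadperf.dll Signed=false",
    r"EventID=7 Image=C:\Users\Public\update.exe ImageLoaded=C:\Users\Public\winmm.dll Signed=false",
    r"EventID=7 Image=C:\Program Files\App\app.exe ImageLoaded=C:\Windows\SysWOW64\winmm.dll Signed=true",
    r"EventID=7 Image=C:\Program Files\App\app.exe ImageLoaded=C:\Program Files\App\helper.dll Signed=false",
]

# Values may contain spaces, so a value ends at the next " key=" or at end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line: str) -> dict:
    return dict(KV_RE.findall(line))

def is_trusted_location(image_path: str) -> bool:
    # PureWindowsPath compares case-insensitively, so c:\windows\system32 also matches.
    path = PureWindowsPath(image_path)
    return any(trusted in path.parents for trusted in TRUSTED_DIRS)

def find_sideload_candidates(lines) -> list:
    # A watch-listed DLL name loaded from a non-system folder is the side-loading
    # shape: the legitimate name, resolved from an attacker-controlled directory.
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        loaded = ev.get("ImageLoaded", "")
        dll = PureWindowsPath(loaded).name.lower()
        if dll in SIDELOAD_WATCHLIST and not is_trusted_location(loaded):
            alerts.append({"process": ev.get("Image"), "dll": dll, "path": loaded, "signed": ev.get("Signed")})
    return alerts

if __name__ == "__main__":
    for a in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"ALERT side-load candidate: {a['dll']} from {a['path']} in {a['process']} (signed={a['signed']})")
```

A signed-true, System32-resident load of the same name is deliberately not flagged, so the check stays quiet on the normal perfmon.exe case and fires only on the two constructed records from ProgramData and Users\Public.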
Strategic Intelligence
Last updated: 2026-02-26T03:00:33+00:00
APT41 (Wicked Panda / Winnti / Double Dragon / Wicked Spider / Brass Typhoon / Bronze Atlas) — Dual-Use China Nexus Group (G0096)

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Actor type: Cyber / hybrid — China-nexus operator associated with both state-aligned espionage and financially motivated cybercrime (“dual mission”) in open reporting.

Primary motivation: Espionage with parallel criminal monetization (reported).

Common aliases: BARIUM, Winnti, Wicked Panda, Wicked Spider, Double Dragon, Brass Typhoon, TG-2633, Red Kelpie, Bronze Atlas.
Executive Summary

APT41 is widely described in public reporting as a prolific China-nexus intrusion set notable for conducting state-aligned espionage while also engaging in financially motivated activity. U.S. Department of Justice communications describe intrusions attributed to APT41 and its associated aliases that supported theft of source code and sensitive business information while also enabling ransomware and cryptojacking schemes. Joint FBI/CISA reporting describes broad initial access methods, including spearphishing, rapid exploitation of public-facing vulnerabilities, and supply chain compromise. Multiple public analyses emphasize APT41’s adaptability: from vulnerability exploitation and web-application compromise to in-memory droppers, web shells, and data exfiltration over common enterprise channels and cloud services.


OSINT frames APT41 as operating at the intersection of espionage and profit. This duality is a defining analytic feature: an operation’s victimology may look “state-like” even when monetization artifacts appear. INFERENCE (confidence: medium): the actor’s longevity and diversity of tooling suggest access to a broad shared arsenal and a mature internal R&D and operations pipeline, with parallel workflows for state-directed collection and opportunistic monetization.


OSINT Library — APT41


2026-02-04 — Check Point Research — “Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in Southeast Asia (APT41 nexus)”
