APT41 is a group that carries out Chinese state-sponsored espionage and financially motivated activity. APT41 has been active since as early as 2012. The group has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries.[1][2]

The group is known to target technology and video game companies to compromise their Supply Chain and insert a backdoor to their products and is reported to be behind the infamous [ShadowPad] backdoor inserted first to NetSarang software. The group has been also observed inserting malicious code into legitimate video game files to distribute malware.[1]

APT41 also regularly leverages stolen Code Signing certificates to sign their malware and tools when targeting their victims.[1]

Techniques Used

Domain ID Name Use
Enterprise VT0012 .001 Command and Scripting Interpreter: Unix Shell

APT41 executed file /bin/pwd in activity exploiting CVE-2019-19781 against Citrix devices.[3]

Enterprise VT0003 Exploit Public-Facing Application

APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.[3]

Enterprise VT0002 External Remote Services

APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.[1]

Enterprise VT0018 .001 Input Capture: Keylogging

APT41 used a keylogger called GEARSHIFT on a target system.[1]

Enterprise VT0024 Network Service Scanning

APT41 used a malware variant called WIDETONE to conduct port scans on the specified subnets.[1]

Enterprise VT0031 Resource Hijacking

APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.[1]

Enterprise VT0016 .002 Subvert Trust Controls: Code Signing

APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.[1]

Enterprise VT0004 .002 Supply Chain Compromise: Compromise Software Supply Chain

APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.[1]

Enterprise VT0005 Valid Accounts

APT41 used compromised credentials to log on to other systems.[1]


ID Name References Techniques
VS0008 ShadowPad APT41 is reported to be behind the infamous modular backdoor ShadowPad, which was first discovered in the Software Supply Chain Compromise of Netsarang software. Supply Chain Compromise: Compromise Software Supply Chain




Created: 27 April 2021

Last Modified: 06 May 2021