Threat Watch

Chinese Actor APT41: A Balance Between Crime and Espionage

China (APT41): APT41 is a China-linked hacking group that has been observed carrying out attacks since 2012. Over that time it has run many different operations, using a mix of publicly available malware and tooling that is not public. The size of the attacks, their targets, and the industries singled out have all shifted, but one target has stayed constant: the video game industry, where the group has consistently found ways to profit. It goes straight for the games themselves, manipulating in-game virtual currency and deploying ransomware against game infrastructure. The group has shown that it can move laterally within a network and pivot between Windows and Linux systems until it reaches the game's production environment, which is where the ransomware is deployed.

APT41 has also been seen attacking higher education, healthcare, telecommunications, and other sectors, but those intrusions look like espionage rather than financially motivated crime: they are used primarily to collect information or to establish a foothold that the group can return to as needed. The group's arsenal contains at least 46 different malware families, some public, some proprietary, and some shared with other Chinese actor groups. In its espionage operations the group usually begins with spear-phishing e-mails carrying Compiled HTML Help (.chm) file attachments. Once a victim is infected, the group escalates to more sophisticated TTPs and brings in additional malware. Against high-value targets it has deployed rootkits and Master Boot Record (MBR) bootkits to run its malware more stealthily, though this is not seen often. APT41 moves quickly and keeps attacking until it gets what it wants, whether that is intelligence or money. Some suspected members of the group have also been seen advertising their skills on public forums, offering to carry out video game hacks.


Because the group carries out state-sponsored attacks while also advertising on underground forums, it is likely leveraging the protection afforded by its state-sponsored work to conduct illegal video game hacking for money without drawing unwanted attention from the authorities.
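As an added illustration of the kind of check a defender would want for the Compiled HTML Help (.chm) spear-phishing vector described above, the Python below runs two detections over process-creation telemetry: hh.exe (the Windows HTML Help viewer) opening a .chm from an attachment or download location, and hh.exe acting as the parent of a command interpreter or similar binary. This is example code written for this page, not APT41 tooling and not anything taken from the original report; the event records, file paths and attachment-folder hints are constructed assumptions.

```python
"""Detection sketch for .chm spear-phishing attachments.

Added example for this page, not APT41 tooling and not code from any report.
Two checks run over process-creation events:
  1. hh.exe (the Windows HTML Help viewer) opening a .chm from a location
     where mail clients and browsers drop attachments or downloads.
  2. hh.exe acting as the parent of a command interpreter or LOLBin, which a
     benign help file has no reason to do.
The event records and paths below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Child processes that a help file should never spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Lower-case path fragments that indicate an attachment or download location.
# Assumed for the example; tune to the mail clients in your environment.
ATTACHMENT_PATH_HINTS = (
    "\\content.outlook\\",   # Outlook temporary attachment folder
    "\\inetcache\\",
    "\\downloads\\",
    "\\temp\\",
)


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def chm_from_attachment(ev: ProcEvent) -> Optional[str]:
    """Check 1: hh.exe launched with a .chm under an attachment/download path."""
    if basename(ev.image) != "hh.exe":
        return None
    cl = ev.command_line.lower()
    if ".chm" not in cl:
        return None
    if any(hint in cl for hint in ATTACHMENT_PATH_HINTS):
        return "hh.exe opened a .chm from an attachment/download path"
    return None


def help_viewer_spawned_child(ev: ProcEvent) -> Optional[str]:
    """Check 2: hh.exe is the parent of an interpreter or LOLBin."""
    child = basename(ev.image)
    if basename(ev.parent_image) == "hh.exe" and child in SUSPICIOUS_CHILDREN:
        return f"hh.exe spawned {child}"
    return None


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run both checks over the events; return (event index, reason) per hit."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for check in (chm_from_attachment, help_viewer_spawned_child):
            reason = check(ev)
            if reason:
                hits.append((i, reason))
    return hits


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = [
    ProcEvent(  # user double-clicks a .chm attachment from Outlook
        parent_image=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        image=r"C:\Windows\hh.exe",
        command_line=r'"C:\Windows\hh.exe" C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\9X2K1A\Invoice_2019.chm',
    ),
    ProcEvent(  # the help file's embedded script launches a shell
        parent_image=r"C:\Windows\hh.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe",
    ),
    ProcEvent(  # benign: a vendor manual opened from an install directory
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\hh.exe",
        command_line=r'"C:\Windows\hh.exe" "C:\Program Files\Vendor\docs\manual.chm"',
    ),
    ProcEvent(  # benign: an interactive shell unrelated to hh.exe
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe",
    ),
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Run directly, it prints the two hits for the constructed events (the Outlook-launched .chm and the cmd.exe child of hh.exe) and ignores the benign manual and the unrelated shell. In practice the input would be Sysmon Event ID 1 records, with the path hints tuned to the mail clients in use. The parent-child check is the more robust of the two, since a legitimate help file has no reason to spawn cmd.exe or powershell.exe, whereas the path check depends on where a given client stores attachments.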