Threat Actor Profile
High APT
Description

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

Confidence Score
90%
Known Aliases
APT41, Wicked Panda, Brass Typhoon, BARIUM
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (82)
T1005 - Data from Local System (Collection)
T1056.001 - Keylogging (Collection)
T1213.003 - Code Repositories (Collection)
T1560.001 - Archive via Utility (Collection)
T1008 - Fallback Channels (Command and Control)
T1071.001 - Web Protocols (Command and Control)
T1071.002 - File Transfer Protocols (Command and Control)
T1071.004 - DNS (Command and Control)
T1090 - Proxy (Command and Control)
T1102.001 - Dead Drop Resolver (Command and Control)
T1104 - Multi-Stage Channels (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1568.002 - Domain Generation Algorithms (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1003.002 - Security Account Manager (Credential Access)
T1003.003 - NTDS (Credential Access)
T1110 - Brute Force (Credential Access)
T1555 - Credentials from Password Stores (Credential Access)
T1555.003 - Credentials from Web Browsers (Credential Access)
T1014 - Rootkit (Defense Evasion)
T1027 - Obfuscated Files or Information (Defense Evasion)
T1027.002 - Software Packing (Defense Evasion)
T1036.004 - Masquerade Task or Service (Defense Evasion)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1055 - Process Injection (Defense Evasion)
T1070.001 - Clear Windows Event Logs (Defense Evasion)
T1070.003 - Clear Command History (Defense Evasion)
T1070.004 - File Deletion (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1112 - Modify Registry (Defense Evasion)
T1197 - BITS Jobs (Defense Evasion)
T1218.001 - Compiled HTML File (Defense Evasion)
T1218.011 - Rundll32 (Defense Evasion)
T1480.001 - Environmental Keying (Defense Evasion)
T1484.001 - Group Policy Modification (Defense Evasion)
T1550.002 - Pass the Hash (Defense Evasion)
T1553.002 - Code Signing (Defense Evasion)
T1562.006 - Indicator Blocking (Defense Evasion)
T1599 - Network Boundary Bridging (Defense Evasion)
T1656 - Impersonation (Defense Evasion)
T1012 - Query Registry (Discovery)
T1016 - System Network Configuration Discovery (Discovery)
T1018 - Remote System Discovery (Discovery)
T1033 - System Owner/User Discovery (Discovery)
T1046 - Network Service Discovery (Discovery)
T1049 - System Network Connections Discovery (Discovery)
T1069 - Permission Groups Discovery (Discovery)
T1082 - System Information Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1087.001 - Local Account (Discovery)
T1087.002 - Domain Account (Discovery)
T1135 - Network Share Discovery (Discovery)
T1047 - Windows Management Instrumentation (Execution)
T1053.005 - Scheduled Task (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1059.004 - Unix Shell (Execution)
T1203 - Exploitation for Client Execution (Execution)
T1569.002 - Service Execution (Execution)
T1030 - Data Transfer Size Limits (Exfiltration)
T1486 - Data Encrypted for Impact (Impact)
T1496.001 - Compute Hijacking (Impact)
T1190 - Exploit Public-Facing Application (Initial Access)
T1195.002 - Compromise Software Supply Chain (Initial Access)
T1566.001 - Spearphishing Attachment (Initial Access)
T1021.001 - Remote Desktop Protocol (Lateral Movement)
T1021.002 - SMB/Windows Admin Shares (Lateral Movement)
T1570 - Lateral Tool Transfer (Lateral Movement)
T1037 - Boot or Logon Initialization Scripts (Persistence)
T1098.007 - Additional Local or Domain Groups (Persistence)
T1133 - External Remote Services (Persistence)
T1136.001 - Local Account (Persistence)
T1542.003 - Bootkit (Persistence)
T1543.003 - Windows Service (Persistence)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
T1574.001 - DLL (Persistence)
T1574.006 - Dynamic Linker Hijacking (Persistence)
T1546.008 - Accessibility Features (Privilege Escalation)
T1595.002 - Vulnerability Scanning (Reconnaissance)
T1595.003 - Wordlist Scanning (Reconnaissance)
T1596.005 - Scan Databases (Reconnaissance)
T1588.002 - Tool (Resource Development)
STIX Data
{'aliases': ['APT41', 'Wicked Panda', 'Brass Typhoon', 'BARIUM'],
 'created': '2019-09-23T13:43:36.945Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[APT41](https://attack.mitre.org/groups/G0096) is a threat '
                'group that researchers have assessed as Chinese '
                'state-sponsored espionage group that also conducts '
                'financially-motivated operations. Active since at least 2012, '
                '[APT41](https://attack.mitre.org/groups/G0096) has been '
                'observed targeting various industries, including but not '
                'limited to healthcare, telecom, technology, finance, '
                'education, retail and video game industries in 14 '
                'countries.(Citation: apt41_mandiant) Notable behaviors '
                'include using a wide range of malware and tools to complete '
                'mission objectives. '
                '[APT41](https://attack.mitre.org/groups/G0096) overlaps at '
                'least partially with public reporting on groups including '
                'BARIUM and [Winnti '
                'Group](https://attack.mitre.org/groups/G0044).(Citation: '
                'FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June '
                '2021)\n',
 'external_references': [{'external_id': 'G0096',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0096'},
                         {'description': '(Citation: Crowdstrike GTR2020 Mar '
                                         '2020)',
                          'source_name': 'Wicked Panda'},
                         {'description': '(Citation: FireEye APT41 2019)',
                          'source_name': 'APT41'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Brass Typhoon'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'BARIUM'},
                         {'description': 'Crowdstrike. (2020, March 2). 2020 '
                                         'Global Threat Report. Retrieved '
                                         'December 11, 2020.',
                          'source_name': 'Crowdstrike GTR2020 Mar 2020',
                          'url': 'https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf'},
                         {'description': 'FireEye. (2019). Double DragonAPT41, '
                                         'a dual espionage andcyber crime '
                                         'operationAPT41. Retrieved September '
                                         '23, 2019.',
                          'source_name': 'FireEye APT41 2019',
                          'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'},
                         {'description': 'Fraser, N., et al. (2019, August 7). '
                                         'Double DragonAPT41, a dual espionage '
                                         'and cyber crime operation APT41. '
                                         'Retrieved September 23, 2019.',
                          'source_name': 'FireEye APT41 Aug 2019',
                          'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'},
                         {'description': 'Mandiant. (n.d.). APT41, A DUAL '
                                         'ESPIONAGE AND CYBER CRIME OPERATION. '
                                         'Retrieved June 11, 2024.',
                          'source_name': 'apt41_mandiant',
                          'url': 'https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'Rostovcev, N. (2021, June 10). Big '
                                         'airline heist APT41 likely behind a '
                                         'third-party attack on Air India. '
                                         'Retrieved August 26, 2021.',
                          'source_name': 'Group IB APT 41 June 2021',
                          'url': 'https://www.group-ib.com/blog/colunmtk-apt41/'}],
 'id': 'intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7',
 'modified': '2025-06-11T20:13:29.024Z',
 'name': 'APT41',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Kyaw Pyiyt Htet, @KyawPyiytHtet',
                          'Nikita Rostovcev, Group-IB'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack', 'mobile-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '4.2'}