Chinese Actor APT41 Exploiting Vulnerabilities in Lengthy Global Campaign

By Bill Toulas / March 26, 2020

FireEye researchers have been monitoring the activity of the Chinese hacking group APT41. They report seeing one of the lengthiest and most persistent campaigns the group has ever run. APT41 started their recent activity on January 20, 2020, and cycled through a total of four vulnerabilities, exploiting them individually and successively within specific periods. The list of target countries includes Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK, and the USA.

Here’s a summary of the timeline of the attacks:


[Image: timeline of the attacks. Source: FireEye]

What becomes evident from the above is that APT41 is using publicly available PoC (proof of concept) code to launch their attacks, and it takes them only a couple of days to start doing so. This means that system administrators have limited time to update, which shows how crucial it is to upgrade your software immediately when a PoC is made public.

In all of the above cases, APT41 managed to compromise vulnerable systems that had not been updated. Apart from that, it is noteworthy that APT41 is now making use of “off the shelf” malware like Cobalt Strike and Meterpreter. This shows how handy and versatile these tools are nowadays, as groups like APT41 are skilled enough to develop and use their own sophisticated tools.
