APT41 Espionage Strikes Southern African Government IT

Arabian Post

22-07-2025

A sophisticated cyber‑espionage campaign has targeted a government‑affiliated IT department in Southern Africa, with indicators pointing to the China‑linked APT41 group. Kaspersky's Managed Detection and Response team detected the intrusion via unusual activity on multiple workstations, prompting an in‑depth investigation and attribution to APT41 with high confidence.
The attackers infiltrated the network by exploiting a publicly exposed web server, carrying out registry dumping to harvest credentials for a local administrator account and a backup solution account with domain‑wide privileges. These credentials enabled lateral movement and elevation of access across the organisation's network.
Once embedded, the threat actors deployed a suite of both custom and public reconnaissance tools. A modified Pillager stealer was converted into a DLL to exfiltrate browser, database and admin tool credentials, screenshots, source code, active chats, email correspondence, and more. Additionally, the Checkout stealer captured browser history, downloaded files, stored passwords and credit card information. The attackers also utilised RawCopy and a Mimikatz DLL to extract registry secrets, while Cobalt Strike served as their primary command‑and‑control mechanism.
ADVERTISEMENT
Unusually, the attackers leveraged the internal SharePoint server as a covert C2 channel, embedding a custom web‑shell to send and receive commands. This tactic allowed them to mask illicit operations within legitimate internal communications, minimising suspicion.
Further probing revealed use of Impacket modules WmiExec and Atexec, which fetched reconnaissance outputs and exfiltrated SAM and SYSTEM registry hives from compromised hosts. A later phase of the operation involved the deployment of a malicious HTA file via a domain impersonating GitHub, used to establish a reverse shell—locking down persistent access.
This marks one of APT41's most comprehensive operations in Africa, a region previously experiencing minimal activity from this actor. Analysts highlight the full deployment of the group's TTPs—spanning stealthy reconnaissance, lateral movement, data harvesting, and covert command channels.
Denis Kulik, Lead SOC Analyst at Kaspersky MDR, emphasised the challenge such campaigns present: 'Defending against such sophisticated attacks is impossible without comprehensive expertise and continuous monitoring of the entire infrastructure'. Culprits' integration of both bespoke stealer implants and legitimate tools like Mimikatz and Cobalt Strike underlines their adaptive and stealthy approach.
The incident underscores growing cyber‑espionage interest in African government IT systems. APT41, active across 42 countries, now appears to be intensifying surveillance operations on the continent. Organisations are urged to ensure full security agent deployment across endpoints, enforce least privilege principles, and monitor internal services rigorously. Kaspersky also recommends adopting advanced solutions such as EDR/XDR and managed detection and response services, along with threat intelligence offerings to anticipate and counter complex intrusions.