Latest news with #APT41


Arabian Post
22-07-2025
- Arabian Post
APT41 Espionage Strikes Southern African Government IT
A sophisticated cyber‑espionage campaign has targeted a government‑affiliated IT department in Southern Africa, with indicators pointing to the China‑linked APT41 group. Kaspersky's Managed Detection and Response team detected the intrusion via unusual activity on multiple workstations, prompting an in‑depth investigation and attribution to APT41 with high confidence. The attackers infiltrated the network by exploiting a publicly exposed web server, then dumped the registry to harvest credentials for a local administrator account and a backup solution account with domain‑wide privileges. These credentials enabled lateral movement and elevation of access across the organisation's network. Once embedded, the threat actors deployed a suite of both custom and publicly available tools. A modified Pillager stealer, rebuilt as a DLL, was used to exfiltrate browser, database and admin tool credentials, screenshots, source code, active chats, email correspondence and more. The Checkout stealer captured browser history, downloaded files, stored passwords and credit card information. The attackers also used RawCopy and a Mimikatz DLL to extract registry secrets, while Cobalt Strike served as their primary command‑and‑control mechanism. Unusually, the attackers leveraged the organisation's internal SharePoint server as a covert C2 channel, planting a custom web shell through which their agents sent and received commands. This tactic masked illicit operations within legitimate internal traffic, minimising suspicion. Further probing revealed use of the Impacket modules WmiExec and Atexec, which fetched reconnaissance output and exfiltrated the SAM and SYSTEM registry hives from compromised hosts. A later phase of the operation involved a malicious HTA file served from a domain impersonating GitHub, used to establish a reverse shell and retain access.
This marks one of APT41's most comprehensive operations in Africa, a region where the actor had previously shown minimal activity. Analysts highlight the full deployment of the group's TTPs, spanning stealthy reconnaissance, lateral movement, data harvesting and covert command channels. Denis Kulik, Lead SOC Analyst at Kaspersky MDR, emphasised the challenge such campaigns present: 'Defending against such sophisticated attacks is impossible without comprehensive expertise and continuous monitoring of the entire infrastructure'. The attackers' combination of bespoke stealer implants with publicly available tools such as Mimikatz and Cobalt Strike underlines their adaptive and stealthy approach. The incident underscores growing cyber‑espionage interest in African government IT systems. APT41, with known activity in at least 42 countries, now appears to be intensifying surveillance operations on the continent. Organisations are urged to deploy security agents on every endpoint, enforce least-privilege principles and monitor internal services rigorously. Kaspersky also recommends adopting EDR/XDR and managed detection and response services, along with threat intelligence offerings, to anticipate and counter complex intrusions.

Zawya
21-07-2025
- Zawya
Kaspersky: Advanced Persistent Threat (APT41) targets Southern African organisation in espionage attack
Kaspersky Managed Detection and Response experts have observed a cyber espionage attack on an organisation in Southern Africa and have linked it to the Chinese-speaking APT41 group. Although the threat actor has shown limited activity in Southern Africa, this incident reveals that the attackers targeted government IT services in one of the countries in the region, attempting to steal sensitive corporate data, including credentials, internal documents, source code and communications. APT (Advanced Persistent Threat) is a category of threat actors known for carrying out concerted, stealthy and ongoing attacks against specific organisations, as opposed to the opportunistic, isolated incidents that account for most cybercriminal activity. The adversaries' techniques observed during the attack in Southern Africa allowed Kaspersky to attribute it to the Chinese-speaking APT41 group with high confidence. The primary goal of the attack was cyber espionage, which is typical for this threat actor. The attackers attempted to collect sensitive data from the machines they compromised within the organisation's network. It is noteworthy that APT41 has typically shown quite limited activity in the Southern African region. APT41 specialises in cyber espionage and targets organisations across various industries, including telecommunications providers, educational and healthcare institutions, IT, energy and other sectors, with known activity in at least 42 countries. Based on Kaspersky experts' analysis, the attackers may have gained access to the organisation's network through a web server exposed to the Internet. Using a credential harvesting technique known as registry dumping, the attackers obtained two corporate domain accounts: one with local administrator rights on all workstations and another belonging to a backup solution, which had domain administrator privileges.
These accounts allowed the attackers to compromise additional systems within the organisation. One of the stealers used for data collection was a modified Pillager utility, designed for exporting and decrypting data; the attackers rebuilt it from an executable into a Dynamic Link Library (DLL). With it, they aimed to gather saved credentials from browsers, databases and administrative tools, as well as project source code, screenshots, active chat sessions and their data, email correspondence, lists of installed software, operating system credentials, Wi-Fi credentials and other information. The second stealer used during the attack was Checkout. In addition to saved credentials and browser history, it was also capable of collecting information on downloaded files and browser-stored credit card data. The attackers also used the RawCopy utility and a version of Mimikatz compiled as a DLL to dump registry files and credentials, as well as Cobalt Strike for Command and Control (C2) communication on compromised hosts. 'Interestingly, as one of their C2 communication channels besides Cobalt Strike, the attackers chose the SharePoint server within the victim's infrastructure. They communicated with it using custom C2 agents connected with a web-shell. They may have chosen SharePoint because it was an internal service already present in the infrastructure and unlikely to raise suspicion. Moreover, in that case, it probably offered the most convenient way to exfiltrate data and control compromised hosts through a legitimate communication channel,' explains Denis Kulik, Lead SOC Analyst at Kaspersky Managed Detection and Response service. 'In general, defending against such sophisticated attacks is impossible without comprehensive expertise and continuous monitoring of the entire infrastructure.
It is essential to maintain full security coverage across all systems with solutions capable of automatically blocking malicious activity at an early stage — and to avoid granting user accounts excessive privileges,' comments Denis Kulik. To mitigate or prevent similar attacks, organisations are advised to follow these best practices:
- Ensure that security agents are deployed on all workstations within the organisation without exception, to enable timely incident detection and minimise potential damage.
- Review and control service and user account privileges, avoiding excessive rights assignments, especially for accounts used across multiple hosts within the infrastructure.
- To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line, which provide real-time protection, threat visibility, investigation and the response capabilities of EDR and XDR for organisations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements change.
- Adopt managed security services by Kaspersky such as Compromise Assessment, Managed Detection and Response (MDR) and/or Incident Response, covering the entire incident management cycle from threat identification to continuous protection and remediation. They help to protect against evasive cyberattacks, investigate incidents and provide additional expertise even if a company lacks cybersecurity staff.
- Provide your InfoSec professionals with in-depth visibility into cyberthreats targeting your organisation. The latest Kaspersky Threat Intelligence will provide them with rich and meaningful context across the entire incident management cycle and help them identify cyber risks in a timely manner.
A detailed analysis of the incident is available on Securelist. The Kaspersky Managed Detection and Response service monitors suspicious activity and helps organisations respond swiftly to minimise impact. This is part of Kaspersky Security Services, a team delivering hundreds of information security projects every year for Fortune Global 500 organisations: incident response, managed detection, SOC consulting, red teaming, penetration testing, application security and digital risk protection. Distributed by APO Group on behalf of Kaspersky. About Kaspersky: Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure and governments around the globe. The company's comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and over 200,000 corporate clients protect what matters most to them.
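An added detection example, not Kaspersky's code or part of the Securelist report, for the registry dumping and Impacket WmiExec/AtExec activity described in the Arabian Post and Zawya items above. It runs over constructed Sysmon-style process-creation records (host, parent image, image, command line); the host names, paths and file names are made up. The rules key on Impacket's default command-line shapes: wmiexec runs cmd.exe under WmiPrvSE.exe and redirects output to \\127.0.0.1\ADMIN$\__<timestamp>; atexec runs cmd.exe /C <cmd> > %windir%\Temp\<random>.tmp from a scheduled task; a hive dump with reg.exe is reg save HKLM\SAM (with SYSTEM, which holds the boot key, usually following).

```python
"""Detection of Impacket wmiexec/atexec command shapes and reg.exe hive dumping,
run over constructed Sysmon-style process-creation records. Added example; the
records are made up, not data from the incident."""
import re

# Constructed records: (host, parent_image, image, command_line).
SAMPLE_EVENTS = [
    # wmiexec.py default: WmiPrvSE.exe spawns cmd.exe, output goes to ADMIN$\__<timestamp>
    ("WS01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1721635200.123 2>&1"),
    # hive dump: reg.exe save of SAM (SYSTEM normally follows, it holds the boot key)
    ("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
     r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"),
    # atexec.py default: scheduled task runs cmd.exe /C <cmd> > %windir%\Temp\<random>.tmp 2>&1
    ("WS02", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /C net group "domain admins" /domain > %windir%\Temp\AbCdEfGh.tmp 2>&1'),
    # benign administration and an ordinary user redirect: must not fire
    ("WS03", r"C:\Program Files\Backup\agent.exe", r"C:\Windows\System32\reg.exe",
     r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("WS03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c dir > C:\Users\jane\out.txt"),
]

RULES = {
    # Impacket defaults: high fidelity but narrow, a rebuilt Impacket changes these strings.
    "wmiexec_output_redirect": re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+", re.I),
    "atexec_output_redirect": re.compile(
        r">\s*(?:%windir%|\\\\127\.0\.0\.1\\ADMIN\$)\\Temp\\\w+\.tmp", re.I),
    # reg.exe save of the hives that together yield local hashes and cached secrets
    "registry_hive_save": re.compile(
        r"\breg(?:\.exe)?\s+save\s+HKLM\\(?:SAM|SYSTEM|SECURITY)\b", re.I),
}
LATERAL = {"wmiexec_output_redirect", "atexec_output_redirect", "shell_spawned_by_wmiprvse"}
CREDENTIAL = {"registry_hive_save"}


def detect(events=SAMPLE_EVENTS):
    """Return (host, rule_name) pairs for every record that matches a rule."""
    hits = []
    for host, parent, image, cmdline in events:
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits.append((host, name))
        # Behavioural backstop: a shell under the WMI provider host is how wmiexec
        # executes commands regardless of what the redirect string looks like.
        if parent.lower().endswith(r"\wmiprvse.exe") and \
                image.lower().endswith((r"\cmd.exe", r"\powershell.exe")):
            hits.append((host, "shell_spawned_by_wmiprvse"))
    return hits


def correlate(hits):
    """Hosts showing both remote command execution and a hive dump: the chain the
    report describes (land via WmiExec/AtExec, then pull SAM and SYSTEM)."""
    by_host = {}
    for host, name in hits:
        by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in by_host.items() if names & LATERAL and names & CREDENTIAL)


if __name__ == "__main__":
    found = detect()
    for host, rule in found:
        print(f"{host}: {rule}")
    print("hosts with lateral movement and hive dump:", correlate(found))
```

The parent-process rule is the more durable of the two wmiexec checks, since the redirect string is trivially changed in a custom Impacket build. Dumping done with RawCopy or a Mimikatz DLL, as in this incident, produces no reg.exe command line at all and has to be caught with file-access or registry-handle telemetry instead.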


News18
30-05-2025
- News18
Google Calendar Has A Dangerous Malware Threat: What Is It And How It Attacks
Google's threat intelligence team has described a new ruse in which a Chinese state-linked hacking group abuses Google Calendar to control malware on compromised systems. The malware, named TOUGHPROGRESS, targets government organisations for espionage; Google says it first observed the APT41 campaign in late October 2024. Delivery is conventional spear phishing: the email points the victim to a ZIP archive hosted on a compromised government website, which contains a file posing as a PDF alongside decoy images, and opening it starts the infection chain. Once running, TOUGHPROGRESS communicates with an attacker-controlled Google Calendar rather than a custom server: it reads commands that the operators embed in calendar events and writes stolen data back into new events, so its traffic blends in with ordinary calendar use. This is not the first Google service the group has abused; APT41 has previously used Google Drive and Google Sheets in similar attacks on government entities. Google has published advice for users on avoiding these attacks and is expected to release further details as the campaign is addressed.


Hans India
29-05-2025
- Hans India
Chinese Hacker Group APT41 Uses Google Calendar to Spy with New Malware
Google has reported that the Chinese hacking group APT41 used a new piece of malware, called TOUGHPROGRESS, to spy on governments. The malware abuses Google Calendar to receive commands and to send stolen information out. Here is how it works: the hackers sent emails linking to a file hosted on a government website. Opening the file displayed a decoy document while silently installing the malware. The malware then talked to its operators by reading and writing events on a Google Calendar that the hackers controlled: commands arrived as calendar events, and stolen data went back the same way, without any connection to obviously malicious infrastructure. It hid itself well, using encryption and running only in the computer's memory. Google identified the attack in late 2024, quickly disabled the attacker-controlled calendar and the related accounts, and notified the affected companies and governments. APT41 is a well-known group that has attacked many industries, including shipping, media and technology, all over the world. This is not the first time it has used Google's tools to hide its attacks; it previously used Google Drive and Google Sheets for spying too.
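An added example, not code from Google's report or from the malware, modelling the calendar-event command channel that the News18 and Hans India items describe: the operator writes an encrypted command into an event on a calendar they control, the implant polls that date, runs the command and posts the result as a new event. Everything in it is constructed: MockCalendar stands in for the Google Calendar events API, a byte-wise XOR stands in for whatever cipher the real malware uses, 'execution' is a lookup table, and the process name, URL path, key and dates are assumptions. The defender-side function at the end shows the one signal this channel leaves on the victim: a process that is not a browser or mail client both reading and creating calendar events.

```python
"""Model of a calendar-event C2 channel with a mock calendar, plus the
victim-side check that flags it. Added example, constructed end to end;
nothing here touches the network or runs a shell."""
import base64
from collections import defaultdict

EVENTS_PATH = "/calendar/v3/calendars/c2-calendar/events"   # assumed URL shape for the access log
COMMAND_DATE, RESULT_DATE = "2025-01-01", "2025-01-02"       # constructed "mailbox" dates
IMPLANT_PROCESS = "WinUpdateSvc.exe"                        # constructed masquerade name
KEY = b"\x5a\x13\xc7\x9e"                                    # constructed key


class MockCalendar:
    """In-memory calendar; access_log records what a proxy or EDR on the victim would see."""

    def __init__(self):
        self.events = []
        self.access_log = []   # (process_image, http_method, path); process None = operator side

    def insert(self, process, date, description):
        if process:
            self.access_log.append((process, "POST", EVENTS_PATH))
        event = {"id": f"ev{len(self.events) + 1}", "date": date, "description": description}
        self.events.append(event)
        return event["id"]

    def list(self, process, date):
        if process:
            self.access_log.append((process, "GET", EVENTS_PATH))
        return [e for e in self.events if e["date"] == date]


def seal(plaintext: bytes) -> str:
    """XOR with the shared key, then base64 so the payload survives as event text."""
    return base64.b64encode(bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(plaintext))).decode()


def unseal(blob: str) -> bytes:
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(base64.b64decode(blob)))


# Operator side: runs outside the victim, so it leaves nothing in the victim's access log.
def operator_task(cal, command: str) -> str:
    return cal.insert(None, COMMAND_DATE, seal(command.encode()))


def operator_collect(cal) -> dict:
    results = {}
    for event in cal.list(None, RESULT_DATE):
        task_id, _, output = unseal(event["description"]).partition(b":")
        results[task_id.decode()] = output.decode()
    return results


# Implant side: polls the command date, "executes", answers on the result date.
FAKE_EXEC = {"whoami": b"victimdom\\jsmith", "hostname": b"WS01"}   # stands in for real execution


def implant_poll(cal) -> list:
    done = []
    for event in cal.list(IMPLANT_PROCESS, COMMAND_DATE):
        command = unseal(event["description"]).decode()
        output = FAKE_EXEC.get(command, b"unsupported")
        cal.insert(IMPLANT_PROCESS, RESULT_DATE, seal(event["id"].encode() + b":" + output))
        done.append(command)
    return done


# Defender side: the destination is Google either way, so process attribution is the signal.
KNOWN_CALENDAR_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


def suspicious_calendar_clients(access_log) -> list:
    """Processes outside the allowlist that both read and create calendar events."""
    methods = defaultdict(set)
    for process, method, path in access_log:
        if path.startswith("/calendar/v3/"):
            methods[process].add(method)
    return sorted(p for p, m in methods.items()
                  if p.lower() not in KNOWN_CALENDAR_CLIENTS and {"GET", "POST"} <= m)


def run_exchange():
    cal = MockCalendar()
    cal.insert("chrome.exe", "2025-01-05", "Team meeting")   # legitimate use on the same host
    cal.list("chrome.exe", "2025-01-05")
    operator_task(cal, "whoami")
    implant_poll(cal)
    return operator_collect(cal), suspicious_calendar_clients(cal.access_log)


if __name__ == "__main__":
    results, flagged = run_exchange()
    print("operator received:", results)
    print("flagged calendar clients:", flagged)
```

The mock makes the detection problem concrete: on the wire this is ordinary TLS to Google, so a network-only view sees nothing unusual, and the check has to come from telemetry that names the process (EDR, or a proxy that attributes connections). The other lever is the provider-side one the articles describe, Google disabling the attacker-controlled calendar and accounts.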