By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
TechFyle | TFTechFyle | TFTechFyle | TF
  • Latest News
    • Articles
      • Analysis
      • Reviews
        • Phones & Tablets
        • Laptops & PCs
        • Software & Apps
      • TF Africa
      • TF Americas
      • TF APAC
      • TF Europe
      • Media
    • Reviews
    • AI
    • Transportation
    • Hardware
    • Internet & Cloud
    • Gadgets
    • Cybersecurity
    • Society
  • Register
  • My t/f
    • Member Login
    • My Feed
    • My Saves
    • My Interests
    • Profile
    • Password Reset
  • VentureHub
  • Tech Week In Review
  • About TF
  • en
    • en
    • fr
    • de
    • pt
    • es
Notification Show More
Font ResizerAa
TechFyle | TFTechFyle | TFTechFyle | TF
Font ResizerAa
  • Register
  • Login
  • Interests
  • Feed
  • Saved
  • Latest News
    • Articles
    • Reviews
    • AI
    • Transportation
    • Hardware
    • Internet & Cloud
    • Gadgets
    • Cybersecurity
    • Society
  • Register
  • My t/f
    • Member Login
    • My Feed
    • My Saves
    • My Interests
    • Profile
    • Password Reset
  • VentureHub
  • Tech Week In Review
  • About TF
Have an existing account? Sign In
  • My Feed
  • My Interests
  • History
  • My Saves
TechFyle | TF > Reporting > Business > APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K.

APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K.

thehackernews.com
Last updated: 2 years ago
By thehackernews.com Add a Comment
Share
APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K.
SHARE

Several organizations operating within global shipping and logistics, media and entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. have become the target of a “sustained campaign” by the prolific China-based APT41 hacking group.

“APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims’ networks since 2023, enabling them to extract sensitive data over an extended period,” Google-owned Mandiant said in a new report published Thursday.

The threat intelligence firm described the adversarial collective as unique among China-nexus actors owing to its use of “non-public malware typically reserved for espionage operations in activities that appear to fall outside the scope of state-sponsored missions.”

Attack chains involve the use of web shells (ANTSWORD and BLUEBEAM), custom droppers (DUSTPAN and DUSTTRAP), and publicly available tools (SQLULDR2 and PINEGROVE) to achieve persistence, deliver additional payloads, and exfiltrate data of interest.

The web shells act as a conduit to download the DUSTPAN (aka StealthVector) dropper that’s responsible for loading Cobalt Strike Beacon for command-and-control (C2) communication, followed by the deployment of the DUSTTRAP dropper post lateral movement.

DUSTTRAP, for its part, is configured to decrypt a malicious payload and execute it in memory, which, in turn, establishes contact with an attacker-controlled server or a compromised Google Workspace account in an attempt to conceal its malicious activities.

Google said the identified Workspace accounts have been remediated to prevent unauthorized access. It, however, did not reveal how many accounts were affected.

The intrusions are also characterized by the use of SQLULDR2 to export data from Oracle Databases to a local text-based file and PINEGROVE to transmit large volumes of sensitive data from compromised networks by abusing Microsoft OneDrive as an exfiltration vector.

It’s worth noting here that the malware families that Mandiant tracks as DUSTPAN and DUSTTRAP share overlaps with those that have been codenamed DodgeBox and MoonWalk, respectively, by Zscaler ThreatLabz.

“DUSTTRAP is a multi-stage plugin framework with multiple components,” Mandiant researchers said, adding it identified at least 15 plugins that are capable of executing shell commands, carrying out file system operations, enumerating and terminating processes, capturing keystrokes and screenshots, gathering system information, and modifying Windows Registry.

It’s also engineered to probe remote hosts, perform domain name system (DNS) lookups, list remote desktop sessions, upload files, and conduct various manipulations to Microsoft Active Directory.

“The DUSTTRAP malware and its associated components that were observed during the intrusion were code signed with presumably stolen code signing certificates,” the company said. “One of the code signing certificates seemed to be related to a South Korean company operating in the gaming industry sector.”

GhostEmperor Comes Back to Haunt

The disclosure comes as Israeli cybersecurity company Sygnia revealed details of a cyber attack campaign mounted by a sophisticated China-nexus threat group called GhostEmperor to deliver a variant of the Demodex rootkit.

The exact method used to breach targets is currently not clear, although the group has been previously observed exploiting known flaws in internet-facing applications. The initial access facilitates the execution of a Windows batch script, which drops a Cabinet archive (CAB) file to ultimately launch a core implant module.

The implant is equipped to manage C2 communications and install the Demodex kernel rootkit by using an open-source project named Cheat Engine to get around the Windows Driver Signature Enforcement (DSE) mechanism.

“GhostEmperor employs a multi-stage malware to achieve stealth execution and persistence and utilizes several methods to impede analysis process,” Security researcher Dor Nizar said.

Source: thehackernews.com

[gspeech type=full]

thehackernews.com 2 years ago 2 years ago
Share This Article
Facebook Twitter Copy Link Print
Leave a comment Leave a comment

Click here to cancel reply.

Please Login to Comment.

Related Stories

Uncover the stories that related to the post!

A Brain Implant Helped a Paralysed Man Feed Himself for the First Time

By Z Patel July 17, 2026

Kalshi Lets You Bet on Drug Trial Results

By Adam Carter July 17, 2026

AST SpaceMobile Delays Commercial Service to 2027

By Joseph Adebayo July 16, 2026

Lawsuit Claims Meta’s AI Targeted Employees With Medical Conditions for Layoffs

By Li Nguyen July 16, 2026

SpaceX Shares Fall Below Their IPO Price

By Joseph Adebayo July 16, 2026

White House Launches Gold Eagle — an AI Cybersecurity Clearinghouse

By Li Nguyen July 15, 2026

Google Images Turns 25 — and Gets AI Image Generation as a Birthday Gift

By Sophia Rodriguez July 15, 2026

AI for Good Summit: Countries Clash Over Who Governs AI Globally

By Li Nguyen July 13, 2026
Show More
TechFyle | TF

To illuminate and provide knowledge anywhere through which technology flows

Quick Links

  • My Feed
  • My Interests
  • History
  • My Saves

Company

  • Privacy Policy
  • Terms and Conditions
  • Cookie Policy

Copyright TechFyle 2024. All rights reserved.

Welcome Back!

Sign in to your account

Register Lost your password?