Security is Everyone's Job

APT 41

APT 41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations

Active since at least 2012, APT 41 has been observed targeting the healthcare, telecom, technology, and video game industries in 14 countries


2012: APT41 was first observed by researchers as a Chinese state-sponsored espionage group that also conducts financially motivated operations

2014: APT41 began to engage in personal gain activities, such as stealing virtual currency and selling game accounts, in addition to its espionage operations

2015: APT41 compromised a software company and injected malicious code into one of its products, which was then distributed to hundreds of organizations

2016: APT41 conducted a supply chain attack against a popular web browser in Asia, infecting millions of users with a backdoor

2017: APT41 exploited a zero-day vulnerability in Apache Struts to compromise several organizations, including a telecom company and a credit bureau

2018: APT41 targeted a hotel reservation system ahead of Chinese officials staying there, suggesting the group was tasked to reconnoiter the facility for security reasons

2019: APT41 was indicted by a federal grand jury in Washington, D.C. for computer intrusions affecting 100 companies globally

2020: APT41 was indicted again by the U.S. Department of Justice for allegedly compromising more than 100 companies around the world

2021: APT41 conducted four different malicious campaigns, targeting political groups, military organizations, airlines, and other sectors in 13 countries

2022: APT41 exploited the Log4j vulnerability to compromise at least two U.S. state governments, as well as the group's more traditional targets in the insurance and telecommunications industries

Attack methods

APT 41 uses various attack methods such as spearphishing, malware, supply chain attacks, web shells, and exploitation of public-facing applications

It also uses data obfuscation, proxies, and web services to evade detection and exfiltrate data


APT 41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group

It also has other aliases such as Wicked Panda, Wicked Spider, TG-2633, Bronze Atlas, Red Kelpie, Blackfly, and Double Dragon