Chinese-linked APT41 deploys stealthy Linux backdoor to target cloud platforms

The Chinese-linked threat group APT41 is using a sophisticated backdoor to compromise Linux-based cloud systems and steal credentials for accounts at the major cloud providers, according to a technical deep dive published by cybersecurity firm Breakglass Intelligence.

The researchers say the malware is built for cloud environments including Amazon Web Services, Google Cloud Platform, Microsoft Azure, and Alibaba Cloud. It is delivered as an ELF binary, the standard executable format on Linux, and talks to its operators over TCP port 25, the SMTP port, which the researchers say helps it evade detection by standard internet scanning tools. At the time of the report the sample had zero detections on VirusTotal. For defenders, the choice of port 25 cuts both ways: AWS and Google Cloud restrict outbound port 25 from instances by default, so an instance that completes, or repeatedly attempts, SMTP connections to the internet is itself an anomaly worth alerting on.
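One way to turn that observation into a check, as an added example rather than code from the report or from Breakglass Intelligence: scan VPC flow log records (default format) for TCP/25 connections that leave the VPC from hosts other than the sanctioned mail relays. The sample records, the VPC CIDR and the relay allowlist below are all constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Field order of the default VPC flow log record format.
FLOW_LOG_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

# Constructed sample records (not real traffic). VPC addresses are in
# 10.0.0.0/16, external peers are in RFC 5737 documentation ranges.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 203.0.113.10 51234 25 6 12 1480 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 203.0.113.10 51235 443 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b2c3d4e5f6a7b8c9 10.0.2.7 198.51.100.5 44000 25 6 8 900 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0c3d4e5f6a7b8c9d0 10.0.3.9 198.51.100.7 40000 25 6 3 180 1700000020 1700000080 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.99 10.0.1.23 25 51236 6 4 320 1700000030 1700000090 ACCEPT OK
2 123456789012 eni-0d4e5f6a7b8c9d0e1 10.0.4.4 10.0.5.5 40001 25 6 5 400 1700000040 1700000100 ACCEPT OK
2 123456789012 eni-0e5f6a7b8c9d0e1f2 - - - - - - - 1700000050 1700000110 - NODATA
"""


def parse_flow_record(line: str) -> Optional[Dict[str, str]]:
    """Split one default-format record into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        return None
    return dict(zip(FLOW_LOG_FIELDS, parts))


def smtp_egress_alerts(lines: Iterable[str], vpc_cidr: str,
                       mail_relays: Iterable[str]) -> List[Dict[str, str]]:
    """Return TCP/25 connections leaving the VPC from hosts that are not mail relays.

    Both ACCEPT and REJECT records are returned: a rejected attempt still shows a
    host trying to reach an SMTP peer, which is the behaviour we care about.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    relays = {ipaddress.ip_address(r) for r in mail_relays}
    alerts: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or rec["log_status"] != "OK":
            continue                      # malformed, NODATA or SKIPDATA: no addresses to check
        if rec["protocol"] != "6" or rec["dstport"] != "25":
            continue                      # only TCP to port 25
        try:
            src = ipaddress.ip_address(rec["srcaddr"])
            dst = ipaddress.ip_address(rec["dstaddr"])
        except ValueError:
            continue
        if src not in vpc or dst in vpc:
            continue                      # inbound or intra-VPC traffic is not egress
        if src in relays:
            continue                      # sanctioned mail relay
        alerts.append({
            "interface": rec["interface_id"],
            "src": rec["srcaddr"],
            "dst": rec["dstaddr"],
            "action": rec["action"],
            "bytes": rec["bytes"],
        })
    return alerts


if __name__ == "__main__":
    for alert in smtp_egress_alerts(SAMPLE_FLOW_LOGS.splitlines(),
                                    "10.0.0.0/16", ["10.0.2.7"]):
        print(alert)
```

On the constructed sample this reports two hosts: 10.0.1.23, which completed a connection to 203.0.113.10:25, and 10.0.3.9, whose attempt was rejected. Inbound SMTP, intra-VPC mail to an internal relay, and traffic from the allowlisted relay 10.0.2.7 are ignored. Note that VPC flow logs do not record traffic to the instance metadata endpoint, so this check covers the command channel only, not the credential theft.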

Once on a host, the malware queries the cloud provider's instance metadata service to extract temporary credentials. On AWS, for example, it probes the instance metadata endpoint (169.254.169.254) for the short-lived credentials of the IAM role attached to the instance. If that role's permissions are broader than the workload needs, those credentials give the attacker a foothold across the wider cloud account. Enforcing IMDSv2 (session-token based access) blocks credential theft through SSRF and similar indirect paths, but it does not stop a backdoor already executing on the instance, which can request a token itself; the controls that limit the damage are least-privilege instance roles and monitoring for those credentials being used from unexpected locations.
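The two settings a practitioner would check first are the instance's metadata options and the breadth of the policies on its instance role. The audit below is an added example, not code from the report or from Breakglass Intelligence; it runs against a constructed instance record shaped like `aws ec2 describe-instances` output and a constructed inline policy, so it works offline. The instance ID, role name, policy statements and the hypothetical `audit_instance` helper are all assumptions made for the example.

```python
from typing import Any, Dict, List

# Constructed sample shaped like one entry of Reservations[].Instances[] from
# `aws ec2 describe-instances`, plus the policy documents attached to the role
# behind its instance profile. Not real account data.
SAMPLE_INSTANCE: Dict[str, Any] = {
    "InstanceId": "i-0123456789abcdef0",
    "IamInstanceProfile": {
        "Arn": "arn:aws:iam::123456789012:instance-profile/web-role",
    },
    "MetadataOptions": {
        "State": "applied",
        "HttpEndpoint": "enabled",
        "HttpTokens": "optional",          # IMDSv1 (no session token) still answered
        "HttpPutResponseHopLimit": 2,      # token responses may cross one extra network hop
    },
}

SAMPLE_ROLE_POLICIES: List[Dict[str, Any]] = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::app-assets/*"},
            {"Effect": "Allow", "Action": ["iam:*", "sts:AssumeRole"],
             "Resource": "*"},
        ],
    }
]


def _as_list(value: Any) -> List[Any]:
    """IAM allows a scalar or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def metadata_findings(instance: Dict[str, Any]) -> List[str]:
    """Flag IMDS settings that make credential theft easier than it needs to be."""
    findings: List[str] = []
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") != "enabled":
        return findings                    # IMDS disabled: nothing to steal from it
    if opts.get("HttpTokens") != "required":
        findings.append("HttpTokens is not 'required': IMDSv1 lets an SSRF or a "
                        "proxied request fetch role credentials without a token")
    hop_limit = int(opts.get("HttpPutResponseHopLimit", 1))
    if hop_limit > 1:
        findings.append(f"HttpPutResponseHopLimit={hop_limit}: IMDSv2 token responses "
                        "can be forwarded beyond the instance's own network stack")
    return findings


def policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Flag Allow statements whose blast radius covers the whole account."""
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" not in resources:
            continue
        wildcard = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcard:
            findings.append(f"statement {idx}: wildcard actions {wildcard} on Resource '*'")
        elif any(a.startswith(("iam:", "sts:")) for a in actions):
            findings.append(f"statement {idx}: identity actions {actions} on Resource '*'")
    return findings


def audit_instance(instance: Dict[str, Any],
                   role_policies: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Combine both checks; policy breadth only matters if a role is attached."""
    report: Dict[str, Any] = {
        "instance_id": instance.get("InstanceId"),
        "has_instance_role": bool(instance.get("IamInstanceProfile")),
        "metadata": metadata_findings(instance),
        "policy": [],
    }
    if report["has_instance_role"]:
        for policy in role_policies:
            report["policy"].extend(policy_findings(policy))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit_instance(SAMPLE_INSTANCE, SAMPLE_ROLE_POLICIES), indent=2))
```

On the sample the audit returns two metadata findings (IMDSv1 allowed, hop limit of 2) and one policy finding (statement 1 grants `iam:*` on every resource). The metadata side is fixed with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`; the policy side needs the role scoped down to what the workload actually calls, since, as noted above, a backdoor already on the host can obtain an IMDSv2 token on its own.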

Researchers say the observed campaign reflects years of tooling development by APT41, which has evolved from simple hacking tools to advanced, cloud-focused malware. The group has also used typosquatting (registering domains that closely resemble those of legitimate services) to disguise its infrastructure and avoid detection.

First spotted in 2012, APT41 (aka Winnti, Wicked Panda, Barium, Silver Dragon and Brass Typhoon) is known for combining state-sponsored espionage with financially motivated cybercrime. The threat actor has targeted a range of sectors, including healthcare, telecommunications, and the video game industry, often by compromising software providers' networks and reaching their customers through the supply chain. In September 2020, the US Department of Justice charged several members of the group over intrusions into more than 100 companies in the United States and abroad.
