{"id":48063,"date":"2022-08-18T18:34:08","date_gmt":"2022-08-18T18:34:08","guid":{"rendered":"https:\/\/www.darkreading.com\/remote-workforce\/china-apt41-baffling-approach-cobalt-strike-payload"},"modified":"2022-08-18T18:34:08","modified_gmt":"2022-08-18T18:34:08","slug":"chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/","title":{"rendered":"China&#8217;s APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltafe3188832ab1c4b\/62fe7850e17c194ab25d55a9\/china_vectorsector_shutterstock.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>An analysis of China-backed advanced persistent threat (APT) actor APT41&#8217;s activities has shown the group to be&nbsp;using&nbsp;a unique \u2014 and somewhat inexplicable \u2014 method for deploying its main Cobalt Strike payload on victim systems.<\/p>\n<p>Researchers from Singapore-based Group-IB also&nbsp;discovered that the adversary is using&nbsp;a variety of dual-use tools for conducting reconnaissance.&nbsp;<\/p>\n<p>So far, Group-IB has identified&nbsp;at least 13 major organizations worldwide that have been&nbsp;compromised over four separate campaigns, with the APT&nbsp;gaining varying levels of access. Victims included organizations in the government, healthcare, manufacturing, logistics, hospitality, and media sectors in the US as well as China,&nbsp;India, Taiwan, and Vietnam.&nbsp;<\/p>\n<p>The security vendor concluded that the actual number of APT41&#8217;s victims&nbsp;<a href=\"https:\/\/blog.group-ib.com\/apt41-world-tour-2021\" target=\"_blank\" rel=\"noopener\">could be much higher<\/a>,<br \/>\nbased \u2014 among other things \u2014 on the fact that it observed signs of APT-related activity at a total of 80 private and government organizations in 2021.<\/p>\n<h2 class=\"regular-text\">Puzzling Payload Deployment Strategy for Cobalt Strike<\/h2>\n<p>One interesting aspect of the campaigns that Group-IB analyzed was the tendency by APT41 to encode its main custom Cobalt Strike binary in Base64, then break it up into smaller chunks of 775 characters. These are then added to a text file. In one instance, the threat actors had to repeat the action 154 times to write the entire payload to the file.<\/p>\n<p>In another instance, Group-IB researchers observed the threat actor breaking up the code into chunks of 1,024 characters before writing the payload to a text file using 128 iterations of the process.<\/p>\n<p>Nikita Rostovcev, an analyst within Group-IB&#8217;s APT research team, says it&#8217;s unclear why APT41 might have adopted the strategy but surmises it may be an attempt at remaining under the radar.<\/p>\n<p>&#8220;We do not fully know why the attackers chose this method because SQLmap has a large data transfer limit, which means it was done intentionally, most likely in order to prevent its detection,&#8221; he says. <\/p>\n<p>However, detecting the ruse is not difficult, especially considering that the payload was encoded in Base64 at the end, he adds: &#8220;This is a unique finding. We have not seen any other attackers use this method in their attacks.&#8221;<\/p>\n<h2 class=\"regular-text\">SQL Injection &amp; Dual-Use Tools<\/h2>\n<p>Group-IB&#8217;s analysis shows the threat actors had shifted tactics for initial access, performing SQL injection attacks using the SQLmap tool to gain a foothold to some target organizations. SQLmap automatically discovers and exploits SQL vulnerabilities. The SQL injection attacks allow APT41 actors to gain command shell access on some targeted servers.<\/p>\n<p>The tactic marks a deviation from APT41&#8217;s usual pattern of using phishing, watering-hole attacks, and stolen credentials as an initial access vectors. <\/p>\n<p>APT41 mainly went after databases with information about existing user accounts, employee lists, and passwords stored in plaintext and hashed form. In total, APT41 actors attacked 86 vulnerable websites and applications belonging to the targeted organizations, and they were able to compromise half of them via SQL injection. <\/p>\n<p>&#8220;Typically, attackers from APT41 are interested in information about existing users and their accounts and any data that can be used for further lateral movement,&#8221; Rostovcev says.<\/p>\n<p>Once the threat actor has gained access to a target network it has been known to deploy numerous other custom tools to carry out its mission. In its report earlier this year, Cybereason identified some of these tools as DeployLog, for deploying the threat group&#8217;s main kernel-level rootkit, an initial payload called Spyder Loader; a tool for storing payloads called StashLog; and one for privilege escalation dubbed PrivateLog.<\/p>\n<p>In the 2021 campaigns that Group-IB investigated, it discovered APT41 actors using tools such as Acunetix&#8217;s Web vulnerability scanner, Nmap, and OneForAll, and pen-testing tools such as subdomain3, subDomainsBrute, and Sublist3r.<\/p>\n<p>&#8220;All these utilities \u2014 except Acunetix \u2014 are available to the public and used not only in hacker&#8217;s attacks but in penetration tests, for example,&#8221; Rostovcev says.<\/p>\n<p>Rostovcev describes the tools as falling into multiple categories, including those that can be used to look for hidden directors and forgotten backup archives, and those for scanning ports and the services running on them.<\/p>\n<h2 class=\"regular-text\">A Prolific &amp; Persistent State-Sponsored Threat Actor<\/h2>\n<p>APT41 (aka&nbsp;Winnti, Wicked Panda, Barium, and Blackfly) is a well-known APT group that first surfaced in 2010 with attacks on the likes of Google and Yahoo. The group is believed to be working on behalf of the Chinese government&nbsp;\u2014 or at least with its tacit support. Some have described APT41 as <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/report-china-s-intelligence-apparatus-linked-to-previously-unconnected-threat-groups\" target=\"_blank\" rel=\"noopener\">representing a collection of cyber threat actors<\/a> carrying out directives from China&#8217;s intelligence agencies.&nbsp;<\/p>\n<p> Though the US government <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/indictments-unlikely-to-deter-china-s-apt41-activity\" target=\"_blank\" rel=\"noopener\">indicted five APT41 members in 2020<\/a> and multiple security vendors have chronicled its activities and TTPs, the threat actor has continued its activities unfazed. The Cybereason report shows that APT41 stole hundreds of gigabytes of sensitive data from 30 organizations in North America in a <a href=\"https:\/\/www.darkreading.com\/attacks-breaches\/china-winnti-apt-trade-secrets-us\" target=\"_blank\" rel=\"noopener\">recent cyber-espionage campaign<\/a>.<\/p>\n<p>Read More <a href=\"https:\/\/www.darkreading.com\/remote-workforce\/china-apt41-baffling-approach-cobalt-strike-payload\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The state-sponsored threat actor has switched up its tactics, also adding an automated SQL-injection tool to its bag of tricks for initial access.Read More <a href=\"https:\/\/www.darkreading.com\/remote-workforce\/china-apt41-baffling-approach-cobalt-strike-payload\">HERE<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-48063","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>China&#039;s APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"China&#039;s APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-08-18T18:34:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltafe3188832ab1c4b\/62fe7850e17c194ab25d55a9\/china_vectorsector_shutterstock.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"China&#8217;s APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload\",\"datePublished\":\"2022-08-18T18:34:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\\\/\"},\"wordCount\":815,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/bltafe3188832ab1c4b\\\/62fe7850e17c194ab25d55a9\\\/china_vectorsector_shutterstock.jpg\",\"articleSection\":[\"DarkReading |TI\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\\\/\",\"name\":\"China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/bltafe3188832ab1c4b\\\/62fe7850e17c194ab25d55a9\\\/china_vectorsector_shutterstock.jpg\",\"datePublished\":\"2022-08-18T18:34:08+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\\\/#primaryimage\",\"url\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/bltafe3188832ab1c4b\\\/62fe7850e17c194ab25d55a9\\\/china_vectorsector_shutterstock.jpg\",\"contentUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/bltafe3188832ab1c4b\\\/62fe7850e17c194ab25d55a9\\\/china_vectorsector_shutterstock.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"China&#8217;s APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/","og_locale":"en_US","og_type":"article","og_title":"China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-08-18T18:34:08+00:00","og_image":[{"url":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltafe3188832ab1c4b\/62fe7850e17c194ab25d55a9\/china_vectorsector_shutterstock.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"China&#8217;s APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload","datePublished":"2022-08-18T18:34:08+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/"},"wordCount":815,"commentCount":0,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/#primaryimage"},"thumbnailUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltafe3188832ab1c4b\/62fe7850e17c194ab25d55a9\/china_vectorsector_shutterstock.jpg","articleSection":["DarkReading |TI"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/","url":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/","name":"China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/#primaryimage"},"thumbnailUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltafe3188832ab1c4b\/62fe7850e17c194ab25d55a9\/china_vectorsector_shutterstock.jpg","datePublished":"2022-08-18T18:34:08+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/#primaryimage","url":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltafe3188832ab1c4b\/62fe7850e17c194ab25d55a9\/china_vectorsector_shutterstock.jpg","contentUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltafe3188832ab1c4b\/62fe7850e17c194ab25d55a9\/china_vectorsector_shutterstock.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-embraces-baffling-approach-for-dropping-cobalt-strike-payload\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"China&#8217;s APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/48063","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=48063"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/48063\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=48063"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=48063"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=48063"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}