{"id":56555,"date":"2024-07-12T14:33:26","date_gmt":"2024-07-12T14:33:26","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/36101\/Chinas-APT41-Crew-Adds-A-Stealthy-Malware-Loader-And-Fresh-Backdoor-To-Its-Toolbox.html"},"modified":"2024-07-12T14:33:26","modified_gmt":"2024-07-12T14:33:26","slug":"chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/","title":{"rendered":"China&#8217;s APT41 Crew Adds A Stealthy Malware Loader And Fresh Backdoor To Its Toolbox"},"content":{"rendered":"<p>Chinese government-backed cyber espionage gang APT41 has very likely added a loader dubbed DodgeBox and a backdoor named MoonWalk to its malware toolbox, according to cloud security service provider Zscaler\u2019s ThreatLabz research team.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/03\/09\/china_apt41_mandiant_usaherds\/\" rel=\"noopener\">APT41<\/a> \u2013 also known as Barium, Wicked Panda, Wicked Spider and Earth Baku \u2013 has ties to the Chinese Ministry of State Security. In addition to digital espionage, the crew also conducts <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.mandiant.com\/sites\/default\/files\/2022-02\/rt-apt41-dual-operation.pdf\">financially motivated crimes<\/a> [PDF] on occasion. 
Google&#8217;s Mandiant security unit believes that&#8217;s how the gang funds its spying operations.<\/p>\n<p>Over the years, the US government has charged APT41 members with breaking into computer networks belonging to <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.justice.gov\/opa\/pr\/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\">more than 100 victims<\/a> across the globe.<\/p>\n<p>The tactics, techniques, and procedures (TTPs) that the Zscaler team observed in this campaign \u2013 including DLL sideloading \u2013 and the DodgeBox malware code&#8217;s similarity to <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/h\/apt41-resurfaces-as-earth-baku-with-new-cyberespionage-campaign.html\">StealthVector<\/a> malware, led the threat hunters to attribute the intrusions with medium confidence to APT41.<\/p>\n<p>In a <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/dodgebox-deep-dive-updated-arsenal-apt41-part-1\">technical analysis<\/a> published on Wednesday, ThreatLabz researchers Yin Hong Chang and Sudeep 
Singh wrote that &#8220;analysis of the telemetry available in VirusTotal reveals that DodgeBox samples have been submitted from both Thailand and Taiwan.&#8221;<\/p>\n<p>&#8220;This observation aligns with previous instances of APT41 employing StealthVector in campaigns primarily targeting users in the Southeast Asian (SEA) region,&#8221; they added.<\/p>\n<p>In April, Zscaler uncovered DodgeBox and opined that it closely resembles APT41&#8217;s StealthVector. Like StealthVector, DodgeBox is a shellcode loader written in C that can be configured with various features \u2013 including &#8220;decrypting and loading embedded DLLs, conducting environment checks and bindings, and executing cleanup procedures.&#8221;<\/p>\n<p>DodgeBox, however, &#8220;incorporates significant improvements in its implementation&#8221; compared to StealthVector, Chang and Singh assert. Some of DodgeBox&#8217;s capabilities include encryption \u2013 it uses AES Cipher Feedback (AES-CFB) mode for encrypting its configuration. 
It also performs a series of environmental checks to confirm it has hit the correct target and holds the privileges it needs for maximum access to the victim&#8217;s system.<\/p>\n<p>Plus, it takes a series of steps to evade detection, including call stack spoofing, and then executes cleanup procedures to remove itself from the victim&#8217;s system.<\/p>\n<p>&#8220;What sets DodgeBox apart from other malware is its unique algorithms and techniques,&#8221; Chang and Singh <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/dodgebox-deep-dive-updated-arsenal-apt41-part-1\">wrote<\/a>.<\/p>\n<p>As part of the setup process, the malware resolves multiple APIs, we&#8217;re told. It also performs environment checks to ensure it has hit the correct target. &#8220;Notably, DodgeBox employs a salted FNV1a hash for DLL and function names,&#8221; the researchers observed.<\/p>\n<p>This salted hash helps it evade static detections, and also allows different DodgeBox 
samples to use distinct values for the same DLL and function, the two explained. The malware then scans DLLs and checks to see if Windows Control Flow Guard (CFG) is enabled. This is a security feature that prevents memory corruption vulnerabilities in Windows applications \u2013 if it is enabled, the malware attempts to disable it.<\/p>\n<p>Finally, it performs checks to verify that it is configured correctly, and running with system privileges. If those conditions aren&#8217;t met, the malware terminates.<\/p>\n<p>Otherwise, assuming it&#8217;s still a go after these checks, DodgeBox enters the final phase and decrypts its payload: the MoonWalk backdoor, which it drops as a DAT file on the infected machine.<\/p>\n<p>Zscaler promises to provide more detail on what the MoonWalk backdoor actually enables in the second part of its blog post, which is unpublished at time of writing. All it reveals in part one is that the backdoor &#8220;shares many evasion techniques implemented in DodgeBox and utilizes Google Drive for command-and-control (C2) communication.&#8221; \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/36101\/Chinas-APT41-Crew-Adds-A-Stealthy-Malware-Loader-And-Fresh-Backdoor-To-Its-Toolbox.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[5265],"class_list":["post-56555","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-blogs","tag-headlinehackergovernmentmalwarechinacyberwarbackdoor"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>China&#039;s APT41 Crew Adds A Stealthy Malware Loader And Fresh Backdoor To Its 
Toolbox 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"China&#039;s APT41 Crew Adds A Stealthy Malware Loader And Fresh Backdoor To Its Toolbox 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-12T14:33:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_specialfeatures\/malwaremonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZpHZMstvy4YWzqKilddXAQAAAJY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" 
content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"China&#8217;s APT41 Crew Adds A Stealthy Malware Loader And Fresh Backdoor To Its Toolbox\",\"datePublished\":\"2024-07-12T14:33:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\\\/\"},\"wordCount\":599,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_specialfeatures\\\/malwaremonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZpHZMstvy4YWzqKilddXAQAAAJY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"keywords\":[\"headline,hacker,government,malware,china,cyberwar,backdoor\"],\"articleSection\":[\"CyberSecurity 
Blogs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\\\/\",\"name\":\"China's APT41 Crew Adds A Stealthy Malware Loader And Fresh Backdoor To Its Toolbox 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_specialfeatures\\\/malwaremonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZpHZMstvy4YWzqKilddXAQAAAJY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2024-07-12T14:33:26+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_specialfeatures\\\/malwaremonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZpHZMstvy4YWzqKilddXAQAAAJY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_specialfeatures\\\/malwaremonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZpHZMstvy4YWzqKilddXAQAAAJY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,hacker,government,malware,china,cyberwar,backdoor\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackergovernmentmalwarechinacyberwarbackdoor\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"China&#8217;s APT41 Crew Adds A Stealthy Malware Loader And Fresh Backdoor To Its 
Toolbox\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org
\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"China's APT41 Crew Adds A Stealthy Malware Loader And Fresh Backdoor To Its Toolbox 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/","og_locale":"en_US","og_type":"article","og_title":"China's APT41 Crew Adds A Stealthy Malware Loader And Fresh Backdoor To Its Toolbox 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-07-12T14:33:26+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_specialfeatures\/malwaremonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZpHZMstvy4YWzqKilddXAQAAAJY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"China&#8217;s APT41 Crew Adds A Stealthy Malware Loader And Fresh Backdoor To Its 
Toolbox","datePublished":"2024-07-12T14:33:26+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/"},"wordCount":599,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_specialfeatures\/malwaremonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZpHZMstvy4YWzqKilddXAQAAAJY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","keywords":["headline,hacker,government,malware,china,cyberwar,backdoor"],"articleSection":["CyberSecurity Blogs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/","url":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/","name":"China's APT41 Crew Adds A Stealthy Malware Loader And Fresh Backdoor To Its Toolbox 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_specialfeatures\/malwaremonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZpHZMstvy4YWzqKilddXAQAAAJY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2024-07-12T14:33:26+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_specialfeatures\/malwaremonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZpHZMstvy4YWzqKilddXAQAAAJY&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_specialfeatures\/malwaremonth&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZpHZMstvy4YWzqKilddXAQAAAJY&amp;t=ct%3Dns%26un
itnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/chinas-apt41-crew-adds-a-stealthy-malware-loader-and-fresh-backdoor-to-its-toolbox\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker,government,malware,china,cyberwar,backdoor","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehackergovernmentmalwarechinacyberwarbackdoor\/"},{"@type":"ListItem","position":3,"name":"China&#8217;s APT41 Crew Adds A Stealthy Malware Loader And Fresh Backdoor To Its Toolbox"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56555","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=56555"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56555\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=56555"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=56555"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=56555"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}