THREATOPS Actor Dossier
LIVE ← Dashboard

APT41

G00961 reports
aliases · APT41 · Wicked Panda · Brass Typhoon · BARIUM
Export dossier:
1
Reports
4
Techniques
3
Tactics
3
Countries
50%
Hunt coverage
4
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1590.005 (IP Addresses), T1059.007 (JavaScript), T1087.003 (Email Account).
  • Primary targeting: CN, HK, US.
  • Currently dormant: 0 report(s) in last 30d vs 0 prior (+0%).
  • Hunt coverage 50% of 4 observed techniques (2 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

DormantLast 30d: 0 vs 0 prior (+0%)· first reported 2024-11-15 · last 2024-11-15
0
7d
0
30d
0
90d
1
All
0.0
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

Dropped (90d+)
T1590.005T1059.007T1087.003T1589.001

Overview

Analyst triage
Intelligence summary

APT41 is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected