🇨🇳 APT41
🇨🇳 APT41 is a tracked threat actor in the Clankerusecase corpus. Attributed to CN. Primary motivation: State. We map 26 detection use cases to this actor across 100 MITRE ATT&CK techniques, with 2 threat-intel articles citing them. Active in our corpus from 2026-02-26 to 2026-05-07.
crit: 2
26 use cases
2 articles
100 techniques
9 IOCs
Known aliases
APT41, BARIUM, Wicked Panda, Winnti Group, Brass Typhoon, Double Dragon, Blackfly
Top techniques
All other tracked techniques
T1003 · OS Credential Dumping
T1003.001 · LSASS Memory
T1003.002 · Security Account Manager
T1003.003 · NTDS
T1005 · Data from Local System
T1008 · Fallback Channels
T1012 · Query Registry
T1014 · Rootkit
T1016 · System Network Configuration Discovery
T1018 · Remote System Discovery
T1021.001 · Remote Desktop Protocol
T1021.002 · SMB/Windows Admin Shares
T1027 · Obfuscated Files or Information
T1027.002 · Software Packing
T1030 · Data Transfer Size Limits
T1033 · System Owner/User Discovery
T1036.004 · Masquerade Task or Service
T1036.005 · Match Legitimate Resource Name or Location
T1037 · Boot or Logon Initialization Scripts
T1046 · Network Service Discovery
T1047 · Windows Management Instrumentation
T1049 · System Network Connections Discovery
T1053.005 · Scheduled Task
T1055 · Process Injection
T1056.001 · Keylogging
T1057 · Process Discovery
T1059.003 · Windows Command Shell
T1059.004 · Unix Shell
T1059.005 · Visual Basic
T1069 · Permission Groups Discovery
T1069.002 · Domain Groups
T1070.003 · Clear Command History
T1070.004 · File Deletion
T1071 · Application Layer Protocol
T1071.002 · File Transfer Protocols
T1071.004 · DNS
T1078 · Valid Accounts
T1082 · System Information Discovery
T1083 · File and Directory Discovery
T1087.001 · Local Account
T1087.002 · Domain Account
T1090 · Proxy
T1090.002 · External Proxy
T1098.007 · Additional Local or Domain Groups
T1102.001 · Dead Drop Resolver
T1104 · Multi-Stage Channels
T1105 · Ingress Tool Transfer
T1110 · Brute Force
T1112 · Modify Registry
T1127.001 · MSBuild
T1133 · External Remote Services
T1135 · Network Share Discovery
T1136.001 · Local Account
T1195.002 · Compromise Software Supply Chain
T1197 · BITS Jobs
T1203 · Exploitation for Client Execution
T1204.001 · Malicious Link
T1204.002 · Malicious File
T1204.004 · Malicious Copy and Paste
T1213.003 · Code Repositories
T1218 · System Binary Proxy Execution
T1218.001 · Compiled HTML File
T1218.011 · Rundll32
T1219 · Remote Access Tools
T1480.001 · Environmental Keying
T1484.001 · Group Policy Modification
T1486 · Data Encrypted for Impact
T1496.001 · Compute Hijacking
T1542.003 · Bootkit
T1543.003 · Windows Service
T1546.008 · Accessibility Features
T1547.001 · Registry Run Keys / Startup Folder
T1550.002 · Pass the Hash
T1553.002 · Code Signing
T1555 · Credentials from Password Stores
T1555.003 · Credentials from Web Browsers
T1560.001 · Archive via Utility
T1566 · Phishing
T1566.001 · Spearphishing Attachment
T1566.002 · Spearphishing Link
T1568.002 · Domain Generation Algorithms
T1569.002 · Service Execution
T1570 · Lateral Tool Transfer
T1572 · Protocol Tunneling
T1573.002 · Asymmetric Cryptography
T1574.001 · DLL
T1574.002 · T1574.002
T1574.006 · Dynamic Linker Hijacking
T1583.001 · Domains
T1588.002 · Tool
T1595.002 · Vulnerability Scanning
T1595.003 · Wordlist Scanning
T1596.005 · Scan Databases
T1599 · Network Boundary Bridging
T1684.001 · Impersonation
T1685 · Disable or Modify Tools
T1685.005 · Clear Windows Event Logs
Detection use cases (26)
APT41 (Wicked Panda / Brass Typhoon) IIS post-exploitation: w3wp.exe spawning LOLBins after webshell drop
APT41 DUSTTRAP / DodgeBox DLL side-loading: legitimately-signed third-party binary relocated to a writable path with same-folder DLL load an
CL-STA-1132 EarthWorm staging download from 146.70.100.69:8000/php_sess
Malformed CL-STA-1132 attacker User-Agent (Mozilla/5.5 + Safari/532.31)
PAN-OS firewall service account LDAP enumeration of DomainDnsZones
Beaconing — periodic outbound to small set of destinations
Network connections to article IPs / domains
LSASS process access / dump (credential theft)
Asset exposure — vulnerability matches article CVE(s)
Remote service execution — PsExec / SMB lateral movement
PowerShell encoded / obfuscated command
RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard
File hash IOCs — endpoint file/process match
Article-specific behavioural hunt — Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated
1Password failed sign-in burst
1Password impossible-travel sign-in
1Password item exfiltration attempt
1Password vault export attempted
Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min)
Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes
Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN
Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload)
Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint
Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request
Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit)
Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution
Threat-intel articles (2)
crit Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution · 2026-05-07
crit PlugX Meeting Invitation via MSBuild and GDATA · 2026-02-26
Tracked indicators
Domains (5)
decoorat.net
decoraat.net
gesecole.net
onedow.gesecole.net
onedown.gesecole.net
IP addresses (4)
136.0.8.48
146.70.100.69
149.104.66.84
67.206.213.86
CVEs (1)
CVE-2026-0300