The China-linked cyber espionage group tracked as APT41 has been attributed to a new campaign targeting government IT services in the African region.
“The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware,” Kaspersky researchers Denis Kulik and Daniil Pogorelov said. “One of the C2s [command-and-control servers] was a captive SharePoint server within the victim’s infrastructure.”
APT41 is the moniker assigned to a prolific Chinese nation-state hacking group that’s known for targeting organizations spanning multiple sectors, including telecom and energy providers, educational institutions, healthcare organizations and IT energy companies in more than three dozen countries.
What makes the campaign noteworthy is its focus on Africa, which, as the Russian cybersecurity vendor noted, “had experienced the least activity” from this specific threat actor. That said, the findings line up with previous observations from Trend Micro that the continent has found itself in its crosshairs since late 2022.
Kaspersky said it began an investigation after it found “suspicious activity” on multiple workstations associated with an unnamed organization’s IT infrastructure that involved the attackers running commands to ascertain the availability of their C2 server, either directly or via an internal proxy server within the compromised entity.
“The source of the suspicious activity turned out to be an unmonitored host that had been compromised,” the researchers noted. “Impacket was executed on it in the context of a service account. After the Atexec and WmiExec modules finished running, the attackers temporarily suspended their operations.”
Soon after, the attackers are said to have harvested credentials associated with privileged accounts to facilitate privilege escalation and lateral movement, ultimately deploying Cobalt Strike for C2 communication using DLL side-loading.
The malicious DLLs incorporate a check to verify the language packs installed on the host and proceed with the execution only if the following language packs are not detected: Japanese, Korean (South Korea), Chinese (Mainland China), and Chinese (Taiwan).
The attack is also characterized by the use of a hacked SharePoint server for C2 purposes, using it to send commands that are run by a C#-based malware uploaded to the victim hosts.
“They distributed files named agents.exe and agentx.exe via the SMB protocol to communicate with the server,” Kaspersky explained. “Each of these files is actually a C# trojan whose primary function is to execute commands it receives from a web shell named CommandHandler.aspx, which is installed on the SharePoint server.”
This method blends traditional malware deployment with living-off-the-land tactics, where trusted services like SharePoint are turned into covert control channels. These behaviors align with techniques categorized under MITRE ATT&CK, including T1071.001 (Web Protocols) and T1047 (WMI), making them difficult to detect using signature-based tools alone.
Furthermore, the threat actors have been spotted carrying out follow-on activity on machines deemed valuable post initial reconnaissance. This is accomplished by running a cmd.exe command to download from an external resource a malicious HTML Application (HTA) file containing embedded JavaScript and run it using mshta.exe.
The exact nature of the payload delivered via the external URL, a domain impersonating GitHub (“github.githubassets[.]net”) so as to evade detection, is currently unknown. However, an analysis of one of the previously distributed scripts shows that it’s designed to spawn a reverse shell, thereby granting the attackers the ability to execute commands on the infected system.
Also put to use in the attacks are stealers and credential-harvesting utilities to gather sensitive data and exfiltrate the details via the SharePoint server. Some of the tools deployed by the adversary are listed below –
- Pillager, albeit a modified version, to steal credentials from browsers, databases, and administrative utilities like MobaXterm; source code; screenshots; chat sessions and data; email messages; SSH and FTP sessions; list of installed apps; output of the systeminfo and tasklist commands; and account information from chat apps and email clients
- Checkout to steal information about downloaded files and credit card data saved in web browsers like Yandex, Opera, OperaGX, Vivaldi, Google Chrome, Brave, and Cốc Cốc.
- RawCopy to copy raw registry files
- Mimikatz to dump account credentials
“The attackers wield a wide array of both custom-built and publicly available tools,” Kaspersky said. “Specifically, they use penetration testing tools like Cobalt Strike at various stages of an attack.”
“The attackers are quick to adapt to their target’s infrastructure, updating their malicious tools to account for specific characteristics. They can even leverage internal services for C2 communication and data exfiltration.”
This operation also highlights the blurred line between red team tools and real-world adversary simulation, where threat actors use public frameworks like Impacket, Mimikatz, and Cobalt Strike alongside custom implants. These overlaps pose challenges for detection teams focused on lateral movement, credential access, and defense evasion across Windows environments.
