Menu
Browse

Cyber Threat Actor: APT41

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Nation State
China
38 incidents
Profile

Barrium, also known as APT41 and Wicked Panda, is a threat actor group that has been publicly linked to China-based operations. Multiple sources describe the group as a Chinese state‑sponsored collective, noting its ties to the Chinese government and its activity under various aliases used by different security vendors. The group’s location is identified as China in the available context.

The actor targets a wide range of sectors including technology firms, manufacturers, financial institutions, cryptocurrency exchanges, educational organizations, government agencies, power sector entities, and religious institutions. Its objectives have been observed to include financial gain, such as the theft of COVID‑relief funds and ransomware attacks that extort money, as well as espionage aimed at gathering intelligence from government bodies, diplomatic organizations, and critical infrastructure. In addition, the group has caused disruption by paralyzing IT systems, halting production and sales operations, and forcing victims to rebuild networks after ransomware incidents.

Observed tactics, techniques, and procedures involve the use of multiple malware families and tools. These include the macOS backdoor JokerSpy, the Winnti trojan, the ShadowPad backdoor, the PortReuse network implant, PlugX, Poison Ivy, Cobalt Strike beacons, and the Swiftbelt enumeration tool. Initial access has been achieved through backdoored legitimate software development applications such as IntelliJ IDEA, iTerm, and Visual Studio Code, phishing emails with malicious links, supply‑chain compromises of update mechanisms, and exploitation of vulnerabilities in Microsoft Exchange Servers. The group’s tooling style features multi‑architecture binaries, Python implants, Swift‑based utilities, and attempts to masquerade malicious files as legitimate system components like XProtectCheck.

Representative campaigns attributed to Barrium/APT41/Wicked Panda include the theft of at least twenty million dollars from US COVID‑relief programs, a supply‑chain attack that distributed trojanized updates to a Mongolian government chat application, the intrusion of a Japanese cryptocurrency exchange using the JokerSpy macOS backdoor, the deployment of ShadowPad malware against Hong Kong universities, a ransomware operation targeting Taiwan’s state oil company, and a series of intrusions against Vatican and Catholic organizations leveraging PlugX‑laden phishing lures. These activities illustrate the group’s blend of financially motivated theft, espionage, and disruptive effects across multiple industries and regions.

Incidents
Attributed incidents available to members
38 incidents
Sources
Sources available to members
14 sources