China's APT41 team adds sneaky malware to its toolbox


Chinese government-backed cyber espionage gang APT41 has most likely added a loader called DodgeBox and a backdoor called MoonWalk to its malware toolbox, according to cloud security service provider Zscaler's ThreatLabz research team.


APT41 – also known as Barium, Wicked Panda, Wicked Spider and Earth Baku – has links to the Chinese Ministry of State Security. In addition to digital espionage, the crew also engages in financially motivated crimes at times. Google's security unit Mandiant believes this is how the gang funds its spying operations.

Over the years, the US government has accused APT41 members of breaking into computer networks belonging to more than 100 victims worldwide.

The tactics, techniques, and procedures (TTPs) the Zscaler team observed in this campaign, including DLL sideloading, together with the similarity of the DodgeBox malware code to the StealthVector malware, led the threat hunters to attribute the intrusion to APT41 with medium confidence.
