APT41 Taps Google Red-Teaming Tool in Targeted Info-Stealing Attacks

Published: 23/11/2024   Category: security

The China-linked APT41 group targeted a Taiwanese media organization and an Italian job agency with standard, open source penetration-testing tools, in a change of strategy.

The advanced persistent threat known as APT41 has pressed into service an open source red-teaming tool, Google Command and Control (GC2), for use in cyber espionage attacks, marking a shift in its tactics.

According to the Google Threat Analysis Group (TAG) team, the APT41 group, also known as HOODOO, Winnti, and Bronze Atlas, recently targeted a Taiwanese media organization with phishing emails that contained links to a password-protected file hosted in Drive.

When the file was opened, it fetched the GC2 payload. As detailed in the TAG April Threat Horizons report, this tool gets its commands from Google Sheets, most likely to hide the malicious activity, and exfiltrates data to Google Drive. The GC2 tool also enables the attacker to download additional files from Drive onto the victim's system.
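The traffic pattern described above (commands read from Google Sheets, data pushed to and pulled from Drive) is what a defender can look for. The following is an added example, not code from the TAG report or the GC2 project: a small heuristic run over constructed proxy log lines that flags a non-browser process repeatedly reading a spreadsheet through the Sheets API, and counts that process's Drive uploads and downloads as supporting evidence. The log format, host and process names are assumptions.

```python
"""Heuristic detection of GC2-style use of Google APIs in proxy logs.

Hypothetical example, not code from the TAG report or the GC2 project.
Flags a host when a non-browser process polls the Sheets API (command
channel) and also talks to Drive (exfiltration / tool-download channel).
"""
import re
from collections import defaultdict

# Constructed sample log lines: "<host> <process> <method> <url> <bytes_out>"
SAMPLE_LOGS = """\
ws01 chrome.exe GET https://sheets.googleapis.com/v4/spreadsheets/abc/values/A1 120
ws02 svchost.exe GET https://sheets.googleapis.com/v4/spreadsheets/abc/values/A1 130
ws02 svchost.exe GET https://sheets.googleapis.com/v4/spreadsheets/abc/values/A1 130
ws02 svchost.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 5242880
ws02 svchost.exe GET https://www.googleapis.com/drive/v3/files/xyz?alt=media 200
ws03 firefox.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 40960
"""

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
SHEETS_RE = re.compile(r"^https://sheets\.googleapis\.com/v4/spreadsheets/")
DRIVE_UP_RE = re.compile(r"^https://www\.googleapis\.com/upload/drive/")
DRIVE_DL_RE = re.compile(r"^https://www\.googleapis\.com/drive/v3/files/.*[?&]alt=media")

def find_suspects(log_text, min_polls=2):
    """Return {(host, process): counters} for non-browser processes that
    read a spreadsheet at least min_polls times (Sheets as command channel).
    Drive uploads/downloads by the same process are counted as supporting
    evidence for exfiltration and additional-tool download."""
    stats = defaultdict(lambda: {"polls": 0, "upload_bytes": 0, "downloads": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, proc, method, url, nbytes = line.split()
        if proc.lower() in BROWSERS:
            continue  # interactive browser use of Google services is expected
        key = (host, proc)
        if method == "GET" and SHEETS_RE.match(url):
            stats[key]["polls"] += 1
        elif method == "POST" and DRIVE_UP_RE.match(url):
            stats[key]["upload_bytes"] += int(nbytes)
        elif method == "GET" and DRIVE_DL_RE.match(url):
            stats[key]["downloads"] += 1
    return {k: v for k, v in stats.items() if v["polls"] >= min_polls}

if __name__ == "__main__":
    for (host, proc), s in find_suspects(SAMPLE_LOGS).items():
        print(f"{host} {proc}: polls={s['polls']} "
              f"uploaded={s['upload_bytes']}B downloads={s['downloads']}")
```

On real data the process allow-list and the poll threshold need tuning, since legitimate automation (backup agents, sync clients) also uses these APIs.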
APT41 also previously used GC2 last July to target an Italian job search website, according to TAG.

TAG researchers noted that incidents such as this highlight several trends among China-affiliated threat actors: the use of publicly available tooling, the proliferation of tools written in the Go programming language, and the targeting of Taiwanese media.
Chinese APT groups have increasingly used publicly available (and legitimate) tools such as Cobalt Strike and other penetration-testing software, which is available on sites like GitHub; there has also been a shift to using lesser-known red-teaming tools such as Brute Ratel and Sliver to evade detection during their attacks.
The use of such "living off the land" tactics is well known among financially motivated cyberattackers, but less so among APTs, which are better resourced and can develop custom tools. Yet Christopher Porter, head of threat intelligence for Google Cloud, said in the report that "it is only prudent to consider that state-sponsored cyber threat actors may steal from the playbooks of cybercriminals to target such systems."

He adds, "A familiar domain name disarms many of the natural defenses we all have when viewing a suspicious email, and the degree to which it is trusted will often be hard-coded into security systems screening for spam or malware." He also flagged the use of cloud services for stealth and legitimacy: "Cloud providers are useful targets for these kinds of operations, either as hosts for malware or providing the infrastructure for command-and-control."
The group's activities illustrate the continued overlap of public sector threat actors targeting private sector organizations with limited government ties, according to the TAG analysis.

Last year the same group was discovered deploying the Spyder Loader malware as part of an ongoing campaign to gather intelligence on government organizations in Hong Kong, as well as targeting multiple US government agencies using the Log4j vulnerability.
"Bronze Atlas is one of the most prolific groups we have been tracking for a long time," says Marc Burnard, senior security researcher for Secureworks Counter Threat Unit, having tracked it since at least 2007. "And during that time, the group has been very prolific," he says.

Burnard says APT41 has gone after a range of targets, including government, healthcare, high-tech manufacturing, telcos, aviation, non-governmental organizations (NGOs), and targets in line with China's political and economic interests.

"They are primarily focused on stealing intellectual property, and they have also been involved in targeting political intelligence as well," he notes.

Asked why this particular Taiwanese media company would be targeted, Burnard admits there could be several reasons, including the China-Taiwan political situation, a goal of using the victim to target other organizations and individuals, or there could be a destructive element too.
As mentioned, the TAG report found that the attackers sent phishing emails to the victim containing links to legitimate cloud services in order to avoid detection; links to a trusted cloud service don't set off email filters. Burnard points out that this is part of a style change for the group: up until the last few years it was quite noisy in its attacks, and not too worried about the activity being detected.

However, since the 2020 indictment of seven alleged cybercriminals, which reportedly included members of APT41, the activity has been more stealthy, and Burnard says the APT is now moving towards using legitimate tools like Cobalt Strike, and towards cloud services, to hide its intent and activity.
