China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload

Published: 23/11/2024   Category: security




The state-sponsored threat actor has switched up its tactics, also adding an automated SQL-injection tool to its bag of tricks for initial access.



An analysis of China-backed advanced persistent threat (APT) actor APT41's activities has shown the group to be using a unique — and somewhat inexplicable — method for deploying its main Cobalt Strike payload on victim systems.
Researchers from Singapore-based Group-IB also discovered that the adversary is using a variety of dual-use tools for conducting reconnaissance. 
So far, Group-IB has identified at least 13 major organizations worldwide that have been compromised over four separate campaigns, with the APT gaining varying levels of access. Victims included organizations in the government, healthcare, manufacturing, logistics, hospitality, and media sectors in the US as well as China, India, Taiwan, and Vietnam. 
The security vendor concluded that the actual number of APT41's victims could be much higher, based — among other things — on the fact that it observed signs of APT-related activity at a total of 80 private and government organizations in 2021.
One interesting aspect of the campaigns that Group-IB analyzed was the tendency by APT41 to encode its main custom Cobalt Strike binary in Base64, then break it up into smaller chunks of 775 characters. These are then added to a text file. In one instance, the threat actors had to repeat the action 154 times to write the entire payload to the file.
In another instance, Group-IB researchers observed the threat actor breaking up the code into chunks of 1,024 characters before writing the payload to a text file using 128 iterations of the process.
Nikita Rostovcev, an analyst within Group-IB's APT research team, says it's unclear why APT41 might have adopted the strategy but surmises it may be an attempt at remaining under the radar.
"We do not fully know why the attackers chose this method because SQLmap has a large data transfer limit, which means it was done intentionally, most likely in order to prevent its detection," he says.
However, detecting the ruse is not difficult, especially considering that the payload was encoded in Base64 at the end, he adds: "This is a unique finding. We have not seen any other attackers use this method in their attacks."
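The write-in-pieces pattern described above leaves a recognisable trace on the server side: one source sends the same parameter many times, each time carrying a Base64 run of identical length. The following Python detector is an added example, not code from Group-IB, from the article, or from APT41's tooling. It assumes a combined-format web access log in which query strings are recorded; the log lines and the "payload" are constructed, and the chunk size is shortened from the reported 775 / 1,024 characters so the sample stays readable. It groups Base64-looking runs by source and path, flags groups whose runs share one uniform length across many requests, reassembles them, and checks whether the decoded bytes start with an executable header.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import quote, unquote

# Combined-format access log line (assumed log format; only these fields are used).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# A run of Base64 alphabet characters too long to be an ordinary id or token value.
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def extract_chunks(lines):
    """Group Base64-looking runs from each request's query string by (source, path),
    keeping the order in which the requests appeared."""
    groups = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than fail
        path, _, query = unquote(m.group("uri")).partition("?")
        for run in B64_RE.findall(query):
            groups[(m.group("src"), path)].append(run)
    return groups


def looks_like_executable(blob):
    """Cheap header check: Windows PE ('MZ') or ELF magic at the start of the data."""
    return blob.startswith(b"MZ") or blob.startswith(b"\x7fELF")


def find_chunked_payloads(lines, min_chunks=8):
    """Flag (source, path) pairs that received many uniform-length Base64 runs,
    reassemble them, and report whether the result decodes to an executable."""
    findings = []
    for (src, path), chunks in extract_chunks(lines).items():
        if len(chunks) < min_chunks:
            continue
        # A file being appended to piece by piece shows up as one fixed chunk
        # length repeated many times; only the final chunk may be shorter.
        sizes = {len(c) for c in chunks[:-1]}
        if len(sizes) != 1:
            continue
        joined = "".join(chunks)
        # A trailing chunk shorter than B64_RE's minimum is dropped by the regex, so
        # decode only whole 4-char groups; the header check needs just the first bytes.
        try:
            blob = base64.b64decode(joined[: len(joined) // 4 * 4], validate=True)
        except binascii.Error:
            blob = b""
        findings.append({
            "src": src,
            "path": path,
            "chunks": len(chunks),
            "chunk_size": sizes.pop(),
            "decoded_bytes": len(blob),
            "executable": looks_like_executable(blob),
        })
    return findings


# --- constructed sample input (not real traffic) -------------------------------
STAND_IN_PAYLOAD = b"MZ" + b"\x90" * 766  # 768 bytes -> exactly 1024 Base64 chars
CHUNK_SIZE = 64                            # shortened from the reported 775 / 1,024
_encoded = base64.b64encode(STAND_IN_PAYLOAD).decode()
_chunks = [_encoded[i:i + CHUNK_SIZE] for i in range(0, len(_encoded), CHUNK_SIZE)]


def _line(src, sec, uri, status=200):
    return (f'{src} - - [23/Nov/2024:10:00:{sec:02d} +0000] '
            f'"GET {uri} HTTP/1.1" {status} 512 "-" "curl/8.4"')


SAMPLE_LOG = [
    _line("198.51.100.7", 0, "/products.php?id=42"),                 # ordinary request
    _line("198.51.100.7", 1, "/api/session?token=" + "a" * 48),     # one long token, benign
] + [
    # the same parameter carrying one fixed-size chunk per request, 16 times
    _line("203.0.113.5", 2 + i, "/products.php?id=" + quote(c, safe=""))
    for i, c in enumerate(_chunks)
]

if __name__ == "__main__":
    for finding in find_chunked_payloads(SAMPLE_LOG):
        print(finding)
```

The single long session token is deliberately left in the sample: it matches the Base64 regex but never reaches the `min_chunks` threshold, which is what separates a legitimate one-off value from a file being assembled across dozens of requests. The uniform-length test matters for the same reason; a real application's Base64 parameters vary in size, whereas an upload split by a script does not.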
Group-IB's analysis shows the threat actors had shifted tactics for initial access, performing SQL injection attacks using the SQLmap tool to gain a foothold in some target organizations. SQLmap automatically discovers and exploits SQL injection vulnerabilities. The SQL injection attacks allowed APT41 actors to gain command shell access on some targeted servers.
The tactic marks a deviation from APT41's usual pattern of using phishing, watering-hole attacks, and stolen credentials as initial access vectors.
APT41 mainly went after databases with information about existing user accounts, employee lists, and passwords stored in plaintext and hashed form. In total, APT41 actors attacked 86 vulnerable websites and applications belonging to the targeted organizations, and they were able to compromise half of them via SQL injection.
"Typically, attackers from APT41 are interested in information about existing users and their accounts and any data that can be used for further lateral movement," Rostovcev says.
Once the threat actor has gained access to a target network, it has been known to deploy numerous other custom tools to carry out its mission. In its report earlier this year, Cybereason identified some of these tools as DeployLog, for deploying the threat group's main kernel-level rootkit; an initial payload called Spyder Loader; a tool for storing payloads called StashLog; and one for privilege escalation dubbed PrivateLog.
In the 2021 campaigns that Group-IB investigated, it discovered APT41 actors using tools such as Acunetix's Web vulnerability scanner, Nmap, and OneForAll, and pen-testing tools such as subdomain3, subDomainsBrute, and Sublist3r.
"All these utilities — except Acunetix — are available to the public and used not only in hackers' attacks but in penetration tests, for example," Rostovcev says.
Rostovcev describes the tools as falling into multiple categories, including those that can be used to look for hidden directories and forgotten backup archives, and those for scanning ports and the services running on them.
APT41 (aka Winnti, Wicked Panda, Barium, and Blackfly) is a well-known APT group that first surfaced in 2010 with attacks on the likes of Google and Yahoo. The group is believed to be working on behalf of the Chinese government — or at least with its tacit support. Some have described APT41 as representing a collection of cyber threat actors carrying out directives from China's intelligence agencies.
Though the US government indicted five APT41 members in 2020 and multiple security vendors have chronicled its activities and TTPs, the threat actor has continued its activities unfazed. The Cybereason report shows that APT41 stole hundreds of gigabytes of sensitive data from 30 organizations in North America in a recent cyber-espionage campaign.
