The notorious Chinese threat group APT41 is using an undetectable backdoor malware to target Linux-based cloud workloads to steal credentials from Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Alibaba Cloud environments.
The backdoor attributed to APT41 (aka Winnti, Wicked Panda, Barium, Silver Dragon and Brass Typhoon) is built as a Linux Executable and Linkable Format (ELF) binary and uses SMTP port 25 as a covert command-and-control (C2) channel to make its activity “invisible to conventional scanning tools like Shodan and Censys,” according to a recent report from Breakglass Intelligence.
“The ELF binary is a stripped, statically linked x86-64 executable designed for persistence on Linux cloud instances,” according to the report. “At the time of analysis, it carries zero detections on VirusTotal.”
The backdoor is the result of at least six years of investment by APT41 in developing cloud-native tooling, “progressing from basic reverse shells to purpose-built cloud credential harvesters with scanner-resistant C2,” according to the report. The campaign also leverages typosquatting in a way that obscures its malicious network activity, making it especially difficult to track, researchers said.
APT41, first identified in 2012, is among the most prolific China-linked threat groups currently active and is known for conducting espionage on behalf of Beijing while also pursuing cybercrime for financial gain. More a collective than one single group of threat actors, APT41 saw the US government indict five of its members in 2020 for participating in or contributing to attacks on more than 100 companies worldwide. However, those indictments have done little to deter the group’s activities so far.
Typosquatting for Evasion
The recently discovered APT41 operation targets modern cloud workloads rather than traditional endpoints, using the ELF backdoor to harvest cloud provider credentials and metadata from various environments. Once deployed, the backdoor immediately starts probing the AWS instance metadata service — the familiar 169.254.169.254 endpoint — to extract temporary credentials tied to the host’s cloud identity.
In environments where permissions are overly broad, that single step can open the door to far wider access, according to Breakglass. The backdoor also queries other services for Azure, Alibaba, and GCP.
Moreover, the group’s use of three typosquatted domains makes the campaign particularly difficult to track. The operators rely on domains that closely resemble legitimate Alibaba Cloud services as well as the Chinese cybersecurity brand Qianxin, employing classic typosquatting techniques that blend malicious traffic into the background noise of normal operations.
“All three domains were registered through NameSilo within a 24-hour burst window (January 20-21, 2026) with privacy protection enabled,” according to the report. “This registration pattern is consistent with APT41 infrastructure procurement tradecraft — bulk registration through budget registrars with WHOIS privacy, followed by immediate deployment.”
Indeed, tapping legitimate cloud services to obscure C2 traffic is typical of APT41 behavior and is an oft-used tactic by threat actors to hide their malicious activities. Moreover, even when defenders identify the infrastructure, the C2 servers used in the campaign are deliberately unresponsive to casual probing, engaging only with traffic that mimics the malware’s precise communication pattern, according to Breakglass.
Detection and Prevention
Cloud credentials are the keys to the kingdom, and once adversaries obtain them they can act as legitimate users within a cloud environment to create havoc by moving across services, escalating privileges, and maintaining access without leaving the usual malware footprints.
To help detect whether APT41 has compromised an organization’s cloud environment using the backdoor, Breakglass provided advice for network-based, host-based, and cloud-native detection of the malicious activity so that it can be remediated immediately.
To detect APT41 activity at the network level, defenders should monitor for outbound SMTP (port 25) traffic from non-mail workloads, which should not be initiating such connections. They also should set up an alert on UDP broadcast traffic to port 6006, a non-standard service port that would signal anomalous traffic. Further, organizations can block or monitor connections to 43[.]99[.]48[.]196 and the three typosquatted domains, according to Breakglass.
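The three network indicators above, applied to a few constructed flow and resolver records. This is an added example, not code from the article or from Breakglass; the record format, the mail-relay inventory and the typosquat domain placeholder are assumptions (the article names only the IP).

```python
from collections import defaultdict

# Indicators from the report as quoted in the article: the C2 IP is given there;
# the three typosquatted domains are not named, so a labelled placeholder stands in.
C2_IPS = {"43.99.48.196"}
C2_DOMAINS = {"typosquat-placeholder.example"}
# Hypothetical asset inventory: the only workloads allowed to originate SMTP.
MAIL_RELAYS = {"10.0.1.10"}

def parse_record(line):
    """Constructed formats: '<src> <dst> <proto> <dport> <direction>' for flows,
    'dns <src> <qname>' for resolver logs."""
    fields = line.split()
    if fields[0] == "dns":
        return {"kind": "dns", "src": fields[1], "qname": fields[2].rstrip(".").lower()}
    src, dst, proto, dport, direction = fields
    return {"kind": "flow", "src": src, "dst": dst, "proto": proto.upper(),
            "dport": int(dport), "direction": direction}

def rules_for(rec):
    """Names of the report's network indicators that one record matches."""
    hits = []
    if rec["kind"] == "dns":
        return ["known-c2-domain"] if rec["qname"] in C2_DOMAINS else hits
    if (rec["direction"] == "egress" and rec["proto"] == "TCP"
            and rec["dport"] == 25 and rec["src"] not in MAIL_RELAYS):
        hits.append("smtp-from-non-mail-workload")
    if rec["proto"] == "UDP" and rec["dport"] == 6006:
        # /24 broadcast heuristic; replace with the real subnet map in production
        bcast = rec["dst"] == "255.255.255.255" or rec["dst"].endswith(".255")
        hits.append("udp-6006-broadcast" if bcast else "udp-6006")
    if rec["dst"] in C2_IPS:
        hits.append("known-c2-ip")
    return hits

def scan(lines):
    """Group offending records by rule name."""
    alerts = defaultdict(list)
    for line in lines:
        for rule in rules_for(parse_record(line)):
            alerts[rule].append(line)
    return dict(alerts)

# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    "10.0.2.15 43.99.48.196 tcp 25 egress",      # app host talking SMTP to the C2 IP
    "10.0.1.10 198.51.100.7 tcp 25 egress",      # legitimate mail relay, no alert
    "10.0.2.15 10.0.2.255 udp 6006 egress",      # broadcast on the non-standard port
    "10.0.2.15 203.0.113.9 tcp 443 egress",      # ordinary HTTPS, no alert
    "dns 10.0.2.15 typosquat-placeholder.example.",
]

if __name__ == "__main__":
    for rule, lines in scan(SAMPLE_LOG).items():
        print(rule, lines)
```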
For host-based detections, defenders can audit for unexpected reads of cloud credential files, as well as monitor cloud instance metadata API calls from non-standard processes, since legitimate SDKs and command-line interfaces have known process names. They also can hunt for stripped, statically linked ELF binaries in unexpected locations such as /tmp, /var/tmp, and /dev/shm.
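The hunt for stripped, statically linked ELF binaries in those directories, implemented from the ELF64 headers alone: no PT_INTERP or PT_DYNAMIC program header means static linking, and no SHT_SYMTAB section (or no section table at all) means the symbols were stripped. Added example, not code from the article or from Breakglass; build_sample() fabricates header-only images for testing and the 64 MiB size bound is an assumption.

```python
import os, struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header, little-endian
PHDR = struct.Struct("<IIQQQQQQ")            # ELF64 program header
SHDR = struct.Struct("<IIQQQQIIQQ")          # ELF64 section header
PT_DYNAMIC, PT_INTERP, SHT_SYMTAB = 2, 3, 2

def classify(data):
    """Return (is_elf64, statically_linked, stripped) from the file's headers."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return (False, False, False)
    (_, _, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, _) = EHDR.unpack_from(data)
    ptypes = {PHDR.unpack_from(data, phoff + i * phentsize)[0] for i in range(phnum)
              if phoff + i * phentsize + PHDR.size <= len(data)}
    stypes = {SHDR.unpack_from(data, shoff + i * shentsize)[1] for i in range(shnum)
              if shoff + i * shentsize + SHDR.size <= len(data)}
    static = not (ptypes & {PT_DYNAMIC, PT_INTERP})
    stripped = SHT_SYMTAB not in stypes      # also true when the section table is gone
    return (True, static, stripped)

def hunt(dirs=("/tmp", "/var/tmp", "/dev/shm"), max_size=64 << 20):
    """Walk the hunt directories and return paths of stripped, static ELF64 files."""
    found = []
    for top in dirs:
        for root, _, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    if os.path.getsize(path) > max_size:
                        continue
                    with open(path, "rb") as fh:   # section table usually sits at EOF
                        data = fh.read()
                except OSError:
                    continue
                is_elf, static, stripped = classify(data)
                if is_elf and static and stripped:
                    found.append(path)
    return found

def build_sample(ptypes, stypes):
    """Constructed header-only ELF64 image (e_machine 62 = x86-64) for testing."""
    phoff = EHDR.size
    shoff = phoff + PHDR.size * len(ptypes)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = EHDR.pack(ident, 2, 62, 1, 0, phoff, shoff if stypes else 0, 0, EHDR.size,
                    PHDR.size, len(ptypes), SHDR.size, len(stypes), 0)
    phs = b"".join(PHDR.pack(t, 5, 0, 0, 0, 0, 0, 0x1000) for t in ptypes)
    shs = b"".join(SHDR.pack(0, t, 0, 0, 0, 0, 0, 0, 0, 0) for t in stypes)
    return hdr + phs + shs
```

Running hunt() on a live host needs read access to the directories; classify() itself works on any bytes, so it can also be fed files collected during triage.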
Cloud-native detection includes enabling AWS CloudTrail and Google Cloud Audit Logs and setting up alerts on credential usage from unexpected source IPs, reviewing IAM role assumption events for anomalous patterns, and implementing IMDSv2 (AWS) to require session tokens for metadata access, which raises the bar for credential theft, according to Breakglass.