
Tracked as Barium, Wicked Panda, Winnti, and Wicked Spider, the cyber-espionage group is said to have hacked over 100 organizations worldwide.
APT41's activity spans more than a decade, with victims located in the United States, Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam. Researchers track the activity as two groups, called Grayfly and Blackfly.
Grayfly activity, which has been observed in recent years, is associated with the indictment against Jiang, Qian, and Fu, who hold senior positions in a Chinese company named Chengdu 404.
Malware used by the threat actor includes Barlaiy/POISONPLUG and Crosswalk/ProxIP (Backdoor.Motnug), with many victims compromised through public-facing web servers. Backdoor.Motnug provides remote access to the breached environment and also proxy access to hard-to-reach segments of the network.
Blackfly has been active since at least 2010 and is mainly known for targeting video gaming companies.
Malware used by the threat actor includes PlugX/Fast (Backdoor.Korplug), Winnti/Pasteboy (Backdoor.Winnti), and Shadowpad (Backdoor.Shadowpad). One specific artifact observed in the group’s attacks was the use of the names of security vendors when naming their malicious binaries.
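A simple hunting check for the naming artifact just described, added here as an example (not code from the report): it flags binaries whose filename borrows a security vendor's name but whose code-signing subject does not belong to that vendor. The vendor/signer table and the file inventory are constructed for illustration.

```python
"""Flag binaries named after a security vendor but not signed by that vendor."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed mapping: vendor name fragment -> substrings expected in the
# Authenticode signer subject. Extend from your own software inventory.
VENDOR_SIGNERS = {
    "symantec": ("symantec", "broadcom"),
    "mcafee": ("mcafee",),
    "kaspersky": ("kaspersky",),
    "avast": ("avast",),
}

@dataclass
class FileRecord:
    path: str
    signer: Optional[str]  # signature subject as reported by your EDR/inventory; None if unsigned

def masqueraded_vendor(rec: FileRecord) -> Optional[str]:
    """Return the vendor whose name the filename borrows if the signer does not
    match that vendor, otherwise None."""
    name = rec.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    signer = (rec.signer or "").lower()
    for vendor, signers in VENDOR_SIGNERS.items():
        if vendor in name and not any(s in signer for s in signers):
            return vendor
    return None

def find_suspicious(records: List[FileRecord]) -> List[Tuple[str, str]]:
    """Return (path, vendor) pairs for every masquerading candidate."""
    return [(r.path, v) for r in records if (v := masqueraded_vendor(r))]

# Constructed sample inventory: one legitimate vendor binary, two lookalikes,
# and an unrelated signed system binary.
SAMPLE = [
    FileRecord(r"C:\Program Files\Symantec\sep.exe", "Symantec Corporation"),
    FileRecord(r"C:\Users\Public\symantec_update.exe", None),
    FileRecord(r"C:\Windows\Temp\mcafeeagent.exe", "Contoso Ltd"),
    FileRecord(r"C:\Windows\System32\svchost.exe", "Microsoft Windows"),
]

if __name__ == "__main__":
    for path, vendor in find_suspicious(SAMPLE):
        print(f"{path}: named after {vendor} but not signed by it")
```

Signer checks are a triage aid, not proof: confirm the flagged file's hash and signature chain before acting on a hit.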
The link between Grayfly and Blackfly, the security firm says, is drawn through two other Chinese nationals that the U.S. indicted as part of the APT41 group, namely Zhang Haoran and Tan Dailin. They allegedly worked at Chengdu 404 for a while, but also collaborated with the Blackfly actors for extra cash.
"Grayfly and Blackfly have been prolific attackers in recent years and, while it remains to be seen what impact the charges will have on their operations, the publicity surrounding the indictments will certainly be unwelcome among attackers who wish to maintain a low profile."
