Researchers uncovered three phishing schemes targeting Indian nationals. APT41 is a Chinese state-sponsored cyber threat group that has carried out espionage activity in parallel with financially motivated operations. The group targets many industries, including travel, telecommunications, healthcare, news, and education.
Researchers linked the phishing in India to APT41 by monitoring previously documented activity associated with the commercial attack framework Cobalt Strike. The activity used a bespoke, malleable C2 profile that resembled profiles seen in earlier attacks.
The researchers found sufficient grounds to link the earlier and new campaigns by identifying nearly identical HTTP GET profile blocks and mapping out similarities in Beacon configuration data. A few clusters with unique configuration metadata pointed to APT41.
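The clustering step described above, as an added illustration that is not from the original report or its researchers: Beacon configuration extracts are reduced to a normalized set of tokens from the HTTP GET profile block, scored pairwise by Jaccard similarity, and grouped with union-find so that samples sharing a near-identical profile land in one cluster even when their C2 addresses differ. The field layout and every value in `SAMPLE_CONFIGS` are constructed for the example (hypothetical, not the output of any particular parser), as is the `cluster_metadata` helper that surfaces the non-profile settings shared by a cluster.

```python
"""Cluster Beacon configurations by the similarity of their malleable C2
HTTP GET profile blocks.

Added illustration only: the records below are constructed samples, not
real APT41 configurations, and the field layout is a simplified,
hypothetical shape rather than the output of any particular parser.
"""
from itertools import combinations

# Constructed Beacon config extracts (hypothetical field names and values).
SAMPLE_CONFIGS = [
    {"id": "sample-A", "c2": "cdn-update.invalid", "jitter": 20, "sleep": 45000,
     "http_get": {"uri": "/api/v2/status", "verb": "GET",
                  "headers": ["Accept: */*", "Accept-Language: en-US",
                              "Host: cdn-update.invalid"],
                  "metadata": ["base64url", 'prepend "session="', 'header "Cookie"']}},
    {"id": "sample-B", "c2": "files-sync.invalid", "jitter": 20, "sleep": 45000,
     "http_get": {"uri": "/api/v2/status", "verb": "GET",
                  "headers": ["Accept: */*", "Accept-Language: en-US",
                              "Accept-Encoding: gzip",
                              "Host: files-sync.invalid"],
                  "metadata": ["base64url", 'prepend "session="', 'header "Cookie"']}},
    {"id": "sample-C", "c2": "198.51.100.10", "jitter": 0, "sleep": 60000,
     "http_get": {"uri": "/ca", "verb": "GET",
                  "headers": ["Accept: text/html", "Host: 198.51.100.10"],
                  "metadata": ["base64", 'header "Cookie"']}},
    {"id": "sample-D", "c2": "203.0.113.7", "jitter": 0, "sleep": 60000,
     "http_get": {"uri": "/ca", "verb": "GET",
                  "headers": ["Accept: text/html", "Host: 203.0.113.7"],
                  "metadata": ["base64", 'header "Cookie"']}},
]


def profile_tokens(cfg):
    """Normalize a config's HTTP GET profile block into a set of tokens.

    The Host header value is dropped because it simply mirrors the C2
    address and would otherwise split infrastructure-rotated samples of
    the same profile; every other header keeps its name and value.
    """
    block = cfg["http_get"]
    tokens = {("uri", block["uri"]), ("verb", block["verb"].upper())}
    for raw in block["headers"]:
        name, _, value = raw.partition(":")
        name = name.strip().lower()
        if name == "host":
            tokens.add(("header", name))
        else:
            tokens.add(("header", name, value.strip()))
    for step in block["metadata"]:
        tokens.add(("metadata", step))
    return tokens


def profile_similarity(cfg_a, cfg_b):
    """Jaccard similarity of two GET profile token sets (0.0 .. 1.0)."""
    a, b = profile_tokens(cfg_a), profile_tokens(cfg_b)
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_by_profile(configs, threshold=0.75):
    """Group configs whose GET profiles are at least `threshold` similar.

    Uses union-find over all pairs, so any chain of near-identical
    profiles ends up in one cluster. Returns sorted lists of config ids.
    """
    parent = {cfg["id"]: cfg["id"] for cfg in configs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for cfg_a, cfg_b in combinations(configs, 2):
        if profile_similarity(cfg_a, cfg_b) >= threshold:
            parent[find(cfg_a["id"])] = find(cfg_b["id"])

    groups = {}
    for cfg in configs:
        groups.setdefault(find(cfg["id"]), []).append(cfg["id"])
    return sorted(sorted(ids) for ids in groups.values())


def cluster_metadata(configs, cluster_ids):
    """Collect the non-profile settings shared by every member of a cluster,
    the kind of distinctive configuration metadata that narrows attribution."""
    members = [cfg for cfg in configs if cfg["id"] in cluster_ids]
    shared = {}
    for key in ("jitter", "sleep"):
        values = {cfg[key] for cfg in members}
        if len(values) == 1:
            shared[key] = values.pop()
    return shared


if __name__ == "__main__":
    for ids in cluster_by_profile(SAMPLE_CONFIGS):
        print(ids, cluster_metadata(SAMPLE_CONFIGS, ids))
```

With the constructed input, samples A and B cluster together despite different C2 hosts and one extra header, while C and D form a second cluster with a plainer profile; the shared jitter and sleep values of each cluster are then reported as the configuration metadata that an analyst would compare against previously attributed activity. The 0.75 threshold is a tunable assumption, not a value from the report.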
The phishing lures, a favourite APT41 tactic typically used in conjunction with information stealers, keyloggers and backdoors, loaded and executed Cobalt Strike Beacons on the target’s network. Once on the user’s machine, the Beacon blended in, using a customized profile to disguise its network traffic.
The three phishing lures came in the form of PDFs that distracted the user while malicious activity ran in the background. One scheme used an embedded PowerShell script, one a self-extracting archive, and another a zip file.
These findings show that APT41 is still regularly conducting new campaigns and will likely continue to do so.