Security researchers from BlackBerry have linked several recent malware campaigns to China-based threat group APT41. The research revealed that the campaigns were using COVID-themed phishing bait to target victims in India.

Attack tactics

The attackers are believed to have used phishing emails laden with documents as the initial infection vector. The phishing emails claimed to be COVID-19 advisories sent by the Indian government.
  • Once a user's system is infected using phishing bait, the threat uses its customized profile to hide network traffic.
  • The email attachments contain LNK files or ZIP archives. Some of the phishing emails included information related to the latest income tax legislation targeting residents not living in India.
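
A mail-gateway triage check for the attachment types described above (LNK files, or ZIP archives that may carry them). This is an added example, not code from BlackBerry's research or from the article; the function names, the size limit and the sample message are assumptions constructed for illustration.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the fixed LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
MAX_MEMBER = 10 * 1024 * 1024  # assumed limit: skip members declaring more than 10 MiB

def scan_blob(name, data, depth=0):
    """Return findings for one attachment, recursing into nested ZIPs."""
    if data.startswith(LNK_MAGIC):
        return [f"{name}: LNK header"]
    findings = []
    if depth < 2 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = f"{name}!{info.filename}"
                if info.flag_bits & 0x1:  # encrypted: content unreadable, judge by name
                    if info.filename.lower().endswith(".lnk"):
                        findings.append(f"{inner}: encrypted .lnk entry")
                elif not info.is_dir() and info.file_size <= MAX_MEMBER:
                    findings += scan_blob(inner, zf.read(info), depth + 1)
    return findings

def scan_message(raw):
    """Scan every attachment of an RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        findings += scan_blob(part.get_filename() or "unnamed", data)
    return findings

def build_sample():
    """Constructed test message: a ZIP attachment holding a fake shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("advisory.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", "constructed sample")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="advisory.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The check matches on the LNK header bytes rather than the file extension, so a renamed shortcut inside an archive is still flagged.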


  • One set of intrusions used similar phishing lures that were spotted in September 2020 and linked to the Evilnum group. However, the indicators of compromise in the recent attack indicate a linkage with the APT41 group.
  • The recent research provided further information on earlier findings published by Mandiant in March 2020. That campaign was conducted by APT41, which exploited various publicly known vulnerabilities.
  • In that campaign, a Cobalt Strike Beacon loader was using a C2 profile that was spotted again in recent campaigns.
  • In fact, a similar C2 profile was uploaded to GitHub on March 29 by a researcher with the pseudonym '1135', to spot a fresh cluster of domains linked to APT41.


Experts believe that state-sponsored attackers have enough resources to operate separate campaigns and avoid detection. Moreover, COVID-19 baits continue to be relevant as the pandemic is not over yet. Security teams need to use shared threat intel services and other collective resources to withstand and fight such threat groups.

Cyware Publisher