APT41 Delivers 'Zero-Detection' Backdoor to Harvest Cloud Credentials
Dark Reading, archived Apr 13, 2026
The prolific China-backed threat group is targeting AWS, Google, Azure, and Alibaba cloud environments and using typosquatting to obscure C2 communication.
Elizabeth Montalbano, Contributing Writer
April 13, 2026
The notorious Chinese threat group APT41 is using an undetectable backdoor to compromise Linux-based cloud workloads and steal credentials from Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Alibaba Cloud environments.
The backdoor attributed to APT41 (aka Winnti, Wicked Panda, Barium, Silver Dragon, and Brass Typhoon) is an Executable and Linkable Format (ELF) binary, the native executable format on Linux, and uses SMTP port 25 as a covert command-and-control (C2) channel to make its activity "invisible to conventional scanning tools like Shodan and Censys," according to a recent report from Breakglass Intelligence.
"The ELF binary is a stripped, statically linked x86-64 executable designed for persistence on Linux cloud instances," according to the report. "At the time of analysis, it carries zero detections on VirusTotal."
The backdoor is the result of at least six years of investment by APT41 in developing cloud-native tooling, "progressing from basic reverse shells to purpose-built cloud credential harvesters with scanner-resistant C2," according to the report. The campaign also leverages typosquatting in a way that obscures its malicious network activity, making it especially difficult to track, researchers said.
APT41, first identified in 2012, is among the most prolific China-linked threat groups currently active and is known for conducting espionage on behalf of Beijing while also pursuing cybercrime for financial gain. More a collective than a single group of threat actors, APT41 had five of its members indicted by the US government in 2020 for participating in or contributing to attacks on more than 100 companies worldwide. However, those indictments have done little to deter the group's activities so far.
Typosquatting for Evasion
The recently discovered APT41 operation targets modern cloud workloads rather than traditional endpoints, using the ELF backdoor to harvest cloud provider credentials and metadata from various environments. Once deployed, the backdoor immediately starts probing the AWS instance metadata service — the familiar 169.254.169.254 endpoint — to extract temporary credentials tied to the host's cloud identity.
In environments where permissions are overly broad, that single step can open the door to far wider access, according to Breakglass. The backdoor also queries the equivalent metadata services for Azure, Alibaba Cloud, and GCP.
Moreover, the group's use of three typosquatted domains makes the campaign particularly difficult to track. The operators rely on domains that closely resemble legitimate Alibaba Cloud services and the Chinese cybersecurity brand Qianxin, employing classic typosquatting techniques that blend malicious traffic into the background noise of normal operations.
"All three domains were registered through NameSilo within a 24-hour burst window (January 20-21, 2026) with privacy protection enabled," according to the report. "This registration pattern is consistent with APT41 infrastructure procurement tradecraft — bulk registration through budget registrars with WHOIS privacy, followed by immediate deployment."
Indeed, tapping legitimate cloud services to obscure C2 traffic is typical of APT41 behavior and is an oft-used tactic by threat actors to hide their malicious activities. Moreover, even when defenders identify the infrastructure, the C2 servers used in the campaign are deliberately unresponsive to casual probing, engaging only with traffic that mimics the malware's precise communication pattern, according to Breakglass.
Detection and Prevention
Cloud credentials are the keys to the kingdom, and once adversaries obtain them they can act as legitimate users within a cloud environment to create havoc by moving across services, escalating privileges, and maintaining access without leaving the usual malware footprints.
To help organizations detect whether APT41 has compromised their cloud environment using the backdoor, Breakglass provided advice for network-based, host-based, and cloud-native detection of the malicious activity so that it can be remediated immediately.
To detect APT41 activity at the network level, defenders should monitor for outbound SMTP (port 25) traffic from non-mail workloads, which should not be initiating such connections. They also should alert on UDP broadcast traffic to port 6006, a non-standard service port whose use would signal anomalous traffic. Further, organizations can block or monitor connections to 43[.]99[.]48[.]196 and the three typosquatted domains, according to Breakglass.
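The network-level checks above, applied to flow records, as an added example that is not part of the Dark Reading article or the Breakglass report. It assumes AWS VPC Flow Logs in the default field order, a constructed set of sample lines, an assumed allowlist of hosts entitled to speak SMTP, and a crude "/24 directed broadcast" heuristic for the UDP 6006 rule; the watchlist address is the one quoted in the article.

```python
# Constructed sample lines in the AWS VPC Flow Logs default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.7 51234 25 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.9 203.0.113.25 44012 25 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.1.255 40000 6006 17 4 512 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 43.99.48.196 51300 443 6 8 1024 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.3.4 51400 443 6 8 1024 1700000000 1700000060 ACCEPT OK
"""
MAIL_HOSTS = {"10.0.2.9"}          # assumed: the only workload entitled to speak SMTP outbound
WATCHLIST_IPS = {"43.99.48.196"}   # C2 address quoted in the report (defanged in the article)
TCP, UDP = 6, 17                   # IANA protocol numbers carried in the protocol field

def detect(lines, mail_hosts=MAIL_HOSTS, watchlist=WATCHLIST_IPS):
    """Return (rule, src, dst) tuples for flows matching the report's network indicators."""
    alerts = []
    for line in lines.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue  # skip malformed records or non-default formats
        src, dst, dport, proto = f[3], f[4], int(f[6]), int(f[7])
        if proto == TCP and dport == 25 and src not in mail_hosts:
            alerts.append(("smtp_from_non_mail_workload", src, dst))
        # Assumed heuristic: a .255 destination approximates a /24 directed broadcast.
        if proto == UDP and dport == 6006 and dst.endswith(".255"):
            alerts.append(("udp_broadcast_6006", src, dst))
        if dst in watchlist:
            alerts.append(("watchlist_c2_ip", src, dst))
    return alerts
```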
For host-based detection, defenders can audit for unexpected reads of cloud credential files and monitor cloud instance metadata API calls from non-standard processes, since legitimate SDKs and command-line interfaces have known process names. They also can hunt for stripped, statically linked ELF binaries in unexpected locations such as /tmp, /var/tmp, and /dev/shm.
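The host-based hunt for stripped, statically linked x86-64 ELF files in the drop directories named above, as an added example that is not code from the article or from Breakglass. It parses the ELF64 header directly (no PT_INTERP segment is taken as static linking, no SHT_SYMTAB section as stripped); the `build_sample_elf` helper constructs non-executable test images so the logic can be exercised offline.

```python
import os
import struct

HUNT_DIRS = ["/tmp", "/var/tmp", "/dev/shm"]  # drop locations named in the report
PT_INTERP, SHT_SYMTAB, EM_X86_64 = 3, 2, 62
EHDR_FMT = "<HHIQQQIHHHHHH"  # ELF64 header fields that follow the 16-byte e_ident

def _entries(data, off, count, size, fmt):
    """Yield unpacked table entries, silently stopping at a truncated table."""
    for i in range(count):
        if off + i * size + struct.calcsize(fmt) <= len(data):
            yield struct.unpack_from(fmt, data, off + i * size)

def classify_elf(data):
    """Return traits of an ELF64 little-endian image, or None if data is not one."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    (_type, e_machine, _ver, _entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    # A PT_INTERP segment names the dynamic loader; its absence means static linking.
    has_interp = any(p[0] == PT_INTERP for p in _entries(data, e_phoff, e_phnum, e_phentsize, "<I"))
    # No SHT_SYMTAB section means the symbol table was stripped.
    has_symtab = any(s[1] == SHT_SYMTAB for s in _entries(data, e_shoff, e_shnum, e_shentsize, "<II"))
    return {"x86_64": e_machine == EM_X86_64, "static": not has_interp, "stripped": not has_symtab}

def is_suspicious(traits):
    """True when the image fits the report's profile: stripped, statically linked, x86-64."""
    return bool(traits) and traits["x86_64"] and traits["static"] and traits["stripped"]

def hunt(dirs=HUNT_DIRS):
    """Walk the drop directories and return paths of files matching the profile."""
    hits = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        if is_suspicious(classify_elf(fh.read())):
                            hits.append(path)
                except OSError:
                    continue
    return hits

def build_sample_elf(static, stripped):
    """Constructed, non-executable ELF64 image for offline testing; not a real sample."""
    phdr = struct.pack("<IIQQQQQQ", 1 if static else PT_INTERP, 0, 0, 0, 0, 0, 0, 0)  # one 56-byte phdr
    shdr = b"" if stripped else struct.pack("<IIQQQQIIQQ", 0, SHT_SYMTAB, 0, 0, 0, 0, 0, 0, 0, 0)
    e_shoff, e_shnum = (64 + len(phdr), 1) if shdr else (0, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack(EHDR_FMT, 2, EM_X86_64, 1, 0, 64, e_shoff, 0, 64, 56, 1, 64, e_shnum, 0)
    return ehdr + phdr + shdr
```

Treat a hit as a triage lead rather than a verdict: legitimate static Go or Rust tools also match the profile, so follow up with the process name and metadata-API checks described above.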
Cloud-native detection includes enabling AWS CloudTrail and Google Cloud Audit Logs and setting up alerts on credential usage from unexpected source IPs, reviewing IAM role assumption events for anomalous patterns, and implementing IMDSv2 (AWS) to require session tokens for metadata access, which raises the bar for credential theft, according to Breakglass.
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.