APT41 Targets Linux Cloud Servers With New Winnti Backdoor
3 Articles
China-linked cloud credential heist runs on typos and SMTP
Indicators and detection: Despite the campaign's use of stealth, the researchers were able to connect the dots with the help of independent research by @Xlab_qax, who attributed the campaign and its lineage to APT41 with high confidence. The indicators shared by the researchers include file and network signatures (domain and ports). They also included a list of MITRE ATT&CK tactics for a broader understanding of the years-long campaign. Breakglass disclosure p…
How China-based hackers ELFed their way into the cloud and stole credentials
China-aligned hackers have deployed a Linux-based ELF backdoor to steal cloud credentials at scale from workloads across AWS, GCP, Azure, and Alibaba Cloud environments. According to Breakglass Intelligence findings, the backdoor uses a “zero-detection” technique, employing SMTP port 25 as a covert command-and-control (C2) channel to harvest cloud provider credentials and metadata. “A selective C2 handshake validation mechanism renders the serve…
APT41 Targets Linux Cloud Servers With New Winnti Backdoor
A previously undocumented Linux backdoor attributed to China-linked threat group APT41 (Winnti) has been uncovered, targeting cloud workloads across AWS, GCP, Azure, and Alibaba Cloud. The ELF-based implant, currently showing zero detections on VirusTotal, transforms Linux servers into stealthy credential theft nodes using a novel SMTP-based command-and-control (C2) mechanism. The discovery indicates a new phase in APT41’s Linux and cloud-target…