Kaspersky Identifies APT41 Espionage Attack on Southern African Organization

Monday 21 July 2025 20:29

Cybersecurity experts at Kaspersky’s Managed Detection and Response (MDR) service have uncovered a targeted cyber espionage campaign against a Southern African organization, linking the attack to the Chinese-speaking threat group APT41.

Although APT41 has shown limited activity in the Southern African region, Kaspersky’s findings indicate that the group specifically targeted government IT services in one of the countries, aiming to steal highly sensitive corporate data, including user credentials, internal documents, source code, and communications.

APT41 is part of a broader class of Advanced Persistent Threat (APT) actors, known for conducting prolonged, covert attacks on specific entities, often for intelligence gathering rather than financial gain. According to Kaspersky, the tactics, techniques, and procedures (TTPs) used in this incident bear a high-confidence attribution to APT41, whose operations span at least 42 countries across industries such as telecommunications, healthcare, education, energy, and IT.

Attack Vector and Tools

The attackers are believed to have gained initial access via a vulnerable web server exposed to the internet. By performing a registry dumping technique, they obtained two key corporate domain accounts — one with local admin rights and another linked to backup services with domain admin privileges — enabling lateral movement within the network.

Among the tools deployed were two credential and data-stealing utilities: a modified version of Pillager, and Checkout. The attackers compiled Pillager into a DLL format to extract a wide range of data, including saved passwords, screenshots, emails, source code, and Wi-Fi credentials. Checkout complemented these efforts by targeting browser-stored credentials, download histories, and even saved credit card data.

The operation also involved tools such as RawCopy, a DLL version of Mimikatz, and Cobalt Strike for command-and-control (C2) communication. Notably, the attackers utilized an internal SharePoint server as a stealthy C2 channel, communicating through custom agents and a web shell — a method likely chosen to blend in with legitimate traffic and evade detection.
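A web shell used as a C2 relay on an internal SharePoint server tends to leave one tell in the IIS logs: a single client POSTing to the same page at near-constant intervals, which no human browsing a document library does. The script below is an added example (not from the Kaspersky report or Securelist write-up) that flags such series in a constructed IIS W3C log excerpt; the page path, hosts and the MIN_REQUESTS/MAX_JITTER thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed IIS W3C excerpt (not real telemetry). Host 10.0.0.9 posts to one
# page every ~300 s, the shape a polling C2 agent produces; 10.0.0.5 is a user.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2025-07-01 08:00:00 10.0.0.5 GET /sites/hr/Forms/AllItems.aspx 200 412
2025-07-01 08:00:05 10.0.0.9 POST /_layouts/15/status.aspx 200 9120
2025-07-01 08:01:30 10.0.0.5 POST /_layouts/15/status.aspx 200 20480
2025-07-01 08:05:06 10.0.0.9 POST /_layouts/15/status.aspx 200 9104
2025-07-01 08:10:05 10.0.0.9 POST /_layouts/15/status.aspx 200 9131
2025-07-01 08:15:07 10.0.0.9 POST /_layouts/15/status.aspx 200 9098
2025-07-01 08:20:05 10.0.0.9 POST /_layouts/15/status.aspx 200 9112
2025-07-01 08:42:11 10.0.0.5 POST /_layouts/15/status.aspx 200 55300
"""

MIN_REQUESTS = 4   # assumed: fewer POSTs than this is not a series worth scoring
MAX_JITTER = 0.05  # assumed: stdev/mean of the gaps below this looks scripted


def parse_w3c(text):
    """Yield (timestamp, client_ip, method, uri_stem) from a W3C log excerpt."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and #Fields/#Software directives
        date, time, c_ip, method, uri, _status, _bytes = line.split()
        yield datetime.fromisoformat(f"{date} {time}"), c_ip, method, uri


def find_beacons(text, min_requests=MIN_REQUESTS, max_jitter=MAX_JITTER):
    """Return [(client_ip, uri, count, mean_gap_seconds)] for every POST series
    from one client to one page whose spacing is too regular to be a person."""
    series = defaultdict(list)
    for ts, c_ip, method, uri in parse_w3c(text):
        if method == "POST":
            series[(c_ip, uri)].append(ts)
    findings = []
    for (c_ip, uri), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # coefficient of variation: a timer-driven agent keeps this tiny
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            findings.append((c_ip, uri, len(stamps), round(avg, 1)))
    return findings


if __name__ == "__main__":
    for ip, uri, n, avg in find_beacons(SAMPLE_LOG):
        print(f"{ip} -> {uri}: {n} POSTs every ~{avg:.0f}s (beacon-like)")
```

A hit is a lead for triage, not proof: confirm by checking whether the page is a legitimate SharePoint layout file and whether the posting host has any business reason to talk to it on a timer.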

> “Using a legitimate internal service like SharePoint for C2 communications demonstrates how adversaries are evolving their techniques to remain under the radar,” said Denis Kulik, Lead SOC Analyst at Kaspersky MDR. “Such attacks underscore the need for constant infrastructure monitoring and the elimination of excessive account privileges.”

Mitigation Recommendations

Kaspersky recommends several best practices to defend against similar threats:

Deploy endpoint protection agents on all workstations without exception.

Audit user and service account privileges to prevent over-permissioned access.

Use comprehensive cybersecurity platforms like Kaspersky Next, which offer real-time protection, visibility, and extended detection and response (EDR/XDR) capabilities.

Consider managed services such as Compromise Assessment, MDR, and Incident Response for full-spectrum protection and incident handling.

Equip InfoSec teams with up-to-date Threat Intelligence to anticipate and respond to evolving risks effectively.
A detailed technical breakdown of the attack is available on Kaspersky’s Securelist platform.