Dashboard / Threat Actors / SparklingGoblin

🇨🇳

SparklingGoblin

APT Group Information theft and espionage Financial crime 1 zero-day CVE ETDA ✓

Also Known As

No alias recorded

Target Countries 1

Countries highlighted in red

Hong Kong

Sectors Targeted

Civic and Social Organizations 8134 Colleges, Universities, and Professional Schools 6113

Details

Origin 🇨🇳 CN

Last Updated 08 Nov 2023

MITRE ATT&CK 147

T1001 T1001.003 T1003 T1003.001 T1003.002 T1003.003 T1005 T1008 T1012 T1014 T1016 T1018 T1021 T1021.001 T1021.002 T1027 - Obfuscated Files or Information T1027.002 T1027.013 T1030 T1033 T1036 T1036.004 T1036.005 T1037 T1041 - Exfiltration Over C2 Channel T1046 T1047 T1048 T1048.003 T1049 T1053 - Scheduled Task/Job T1053.005 T1055 - Process Injection T1056 - Input Capture T1056.001 T1059 T1059.001 T1059.003 T1059.004 T1059.007 T1069 T1070 T1070.001 T1070.003 T1070.004 T1071 - Application Layer Protocol T1071.001 T1071.002 T1071.004 T1074 T1074.001 T1078 T1078.003 T1082 - System Information Discovery T1083 T1087 T1087.001 T1087.002 T1090 T1098 T1098.007 T1102 - Web Service T1102.001 T1104 T1105 - Ingress Tool Transfer T1106 - Native API T1110 T1112 T1119 T1133 T1134 T1135 T1136 T1136.001 T1140 - Deobfuscate/Decode Files or Information T1190 T1195 T1195.002 T1197 T1203 - Exploitation for Client Execution T1204 - User Execution T1213 T1213.003 T1213.006 T1218 - Signed Binary Proxy Execution T1218.001 T1218.011 T1480 T1480.001 T1484 T1484.001 T1486 T1496 T1496.001 T1505 T1505.003 T1542 T1542.003 T1543 T1543.003 T1546 T1546.008 T1547 - Boot or Logon Autostart Execution T1547.001 T1550 T1550.002 T1553 T1553.002 T1555 T1555.003 T1560 T1560.001 T1560.003 T1562 T1562.006 T1566 - Phishing T1566.001 T1567 T1567.002 T1568 T1568.002 T1569 T1569.002 T1570 T1573 T1573.002 T1574 - Hijack Execution Flow T1574.001 T1574.006 T1583 T1583.007 T1586 T1586.003 T1588 T1588.002 T1588.003 T1593 T1593.002 T1594 T1595 T1595.002 T1595.003 T1596 T1596.005 T1599 T1656 T1680

Related Zero-Days 1

CVE-2025-8088

Known Names 12 entries

APT 41 FireEye

Double Dragon FireEye

TG-2633 SecureWorks

Bronze Atlas SecureWorks

Red Kelpie PWC

Blackfly Symantec

Earth Baku Trend Micro

SparklingGoblin ESET

Grayfly Symantec

TA415 Proofpoint

BrazenBamboo Volexity

G0096 MITRE

Observed Target Countries 37

Based on ETDA data — countries highlighted in red

Australia Bahrain Brazil Canada Chile Denmark Finland France Georgia Hong Kong India Indonesia Italy Japan Malaysia Mexico Myanmar Netherlands Pakistan Philippines Poland Qatar Saudi Arabia Singapore South Korea South Africa Spain Sri Lanka Sweden Switzerland Taiwan Thailand Turkey UAE UK USA Vietnam

Description

(FireEye) FireEye Threat Intelligence assesses with high confidence that APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control. Activity traces back to 2012 when individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely state-sponsored activity. This is remarkable because explicit financially motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests these two motivations were balanced concurrently from 2014 onward. • APT41 overlaps at least partically with public reporting on group including {{Barium}} and {{Winnti Group, Wicked Panda}}. In some cases the primary observed similarity in the publicly reported Winnti activity was the use of the same malware – including HIGHNOON – across otherwise separate clusters of activity. • Previous FireEye Threat Intelligence reporting on the use of HIGHNOON and related activity was grouped together under both {{Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon}} and Mana, although we now understand this to be the work of several Chinese cyber espionage groups that share tools and digital certificates. • APT41 reflects our current understanding of what was previously reported as GREF, as well as additional indicators and activity gathered during our extensive review of our intelligence holdings. APT 41 has 2 subgroups: 1. {{Subgroup: Earth Longzhi}} 2. {{Subgroup: Earth Freybug}} Also see {{Earth Lusca}} and {{RedGolf}}.

Tools Used 78

9002 RAT AceHash ADORE.XSEC AntSword ASPXSpy Barlaiy BEACON BlackCoffee BLUEBEAM certutil China Chopper Cobalt Strike COLDJAVA Crackshot CrossWalk DBoxAgent DEADEYE DEPLOYLOG Derusbi DIRTCLEANER DragonEgg DUSTPAN DUSTTRAP EasyNight FunnySwitch GearShift Gh0st RAT HDRoot HighNoon HighNote HKDOOR HUI Loader Jumpall KEYPLUG LATELUNCH LIFEBOAT Lowkey MessageTap Meterpreter Mimikatz MoonBounce MoonWalk njRAT NTDSDump PACMAN PINEGROVE PipeMon PlugX POTROAST PRIVATELOG pwdump RedXOR ROCKBOOT SAGEHIRE SerialVlogger ShadowHammer ShadowPad Winnti SideWalk Skip-2.0 SPARKLOG Speculoos Spyder SQLULDR2 STASHLOG SWEETCANDLE TERA TIDYELF Voldemort WIDETONE WINNKIT Winnti WINTERLOVE WyrmSpy xDll XDOOR XMRig ZXShell Living off the Land

Operations 37

2016 Autumn Breach of TeamViewer https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/

2017-07 ShadowPad is one of the largest known supply-chain attacks. Had it not been detected and patched so quickly, it could potentially have targeted hundreds of organizations worldwide. https://www.kaspersky.com/about/press-releases/2017_shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world

2018-06 Operation “ShadowHammer” A supply-chain attack dubbed “Operation ShadowHammer” has been uncovered, targeting users of the ASUS Live Update Utility with a backdoor injection. The China-backed BARIUM APT is suspected to be at the helm of the project. According to Kaspersky Lab, the campaign ran from June to at least November 2018 and may have impacted more than a million users worldwide – though the adversaries appear to have been after specific victims in Asia. https://threatpost.com/asus-pc-backdoors-shadowhammer/143129/

2019 Operation “CuckooBees” Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation https://www.cybereason.com/blog/operation-cuckoobees-cybereason-uncovers-massive-chinese-intellectual-property-theft-operation https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spyder-loader-cuckoobees-hong-kong

2019-03 Although the malware uses different configurations in each case, the three affected software products included the same backdoor code and were launched using the same mechanism. While two of the compromised products no longer include the backdoor, one of the affected developers is still distributing the trojanized version: ironically, the game is named Infestation, and is produced by Thai developer Electronics Extreme. https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/

2019-04 In April 2019, FireEye’s Managed Defense team identified suspicious activity on a publicly-accessible web server at a U.S.-based research university. This activity, indicated that the attackers were exploiting CVE-2019-3396, a vulnerability in Atlassian Confluence Server that allowed for path traversal and remote code execution. https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html

2019-08 APT41’s newest espionage tool, MESSAGETAP, was discovered during a 2019 investigation at a telecommunications network provider within a cluster of Linux servers. Specifically, these Linux servers operated as Short Message Service Center (SMSC) servers. https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html

2019-10 Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/

2019-11 In November 2019, we discovered a new campaign run by the Winnti Group against two Hong Kong universities. We found a new variant of the ShadowPad backdoor, the group’s flagship backdoor, deployed using a new launcher and embedding numerous modules. The Winnti malware was also found at these universities a few weeks prior to ShadowPad. https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/

2020-01 Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers. https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/

2020-02 In February 2020, we discovered a new, modular backdoor, which we named PipeMon. Persisting as a Print Processor, it was used by the Winnti Group against several video gaming companies that are based in South Korea and Taiwan and develop MMO (Massively Multiplayer Online) games. Video games developed by these companies are available on popular gaming platforms and have thousands of simultaneous players. https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/

2020 New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/

2020-03 During threat research in March 2020, PT Expert Security Center specialists found a previously unknown backdoor and named it xDll, based on the original name found in the code. As a result of a configuration flaw of the malware's command and control (C2) server, some server directories were externally accessible. https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/

2020-04 Hackers linked to Chinese government stole millions in Covid benefits, Secret Service says https://www.nbcnews.com/tech/security/chinese-hackers-covid-fraud-millions-rcna59636

2020-07 APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign https://www.trendmicro.com/en_us/research/21/h/apt41-resurfaces-as-earth-baku-with-new-cyberespionage-campaign.html

2020-10 Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41 https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41

2021 APT41 World Tour 2021 on a tight schedule https://blog.group-ib.com/apt41-world-tour-2021

2021-02 You never walk alone: The SideWalk backdoor gets a Linux variant https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/

2021 Early New Wave of Espionage Activity Targets Asian Governments https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments

2021-03 Operation “ColunmTK” Big airline heist https://blog.group-ib.com/colunmtk_apt41

2021 Spring MoonBounce: the dark side of UEFI firmware https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

2021-05 Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments https://www.mandiant.com/resources/apt41-us-state-governments

2021-07 BIOPASS RAT: New Malware Sniffs Victims via Live Streaming https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html

2021-08 The SideWalk may be as dangerous as the CROSSWALK https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/

2022-08 Winnti APT group docks in Sri Lanka for new campaign https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf

2022 Late Blackfly: Espionage Group Targets Materials Technology https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackfly-espionage-materials

2022 Late A Dive into Earth Baku’s Latest Campaign https://www.trendmicro.com/en_us/research/24/h/earth-baku-latest-campaign.html

2023 APT41 Has Arisen From the DUST https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust

2023-07 APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/

2024 Chinese APT Uses VPN Bug to Exploit Worldwide OT Orgs https://www.darkreading.com/ics-ot-security/chinese-apt-vpn-bug-worldwide-ot-orgs

2024-03 Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign https://thehackernews.com/2025/02/winnti-apt41-targets-japanese-firms-in.html

2024-04 DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1 MoonWalk: A deep dive into the updated arsenal of APT41 | Part 2 https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1 https://www.zscaler.com/blogs/security-research/moonwalk-deep-dive-updated-arsenal-apt41-part-2

2024-04 LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign https://blogs.blackberry.com/en/2024/11/lightspy-apt41-deploys-advanced-deepdata-framework-in-targeted-southern-asia-espionage-campaign

2024-07 BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/

2024-08 The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort” https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort

2024-10 Mark Your Calendar: APT41 Innovative Tactics https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics

2025-07 The SOC files: Rumble in the jungle or APT41’s new target in Africa https://securelist.com/apt41-in-africa/116986/

Reports & References 9

http://content.fireeye.com/apt41/rpt-apt41 https://arstechnica.com/information-technology/2018/05/researchers-link-a-decade-of-potent-hacks-to-chinese-intelligence-group/ https://www.kaspersky.com/about/press-releases/2019_operation-shadowhammer-new-supply-chain-attack https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41 https://www.infosecurity-magazine.com/news/chinas-apt41-manages-library/ https://www.hhs.gov/sites/default/files/apt41-recent-activity.pdf https://www.cyfirma.com/outofband/the-origins-of-apt-41-and-shadowpad-lineage/

ETDA Profile

APT 41

Origin

China

First Seen 2012

Sponsor State-sponsored

Motivation

Financial crime Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0096/

View on ETDA APT Groups ↗