APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail and video game industries, in 14 countries. Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.
Attribution signal
Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.
Thresholds: ≥ 10 High; ≥ 3 Moderate; < 3 Low
Attribution signals
6 mentions · 4 sources
"the activity was assessed with medium-to-high confidence as attributable to Earth Krahang."
"China-linked Earth Krahang, for example, targeted Mexico, Brazil, and Paraguay in 2024"
"Spyder Backdoor Used by Winnti Threat Group"
"Since at least September 2025, Earth Dahu has also incorporated CVE-2025-8088 into its operations"
"Draculoader: A generic shellcode loader deployed by UAT-8302, also used by the Earth Estries and Earth Naga APT groups who have histories of targeting government agencies in Southeast Asia and elsewhere."
"two separate Russia-linked APT groups, Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (UAC-0226), are still actively building new exploit samples and delivering fresh lure documents through it"
Hedge terms observed