Presentation information

Evolution after prosecution: Psychedelic APT41

Aragorn Tseng (TeamT5), Charles Li (TeamT5), Peter Syu (TeamT5) & Tom Lai (TeamT5)
Live only, UTC on Day 3, Friday 02 October
Since APT41 was sued by the FBI last year, the group has not disappeared. Instead, it has adopted more innovative and less widely noticed techniques to evade detection by security products, such as:

  • Avoiding memory detection through DLL hollowing and one other, less common method.
  • Using DPAPI to encrypt the real payload, making forensics more difficult.
  • Abusing the code-signing certificate to hide the payload inside a signed PE file.
  • Using Cloudflare Workers to hide the real IP address.
  • Using legitimate tools such as InstallUtil to execute code and bypass application whitelisting.

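The third bullet, hiding a payload behind a valid code signature, is something a defender can check for directly. Authenticode stores the PKCS#7 signature in a WIN_CERTIFICATE structure whose dwLength field is not itself covered by the signature, so bytes appended after the DER blob inside the certificate table still leave the file verifying as signed. The Python below is an added example written for this page, not code from the talk or from TeamT5; it assumes that variant of the technique (data appended inside the certificate table) and builds its own minimal, constructed PE images so it runs offline without a real signed binary.

```python
import struct

SECURITY_DIRECTORY_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERTIFICATE_HEADER = 8            # dwLength (4) + wRevision (2) + wCertificateType (2)
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_sequence_length(buf, off):
    """Encoded size of the DER SEQUENCE at buf[off] (tag + length bytes + content).
    An Authenticode PKCS#7 SignedData blob is exactly one such SEQUENCE."""
    if buf[off] != 0x30:
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = buf[off + 1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n following big-endian length bytes
    content = int.from_bytes(buf[off + 2:off + 2 + n], "big")
    return 2 + n + content


def security_directory(pe):
    """(file_offset, size) of the certificate table, or None if the PE has none.
    Unlike other directories, this entry holds a raw file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # data-directory start: PE32+ vs PE32
    n_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]   # NumberOfRvaAndSizes
    if n_dirs <= SECURITY_DIRECTORY_INDEX:
        return None
    off, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIRECTORY_INDEX)
    return (off, size) if off and size else None


def analyse_certificate_table(pe):
    """Compare the declared WIN_CERTIFICATE payload length with the real DER size.
    Authenticode rounds dwLength up to 8 bytes, so 0-7 bytes of slack are normal;
    anything larger is data that the signature does not cover."""
    sec = security_directory(pe)
    if sec is None:
        return {"signed": False}
    off, _size = sec
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    declared = dw_length - WIN_CERTIFICATE_HEADER
    actual = der_sequence_length(pe, off + WIN_CERTIFICATE_HEADER)
    slack = declared - actual
    return {
        "signed": True,
        "revision": revision,
        "cert_type": cert_type,
        "declared": declared,
        "actual": actual,
        "slack": slack,
        "suspicious": slack < 0 or slack >= 8,
    }


# Constructed stand-in for a PKCS#7 blob: a 204-byte DER SEQUENCE wrapping one
# OCTET STRING, using long-form lengths so the parser's long-form path is exercised.
SAMPLE_DER = b"\x30\x81\xC9" + b"\x04\x81\xC6" + b"A" * 0xC6
# Constructed 64-byte stand-in for data appended behind the signature.
HIDDEN_PAYLOAD = b"CONSTRUCTED_HIDDEN_PAYLOAD_FOR_DEMO:" + b"\xAA" * 28


def build_sample_pe(extra=b""):
    """Minimal headers-only PE32+ (constructed test fixture) whose certificate table
    holds SAMPLE_DER plus `extra`, padded to the 8-byte alignment Authenticode uses."""
    blob = SAMPLE_DER + extra
    blob += b"\0" * ((-(WIN_CERTIFICATE_HEADER + len(blob))) % 8)
    win_cert = struct.pack("<IHH", WIN_CERTIFICATE_HEADER + len(blob),
                           WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    opt_size = 112 + 16 * 8                 # PE32+ optional header with 16 directories
    cert_offset = 0x40 + 4 + 20 + opt_size  # certificate table placed right after the headers
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    dirs = [(0, 0)] * 16
    dirs[SECURITY_DIRECTORY_INDEX] = (cert_offset, len(win_cert))
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", a, s) for a, s in dirs)
    return dos + b"PE\0\0" + coff + opt + win_cert


if __name__ == "__main__":
    for label, extra in (("clean", b""), ("payload appended", HIDDEN_PAYLOAD)):
        print(label, analyse_certificate_table(build_sample_pe(extra)))
```

Run against a real binary, read the file into `pe` and call `analyse_certificate_table(pe)`; the clean fixture reports 4 bytes of slack (alignment padding), the tampered one 68. Treat a large slack value as a triage signal rather than a verdict: a few legitimate installers have historically stored configuration in the same place, so the next step is to carve the trailing bytes and inspect them, not to block on the flag alone.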
In addition to malware already known to be used by APT41, we also found newly developed malware: two new pieces of listening-port malware, RBRAT and a Stone variant, and a shellcode-based backdoor, DNHash, whose novel method of calling the Windows API makes reverse engineering more difficult.
The group is also more careful in its use of C2: it relies extensively on DNS tunnelling, as well as on Cloudflare Workers, to hide its real C2 IP.

We observed APT41 targeting telecommunications companies, key medical institutions, governments, and critical infrastructure in various countries in 2021.
The prosecution did not deter them; instead, it prompted them to evolve their attack techniques, making it harder for researchers to track and detect them.

In this talk we will provide more details about the campaigns of APT41, including its innovative TTPs, newly developed malware, lateral movement techniques, and the strategies they used for C2 after they were sued by the FBI. We will also propose some methods to prevent their latest attack techniques.
Aragorn Tseng (TeamT5)
Aragorn is a malware researcher at TeamT5. He has worked on incident response and tracking APT campaigns in Taiwan's law enforcement agencies for two years. His research fields include malware analysis, incident response, APT campaign tracking and applying deep learning to cybersecurity issues. He has spoken at conferences including Black Hat Asia, CodeBlue, HITCON and JSAC.

Charles Li (TeamT5)
Charles is the Chief Analyst at TeamT5. He leads the TeamT5 analyst team in threat intelligence research. He has been studying cyber attacks and campaign tracking for more than 10 years. His research interests include vulnerability research, reverse engineering and APT attacks. He often publishes research and gives training courses at security conferences.

Peter Syu (TeamT5)
Peter is a security researcher at TeamT5. Peter's research mainly focuses on incident response and malware analysis. Some of his work has been presented at international security conferences.

Tom Lai (TeamT5)
Tom is a security engineer at TeamT5. Tom's research mainly focuses on incident response and malware analysis. Some of his work has been presented at international security conferences.