SOCRadar® Cyber Intelligence Inc. | Deep Web Profile: APT41/Double Dragon


Mar 15, 2022

Deep Web Profile: APT41/Double Dragon

APT41 (also known as Double Dragon) is a well-known cyber threat group that carries out Chinese state-sponsored espionage as well as financially motivated operations that may fall outside the authority of the Chinese government. Explicit financial motivation is uncommon among Chinese state-sponsored threat groups, and evidence implies that APT41 has been involved in both cybercrime and cyber-espionage operations since 2014.

The name “Double Dragon” reflects the group’s involvement in both espionage and individual financial gain. The tooling it uses is typically associated with government intelligence gathering.

1. APT41 Initially Focused on the Video Game Industry

APT41 (Double Dragon) mostly targets the game industry

The video game sector was the initial focus of APT41’s financially motivated activity, with the group manipulating virtual currency and even attempting to distribute ransomware. The group is skilled at lateral movement (Tactic TA0008 in the MITRE ATT&CK framework) within targeted networks, including pivoting between Windows and Linux systems until it gains access to game development environments.

APT41 began its cybercrime operations by gaining access to video game production environments, and there it built the tactics, techniques, and procedures (TTPs) that were later used in supply chain attacks against software businesses by injecting malware into software updates.
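As an added example (not code from the original SOCRadar profile), the following Python sketch shows the defensive counterpart of the update-injection technique described above: an update client that refuses any artifact whose digest does not match the release manifest, and refuses a manifest that does not match a digest pinned into the client at build time, so an attacker who alters a file and regenerates the manifest is still caught. Real update frameworks sign the manifest with a vendor key instead of pinning its digest; the pin stands in for that signature here so the script runs offline with the standard library. All file names, contents, and hashes are constructed for this example.

```python
"""Update-integrity check with a hash-pinned manifest (added example).

Constructed to illustrate the defence against malware injected into a
vendor's software update. All artifacts, names and digests are made up.
"""
import hashlib
import hmac
import json

# Constructed sample release as the vendor would publish it.
GENUINE_ARTIFACTS = {
    "updater.bin": b"\x7fELF genuine updater build 4.2\n",
    "config.json": b'{"channel": "stable", "version": "4.2"}\n',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> bytes:
    """Vendor side: canonical JSON manifest mapping file name -> SHA-256."""
    entries = {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


# The client pins the digest of the genuine manifest out of band (for this
# example, at "build time" of the client); in practice a vendor signature
# over the manifest plays this role.
GENUINE_MANIFEST = build_manifest(GENUINE_ARTIFACTS)
PINNED_MANIFEST_DIGEST = sha256_hex(GENUINE_MANIFEST)


def verify_update(manifest: bytes, artifacts: dict, pinned_digest: str) -> list:
    """Client side: return a list of problems; an empty list means intact.

    Layer 1: the manifest itself must match the pinned digest, otherwise an
    attacker who alters a file could simply rewrite the manifest as well.
    Layer 2: every artifact must match its manifest entry; files that are
    missing from the release or not listed in the manifest are also reported.
    """
    problems = []
    if not hmac.compare_digest(sha256_hex(manifest), pinned_digest):
        problems.append("manifest does not match pinned digest")
        return problems  # untrusted manifest: do not consult its entries
    expected = json.loads(manifest)
    for name in sorted(set(expected) | set(artifacts)):
        if name not in artifacts:
            problems.append(f"missing artifact: {name}")
        elif name not in expected:
            problems.append(f"unlisted artifact: {name}")
        elif not hmac.compare_digest(sha256_hex(artifacts[name]), expected[name]):
            problems.append(f"digest mismatch: {name}")
    return problems


def tampered_release() -> tuple:
    """Constructed scenario: a payload is appended to updater.bin and the
    manifest is regenerated so the per-file digests still line up."""
    bad = dict(GENUINE_ARTIFACTS)
    bad["updater.bin"] = GENUINE_ARTIFACTS["updater.bin"] + b"<injected payload>"
    return build_manifest(bad), bad


if __name__ == "__main__":
    print("genuine:", verify_update(GENUINE_MANIFEST, GENUINE_ARTIFACTS, PINNED_MANIFEST_DIGEST))
    manifest, artifacts = tampered_release()
    print("tampered:", verify_update(manifest, artifacts, PINNED_MANIFEST_DIGEST))
```

The two layers matter separately: per-file digests catch a modified binary shipped with the genuine manifest, while the pinned manifest digest catches the stronger attacker who controls the whole release bundle. Comparisons use `hmac.compare_digest` so that verification time does not depend on where a mismatch occurs.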

2. Targeted Businesses in 14 Countries in Various Sectors

The victims of APT41 are businesses from all over the world.

Over seven years, APT41 has targeted organizations in 14 countries (and Hong Kong): France, India, Italy, Japan, Myanmar, the Netherlands, Singapore, South Korea, South Africa, Switzerland, Thailand, Turkey, the United Kingdom, and the United States. The verticals targeted in APT41’s espionage operations against entities in these countries are consistent with Chinese national policy aims.

APT41 has been observed operating across various industries, including healthcare, telecommunications, and technology. Many of the group’s financial activities are focused on the video game industry, including development studios, distributors, and publishers.

3. Several APT41 Members Charged by US Department of Justice in 2020

On September 16, 2020, the US Department of Justice announced previously sealed charges against five Chinese and two Malaysian citizens, alleged APT41 members, for hacking more than 100 companies worldwide. It reported the theft of source code, code signing certificates, customer data, and business information as part of the attacks.

4. APT41 Recently Implanted MoonBounce in UEFI Firmware

On January 20, 2022, researchers announced that they had discovered a case of Unified Extensible Firmware Interface (UEFI) compromise in which a single firmware component had been altered in the SPI flash, the chip on the motherboard that stores the firmware. APT41 is thought to be responsible for the alteration, which used MoonBounce, a custom UEFI firmware implant deployed in targeted attacks.

5. Known for Exploiting Vulnerabilities in Internet-Facing Technologies

APT41 exploits many well-known vulnerabilities

According to the report released by CISA in July 2021, Chinese state-sponsored cyber activity targeting US political, economic, military, educational, and critical infrastructure (CI) personnel and organizations has become increasingly sophisticated. Through proactive and retroactive investigation, the NSA, CISA, and FBI have found the following tendencies in APT41 as well as in other Chinese state-sponsored threat actors:

  • Acquisition of infrastructure and capabilities such as virtual private servers (VPSs) and common open-source or commercial penetration tools (e.g., Cobalt Strike).
  • The exploitation of public vulnerabilities in major internet-facing applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products.
  • Encrypted multi-hop proxies using small office and home office (SOHO) devices as operational nodes to evade detection.
