APT41 Adds New Malware To Compromise Entities Across Multiple Sectors

Mandiant discovered an APT41 intrusion where the threat actor used ANTSWORD and BLUEBEAM web shells for persistence on a Tomcat Apache Manager server active since at least 2023. APT41 used these web shells to execute certutil.exe to download the DUSTPAN dropper which stealthily loaded a Cobalt Strike beacon. As the intrusion progressed APT41 escalated their tactics by deploying the DUSTTRAP dropper. DUSTTRAP would decrypt and execute a malicious payload in memory minimizing forensic traces. The payload established communication with either APT41-controlled infrastructure or compromised Google Workspace accounts. These accounts were remediated to prevent further unauthorized access. Additionally APT41 used two legitimate tools SQLULDR2 to export data from Oracle databases and PINEGROVE to efficiently exfiltrate large volumes of sensitive data.