Cyber security experts at Kaspersky’s Managed Detection and Response (MDR) service have identified a cyber espionage attack targeting an organisation in southern Africa, attributing the incident to the Chinese-speaking advanced persistent threat (APT) group APT41.
Kaspersky could not reveal the organisation but did issue a statement in which it explained that APTs are threat actors known for sustained, stealthy campaigns against specific targets, in contrast to more opportunistic cyber criminal activity.
The company said it linked the attack to APT41 with "high confidence" based on the tactics, techniques and procedures observed.
Kaspersky added that the primary motive behind the intrusion was to extract sensitive data from compromised systems within the organisation's network, including credentials, internal documents, source code and communication records.
While APT41 has shown limited activity in southern Africa, this incident suggests the group is now targeting government IT services in the region.
APT41 is known for cyber espionage campaigns against a wide range of sectors, including telecommunications, education, healthcare, IT and energy. The group has conducted operations in at least 42 countries.
Registry dumping
According to Kaspersky’s analysis, the attackers likely gained access through an internet-exposed web server. They employed a credential-harvesting technique known as registry dumping to obtain two key domain accounts – one with local administrator rights across all workstations and another tied to a backup solution with domain administrator privileges.
These credentials enabled lateral movement within the network.
Among the tools used was a modified version of the Pillager utility, repackaged as a Dynamic Link Library (DLL). The tool was used to exfiltrate a wide range of information: saved credentials, browser data, source code, screenshots, chat session logs, e-mails, installed software lists, operating system data and WiFi credentials.
Another tool, Checkout, was used to harvest saved credentials, browser history, credit card data and information on downloaded files. The attackers also deployed RawCopy and a DLL version of Mimikatz to extract registry data and credentials, and used Cobalt Strike for command and control (C2) operations.
Denis Kulik, lead SOC analyst at Kaspersky MDR, said the attackers also leveraged the organisation's internal SharePoint server as a C2 channel.
“Interestingly, as one of their C2 communication channels besides Cobalt Strike, the attackers chose the SharePoint server within the victim's infrastructure. They communicated with it using custom C2 agents connected with a web-shell. They may have chosen SharePoint because it was an internal service already present in the infrastructure and unlikely to raise suspicion. Moreover, in that case, it probably offered the most convenient way to exfiltrate data and control compromised hosts through a legitimate communication channel.”
Asked whether the incident indicates increased APT41 activity in the region, Kulik said Kaspersky has not observed additional attacks in southern Africa by the group.
He added that registry dumping, as defined by the MITRE ATT&CK framework, remains one of the most globally prevalent techniques. APT41 often leverages legitimate tools and commands, such as cmd.exe /c reg save and the IMPACKET toolkit, to extract credentials.
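A detection for the registry dumping described above, written as an added example (not Kaspersky's own tooling) that flags "reg save"/"reg export" of the SAM, SYSTEM or SECURITY hive in process-creation telemetry; the event field names and the sample events are constructed for this example.

```python
import re

# Detects registry hive dumping (MITRE ATT&CK T1003.002, "OS Credential Dumping:
# Security Account Manager") performed with "reg save" / "reg export" on the SAM,
# SYSTEM and SECURITY hives. Input is process-creation telemetry (Sysmon Event ID 1 or
# Windows 4688 with command-line logging enabled), represented here as plain dicts.
# Caveat: remote dumps over the Remote Registry service (e.g. the IMPACKET toolkit)
# never spawn reg.exe on the victim and need network or registry-access telemetry instead.

# reg / reg.exe (optionally with a path and quotes), verb save|export, then a credential hive.
_REG_DUMP = re.compile(
    r'(?<!\w)(?:[\w:.\\-]*\\)?reg(?:\.exe)?"?\s+(save|export)\s+"?'
    r'(?:hklm|hkey_local_machine)\\(sam|system|security)\b',
    re.IGNORECASE,
)


def detect_registry_dump(cmdline):
    """Return (verb, hive) when cmdline saves a credential-bearing hive, else None."""
    m = _REG_DUMP.search(cmdline)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).upper()


def scan_events(events):
    """Return one alert per process-creation event that dumps SAM, SYSTEM or SECURITY."""
    alerts = []
    for ev in events:
        hit = detect_registry_dump(ev.get("CommandLine", ""))
        if hit:
            alerts.append({"host": ev["Computer"], "user": ev["User"],
                           "parent": ev.get("ParentImage", ""), "verb": hit[0], "hive": hit[1]})
    return alerts


# Constructed sample telemetry (hostnames, users and paths are made up for this example).
SAMPLE_EVENTS = [
    {"Computer": "WS-014", "User": "CORP\\alice", "ParentImage": "explorer.exe",
     "CommandLine": r'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion'},
    {"Computer": "WS-014", "User": "CORP\\svc-backup", "ParentImage": "w3wp.exe",
     "CommandLine": r'cmd.exe /c reg save HKLM\SAM C:\Windows\Temp\s.hiv'},
    {"Computer": "WS-021", "User": "CORP\\bob", "ParentImage": "cmd.exe",
     "CommandLine": r'reg save HKLM\SOFTWARE\Policies C:\Temp\policies.hiv'},
    {"Computer": "WS-014", "User": "CORP\\svc-backup", "ParentImage": "w3wp.exe",
     "CommandLine": r'"C:\Windows\System32\reg.exe" save hklm\system \\fs01\backup\sys.hiv /y'},
    {"Computer": "WS-030", "User": "CORP\\carol", "ParentImage": "msiexec.exe",
     "CommandLine": r'regsvr32 /s C:\Program Files\App\component.dll'},
    {"Computer": "WS-014", "User": "CORP\\svc-backup", "ParentImage": "cmd.exe",
     "CommandLine": r'reg export HKEY_LOCAL_MACHINE\SECURITY C:\Users\Public\sec.reg'},
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f'{a["host"]} {a["user"]} parent={a["parent"]} reg {a["verb"]} {a["hive"]}')
```

A web-server worker (w3wp.exe) or a backup service account as the parent or user of such an event, as in the sample, is exactly the combination the article describes and deserves immediate triage.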
Kulik said defending against such advanced threats requires continuous infrastructure monitoring and minimising account privileges.
Kaspersky recommends that organisations deploy endpoint detection agents on all workstations, conduct regular reviews of user and service account privileges, enforce minimal access rights, and give InfoSec teams deep visibility into the infrastructure.