A targeted cyber-espionage campaign against government IT infrastructure in Africa has been attributed to the China-linked threat actor APT41. The intrusions combined remote command execution, credential harvesting, DLL side-loading, and covert command-and-control (C2) communication routed through internal systems, including a SharePoint server.
APT41 has a long history of attacks on organizations worldwide in sectors such as energy, healthcare, telecommunications, and education, but this is one of the few known large-scale campaigns to focus on African targets, a region previously considered outside the group's operational focus.
[...]
This espionage campaign [...] is a multi-stage intrusion that combines custom-built and publicly available tools: initial access using Impacket modules, privilege escalation via credential theft, and command execution through a compromised internal SharePoint server.
The tradecraft blends conventional malware deployment with living-off-the-land (LotL) techniques, in which trusted system tools and internal services are repurposed for malicious activity. Because that activity resembles routine administration, it is far harder to separate from legitimate traffic.
The attackers showed detailed knowledge of the victim's environment: the malware embeds hardcoded internal IP addresses, internal service names, and proxy servers, which implies reconnaissance of the network before the implants were built and also means generic network indicators are unlikely to match these tailored samples. Using an internal SharePoint server as the C2 endpoint is particularly notable, since the beaconing blends into ordinary intranet traffic.
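The Impacket stage described above is one place a defender can act, because Impacket's example scripts leave recognizable artifacts in process-creation telemetry. The following Python script is an added example, not code from the original article or from the campaign analysis it summarizes. It matches Sysmon-style process-creation events against the default command-line artifacts of Impacket's wmiexec.py and smbexec.py (command output redirected to a loopback admin share such as `\\127.0.0.1\ADMIN$\__<timestamp>`, and the `%TEMP%\execute.bat` batch file), and adds a parent/child check for cmd.exe spawned by WmiPrvSE.exe. The event records, hostnames, and usernames are constructed for the example; which Impacket modules or defaults the actors actually used is not stated on the page.

```python
import json
import re

# Constructed Sysmon Event ID 1 (process creation) records as JSON lines.
# Hosts, users and commands are invented for this example, not telemetry from the campaign.
SAMPLE_EVENTS = r"""
{"host":"srv-fs01","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","CommandLine":"cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1721911234.56 2>&1","User":"CORP\\svc-backup"}
{"host":"srv-fs01","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"C:\\Windows\\system32\\cmd.exe /Q /c echo net group \"domain admins\" /domain ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat & C:\\Windows\\system32\\cmd.exe /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat","User":"NT AUTHORITY\\SYSTEM"}
{"host":"ws-042","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd.exe /c dir \\\\fileserver\\share > C:\\Users\\alice\\list.txt","User":"CORP\\alice"}
{"host":"ws-042","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -NoProfile Get-Process","User":"CORP\\alice"}
"""

# Command-line artifacts that Impacket's example scripts produce by default:
# wmiexec.py/dcomexec.py capture output through a loopback UNC path to an admin share,
# and smbexec.py writes the command into %TEMP%\execute.bat and runs it via a service.
RULES = [
    ("impacket_loopback_admin_share_output",
     re.compile(r"\\\\127\.0\.0\.1\\(?:ADMIN|C)\$\\__", re.IGNORECASE)),
    ("impacket_smbexec_execute_bat",
     re.compile(r"%TEMP%\\execute\.bat", re.IGNORECASE)),
]


def detect(events_text: str) -> list[dict]:
    """Return one finding per event whose command line or parent process matches an Impacket artifact."""
    findings = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        cmd = ev.get("CommandLine", "")
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()

        hits = [name for name, rx in RULES if rx.search(cmd)]

        # wmiexec.py launches commands through Win32_Process.Create, so the resulting
        # cmd.exe is a child of WmiPrvSE.exe, a parent/child pair that is rare in normal use.
        if image.endswith("\\cmd.exe") and parent.endswith("\\wmiprvse.exe"):
            hits.append("cmd_spawned_by_wmiprvse")

        if hits:
            findings.append({
                "host": ev.get("host"),
                "user": ev.get("User"),
                "rules": hits,
                "command": cmd,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['host']}] {f['user']}: {', '.join(f['rules'])}\n    {f['command']}")
```

The benign events (a user listing a file share, an interactive PowerShell session) produce no finding, while the two Impacket-shaped events each trip two rules. Attackers can rename the output file or batch file, so treat these string matches as a starting point and pair them with the structural signal (cmd.exe under WmiPrvSE.exe or services.exe with a one-off service) rather than relying on the literal artifacts alone.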
[...]