Saturday, December 13, 2025

APT41 Hackers Exploit Atexec and WmiExec to Distribute Malware via Windows Modules

A recent targeted cyberattack against government IT services in Africa has been attributed to the Chinese-speaking threat group APT41, marking a significant expansion of the group’s activity in the region.

Kaspersky’s Managed Detection and Response (MDR) analysts uncovered the operation, which leveraged advanced techniques, including the Atexec and WmiExec modules of the Impacket toolkit, to distribute malware, harvest credentials, and enable lateral movement across the compromised infrastructure.

Technical Exploits: Impacket Toolkit Powers Intrusion

The attackers began by exploiting unmonitored hosts within the victim organization, deploying the Impacket toolkit—specifically, the Atexec and WmiExec modules.

These modules enabled the remote execution of Windows commands and the creation of process chains (svchost.exe ➔ exe ➔ cmd.exe).

The attackers cleverly wrote command outputs to files on administrative network shares, using file naming conventions that blended into legitimate workflows.

Their initial goal: assess the security posture by dumping processes and network ports, then exfiltrate critical registry hives (SYSTEM and SAM) for credential harvesting.

On inadequately protected workstations, this resulted in the theft of domain credentials, including a backup solution account with domain administrator privileges.

Such access facilitated the transfer of advanced malware using the SMB protocol to hidden directories such as C:\Windows\Tasks\ and C:\ProgramData\.
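As an added defensive illustration (not part of Kaspersky's report), the Python snippet below scans constructed Windows process-creation events for the pattern the intrusion chain above leaves behind: a cmd.exe child of the WMI or task-scheduler service host whose output is redirected to an administrative share, a SYSTEM/SAM hive export, and writes into the C:\Windows\Tasks\ and C:\ProgramData\ staging paths. The Sysmon-style field names and the parent-process mapping are assumptions.

```python
"""Flag Impacket atexec/wmiexec-style execution in process-creation telemetry.
Added example, not Kaspersky's code. Events are assumed to be dicts carrying
Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine)."""
import re

# Command output redirected to an administrative share (UNC ADMIN$/C$) or to
# %windir%\Temp, which is then read back over SMB: the output-capture trick
# used by Impacket's wmiexec and atexec (assumed pattern).
ADMIN_SHARE_REDIRECT = re.compile(
    r"[12]?>\s*(\\\\[^\\]+\\(ADMIN\$|C\$)|%windir%\\Temp\\)", re.IGNORECASE)
# Export of the SYSTEM or SAM hive for offline credential extraction.
HIVE_DUMP = re.compile(r"reg(\.exe)?\s+save\s+hklm\\(system|sam)\b", re.IGNORECASE)
# Staging directories named in the report; low confidence on their own.
STAGING_DIR = re.compile(r"C:\\(Windows\\Tasks|ProgramData)\\", re.IGNORECASE)

# Direct parent of cmd.exe under each module (assumption: WMI provider host
# for wmiexec, the Schedule service host for atexec).
IMPACKET_PARENTS = {"wmiprvse.exe": "wmiexec", "svchost.exe": "atexec"}


def classify(event):
    """Return the list of findings for one process-creation event."""
    findings = []
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    if image == "cmd.exe" and parent in IMPACKET_PARENTS and ADMIN_SHARE_REDIRECT.search(cmd):
        findings.append("impacket-" + IMPACKET_PARENTS[parent])
    if HIVE_DUMP.search(cmd):
        findings.append("hive-dump")
    if STAGING_DIR.search(cmd):
        findings.append("staging-dir")
    return findings


def scan(events):
    """Return (index, findings) for every event that produced a finding."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real IOCs
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c tasklist 1> \\127.0.0.1\ADMIN$\__1733700000.12 2>&1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cmd.exe /C reg save hklm\sam C:\Windows\Tasks\s.dat > \\127.0.0.1\ADMIN$\Temp\abc.tmp 2>&1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir > C:\Users\bob\out.txt"},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, findings)
```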

Weaponizing Cobalt Strike and Custom Agents

To maintain persistence and control, APT41 deployed Cobalt Strike beacons via DLL sideloading.

Attackers placed legitimate applications alongside specially crafted malicious DLLs, which decrypted and executed encrypted Cobalt Strike payloads stored as innocuous-looking files such as config.ini.

This sideloading technique was observed across multiple software packages, helping the payloads evade security tools.

A key innovation in this attack was the use of a captive SharePoint server within the victim’s infrastructure as a command-and-control (C2) node.

Custom C# agents (e.g., agents.exe, agentx.exe) running on compromised hosts connected to web shells (CommandHandler.aspx), enabling remote command execution and data exfiltration via the internal SharePoint network.

Credential Theft and Exfiltration Arsenal

APT41’s toolkit further included recompiled versions of well-known infostealers such as Pillager and Checkout (archiving browser credentials, chat sessions, and system information), as well as credential dumping tools like Mimikatz (deployed via DLL sideloading under legitimate processes such as java.exe).

Raw registry files were extracted using low-level utilities like RawCopy.

Lessons and Attribution

Kaspersky attributed the attack to APT41 based on distinct TTPs: extensive use of process masquerading, DLL sideloading, and a mix of public and bespoke offensive tools.

Figure: Checkout launch diagram in Kaspersky Threat Intelligence Platform

The incident underscores the urgent need for comprehensive endpoint monitoring, minimal privilege strategies, and rapid response capabilities across all organizational assets.

The campaign’s technical sophistication and adaptability highlight the growing challenges posed by state-backed threat actors worldwide.

IOCs

Files

