APT41 cloud backdoor spotted
Researchers reported a sophisticated ‘zero‑detection’ backdoor that steals cloud credentials and aims to remain stealthy inside compromised environments, a tactic linked to the APT41 group. The finding highlights active threats against cloud identity and access systems in the wild. (x.com)
Cloud systems hand out short-term keys the way hotels issue room cards, and researchers say APT41 is now stealing those keys from infected Linux servers. (darkreading.com) The malware is a Linux executable in Executable and Linkable Format, the standard package for Linux programs, and Dark Reading reported on April 14 that it hit Amazon Web Services, Google Cloud, Microsoft Azure, and Alibaba Cloud environments. (darkreading.com) CSO reported the backdoor uses Simple Mail Transfer Protocol, the same protocol email servers use, over port 25 for command traffic and data theft, and hides behind typosquatted domains that mimic Alibaba Cloud. (csoonline.com)

In cloud computing, each virtual machine can ask a local metadata service for temporary credentials tied to that machine's role. Researchers said this backdoor queries those metadata services to pull credentials and other cloud details from compromised workloads. (csoonline.com) Dark Reading said the sample showed zero detections in security scanning at the time of discovery, a sign that common antivirus and endpoint tools had not yet flagged it. The report described the implant as built to stay quiet inside cloud environments rather than trigger obvious alarms. (darkreading.com)

That focus fits a wider shift in intrusions against identity systems, where attackers go after access tokens and cloud roles instead of smashing servers. Google's Threat Intelligence Group wrote in May 2025 that APT41 had already been abusing trusted cloud services for command-and-control to blend into normal traffic. (cloud.google.com)

APT41 is not a new name. MITRE says the group has been active since at least 2012, is assessed as Chinese state-sponsored, and has also run financially motivated operations across sectors including healthcare, telecom, technology, finance, education, retail, and video games in 14 countries. (attack.mitre.org) MITRE also lists cloud-account compromise among the group's observed techniques, which puts this latest credential-harvesting activity in line with a longer record of chasing access first and expanding later. (attack.mitre.org)

The practical problem for defenders is that one cloud server with broad permissions can expose far more than one cloud server. APT41's latest tooling, as described on April 14, is built around that math: steal the temporary key, stay unnoticed, and move through the cloud with the victim's own credentials. (csoonline.com)
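The three host-level behaviours the reporting describes (a process querying the instance metadata service, command traffic over SMTP port 25, and DNS lookups for Alibaba Cloud look-alike domains) each leave a signal a defender can check for. The script below is an added illustration, not code from the articles or from any vendor: it parses a constructed mini log of connection and DNS events and flags the combinations that match the described tradecraft. The log format, the process allowlists, the edit-distance threshold, and the process name `unknown_elf` in the sample lines are all assumptions; the metadata addresses and the Alibaba Cloud domains are the real, publicly documented ones.

```python
"""Detection sketch (added example): flag metadata-service queries from unexpected
processes, SMTP/25 traffic from non-mail processes, and typosquatted Alibaba
Cloud domains. Log format and allowlists are assumptions, not a vendor format."""
from dataclasses import dataclass
from typing import List, Tuple

# Link-local metadata endpoints: 169.254.169.254 (AWS, GCP, Azure), 100.100.100.200 (Alibaba Cloud).
METADATA_IPS = {"169.254.169.254", "100.100.100.200"}
# Assumed allowlist of agents that legitimately talk to the metadata service.
METADATA_ALLOW = {"cloud-init", "amazon-ssm-agent", "google_osconfig_agent", "waagent", "aliyun-service"}
# Assumed allowlist of processes that legitimately open port 25.
SMTP_ALLOW = {"postfix", "sendmail", "exim4", "master"}
# Genuine Alibaba Cloud registrable domains that a typosquat would imitate.
ALIBABA_DOMAINS = {"aliyun.com", "alibabacloud.com", "aliyuncs.com"}

# Constructed sample log; "unknown_elf" stands in for an unrecognised Linux binary.
SAMPLE_LOG = [
    "10:00:01 conn proc=cloud-init dst=169.254.169.254:80",
    "10:02:15 conn proc=unknown_elf dst=169.254.169.254:80",
    "10:02:16 conn proc=postfix dst=203.0.113.25:25",
    "10:02:17 conn proc=unknown_elf dst=198.51.100.7:25",
    "10:02:18 dns proc=unknown_elf qname=update.aliyum.com",
    "10:02:19 dns proc=curl qname=ecs.aliyuncs.com",
]

@dataclass
class Event:
    kind: str      # "conn" or "dns"
    proc: str
    target: str    # destination IP for conn, queried name for dns
    port: int = 0

def parse_line(line: str) -> Event:
    """Parse '<ts> conn proc=<name> dst=<ip>:<port>' or '<ts> dns proc=<name> qname=<domain>'."""
    fields = line.split()
    kind = fields[1]
    kv = dict(f.split("=", 1) for f in fields[2:])
    if kind == "conn":
        ip, port = kv["dst"].rsplit(":", 1)
        return Event("conn", kv["proc"], ip, int(port))
    return Event("dns", kv["proc"], kv["qname"].rstrip(".").lower())

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to catch one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(name: str) -> str:
    """Last two labels of a hostname (a simplification; no public-suffix list here)."""
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name

def looks_like_typosquat(name: str, max_distance: int = 2) -> bool:
    """True when the registrable domain is near, but not equal to, an Alibaba Cloud domain."""
    reg = registrable(name)
    if reg in ALIBABA_DOMAINS:
        return False
    return any(levenshtein(reg, legit) <= max_distance for legit in ALIBABA_DOMAINS)

def classify(ev: Event) -> List[str]:
    """Return the detection labels that apply to one event (empty list when benign)."""
    findings = []
    if ev.kind == "conn":
        if ev.target in METADATA_IPS and ev.proc not in METADATA_ALLOW:
            findings.append("metadata-query-unexpected-process")
        if ev.port == 25 and ev.proc not in SMTP_ALLOW:
            findings.append("smtp-from-non-mail-process")
    elif ev.kind == "dns" and looks_like_typosquat(ev.target):
        findings.append("alibaba-lookalike-domain")
    return findings

def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, findings) for every line that triggered at least one detection."""
    hits = []
    for line in lines:
        findings = classify(parse_line(line))
        if findings:
            hits.append((line, findings))
    return hits

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG):
        print(findings, "<-", line)
```

Each signal on its own is noisy: configuration agents query the metadata service constantly and mail relays legitimately use port 25, so the allowlists carry the detection and must be tuned per image. The value is in correlation: the same unrecognised process hitting the metadata endpoint, opening port 25 to a non-mail host, and resolving a near-miss of a cloud provider's domain is the pattern the reporting describes, and it is worth an alert even when the binary itself has no antivirus detections.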