In today is digital age, the world is constantly under threat from hackers. One such group has earned a place in the Federal Bureau of Investigation list of most wanted cybercriminals. The FBI lists China-backed APT41, also known as HOODOO, among the most wanted threat actors. This group is responsible for various cyber attacks, from stealing sensitive corporate information to conducting espionage operations against governments and organizations worldwide. Recently, APT41 made headlines by exploiting Google is Red Teaming Tool, a powerful platform designed to help companies assess their security vulnerabilities.
Table of Contents
ToggleAPT41, also known as BARIUM, Winnti, and Bronze Atlas, is notorious for actively employing phishing attacks to deceive victims into opening malicious emails. Google is Red Teaming Tool called “Google Command and Control” (GC2) was designed by Google to help organizations test their defenses against cyberattacks. However, APT41 managed to use it as an entry point for conducting sophisticated attacks on several high-profile targets worldwide. In this blog post, we will delve deeper into the methods used by APT41. They attempted to infiltrate an Italian job search company and Taiwanese media organizations by including malicious links to a password-protected file hosted in Google Drive.
Book a Free Demo Call with Our People Security Expert
Enter your details
How APT41 Abused Google Command & Control (GC2)?
Google’s Threat Analysis Group (TAG) revealed that Chinese hackers APT41 are abusing the Google Command and Control (GC2) red teaming tool as they are attacking organizations worldwide. A cybersecurity company is tracking the activities of APT41 since 2014, has claimed that this group of hackers is associated with a famous Chinses hackers group like BARIUM and Winnti.

Let us understand the tricks and tools employed by APT41 to implement the spear phishing attack on a Taiwanese media organization.
Breakdown of the APT41 Attack
- During October 2022, TAG claimed that it disrupted a campaign by HOODOO, a Chinese government-backed attacker known as APT41.
- Applying the spear phishing method, the attacker lures the employees of the Taiwanese media organization to download a malicious code file.
- The email provided links to a password-protected Google Drive file that contained the open-source GC2 tool, which was created in the Go programming language and gives attackers access to read commands from Google Sheets and exfiltrate data using the cloud storage service.

- After installation on the victim’s computer, the malware actively searches Google Sheets for commands from the attacker.
- Apart from using Google Drive for exfiltration purposes, APT41 leverages GC2 to download additional files from Drive onto compromised systems leading to exposure to the victim’s data.

The APT41 launched the same kind of attack in July 2022 to target an Italian job search website utilizing the same malware. Such attacks make it more difficult to find out the attacker as they are using publicly available tools. The program was specifically designed to function as a command and control tool without the need for complex setups like custom domains, VPS, or CDNs during Red Teaming activities. Additionally, the program strictly interacts with Google’s domains (*.google.com) to increase the detection challenge. This information is available in the project’s GitHub repository.
Who is APT41 Hacker Group?
APT41, often referred to by its infamous code names Double Dragon, Wicked Panda, Wicked Spider, TG-2633, Bronze Atlas, Red Kelpie, and Blackfly, is a well-known advanced persistent threat group that is thought to have connections to the Chinese Ministry of State Security (MSS). In September 2020, the US Department of Justice identified the group in connection with accusations against five Chinese and two Malaysian individuals. The allegations stated that the group had allegedly hacked over 100 companies worldwide. Several cybersecurity firms in 2019 claimed that Double Dragon operated for financial gain and received support from the Chinese Communist Party (CCP).

The Double Dragon refers to APT41 is dual focus on espionage and individual financial gain. They predominantly utilize devices typically associated with state-sponsored intelligence activities. Investigations have revealed that APT41 operates across various sectors, including telecommunications, healthcare, and technology. The group extensively conducts financial activities within the video game industry, targeting distributors, development studios, and publishers. A total number of 14 countries were targeted, including India, Turkey, the United Kingdom, the United States, Switzerland, Singapore, South Korea, France, Myanmar, Italy, Japan, the Netherlands, Thailand, and South Africa, among the numerous nations.

FBI Listed APT41 on ‘Most Wanted’ List
The U.S. government announced charges on September 16, 2020, against two Malaysian hackers, five alleged participants in a Chinese state-sponsored cyber ring, and more than 100 other businesses worldwide. The group initiated its first attack in 2012. Since then, it has conducted financially motivated operations against the online gaming sector. Additionally, the group has gathered strategic intelligence from significant targets across various industries.

Two of the Chinese hackers, Zhang Haoran and Tan Dailin, were accused in August 2019, according to a news statement from the U.S. Justice Department. The other three hackers, Jiang Lizhi, Qian Chuan, and Fu Qiang, as well as two Malaysian co-conspirators, were indicted separately in August 2020. The three Chinese hackers who were later charged have connections to Chengdu 404 Network Technology. This network security firm operated as a front for the People’s Republic of China.
APT41 is Attacks Throw Light on New Patterns Posed by Threat Actors
Utilization of Remote Monitoring and Management (RMM) Tools
Ransomware groups have increasingly started exploiting legitimate remote monitoring and management (RMM) tools, including Action1, to establish persistence on compromised networks and carry out commands, scripts, and binaries. Threat actors can misuse any tool designed for red team exercises or network administration, highlighting an alarming truth. These tools become instrumental in facilitating their malicious attacks. Organizations need comprehensive security awareness training to help employees recognize when tools are being abused.
Weaponizing Publicly Available Tools
The recent development holds significance for two key reasons. Firstly, it indicates a growing trend among Chinese threat groups to utilize publicly accessible tools such as Cobalt Strike and GC2 in order to complicate efforts aimed at attribution. The strategic shift in tactics aims to complicate the identification of the trustworthy source behind cyber attacks.
This observation was backed by the Threat Horizons Report April 2023 and revealed that threat actors increasingly leverage legitimate red teaming tools and remote monitoring and management (RMM) platforms to evade detection. Threat actors adopt commonly used tools. They can blend in with legitimate network activities, making it challenging for defenders to distinguish between malicious and benign actions.
Tactics, Techniques, and Procedures (TTPs) Applied by APT41
The Chinese group utilizes techniques that are difficult to detect and identify. APT41 actively employs these techniques in its financially motivated activities, which encompass software supply-chain compromises. Through this method, they are able to inject code into legitimate files for distribution, posing a threat to other organizations by stealing data and manipulating systems. They often rely on sophisticated malware to extract data without being detected. The group also employs boot kits, a type of malware that is challenging to identify and locate among other cyberespionage and cybercrime organizations.
This complexity makes it more difficult for security systems to identify malicious code. Furthermore, they have utilized the Lowkey malware and the Deadeye launcher to conduct immediate reconnaissance while evading detection. APT41 frequently employs spear-phishing emails for both cyberespionage and financial attacks. To increase their chances of success, the organization has sent deceptive emails requesting information from high-level targets, using acquired personal information. Their targets have included bitcoin exchanges for financial gain and media organizations for espionage purposes.
Softwares used by APT41 Hacker Group
APT 41, as reported by the Department of Health and Human Services of the United States, utilizes various software tools for malicious activities. These tools include:
- BLACK COFFEE– A versatile tool capable of acting as a reverse shell, aiding in enumeration and deletion, as well as facilitating command and control (C2) communications while employing obfuscation techniques.
- China Chopper– A web shell designed to grant unauthorized access to enterprise networks, allowing the attackers to infiltrate and operate within the targeted systems.
- Cobalt Strike– A commercially available tool frequently employed by attackers to deploy and execute malicious payloads, enabling them to carry out their intended actions.
- Gh0st Rat– A remote access tool (RAT) utilized by APT 41 to gain unauthorized control over compromised systems and establish continued access for subsequent malicious activities.
- Mimikatz– A credential dumping tool employed by the group to extract plain-text Windows account information, aiding them in obtaining sensitive credentials for further exploitation.
- PlugX– A RAT equipped with modular plugins, offering APT 41 additional capabilities to exploit and control compromised systems as per their specific requirements.
- ShadowPad- A modular backdoor commonly utilized by APT 41 for command and control communication, providing them with a means to remotely control compromised systems and carry out malicious activities.
Best Ways to Prevent APTs
Stressing the value of employee awareness is crucial in the contemporary cloud services ecosystem. Organizations may improve their security posture and secure priceless assets by increasing employee awareness. With the popularity of cloud-based services, fraudsters are using spear phishing attacks and other social engineering techniques to exploit these systems flaws. For instance, current data indicates a 400 percent increase in credential-stuffing attacks over the previous year. Consider the following key points to safeguard your ecosystem:
Protection from Phishing Attacks
When handling emails, employees need to be watchful and cautious to avoid falling for phishing scams that try to deceive them into disclosing personal information or clicking on hazardous links. Implementing vishing awareness and simulation training can help staff recognize voice-based impersonation attempts as well.
Protecting Sensitive Data
When using cloud services, employees must be aware of the significance of handling and safeguarding sensitive data appropriately. This includes using strong passwords, avoiding sharing login information, and adhering to secure file-sharing procedures.
Awareness of Social Engineering Tactics
Organizations should actively inform employees about common social engineering techniques employed by attackers, such as impersonation or manipulation. These techniques exploit employees confidence, tricking them into divulging sensitive information. Learn more about social engineering examples to better understand these threats.
Detecting Suspicious Activity
It is important for staff members to be able to see suspicious activity in cloud services, such as unauthorized access attempts, irregular file sharing or deletion, or unexpected system behaviors, and to report any issues as soon as they arise.
Regular Security Awareness Training
The organization should regularly conduct security training to ensure staff members are aware of new risks, best practices for cloud security, and the company is policies and procedures for using the cloud and protecting data. Our learning management system helps automate this process at scale.
Organizations can considerably improve their entire security posture to reduce risks and guarantee the safe and responsible use of cloud technology. According to a recent survey, 78 percent of customers would cease doing business with a company if their data was hacked. So, employee education aims to avoid cyberattacks while also preserving stakeholder and customer confidence.
Conclusion
APT41 remains one of the most sophisticated and persistent threat actors operating today. Their willingness to abuse legitimate tools like Google is red teaming software demonstrates how traditional security boundaries are blurring. Organizations must stay vigilant by implementing comprehensive security awareness training, maintaining strong detection capabilities, and ensuring employees can recognize and report suspicious activity. The threat posed by APT41 and similar groups continues to evolve, making ongoing education and proactive defense strategies essential for protecting against these advanced persistent threats.
For more information on protecting your organization from APT41 and other advanced threats, consider implementing security awareness training and phishing incident response programs tailored to your organization is needs.
FAQs
What is a Red Teaming Tool?
A red teaming tool simulates real cyberattacks to test an organization's security posture. GC2 (Google Command and Control) is one such tool designed for legitimate security assessments. Unfortunately, APT41 weaponized this tool to conduct command-and-control operations during its attacks.
What is Living off the Land (LOTL)?
LOTL is a hacking technique using legitimate, pre-installed tools on victim systems to conduct operations while avoiding detection. APT41 uses this extensively by leveraging built-in Windows utilities and cloud services rather than deploying custom malware.
Why is Employee Awareness Critical?
Employee awareness prevents APT41 attacks at the initial stage. Training staff to recognize phishing emails, verify unexpected requests, and report suspicious activity stops breaches before malware installation. Check out our incident response program to learn proper response procedures.

