APT41 Deploys New ELF Backdoor to Harvest Cloud Credentials

Tech & Science · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

BEIJING (AP) — A state-linked cyber espionage group known as APT41 has deployed a new malware variant designed to harvest credentials from major cloud computing environments, security researchers said on Sunday. The attack, detected on April 13, 2026, targets Amazon Web Services, Google Cloud, Microsoft Azure, and Alibaba Cloud using a previously undetected ELF backdoor.

The group, also referred to by cybersecurity firms as Winnti, Wicked Panda, Barium, Silver Dragon, and Brass Typhoon, has a history of dual-purpose operations. While the group has long been associated with espionage activities conducted on behalf of Beijing, it simultaneously pursues cybercrime operations for financial gain. This latest campaign appears to leverage both objectives, aiming to infiltrate cloud infrastructure to access sensitive data and potentially monetize the breach.

The malware utilizes a typosquatting technique to trick users into downloading malicious files. Once executed, the ELF backdoor establishes a command-and-control channel through SMTP port 25, a standard port for email transmission that often bypasses security filters. This method allows the attackers to maintain persistent access to compromised systems without triggering standard intrusion detection mechanisms.

Security analysts noted that the malware is specifically engineered to evade detection by current antivirus solutions. The use of ELF (Executable and Linkable Format), the native binary format on Linux and other Unix-like systems, suggests a broadening of the group's operational scope beyond Windows environments. The campaign is active globally, with no specific geographic concentration of targets identified at this time.

The infiltration of cloud environments poses significant risks to organizations relying on these platforms for data storage and processing. Compromised credentials could allow attackers to access sensitive intellectual property, customer data, and internal communications. The use of SMTP port 25 for command-and-control traffic complicates mitigation efforts, as blocking this port could disrupt legitimate email services.

Cloud service providers have not yet issued public advisories regarding the specific threat. However, security experts recommend that organizations monitor for unusual outbound traffic on port 25 and review access logs for unauthorized credential usage. The deployment of the ELF backdoor marks a significant evolution in APT41's toolkit, indicating a continued investment in sophisticated attack vectors.
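The monitoring recommendation above (unusual outbound traffic on port 25) can be turned into a concrete check. The following is an added example written for this article, not code from the report, the researchers, or any vendor: it reads Zeek-style connection records, keeps outbound TCP/25 flows from internal hosts that are not on an allowlist of known mail relays, and then scores each source/destination pair on two heuristics that are assumptions of this example rather than published indicators, namely near-constant inter-connection intervals (a beaconing pattern) and sessions in which the client receives more bytes than it sends (inverted from a normal mail submission, where the client sends the message). The network ranges, the relay allowlist and the flow lines are all constructed sample data.

```python
"""Flag unexpected outbound SMTP (TCP/25) connections in flow records.

Added example for the article above; the allowlist, ranges and sample
records are constructed, and the two scoring heuristics are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Hypothetical internal address space and the only hosts expected to send SMTP.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
MAIL_RELAYS = {"10.0.0.25"}

# Constructed sample records in a Zeek conn.log-like tab-separated layout:
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  duration  orig_bytes  resp_bytes
SAMPLE_FLOWS = """\
1776038400.0\t10.0.0.25\t51234\t203.0.113.10\t25\ttcp\t1.2\t4000\t300
1776038460.0\t10.0.1.17\t40001\t198.51.100.7\t25\ttcp\t30.5\t120\t2048
1776038760.0\t10.0.1.17\t40002\t198.51.100.7\t25\ttcp\t31.0\t118\t2100
1776039060.0\t10.0.1.17\t40003\t198.51.100.7\t25\ttcp\t29.8\t121\t1990
1776039360.0\t10.0.1.17\t40004\t198.51.100.7\t25\ttcp\t30.2\t119\t2050
1776038500.0\t10.0.2.8\t50000\t192.0.2.44\t443\ttcp\t0.5\t900\t15000
"""


@dataclass
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    duration: float
    orig_bytes: int
    resp_bytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse tab-separated flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        flows.append(Flow(float(f[0]), f[1], int(f[2]), f[3], int(f[4]),
                          f[5], float(f[6]), int(f[7]), int(f[8])))
    return flows


def is_internal(ip: str, network=INTERNAL) -> bool:
    return ipaddress.ip_address(ip) in network


def find_unexpected_smtp(flows, relays=MAIL_RELAYS, network=INTERNAL):
    """Return one finding per (src, dst) pair of outbound TCP/25 from non-relay hosts.

    Each finding carries the connection count and two heuristic flags:
    'regular'  - inter-connection intervals vary by less than 10% (beacon-like)
    'inbound_heavy' - the client received more bytes than it sent overall
    """
    groups = defaultdict(list)
    for fl in flows:
        if fl.dport != 25 or fl.proto != "tcp":
            continue
        if not is_internal(fl.src, network) or is_internal(fl.dst, network):
            continue  # only internal -> external flows are of interest here
        if fl.src in relays:
            continue  # known mail relays are expected to talk on port 25
        groups[(fl.src, fl.dst)].append(fl)

    findings = []
    for (src, dst), fls in groups.items():
        fls.sort(key=lambda f: f.ts)
        intervals = [b.ts - a.ts for a, b in zip(fls, fls[1:])]
        regular = False
        if len(intervals) >= 2:
            mean = sum(intervals) / len(intervals)
            var = sum((i - mean) ** 2 for i in intervals) / len(intervals)
            regular = mean > 0 and (var ** 0.5) / mean < 0.10
        inbound_heavy = (sum(f.resp_bytes for f in fls)
                         > sum(f.orig_bytes for f in fls))
        findings.append({"src": src, "dst": dst, "count": len(fls),
                         "regular": regular, "inbound_heavy": inbound_heavy})
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_smtp(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

On the constructed records the relay's own SMTP session and the HTTPS flow are ignored, and the workstation 10.0.1.17 is reported once with four connections at a fixed five-minute spacing and an inbound-heavy byte ratio. Both flags are heuristics: a legitimate host that polls a remote mail server will also look regular, so this is a triage signal to pair with the allowlist and with the access-log review the article recommends, not a verdict on its own.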

The full extent of the compromise remains unclear. Investigators are working to determine how many organizations have been affected and whether any data has already been exfiltrated. The group's ability to operate across multiple cloud platforms suggests a high level of technical capability and resources. As the investigation continues, the potential for further exploitation of cloud infrastructure remains a critical concern for global cybersecurity.