APT41 Uses New Winnti Backdoor to Steal Credentials from Linux Cloud Servers


Sarah simpson
April 14, 2026 4 Min Read

Key Takeaways

  • APT41 is deploying a new, stealthy Winnti backdoor designed for Linux cloud servers.
  • The malware targets AWS, Google Cloud, Microsoft Azure, and Alibaba Cloud to steal credentials and maintain long-term access.
  • The backdoor utilizes an unusual SMTP-based command-and-control (C2) mechanism on port 25 and employs typosquatting domains for evasion.
  • The implant is highly evasive, with zero detections on VirusTotal at the time of reporting, highlighting gaps in traditional endpoint security for cloud environments.

APT41 Unleashes New Winnti Backdoor for Linux Cloud Credential Theft

The APT41 threat group has significantly advanced its Linux operational capabilities and is now using a new Winnti backdoor to covertly compromise cloud servers. The compromised servers become platforms for large-scale credential theft, a notable expansion of the group's tactical repertoire.

This latest iteration of the Winnti-family backdoor is a zero-detection ELF implant, meticulously engineered for Linux workloads across major cloud platforms including Amazon Web Services (AWS), Google Cloud, Microsoft Azure, and Alibaba Cloud. Its primary objective is the large-scale exfiltration of cloud credentials.

In contrast to campaigns that rely on overt exploits or ransomware, this operation reflects a strategic shift towards persistent, stealthy access and sustained operational control over critical cloud infrastructure. Further details on the campaign are given in the Breakglass Intelligence report.

Stealthy Operations and Evasive C2

The malware, subject to in-depth analysis by Breakglass Intelligence, functions as a persistent backdoor. It is engineered to mimic typical cloud network traffic, allowing it to harvest sensitive access tokens and configuration secrets from compromised instances without raising immediate suspicion.

Analysts at Breakglass Intelligence observed that the sample exhibited no detections on VirusTotal at the time of their reporting. This critical observation highlights a significant blind spot in current traditional endpoint security solutions when confronted with cloud-native threats.

Their investigation reveals that APT41 specifically targets instance metadata services, local credential files, and cloud-specific configuration paths. Covering all three sources gives the group the material it needs to move deeper into the targeted cloud environments.

According to the Breakglass Intelligence report, the backdoor employs an unconventional yet highly effective command-and-control (C2) strategy. It leverages SMTP traffic over port 25, diverging from the more commonly used HTTPS-based channels. This choice allows the implant to masquerade its C2 communications as legitimate email traffic, which often faces less stringent inspection and inconsistent egress filtering within many cloud networks.

The malware then communicates with a series of typosquatting domains, designed to impersonate Alibaba, which are hosted on Alibaba Cloud infrastructure in Singapore. This tactic further aids in blending its malicious traffic with what might appear to be normal regional network activity.
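The SMTP-on-port-25 channel described above is easy to miss when egress filtering is inconsistent, but it stands out in flow telemetry once you ask which workloads are talking TCP/25 to the internet at all. The following script is an added example, not code from the article or from Breakglass Intelligence: it parses records in the default AWS VPC flow log layout (the sample records are constructed), keeps only accepted flows from a private source to an external destination on TCP/25, drops hosts on an assumed mail-relay allow list, and raises the severity when the destination matches the C2 address the article reports. The allow list, the severity scheme and the field layout are assumptions to adapt to your own environment.

```python
"""Flag outbound SMTP (TCP/25) from cloud workloads in VPC-flow-log-style records.

Added example, not from the article or from Breakglass Intelligence. It assumes
the default AWS VPC flow log field layout; the records in SAMPLE_FLOW_LOGS are
constructed, and the C2 address in KNOWN_C2 is the one the article reports.
"""
import ipaddress
from collections import Counter

# Default VPC flow log field order (version 2 records).
FIELDS = ["version", "account", "eni", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "status"]

# Workloads allowed to relay mail outbound (assumption; tune per environment).
MAIL_RELAY_ALLOWLIST = {"10.0.1.5"}

# C2 server reported in the article; add your own intel here.
KNOWN_C2 = {"43.99.48.196"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: workload 10.0.2.17 talks TCP/25 to the reported C2 twice,
# the relay host sends legitimate mail, one HTTPS flow, and one rejected SMTP attempt.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.2.17 43.99.48.196 51234 25 6 12 1840 1713081600 1713081660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.17 43.99.48.196 51236 25 6 9 1322 1713081700 1713081760 ACCEPT OK
2 123456789012 eni-0a1b2c3e 10.0.1.5 198.51.100.25 41000 25 6 40 5120 1713081600 1713081660 ACCEPT OK
2 123456789012 eni-0a1b2c3f 10.0.3.9 203.0.113.10 44321 443 6 30 9000 1713081600 1713081660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.17 203.0.113.77 51240 25 6 3 180 1713081800 1713081860 REJECT OK
"""


def is_rfc1918(ip_text):
    """True if the address is in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918)


def parse_flow_log(text):
    """Parse default-format VPC flow log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def find_suspicious_smtp_egress(records, allowlist=MAIL_RELAY_ALLOWLIST, known_c2=KNOWN_C2):
    """Return accepted workload->internet TCP/25 flows not coming from a known relay."""
    flows = Counter()
    for r in records:
        if r["protocol"] != "6" or r["dstport"] != "25" or r["action"] != "ACCEPT":
            continue
        if not is_rfc1918(r["srcaddr"]) or is_rfc1918(r["dstaddr"]):
            continue  # keep only private-source -> external-destination flows
        if r["srcaddr"] in allowlist:
            continue
        flows[(r["srcaddr"], r["dstaddr"])] += 1
    findings = []
    for (src, dst), n in sorted(flows.items()):
        findings.append({"src": src, "dst": dst, "flows": n,
                         "severity": "high" if dst in known_c2 else "medium"})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_smtp_egress(parse_flow_log(SAMPLE_FLOW_LOGS)):
        print(finding)
```

The same logic applies to any flow source (GCP VPC Flow Logs, Azure NSG flow logs, Zeek conn logs) once the field mapping is adjusted; the point is the policy question, not the log format: a workload that is not a mail relay has no business opening TCP/25 to the internet, and a deny rule at the egress boundary removes this channel regardless of what the traffic looks like.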

The campaign also demonstrates a high degree of sophisticated planning regarding its infrastructure. The operators registered three domains impersonating Alibaba Cloud and the Chinese cybersecurity firm Qianxin within a tight 24-hour window, using the NameSilo registrar and enabling WHOIS privacy. This pattern, coupled with code lineage traceable to earlier Winnti ELF implants such as PWNLNX and the Linux KEYPLUG variant, provides strong evidence for attributing this campaign to APT41.

Cloud Credential Harvesting and Covert C2 Tactics

The core functionality of this new Winnti backdoor lies in its dedicated cloud credential harvesting engine. This engine systematically traverses the metadata and credential storage mechanisms of each major cloud provider.

  • AWS: The implant queries the instance metadata endpoint at 169.254.169.254 to extract IAM role credentials and also reads the standard ~/.aws/credentials file if present.
  • GCP: It requests service account tokens from the metadata server and checks for application default credentials.
  • Azure: The malware pulls managed identity tokens from the IMDS endpoint and scans ~/.azure profiles.
  • Alibaba Cloud: It targets ECS metadata to obtain RAM role credentials and inspects local Alibaba CLI configuration files.

All harvested secrets are encrypted using a hardcoded AES-256 key and temporarily stored locally before exfiltration via the SMTP-based C2 channel.
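The harvesting engine's distinguishing trait is breadth: a single process reads the credential file of one provider, queries a metadata endpoint, then moves on to the next provider's files. Legitimate tooling rarely does that. The script below is an added example, not the article's or Breakglass Intelligence's detection logic: it assumes an EDR or auditd-derived JSON-lines feed with the fields used (pid, exe, event, path, dst), maps each event to the credential source it touches (the file paths the article lists, plus the standard GCP application-default-credentials and Alibaba CLI config locations, and the 169.254.169.254 and 100.100.100.200 metadata endpoints), and reports any non-allow-listed process that touches two or more sources or runs from a world-writable directory. The events, the process name and the thresholds are constructed assumptions.

```python
"""Correlate per-process credential-source access on a Linux cloud host.

Added example, not the article's or Breakglass Intelligence's detection logic.
It assumes an EDR/auditd-style JSON-lines feed with the fields used below
(pid, exe, event, path, dst); the events in SAMPLE_EVENTS are constructed.
"""
import json
import re
from collections import defaultdict

# Credential files: the article names ~/.aws/credentials, ~/.azure profiles and the
# Alibaba CLI config; the GCP and Alibaba paths below are those tools' standard locations.
CREDENTIAL_FILE_PATTERNS = {
    "aws-credentials-file": re.compile(r"/\.aws/credentials$"),
    "gcp-adc-file": re.compile(r"/\.config/gcloud/application_default_credentials\.json$"),
    "azure-profile": re.compile(r"/\.azure/"),
    "alibaba-cli-config": re.compile(r"/\.aliyun/config\.json$"),
}

# Metadata endpoints: 169.254.169.254 serves AWS, GCP and Azure; 100.100.100.200 is Alibaba ECS.
METADATA_HOSTS = {
    "169.254.169.254": "imds-169.254.169.254",
    "100.100.100.200": "alibaba-ecs-metadata",
}

# Binaries expected to touch these sources on this host (assumption; tune per fleet).
EXE_ALLOWLIST = {"/usr/bin/aws", "/usr/bin/gcloud", "/usr/bin/az", "/usr/local/bin/aliyun"}

# Assumption: a process touching this many distinct sources is reported.
MIN_SOURCES = 2

# Constructed events: the AWS CLI reading its own file, a script making one IMDS call,
# and an unknown binary in /tmp walking through several providers' credential sources.
SAMPLE_EVENTS = """\
{"ts": 1, "pid": 4211, "exe": "/usr/bin/aws", "event": "open", "path": "/home/ubuntu/.aws/credentials"}
{"ts": 2, "pid": 4377, "exe": "/usr/bin/python3", "event": "connect", "dst": "169.254.169.254:80"}
{"ts": 3, "pid": 5120, "exe": "/tmp/.x/sysconfigd", "event": "open", "path": "/root/.aws/credentials"}
{"ts": 4, "pid": 5120, "exe": "/tmp/.x/sysconfigd", "event": "connect", "dst": "169.254.169.254:80"}
{"ts": 5, "pid": 5120, "exe": "/tmp/.x/sysconfigd", "event": "open", "path": "/root/.config/gcloud/application_default_credentials.json"}
{"ts": 6, "pid": 5120, "exe": "/tmp/.x/sysconfigd", "event": "connect", "dst": "100.100.100.200:80"}
{"ts": 7, "pid": 5120, "exe": "/tmp/.x/sysconfigd", "event": "open", "path": "/etc/hostname"}
"""


def credential_source(event):
    """Map one event to the credential source it touches, or None if it touches none."""
    if event["event"] == "open":
        for name, pattern in CREDENTIAL_FILE_PATTERNS.items():
            if pattern.search(event["path"]):
                return name
    elif event["event"] == "connect":
        host = event["dst"].rsplit(":", 1)[0]
        return METADATA_HOSTS.get(host)
    return None


def correlate(events_jsonl, allowlist=EXE_ALLOWLIST, min_sources=MIN_SOURCES):
    """Group credential-source touches by pid and report multi-provider or untrusted processes."""
    per_process = defaultdict(lambda: {"exe": None, "sources": set()})
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        source = credential_source(ev)
        if source is None or ev["exe"] in allowlist:
            continue
        rec = per_process[ev["pid"]]
        rec["exe"] = ev["exe"]
        rec["sources"].add(source)

    findings = []
    for pid, rec in sorted(per_process.items()):
        multi = len(rec["sources"]) >= min_sources
        untrusted_dir = rec["exe"].startswith(("/tmp/", "/dev/shm/", "/var/tmp/"))
        if multi or untrusted_dir:
            findings.append({"pid": pid, "exe": rec["exe"], "sources": sorted(rec["sources"]),
                             "reason": "multi-provider harvest" if multi else "untrusted executable path"})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The detection is only half of the answer: the metadata calls succeed because the instance lets any local process reach the endpoint without proof of who is asking. Requiring IMDSv2 (token-based, hop-limited) on AWS, and equivalent header-required modes where the other providers offer them, turns a plain GET into something a crude harvesting loop has to work harder for, and narrowing the IAM/RAM role attached to the instance limits what a stolen token is worth.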

The command-and-control design incorporates a selective handshake mechanism on the C2 server at 43.99.48.196, making detection even more challenging. The server only fully responds to clients that present a valid token embedded within the initial EHLO string. When automated scanners like Shodan or Censys connect without this token, they receive only a standard SMTP banner followed by a benign 220 response before the connection terminates. This prevents the host from appearing suspicious in automated internet-wide scans.

Only implants possessing the correct token receive encoded tasking embedded within SMTP reply codes and extended messages. This establishes a quiet control layer for APT41 that is exceptionally difficult for defenders to map from external vantage points. Additional information is available in the Breakglass Intelligence report.
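Because the server hides from scanners, the handshake is hard to find from outside; it is easier to spot from inside, where the implant has to put its token into the EHLO line of every session. A legitimate client sends a hostname or an address literal there, so an argument that looks like a key rather than a name is worth a look. The script below is an added example, not Breakglass Intelligence's detection logic: it assumes an SMTP session transcript with `C:` client and `S:` server lines (as a proxy or packet-capture tool might export), checks each EHLO/HELO argument against the hostname and address-literal shapes RFC 5321 allows, and applies two simple token heuristics. The transcript, the thresholds and the regexes are constructed assumptions to tune against your own baseline.

```python
"""Check SMTP EHLO/HELO arguments seen in egress sessions for token-like values.

Added example, not Breakglass Intelligence's detection logic. It assumes a
session transcript with "C:" client lines and "S:" server lines; the sessions
in SAMPLE_TRANSCRIPT are constructed.
"""
import re

# RFC 5321 address literals: [1.2.3.4] or [IPv6:...]
ADDRESS_LITERAL_RE = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3}|IPv6:[0-9A-Fa-f:.]+)\]$")
HOSTNAME_CHARS_RE = re.compile(r"^[A-Za-z0-9.-]+$")

# Heuristic thresholds (assumptions; tune against your own baseline).
DIGIT_HEAVY_MIN_LEN = 16     # only labels at least this long are tested for digit density
DIGIT_HEAVY_RATIO = 0.3      # fraction of digits above which a hyphen-free label looks like a token
DOTLESS_TOKEN_MIN_LEN = 24   # a single dotless label this long is rarely a real hostname


def classify_ehlo_argument(arg):
    """Return None for a plausible hostname/address literal, else a short reason."""
    if ADDRESS_LITERAL_RE.match(arg):
        return None
    if not HOSTNAME_CHARS_RE.match(arg):
        return "non-hostname characters"
    labels = arg.split(".")
    if len(arg) > 253 or any(not label or len(label) > 63 for label in labels):
        return "oversized or empty label"
    for label in labels:
        # Hyphenated labels such as ip-172-31-45-123 are normal cloud hostnames, so the
        # digit-density test is applied only to contiguous alphanumeric labels.
        if "-" not in label and len(label) >= DIGIT_HEAVY_MIN_LEN:
            digits = sum(ch.isdigit() for ch in label)
            if digits / len(label) > DIGIT_HEAVY_RATIO:
                return "token-like argument (digit-heavy label)"
    if len(labels) == 1 and len(arg) >= DOTLESS_TOKEN_MIN_LEN:
        return "token-like argument (long dotless label)"
    return None


# Constructed transcript: two normal sessions and two whose EHLO carries a token.
SAMPLE_TRANSCRIPT = """\
# session 1
S: 220 mx.example.net ESMTP
C: EHLO mail.example.com
S: 250 mx.example.net
C: QUIT

# session 2
S: 220 mx.example.net ESMTP
C: EHLO 9f1c4e7a2b6d8c0e5a3f7b1d9e2c4a6b
S: 250-mx.example.net
S: 250 SIZE 10485760
C: QUIT

# session 3
S: 220 mx.example.net ESMTP
C: HELO [10.0.2.17]
S: 250 mx.example.net
C: QUIT

# session 4
S: 220 mx.example.net ESMTP
C: EHLO Z29sZGVuLXRva2VuLWFwdDQx
S: 250 mx.example.net
C: QUIT
"""

SESSION_RE = re.compile(r"^#\s*session\s+(\d+)")
EHLO_RE = re.compile(r"^C:\s*(?:EHLO|HELO)\s+(\S+)", re.IGNORECASE)


def scan_transcript(text):
    """Return one finding per session whose EHLO/HELO argument looks anomalous."""
    findings, session = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            session = int(m.group(1))
            continue
        m = EHLO_RE.match(line)
        if not m:
            continue
        reason = classify_ehlo_argument(m.group(1))
        if reason:
            findings.append({"session": session, "arg": m.group(1), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan_transcript(SAMPLE_TRANSCRIPT):
        print(finding)
```

Run against a day of egress SMTP sessions, this will surface a handful of odd EHLO strings from misconfigured mailers alongside anything that is actually a beacon; the useful follow-up is to join the flagged sessions with the source instance and destination address, since a token-like EHLO from a non-relay workload to a single external host is the combination the article describes.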


Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.