APT41 Turns Linux Cloud Servers Into Credential Theft Targets With

Sarah simpson
April 14, 2026 3 Min Read

The notorious APT41 group continues to evolve its Linux capabilities, now deploying a new Winnti backdoor to quietly transform cloud servers into sophisticated platforms for credential theft. This development, detailed in a recent report, marks a significant advancement in the threat actor’s operational scope.

The group’s latest Winnti-family backdoor is a zero‑detection ELF implant designed specifically for Linux workloads running on AWS, Google Cloud, Microsoft Azure, and Alibaba Cloud, with a clear focus on stealing cloud credentials at scale.

Instead of noisy exploits or ransomware, this campaign prioritizes long‑term access, stealth, and operational control over critical cloud infrastructure.

The malware, analyzed in depth by Breakglass Intelligence, operates as a persistent backdoor that blends into normal cloud traffic patterns while harvesting sensitive access tokens and configuration secrets from compromised instances.

Breakglass Intelligence analysts noted that the sample had no detections on VirusTotal at the time of reporting, underscoring the gap between traditional endpoint defenses and today’s cloud‑native threats.

Their research shows that APT41 is targeting instance metadata services, local credential files, and cloud‑specific configuration paths to collect everything needed to pivot deeper into cloud environments.

According to the Breakglass Intelligence report, the backdoor uses an unusual but effective command‑and‑control strategy built around SMTP traffic over port 25, rather than more common HTTPS‑based channels.

This choice allows the implant to disguise its C2 as email traffic, which often receives weaker inspection and inconsistent egress filtering in many cloud networks.

The malware then communicates with a set of Alibaba‑themed typosquat domains hosted on Alibaba Cloud infrastructure in Singapore, further helping it blend into what might look like normal regional traffic.

At the same time, the campaign shows a high degree of planning on the infrastructure side. The operators registered three domains that impersonate Alibaba Cloud and Chinese cybersecurity brand Qianxin, all within a tight 24‑hour window through the NameSilo registrar and with WHOIS privacy enabled.

This pattern, combined with code lineage linking back to earlier Winnti ELF implants such as PWNLNX and the Linux KEYPLUG variant, supports a confident attribution to APT41.

Cloud credential harvesting and covert C2

At the heart of this new Winnti backdoor is a focused cloud credential harvesting engine that systematically walks through each major provider’s metadata and credential storage mechanisms.

On AWS, the implant queries the instance metadata endpoint at 169.254.169.254 to extract IAM role credentials, while also reading the standard ~/.aws/credentials file if it exists.

On GCP, it requests service account tokens from the metadata server and checks for application default credentials, and on Azure it pulls managed identity tokens from the IMDS endpoint and scans ~/.azure profiles.

For Alibaba Cloud, the malware targets ECS metadata to obtain RAM role credentials and inspects the local Alibaba CLI configuration files. All collected secrets are encrypted using a hardcoded AES‑256 key and staged locally prior to exfiltration through the SMTP‑based C2 channel.

The command‑and‑control design makes detection even harder by adding a selective handshake step on the C2 server at 43.99.48.196, which only responds fully to clients that present a valid token embedded in the initial EHLO string.

When scanners such as Shodan or Censys connect without this token, they see nothing more than a normal SMTP banner followed by a benign 220 response before the connection closes, so the host never appears as suspicious in automated internet‑wide scans.

Only implants that know the right token receive encoded tasking in SMTP reply codes and extended messages, giving APT41 a quiet control layer that is extremely difficult for defenders to map from the outside.

Inside the cloud network, the implant supports lateral movement by periodically sending UDP broadcast beacons to 255.255.255.255 on port 6006, allowing other compromised hosts to discover each other and share tasking without extra direct C2 traffic.

This peer‑to‑peer coordination means that even if some outbound traffic is blocked or monitored, the operator can still move laterally and maintain control over a cluster of infected systems.

To counter this, Breakglass Intelligence recommends tightening controls around outbound SMTP traffic from non‑mail workloads, monitoring for unusual UDP broadcasts to port 6006, auditing access to metadata services and local credential stores, and hunting for stripped, statically linked ELF binaries in temporary paths such as /tmp, /var/tmp, and /dev/shm.

Cloud teams are also urged to enable cloud audit logs, enforce stronger metadata protections such as IMDSv2 on AWS, and closely review IAM role usage from unexpected source IPs to detect and contain this evolving Winnti cloud campaign.
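As an added example (not code from the report or this article), the following Python snippet turns two of the recommendations above into a simple flow-log detector: it flags outbound TCP/25 from any instance not on a mail-relay allowlist and UDP broadcasts to 255.255.255.255 on port 6006. The record format, the `MAIL_RELAYS` allowlist and the sample flows are all constructed assumptions.

```python
"""Detect flow records matching the C2 patterns described for the Winnti
cloud backdoor: SMTP (TCP/25) from non-mail workloads and UDP broadcast
beacons to 255.255.255.255:6006. Input is a constructed, simplified
flow-log-like format: "src_ip dst_ip proto dst_port"."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the only instances that legitimately speak SMTP outbound.
MAIL_RELAYS = {"10.0.1.25"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record into a Flow."""
    src, dst, proto, dport = line.split()[:4]
    return Flow(src, dst, proto.lower(), int(dport))


def classify(flow: Flow) -> Optional[str]:
    """Return an alert name when a flow matches a reported C2 pattern."""
    if flow.proto == "tcp" and flow.dport == 25 and flow.src not in MAIL_RELAYS:
        return "smtp-c2-from-non-mail-host"
    if flow.proto == "udp" and flow.dport == 6006 and flow.dst == "255.255.255.255":
        return "udp-broadcast-peer-beacon"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Run classify() over every non-comment record, collecting alerts."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        name = classify(flow)
        if name:
            alerts.append((name, flow.src, flow.dst, flow.dport))
    return alerts


# Constructed sample records: one benign HTTPS flow, a relay sending mail,
# a non-mail host on TCP/25, a limited broadcast on 6006, a subnet broadcast.
SAMPLE_FLOWS = """\
# src dst proto dport
10.0.2.14 203.0.113.10 tcp 443
10.0.1.25 198.51.100.7 tcp 25
10.0.2.14 198.51.100.7 tcp 25
10.0.2.14 255.255.255.255 udp 6006
10.0.3.9 10.0.3.255 udp 6006
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(*alert)
```

Subnet-directed broadcasts (such as 10.0.3.255 above) are deliberately not flagged, since the report describes only the limited broadcast address; extend the second rule if your environment wants that coverage too.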
