APT41 Uses New Winnti Backdoor to Steal Credentials from Linux Cloud Servers
Key Takeaways
- APT41 is deploying a new, stealthy Winnti backdoor designed for Linux cloud servers.
- The malware targets AWS, Google Cloud, Microsoft Azure, and Alibaba Cloud to steal credentials and maintain long-term access.
- The backdoor utilizes an unusual SMTP-based command-and-control (C2) mechanism on port 25 and employs typosquatting domains for evasion.
- The implant is highly evasive, with zero detections on VirusTotal at the time of reporting, highlighting gaps in traditional endpoint security for cloud environments.
APT41 Unleashes New Winnti Backdoor for Linux Cloud Credential Theft
The formidable APT41 threat group has significantly advanced its Linux operational capabilities, now leveraging a sophisticated new Winnti backdoor to covertly compromise cloud servers. This development transforms these servers into platforms for extensive credential theft, marking a notable expansion in the group’s tactical repertoire.
This latest iteration of the Winnti-family backdoor is a zero-detection ELF implant, meticulously engineered for Linux workloads across major cloud platforms including Amazon Web Services (AWS), Google Cloud, Microsoft Azure, and Alibaba Cloud. Its primary objective is the large-scale exfiltration of cloud credentials.
In contrast to campaigns that rely on overt exploits or ransomware, this operation underscores a strategic shift towards achieving persistent, stealthy access and maintaining operational control over critical cloud infrastructure. Further details on this campaign can be found in a comprehensive report.
Stealthy Operations and Evasive C2
The malware, subject to in-depth analysis by Breakglass Intelligence, functions as a persistent backdoor. It is engineered to mimic typical cloud network traffic, allowing it to harvest sensitive access tokens and configuration secrets from compromised instances without raising immediate suspicion.
Analysts at Breakglass Intelligence observed that the sample exhibited no detections on VirusTotal at the time of their reporting. This critical observation highlights a significant blind spot in current traditional endpoint security solutions when confronted with cloud-native threats.
Their investigation reveals that APT41 specifically targets instance metadata services, local credential files, and cloud-specific configuration paths. This comprehensive approach allows the group to gather all necessary information to facilitate deeper penetration into targeted cloud environments.
According to the Breakglass Intelligence report, the backdoor employs an unconventional yet highly effective command-and-control (C2) strategy. It leverages SMTP traffic over port 25, diverging from the more commonly used HTTPS-based channels. This choice allows the implant to masquerade its C2 communications as legitimate email traffic, which often faces less stringent inspection and inconsistent egress filtering within many cloud networks.
The malware then communicates with a series of typosquatting domains, designed to impersonate Alibaba, which are hosted on Alibaba Cloud infrastructure in Singapore. This tactic further aids in blending its malicious traffic with what might appear to be normal regional network activity.
The campaign also demonstrates a high degree of sophisticated planning regarding its infrastructure. The operators registered three domains impersonating Alibaba Cloud and the Chinese cybersecurity firm Qianxin within a tight 24-hour window, using the NameSilo registrar and enabling WHOIS privacy. This pattern, coupled with code lineage traceable to earlier Winnti ELF implants such as PWNLNX and the Linux KEYPLUG variant, provides strong evidence for attributing this campaign to APT41.
Cloud Credential Harvesting and Covert C2 Tactics
The core functionality of this new Winnti backdoor lies in its dedicated cloud credential harvesting engine. This engine systematically traverses the metadata and credential storage mechanisms of each major cloud provider.
- AWS: The implant queries the instance metadata endpoint at 169.254.169.254 to extract IAM role credentials and also reads the standard ~/.aws/credentials file if present.
- GCP: It requests service account tokens from the metadata server and checks for application default credentials.
- Azure: The malware pulls managed identity tokens from the IMDS endpoint and scans ~/.azure profiles.
- Alibaba Cloud: It targets ECS metadata to obtain RAM role credentials and inspects local Alibaba CLI configuration files.
All harvested secrets are encrypted using a hardcoded AES-256 key and temporarily stored locally before exfiltration via the SMTP-based C2 channel.
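The harvesting engine described above touches a predictable set of files and metadata endpoints across providers, which is exactly what a host-based detection can key on. The following is an added example (not code from the report or the sample) that scans constructed audit-style records and flags any non-allowlisted process that reaches several of those credential sources in a short window; the log format, the allowlist and the process names are assumptions, while the paths and metadata addresses are the standard ones for each provider.

```python
import re

# Watchlist of credential files and metadata endpoints per provider (the standard locations;
# only the ones named on the page are known to be used by the sample).
CREDENTIAL_PATHS = ("/.aws/credentials", "/.azure/", "/.config/gcloud/", "/.aliyun/")
METADATA_HOSTS = ("169.254.169.254", "metadata.google.internal", "100.100.100.200")
# Constructed allowlist: tooling expected to read cloud credentials on this host.
ALLOWED_PROCS = {"aws", "gcloud", "az", "aliyun", "cloud-init"}

# Constructed audit-style records: timestamp, process name, event, target.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z aws open /home/deploy/.aws/credentials
2024-05-01T10:00:07Z cloud-init connect 169.254.169.254:80
2024-05-01T10:02:15Z kworkerd open /home/deploy/.aws/credentials
2024-05-01T10:02:16Z kworkerd open /home/deploy/.azure/azureProfile.json
2024-05-01T10:02:18Z kworkerd connect 169.254.169.254:80
2024-05-01T10:02:19Z kworkerd connect 100.100.100.200:80
2024-05-01T10:05:00Z sshd open /etc/ssh/sshd_config
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (open|connect) (\S+)$")


def parse(line):
    """Parse one constructed record into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proc, event, target = m.groups()
    return {"ts": ts, "proc": proc, "event": event, "target": target}


def is_credential_touch(rec):
    """True when the record reads a credential file or contacts a metadata service."""
    if rec["event"] == "open":
        return any(p in rec["target"] for p in CREDENTIAL_PATHS)
    host = rec["target"].rsplit(":", 1)[0]
    return host in METADATA_HOSTS


def find_harvesters(log_text, min_targets=2):
    """Return {process: set(targets)} for non-allowlisted processes that touch
    at least `min_targets` distinct credential sources; cross-provider sweeps
    like the one described in the report stand out against single-tool access."""
    touches = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and is_credential_touch(rec) and rec["proc"] not in ALLOWED_PROCS:
            touches.setdefault(rec["proc"], set()).add(rec["target"])
    return {p: t for p, t in touches.items() if len(t) >= min_targets}
```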
The command-and-control design incorporates a selective handshake mechanism on the C2 server at 43.99.48.196, making detection even more challenging. The server only fully responds to clients that present a valid token embedded within the initial EHLO string. When automated scanners like Shodan or Censys connect without this token, they receive only a standard SMTP banner followed by a benign 220 response before the connection terminates. This prevents the host from appearing suspicious in automated internet-wide scans.
Only implants possessing the correct token receive encoded tasking embedded within SMTP reply codes and extended messages. This establishes a quiet control layer for APT41 that is exceptionally difficult for defenders to map from external vantage points. Additional information is available in the full Breakglass Intelligence report.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.