Aman Mishra
2025-07-21 14:40:00
gbhackers.com
Kaspersky MDR analysts recently uncovered a sophisticated targeted attack by the Chinese-speaking cyberespionage group APT41 against government IT services in the African region, marking a notable escalation in the group’s activity on the continent, which had previously seen minimal incidents from this actor.
The attackers embedded hardcoded names of internal services, IP addresses, and proxy servers directly into their malware, demonstrating deep prior reconnaissance.
Detection and Initial Compromise
A key command-and-control (C2) server was established on a compromised SharePoint instance within the victim’s infrastructure, allowing stealthy internal communications.
The intrusion was first detected through suspicious activity on multiple workstations, triggered by alerts on use of the Impacket toolkit's WmiExec module.

This manifested as a process chain involving svchost.exe spawning cmd.exe, with command outputs redirected to files on administrative network shares, named with dotted numerical patterns.
Similarly, the Atexec module was employed to create scheduled tasks for probing C2 availability, both directly and via internal proxies.
According to the report, the activity was traced back to an unmonitored compromised host running Impacket under a service account; that host was later brought into telemetry coverage for deeper analysis.
Following initial execution, attackers paused operations briefly before resuming with reconnaissance commands like netstat and tasklist to identify running processes and ports, likely scouting for security solutions such as EDR or XDR agents.
Privilege escalation involved dumping SYSTEM and SAM registry hives using reg.exe, successfully harvesting credentials from unsecured hosts despite blocks on monitored systems.
This highlighted the critical need for universal security agent deployment and strict privilege management: the attackers used a domain account with local admin rights and a backup account with domain admin privileges to move laterally over SMB, transferring tools such as Cobalt Strike and custom agents to paths like C:\Windows\Tasks or C:\ProgramData.
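The two detection opportunities described above (the WmiExec process chain with output redirected to an administrative share under a dotted numeric file name, and reg.exe saving the SAM and SYSTEM hives) can be expressed as simple rules over process-creation telemetry. The following is an added example, not code from Kaspersky or the article: the events are constructed in Sysmon Event ID 1 style, the exact shape of the redirect file name is an assumption based on the article's description, and the account and host names are invented.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not telemetry from the incident described in the article.
SAMPLE_EVENTS = [
    {"host": "ws-017", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c netstat -ano 1> \\127.0.0.1\ADMIN$\__1721565200.413562 2>&1",
     "user": "CORP\\svc-backup"},
    {"host": "ws-017", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c tasklist /v 1> \\127.0.0.1\ADMIN$\__1721565202.917731 2>&1",
     "user": "CORP\\svc-backup"},
    {"host": "fs-03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv",
     "user": "CORP\\svc-backup"},
    {"host": "fs-03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe save hklm\system C:\Windows\Temp\sys.hiv",
     "user": "CORP\\svc-backup"},
    # Benign: an admin exporting an application key, not a credential hive.
    {"host": "ws-002", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg export HKLM\SOFTWARE\Contoso C:\Temp\contoso.reg",
     "user": "CORP\\jdoe"},
    # Benign: a scheduled task whose output goes to a local log file.
    {"host": "ws-002", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c inventory.bat 1> C:\Logs\inventory.log 2>&1",
     "user": "NT AUTHORITY\\SYSTEM"},
]

# WmiExec-style output redirection: stdout sent to an administrative share
# (ADMIN$ or a drive share) under a dotted numeric file name. The file-name
# shape (optional underscores, digits, dot, digits) is an assumption based on
# the article's "dotted numerical patterns".
WMIEXEC_REDIRECT = re.compile(
    r"1>\s*\\\\[\w.-]+\\(?:ADMIN|[A-Za-z])\$\\__?\d+\.\d+", re.IGNORECASE
)

# reg.exe saving the SAM, SYSTEM or SECURITY hive (credential material).
HIVE_DUMP = re.compile(
    r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.IGNORECASE
)


def classify(event):
    """Return the names of every rule that matches one process-creation event."""
    hits = []
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmd = event["cmdline"]
    if (parent.endswith("\\svchost.exe") and image.endswith("\\cmd.exe")
            and WMIEXEC_REDIRECT.search(cmd)):
        hits.append("impacket_wmiexec_output_redirect")
    if image.endswith("\\reg.exe") and HIVE_DUMP.search(cmd):
        hits.append("registry_hive_dump")
    return hits


def detect(events):
    """Apply every rule to every event; return (host, user, rule) tuples."""
    return [(ev["host"], ev["user"], rule)
            for ev in events for rule in classify(ev)]


def accounts_with_both(events):
    """Accounts seen both executing remotely and dumping hives. One such account
    spanning several hosts (as with the service account in the article) means
    the response scope is the account's reach, not a single workstation."""
    by_user = {}
    for _host, user, rule in detect(events):
        by_user.setdefault(user, set()).add(rule)
    return {u for u, rules in by_user.items() if len(rules) == 2}


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print("accounts with remote exec + hive dump:", accounts_with_both(SAMPLE_EVENTS))
```

The benign events show why both conditions matter: a scheduled task that redirects output to a local log shares the svchost.exe → cmd.exe chain but not the administrative-share target, and a `reg export` of an application key is not a hive dump.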

Execution occurred remotely via WMI, with Cobalt Strike deployed as encrypted payloads (e.g., TXT or INI files) decrypted through DLL sideloading in legitimate applications like cookie_exporter.exe or TmPfw.exe.
The malicious DLLs included anti-analysis checks for debugging environments and language packs (e.g., avoiding Japanese, Korean, or Chinese systems), decrypting payloads with SSE-accelerated routines before injecting them into memory or new processes.
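DLL sideloading of the kind described above leaves a recognisable trace in image-load telemetry: a signed, legitimate executable running from a staging directory loads a DLL that sits beside it and is not signed by the same vendor. The following is an added example rather than code from the article or the report: it applies that heuristic to constructed Sysmon Event ID 7 style events. The executable names come from the article; the signer strings, the `example_helper.dll` name and the directory placements are invented for illustration.

```python
import ntpath  # Windows path handling regardless of the platform this runs on

# Constructed sample image-load events (Sysmon Event ID 7 style fields).
# Signer values are invented placeholders; only the executable and DLL names
# taken from the article (convert-moftoprovider.exe/wmicodegen.dll, TmPfw.exe,
# java.exe) are real names.
SAMPLE_LOADS = [
    {"host": "ws-017", "image": r"C:\ProgramData\convert-moftoprovider.exe",
     "image_signed": True, "image_signer": "Example Vendor A",
     "loaded": r"C:\ProgramData\wmicodegen.dll",
     "dll_signed": False, "dll_signer": ""},
    {"host": "ws-017", "image": r"C:\Windows\Tasks\TmPfw.exe",
     "image_signed": True, "image_signer": "Example Vendor B",
     "loaded": r"C:\Windows\Tasks\example_helper.dll",  # constructed DLL name
     "dll_signed": False, "dll_signer": ""},
    # Benign: a system DLL resolved from System32, not from the exe's directory.
    {"host": "ws-002", "image": r"C:\Program Files\Java\bin\java.exe",
     "image_signed": True, "image_signer": "Example Vendor C",
     "loaded": r"C:\Windows\System32\kernel32.dll",
     "dll_signed": True, "dll_signer": "Example OS Vendor"},
    # Benign: vendor DLL beside the vendor exe in its install directory, same signer.
    {"host": "ws-002", "image": r"C:\Program Files\Java\bin\java.exe",
     "image_signed": True, "image_signer": "Example Vendor C",
     "loaded": r"C:\Program Files\Java\bin\jli.dll",
     "dll_signed": True, "dll_signer": "Example Vendor C"},
]

# Staging directories named in the article as tool drop locations.
STAGING_DIRS = (r"c:\windows\tasks", r"c:\programdata", r"c:\windows\temp")


def in_staging_dir(directory):
    d = directory.lower()
    return any(d == s or d.startswith(s + "\\") for s in STAGING_DIRS)


def is_sideload_candidate(ev):
    """Signed host exe in a staging directory loading a same-directory DLL
    that is unsigned or signed by a different party."""
    img_dir = ntpath.dirname(ev["image"]).lower()
    dll_dir = ntpath.dirname(ev["loaded"]).lower()
    if img_dir != dll_dir or not ev["image_signed"]:
        return False
    signer_mismatch = (not ev["dll_signed"]) or ev["dll_signer"] != ev["image_signer"]
    return in_staging_dir(img_dir) and signer_mismatch


def detect_sideloads(events):
    """Return (host, exe name, dll name) for every candidate event."""
    return [(ev["host"], ntpath.basename(ev["image"]), ntpath.basename(ev["loaded"]))
            for ev in events if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for hit in detect_sideloads(SAMPLE_LOADS):
        print("possible DLL sideload:", hit)
```

Restricting the rule to the staging directories keeps the noise down; a vendor executable loading its own DLLs from its install path is the normal case and must not fire.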
Custom C# Trojans, agents.exe and agentx.exe, communicated with a CommandHandler.aspx web shell on the SharePoint C2 for command execution and data exfiltration via upload.ashx, collecting browser histories, documents, and configurations.
Additional tools included a modified Pillager stealer for credentials and project data, compiled as wmicodegen.dll and sideloaded via convert-moftoprovider.exe; Checkout for browser and credit card info; RawCopy for raw registry file extraction; and a sideloaded Mimikatz DLL via java.exe for credential dumping.
Reverse shells were established using malicious HTA files downloaded from impersonated domains like github.githubassets.net, enabling persistent command access.
Retrospective analysis revealed an IIS web server as the initial entry point, hosting Cobalt Strike and a Neo-reGeorg web shell (detected as HEUR:Backdoor.MSIL.WebShell.gen) in ASP.NET temporary files, proxying external traffic for Impacket launches.
Attribution to APT41 is high-confidence, based on TTPs like Impacket/WMI usage, DLL sideloading, C:\Windows\Temp file placements, and similar C2 domains (e.g., s3-azure.com variants). The group adapted tools dynamically, rewriting executables into DLLs for evasion.
Lessons underscore comprehensive monitoring, full infrastructure coverage with automated blocking, and least-privilege principles to counter such adaptive threats, ultimately enabling eviction of the attackers.
Indicators of Compromise (IOCs)
Type | Indicator | Description |
---|---|---|
File Hash | 2F9D2D8C4F2C50CC4D2E156B9985E7CA | Malicious file (Cobalt Strike related) |
File Hash | 9B4F0F94133650B19474AF6B5709E773 | Pillager stealer DLL |
File Hash | A052536E671C513221F788DE2E62316C | Custom agent executable |
File Hash | 2CD15977B72D5D74FADEDFDE2CE8934F | Malicious HTA script |
File Hash | 9D53A0336ACFB9E4DF11162CCF7383A0 | Mimikatz DLL |
IP | 47.238.184.9 | C2-related IP |
IP | 38.175.195.13 | C2-related IP |
URL | hxxp://github.githubassets.net/okaqbfk867hmx2tvqxhc8zyq9fy694gf/hta | Malicious HTA download |
URL | hxxp://ap-northeast-1.s3-azure.com | C2 domain |
Domain | s3-azure.com | Primary C2 domain |
Domain | upload-microsoft.com | C2 domain |
Domain | msn-microsoft.org | C2 domain |
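To sweep for the indicators above, together with the CommandHandler.aspx and upload.ashx web shell names reported on the SharePoint C2, a defender needs to refang the published values, match domains by suffix (so the s3-azure.com entry catches regional subdomains such as ap-northeast-1.s3-azure.com), and run the result over proxy, IIS and file-hash data. The following is an added example, not code from the article or Kaspersky: the IOC values are copied from the table above, while the proxy log lines, IIS log lines, the `/_layouts/15/` web shell path, host names and scan results are constructed for illustration.

```python
import re

# IOC table as published in the article (defanged with hxxp).
IOC_TABLE = """
File Hash | 2F9D2D8C4F2C50CC4D2E156B9985E7CA | Malicious file (Cobalt Strike related)
File Hash | 9B4F0F94133650B19474AF6B5709E773 | Pillager stealer DLL
File Hash | A052536E671C513221F788DE2E62316C | Custom agent executable
File Hash | 2CD15977B72D5D74FADEDFDE2CE8934F | Malicious HTA script
File Hash | 9D53A0336ACFB9E4DF11162CCF7383A0 | Mimikatz DLL
IP | 47.238.184.9 | C2-related IP
IP | 38.175.195.13 | C2-related IP
URL | hxxp://github.githubassets.net/okaqbfk867hmx2tvqxhc8zyq9fy694gf/hta | Malicious HTA download
URL | hxxp://ap-northeast-1.s3-azure.com | C2 domain
Domain | s3-azure.com | Primary C2 domain
Domain | upload-microsoft.com | C2 domain
Domain | msn-microsoft.org | C2 domain
"""

# Web shell file names the article reports on the compromised SharePoint C2.
WEBSHELL_NAMES = ("commandhandler.aspx", "upload.ashx")


def refang(value):
    """Undo the usual defanging so values can be compared with real logs."""
    return value.replace("hxxp", "http").replace("[.]", ".")


def parse_iocs(table):
    iocs = {"hash": set(), "ip": set(), "domain": set(), "url": set()}
    for line in table.strip().splitlines():
        kind, value, _desc = [c.strip() for c in line.split("|", 2)]
        value = refang(value)
        if kind == "File Hash":
            iocs["hash"].add(value.lower())
        elif kind == "IP":
            iocs["ip"].add(value)
        elif kind == "Domain":
            iocs["domain"].add(value.lower())
        elif kind == "URL":
            iocs["url"].add(value)
            iocs["domain"].add(re.match(r"https?://([^/]+)", value).group(1).lower())
    return iocs


def domain_matches(hostname, domains):
    """True if hostname equals an IOC domain or is a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


# Constructed sample log lines, not data from the incident.
PROXY_LOG = [
    "2025-07-10T08:01:22Z ws-017 CONNECT eu-west-2.s3-azure.com:443 user=svc-backup",
    "2025-07-10T08:01:30Z ws-017 GET http://github.githubassets.net/okaqbfk867hmx2tvqxhc8zyq9fy694gf/hta",
    "2025-07-10T08:02:05Z ws-002 GET https://github.githubassets.com/assets/app.js",
    "2025-07-10T08:03:11Z fs-03 CONNECT 38.175.195.13:443 user=svc-backup",
]
# W3C-style IIS fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
IIS_LOG = [
    "2025-07-10 08:05:41 10.0.4.12 POST /_layouts/15/CommandHandler.aspx - 443 - 10.0.7.33 200",
    "2025-07-10 08:06:02 10.0.4.12 POST /_layouts/15/upload.ashx - 443 - 10.0.7.33 200",
    "2025-07-10 08:06:30 10.0.4.12 GET /_layouts/15/start.aspx - 443 - 10.0.7.40 200",
]
# Constructed (path, md5) pairs as a file-hashing sweep would produce; the
# second hash is a placeholder, not a real file hash.
SCAN_RESULTS = [
    (r"C:\ProgramData\wmicodegen.dll", "9b4f0f94133650b19474af6b5709e773"),
    (r"C:\Windows\System32\notepad.exe", "00000000000000000000000000000000"),
]


def scan_proxy(lines, iocs):
    """Return (client host, kind, matched value) for IP and domain hits."""
    hits = []
    for line in lines:
        client = line.split()[1]
        # Pull host-like tokens, swallowing any scheme, port and URL path.
        for m in re.finditer(r"(?:https?://)?([A-Za-z0-9.-]+)(?::\d+)?(?:/\S*)?", line):
            token = m.group(1)
            if token in iocs["ip"]:
                hits.append((client, "ip", token))
            elif "." in token and domain_matches(token, iocs["domain"]):
                hits.append((client, "domain", token))
    return hits


def scan_iis(lines):
    """Return (client IP, URI) for requests to the reported web shell names."""
    hits = []
    for line in lines:
        fields = line.split()
        uri = fields[4].lower()
        if uri.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
            hits.append((fields[8], uri))
    return hits


def scan_hashes(results, iocs):
    return [(path, h) for path, h in results if h.lower() in iocs["hash"]]


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TABLE)
    print(scan_proxy(PROXY_LOG, iocs))
    print(scan_iis(IIS_LOG))
    print(scan_hashes(SCAN_RESULTS, iocs))
```

Suffix matching is deliberate: the table lists both s3-azure.com and one regional subdomain of it, and the article notes the group used several variants, so an exact-match lookup would miss the eu-west-2 host in the sample proxy line while still ignoring the legitimate github.githubassets.com request.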