APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

    Date: 08/07/2024

    Severity: Medium

    Summary

    APT41, a well-known Chinese cyber espionage group, is suspected of breaching a Taiwanese government-affiliated research institute using the ShadowPad backdoor and the Cobalt Strike toolkit. ShadowPad, a modular backdoor long associated with Chinese state-linked intrusion sets, provided persistent access to compromised hosts, while Cobalt Strike beacons handled command and control and lateral movement inside the victim network. The indicators below include URLs that appear to form a staged delivery chain hosted on www.nss.com.tw (an HTA file, a PowerShell script, an image and an executable), callback URLs on two IP addresses, the associated domains, and SHA256 hashes of related files. Before blocking, confirm whether each domain is attacker-owned or a compromised legitimate site, since an apex-level block on the latter can disrupt legitimate traffic; the hashes are best used for retroactive EDR and file-share sweeps rather than network blocking.

    Indicators of Compromise (IOC) List

    URL/Domain

    https://www.nss.com.tw/s.png

    https://www.nss.com.tw/p.ps1 

    http://45.85.76.18:443/yPc1

    nss.com.tw 

    http://103.56.114.69:8085/p.ps1

    https://www.nss.com.tw/1.hta

    w2.chatgptsfit.com

    www.nss.com.tw

    chatgptsfit.com

    https://www.nss.com.tw/calc.exe

    IP Address

    103.56.114.69

    45.85.76.18

    Hash

    0ff80e4db32d1d45a0c2afdfd7a1be961c0fbd9d43613a22a989f9024cc1b1e9
    
    087c475a1b5b36b7939f5ff12dc711ba591dd2c4227ccaa28d322425ef4d0d4c
    
    2e46fcadacfe9e2a63cfc18d95d5870de8b3414462bf14ba9e7c517678f235c9
    
    eba3138d0f3d2385b55b08d8886b1018834d194440691d33d612402ba8a11d28
    
    be7e1f1216ff707ad07d11e5d180fa1cbfba62f2e2414a20d827366bcc6be3c4
    
    983f4e4be2c2cd36da67723f6e87d86994531bb1ef8e82b3fd3a1c0d6d072a0a
    
    756ceb563d9283df1fd03252aee9e9621cd2cc7ddb45f596e16660fed1dd6442
    
    2149d481b863bec2240ffb64c68f7fb437458885c903a7b0c21aa44f88a69d86
    
    abb2fe1f67a48b931258e47531884ca5502cec73996e686ca82eeba536258f67
    
    9dc827fb1c2e3c12ee39aa5ccf3b31f64051e0cdda9d2ac54caee6b235f52640

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "https://www.nss.com.tw/s.png" or url like "https://www.nss.com.tw/s.png" or userdomainname like "https://www.nss.com.tw/p.ps1" or url like "https://www.nss.com.tw/p.ps1" or userdomainname like "http://45.85.76.18:443/yPc1" or url like "http://45.85.76.18:443/yPc1" or userdomainname like "nss.com.tw" or url like "nss.com.tw" or userdomainname like "http://103.56.114.69:8085/p.ps1" or url like "http://103.56.114.69:8085/p.ps1" or userdomainname like "https://www.nss.com.tw/1.hta" or url like "https://www.nss.com.tw/1.hta" or userdomainname like "w2.chatgptsfit.com" or url like "w2.chatgptsfit.com" or userdomainname like "www.nss.com.tw" or url like "www.nss.com.tw" or userdomainname like "chatgptsfit.com" or url like "chatgptsfit.com" or userdomainname like "https://www.nss.com.tw/calc.exe" or url like "https://www.nss.com.tw/calc.exe"

    IP Address

    dstipaddress IN ("103.56.114.69","45.85.76.18") or ipaddress IN ("103.56.114.69","45.85.76.18") or publicipaddress IN ("103.56.114.69","45.85.76.18") or srcipaddress IN ("103.56.114.69","45.85.76.18")

    Hash

    sha256hash IN ("0ff80e4db32d1d45a0c2afdfd7a1be961c0fbd9d43613a22a989f9024cc1b1e9","9dc827fb1c2e3c12ee39aa5ccf3b31f64051e0cdda9d2ac54caee6b235f52640","087c475a1b5b36b7939f5ff12dc711ba591dd2c4227ccaa28d322425ef4d0d4c","2149d481b863bec2240ffb64c68f7fb437458885c903a7b0c21aa44f88a69d86","eba3138d0f3d2385b55b08d8886b1018834d194440691d33d612402ba8a11d28","756ceb563d9283df1fd03252aee9e9621cd2cc7ddb45f596e16660fed1dd6442","abb2fe1f67a48b931258e47531884ca5502cec73996e686ca82eeba536258f67","2e46fcadacfe9e2a63cfc18d95d5870de8b3414462bf14ba9e7c517678f235c9","be7e1f1216ff707ad07d11e5d180fa1cbfba62f2e2414a20d827366bcc6be3c4","983f4e4be2c2cd36da67723f6e87d86994531bb1ef8e82b3fd3a1c0d6d072a0a")
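    The queries above are written in Gurucul TDIR syntax. As an added example that is not part of the advisory or of Gurucul's product, the Python below applies the same indicators to normalized log events offline: it canonicalizes URLs (lower-cased scheme and host, default ports dropped, path case preserved), matches domains by suffix so that sibling hostnames under chatgptsfit.com are caught, and compares IPs and SHA256 hashes case-insensitively. The event field names (url, dns_query, src_ip, dst_ip, sha256) are an assumed generic log schema, the sample events are constructed, and 45.85.76.18 is included as an IP indicator because it appears in the yPc1 URL listed above.

```python
"""Offline IOC matcher for the indicators in this advisory.

IOC sets are copied from the advisory. Sample events are constructed, and the
field names (url, dns_query, src_ip, dst_ip, sha256) are an assumed generic
normalized-log schema, not Gurucul's.
"""
from typing import Optional
from urllib.parse import urlsplit

IOC_URLS = {
    "https://www.nss.com.tw/s.png",
    "https://www.nss.com.tw/p.ps1",
    "http://45.85.76.18:443/yPc1",
    "http://103.56.114.69:8085/p.ps1",
    "https://www.nss.com.tw/1.hta",
    "https://www.nss.com.tw/calc.exe",
}
IOC_DOMAINS = {"nss.com.tw", "www.nss.com.tw", "chatgptsfit.com", "w2.chatgptsfit.com"}
# 45.85.76.18 is taken from the yPc1 URL in the advisory; 103.56.114.69 is listed directly.
IOC_IPS = {"103.56.114.69", "45.85.76.18"}
IOC_SHA256 = {
    "0ff80e4db32d1d45a0c2afdfd7a1be961c0fbd9d43613a22a989f9024cc1b1e9",
    "087c475a1b5b36b7939f5ff12dc711ba591dd2c4227ccaa28d322425ef4d0d4c",
    "2e46fcadacfe9e2a63cfc18d95d5870de8b3414462bf14ba9e7c517678f235c9",
    "eba3138d0f3d2385b55b08d8886b1018834d194440691d33d612402ba8a11d28",
    "be7e1f1216ff707ad07d11e5d180fa1cbfba62f2e2414a20d827366bcc6be3c4",
    "983f4e4be2c2cd36da67723f6e87d86994531bb1ef8e82b3fd3a1c0d6d072a0a",
    "756ceb563d9283df1fd03252aee9e9621cd2cc7ddb45f596e16660fed1dd6442",
    "2149d481b863bec2240ffb64c68f7fb437458885c903a7b0c21aa44f88a69d86",
    "abb2fe1f67a48b931258e47531884ca5502cec73996e686ca82eeba536258f67",
    "9dc827fb1c2e3c12ee39aa5ccf3b31f64051e0cdda9d2ac54caee6b235f52640",
}
DEFAULT_PORTS = {("http", 80), ("https", 443)}


def normalize_url(url: str) -> str:
    """Lower-case scheme/host and drop default ports; keep the path verbatim.

    Path case is preserved deliberately: stager paths such as /yPc1 are
    case-sensitive, so lower-casing them would change the indicator.
    """
    parts = urlsplit(url.strip())          # urlsplit lower-cases scheme and hostname
    host = (parts.hostname or "").rstrip(".")
    port = parts.port
    keep_port = port is not None and (parts.scheme, port) not in DEFAULT_PORTS
    netloc = f"{host}:{port}" if keep_port else host
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{netloc}{parts.path}{query}"


def domain_matches(host: str) -> Optional[str]:
    """Return the most specific IOC domain that host equals or is a subdomain of.

    Suffix matching catches hosts such as w3.chatgptsfit.com that an exact
    comparison against the listed names would miss.
    """
    host = host.strip().lower().rstrip(".")
    hits = [d for d in IOC_DOMAINS if host == d or host.endswith("." + d)]
    return max(hits, key=len) if hits else None


def match_event(event: dict) -> list:
    """Return 'field=indicator' strings for every IOC the event touches."""
    hits = []
    url = event.get("url")
    if url:
        norm = normalize_url(url)
        if norm in IOC_URLS:
            hits.append(f"url={norm}")
        dom = domain_matches(urlsplit(norm).hostname or "")
        if dom:
            hits.append(f"domain={dom}")
    if event.get("dns_query"):
        dom = domain_matches(event["dns_query"])
        if dom:
            hits.append(f"dns={dom}")
    for field in ("src_ip", "dst_ip"):
        if event.get(field) in IOC_IPS:
            hits.append(f"{field}={event[field]}")
    digest = (event.get("sha256") or "").lower()
    if digest in IOC_SHA256:
        hits.append(f"sha256={digest}")
    return hits


def scan(events: list) -> list:
    """Return (index, hits) for every event with at least one IOC match."""
    return [(i, hits) for i, e in enumerate(events) if (hits := match_event(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "url": "HTTPS://WWW.NSS.COM.TW:443/p.ps1"},
    {"src_ip": "10.0.0.7", "dns_query": "w3.chatgptsfit.com."},
    {"host": "ws-12", "sha256": "BE7E1F1216FF707AD07D11E5D180FA1CBFBA62F2E2414A20D827366BCC6BE3C4"},
    {"src_ip": "10.0.0.9", "dst_ip": "45.85.76.18"},
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "url": "https://example.com/p.ps1"},
    {"src_ip": "10.0.0.11", "dst_ip": "103.56.114.69", "url": "http://103.56.114.69:8085/p.ps1"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

    Whether `like` in the TDIR queries above performs substring or exact matching depends on the platform; the example makes the subdomain rule explicit, and the same suffix logic is what to reach for when a sibling host such as w3.chatgptsfit.com shows up in DNS logs. Run it as a script to print the hits for the constructed events, or import `match_event` into a log-parsing pipeline that yields dicts in the assumed schema.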

    Reference: 

    https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/

    https://github.com/Cisco-Talos/IOCs/blob/main/2024/08/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute.txt


    Tags

    APT, Malware, Exploit