The China-backed threat group is targeting AWS, Google, Azure, and Alibaba cloud environments and using typosquatting to obscure C2 communication.

DR (DZone Research) offers insights into software development trends, industry surveys, and technology adoption patterns, providing reports, whitepapers, and analyst insights to help businesses make informed decisions and stay competitive in the ever-evolving tech landscape. By exploring DR's curated content, developers can gain insights into emerging technologies, developer preferences, and industry best practices for building innovative and market-leading software solutions. Whether you're a startup founder, product manager, or tech executive, DR offers resources to guide your strategic planning and drive business success.

Dark Reading

APT41, the China-backed threat group, has deployed a zero-detection ELF backdoor targeting Linux-based cloud workloads across AWS, GCP, Azure, and Alibaba Cloud. The malware uses SMTP port 25 as a covert C2 channel, making it invisible to conventional scanning tools like Shodan and Censys, and carries zero detections on VirusTotal. It immediately probes cloud instance metadata endpoints to harvest temporary credentials. The campaign also uses typosquatted domains mimicking Alibaba Cloud and the Qianxin cybersecurity brand, registered in bulk through NameSilo with WHOIS privacy. Defenders are advised to monitor outbound SMTP from non-mail workloads, audit cloud credential file reads, enable AWS CloudTrail and Google Cloud Audit Logs, and implement IMDSv2 to mitigate credential theft.

APT41 Delivers 'Undetectable' Backdoor to Steal Cloud Credentials