www.darkreading.com 4/13/2026, 3:41:12 PM · via preferred

APT41 uses Linux cloud backdoor to steal credentials via SMTP

CyberSIXT Evidence Panel Source marked as original reporting
Threat Actor

APR 41 is described as delivering a so‑called zero‑detection backdoor designed to harvest cloud credentials from Linux-based cloud workloads across AWS, Google Cloud Platform, Microsoft Azure, and Alibaba Cloud environments, with the backdoor written as a cloud‑native ELF binary and using SMTP port 25 as a covert C2 channel to evade detection.

The operation is said to feature typosquatting to obscure malicious activity, including domains resembling Alibaba Cloud services and a Chinese cybersecurity brand, Qianxin, in its infrastructure. At the time of analysis, the ELF binary reportedly showed zero detections on VirusTotal and immediately began probing the AWS instance metadata service (169.254.169[.]254) to exfiltrate temporary credentials tied to the host’s cloud identity, while also querying Azure, Alibaba and GCP services.

The campaign is attributed to the China‑backed threat group APT41 (also known as Winnti, Wicked Panda, Barium, Silver Dragon and Brass Typhoon), with Breakglass Intelligence describing six years of development in cloud tooling and credential harvesting capabilities. Breakglass notes that three typosquatted domains were registered in a 24‑hour window on 20–21 January 2026, highlighting the group’s use of bulk registrations with privacy protection and immediate deployment.

Analysts advise monitoring for outbound SMTP traffic from non‑mail workloads, credential‑usage alerts from unexpected source IPs, and auditing cloud‑credential files and IMDS calls to detect and remediate affected environments, according to Breakglass. 13 April 2026.

View full article

Article by CyberSIXT