
APT PROFILE – MISSION2025

Published On : 2025-06-11

MISSION2025 is a Chinese state-sponsored advanced persistent threat (APT) group linked to APT41. Active since at least 2012, the group has conducted cyberespionage and financially motivated campaigns targeting over 40 industries globally. Its operations align with China’s strategic economic goals, particularly the “Made in China 2025” initiative, focusing on intellectual property (IP) theft, corporate espionage, and infrastructure compromise.

Alias: APT 41, APT-41, BARIUM, Blackfly, Brass Typhoon, BrazenBamboo, Double Dragon, Earth Baku, Earth Freybug, Earth Longzhi, Gref, Hodoo, IQGRABBER, Mana Mr. StealYoShoes, PassCV, RedGolf, SparklingGoblin, UNC78, UNIT2025, Winnti, Winnti Umbrella Group

Motivation: Cyberespionage, Financial Gain, Strategic Disruption

Target Technologies: Office Suites Software, Operating System, Web Application

Targeted Industries

Targeted Countries: U.S.A., UK, Japan, India, EU nations, Southeast Asia, and Taiwan

Tools Used:
LOWKEY, GH0ST, Meterpreter, BlackCoffee, MessageTap, Living off the Land, Crackshot, EASYNIGHT, Derusbi, HDRoot, FRONTWHEEL, XDOOR, ASPXSpy, DIRTCLEANER, TERA, HKDOOR, X-DOOR.

Credential-stealing malware such as ACEHASH, BIOPASS RAT, Cobalt Strike, HighNote, PlugX, pwdump, Barlaiy, LIFEBOAT, Mimikatz, POTROAST, DOWNTIME, Jumpall, WIDETONE, Skip-2.0, China Chopper, RedXOR, ZXShell, COLDJAVA, CROSSWALK, GearShift, NTDSDump, ROCKBOOT, WINTERLOVE, DEADEYE, ADORE.XSEC, PipeMon, TIDYELF, PACMAN, certutil, ShadowPad Winnti, xDll, HIGHNOON, LATELUNCH, SAGEHIRE

Malware used by MISSION2025:
DeepData Framework, China Chopper, Speculoos Backdoor, PRIVATELOG Loader, CUNNINGPIGEON Backdoor, gh0st RAT, Derusbi, SHADOWGAZE Backdoor, njRAT, BLACKCOFFEE, WINDJAMMER Malware, ASPXSpy, ZxShell, UNAPIMON Malware, DEATHLOTUS Backdoor, MoonBounce, Winnkit, WyrmSpy, TOUGHPROGRESS, DragonEgg, UNAPIMON, Winnti, ROCKBOOT, DUSTPAN, LightSpy

MITRE ATT&CK Techniques used by MISSION2025

Resource Development: T1588.002

Initial Access: T1078, T1133, T1566.001, T1195.002, T1190

Execution: T1203, T1047, T1569.002, T1053.005, T1059.003, T1059.001, T1059.004

Persistence: T1542.003, T1546.008, T1574.001, T1543.003, T1078, T1133, T1197, T1053.005, T1574.006, T1136.001, T1574.002, T1547.001

Privilege Escalation: T1546.008, T1574.001, T1543.003, T1055, T1078, T1053.005, T1574.006, T1574.002, T1547.001

Defense Evasion: T1027, T1112, T1070.001, T1014, T1055, T1078, T1197, T1480.001, T1218.011, T1542.003, T1574.001, T1036.005, T1218.001, T1553.002, T1036.004, T1574.006, T1070.004, T1574.002, T1070.003

Credential Access: T1110.002, T1056.001, T1003.001

Recently Exploited Vulnerabilities by MISSION2025

CVE-2017-0199
CVE-2017-0147
CVE-2017-11882
CVE-2021-44228

ATTACK FLOW DIAGRAM OF MISSION2025

MISSION2025’s Recent Campaign Highlights and Trends

MISSION2025 (APT41) Recent Campaign Highlights

  • Google Calendar for C2 (May 2025): One of the most notable recent campaigns involved APT41 utilizing Google Calendar for command and control (C2) communications.
    • Malware: The campaign used a new malware strain dubbed “TOUGHPROGRESS”.
    • Delivery: Spear-phishing emails containing a link to a ZIP archive hosted on an exploited government website. The archive contained an LNK file masquerading as a PDF and a directory with decoy JPG images.
    • C2 Mechanism: Once executed, TOUGHPROGRESS created zero-minute Google Calendar events to embed encrypted stolen data in event descriptions. The attackers then placed encrypted commands in other Calendar events on predetermined dates, which the malware polled, decrypted, and executed, and then wrote results back to new Calendar events. This method allows the malware to blend in with legitimate cloud service traffic, making detection difficult.
  • Exploitation of Ivanti EPMM Flaws (May 2025): APT41 (tracked as UNC5221) has been attributed to exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software (CVE-2025-4427 and CVE-2025-4428). These intrusions were used to obtain a reverse shell and deploy malicious payloads like KrustyLoader, which delivers the Sliver C2 framework.
  • Continued Use of Free Web Hosting for Distribution (since August 2024): APT41 has consistently used free web hosting services (like Cloudflare Worker subdomains, InfinityFree, TryCloudflare) to distribute various malware payloads, including VOLDEMORT, DUSTTRAP, and TOUGHPROGRESS. Links to these sites were sent to a wide range of targets across different industries and geographies.
  • Focus on Government and Critical Infrastructure: Recent activities show continued targeting of government entities and critical infrastructure, particularly in sectors like telecommunications, transportation, and technology.
  • Targeting US and Europe: While APT41 has a broad global reach, there was a significant increase in detections targeting the US in Q1 2025, alongside continued targeting of Europe.
  • Persistent Presence in Government Networks: Reports suggest APT41 maintained access within high-level government departments for extended periods (e.g., nearly two years in a Southeast Asian government department to search for intelligence related to South China Sea policy).
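
As an added defensive example (not code from the original profile), the heuristic below scans exported Google Calendar event records for the two traits the TOUGHPROGRESS campaign combined: zero-minute events and descriptions that are opaque encoded blobs. The event records, field subset and thresholds are constructed assumptions, not observed campaign data.

```python
import json
import math
from datetime import datetime

# Constructed sample of Google Calendar event resources (API field names, only the
# fields the heuristic needs). evt-2 mimics the TOUGHPROGRESS pattern described
# above: a zero-minute event whose description is an opaque encoded blob.
SAMPLE_EVENTS = json.dumps([
    {"id": "evt-1", "summary": "Team sync",
     "description": "Weekly status meeting, bring the roadmap slides.",
     "start": {"dateTime": "2025-05-30T09:00:00Z"},
     "end": {"dateTime": "2025-05-30T09:30:00Z"}},
    {"id": "evt-2", "summary": "",
     "description": "q8Jk2LmX9vPzR4tWnY1bC6dF0hG3sA7uE5iO2kM8pQ9rT1vX4yZ6aB0cD3eF5gH7",
     "start": {"dateTime": "2025-05-30T00:00:00Z"},
     "end": {"dateTime": "2025-05-30T00:00:00Z"}},
    {"id": "evt-3", "summary": "Reminder", "description": "",
     "start": {"date": "2025-05-31"}, "end": {"date": "2025-05-31"}},
])

def shannon_entropy(text):
    """Bits per character; encoded or encrypted blobs score far higher than prose."""
    if not text:
        return 0.0
    counts = {c: text.count(c) for c in set(text)}
    n = len(text)
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def looks_encoded(description, min_len=40, min_entropy=4.0):
    """Long, space-free, high-entropy description: typical of embedded ciphertext."""
    s = description.strip()
    return len(s) >= min_len and " " not in s and shannon_entropy(s) >= min_entropy

def _when(bound):
    # Timed events carry dateTime (RFC 3339); all-day events carry date only.
    ts = bound.get("dateTime") or bound.get("date")
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def flag_events(events_json):
    """Return {event id: reasons} for events showing both C2 indicators."""
    flagged = {}
    for ev in json.loads(events_json):
        reasons = []
        if _when(ev["start"]) == _when(ev["end"]):
            reasons.append("zero_minute")
        if looks_encoded(ev.get("description", "")):
            reasons.append("encoded_description")
        if len(reasons) == 2:  # zero-minute reminders alone are common and benign
            flagged[ev["id"]] = reasons
    return flagged
```

Run it over a calendar export pulled with an audit account; a hit is a hunting lead for correlating the host that created the event, not proof of compromise on its own.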

Trends in MISSION2025 (APT41) Operations

  • Abuse of Legitimate Cloud Services for C2: This is a strong and evolving trend. By leveraging popular cloud services like Google Calendar, Google Sheets, Google Drive, and potentially others, APT41 makes its C2 traffic appear legitimate, complicating network-based detection.
  • Sophisticated Evasion Techniques: The use of in-memory payloads (like TOUGHPROGRESS’s modular components: PLUSDROP, PLUSINJECT), the Windows Common Log File System (CLFS) mechanism, and NTFS transaction manipulation highlights their focus on evading traditional security products and maintaining stealth.
  • Modular Malware Development: APT41 continues to develop and deploy multi-stage, modular malware families (e.g., PLUSDROP, PLUSINJECT, TOUGHPROGRESS) that perform specific functions, allowing for flexible deployment and updates.
  • Exploitation of Public-Facing Vulnerabilities: Exploiting vulnerabilities in widely used software (like Ivanti EPMM) remains a primary initial access vector.
  • Adaptation to Target Environments: Their ability to tailor social engineering lures (e.g., LNK files disguised as PDFs, decoy images) and malware distribution methods indicates adaptability.
  • Blend of Espionage and Financial Motives: While primarily state-sponsored for espionage and intellectual property theft, their historical activities show a willingness to engage in financially motivated intrusions.
  • Increasing Activity: Some reports indicate a significant increase in APT41’s activity in early 2025 compared to previous quarters.

Tactics, Techniques, and Procedures (TTPs)

Based on observations, here are MISSION2025 (APT41) TTPs mapped to the MITRE ATT&CK framework:

1. Initial Access
Spearphishing Attachment: Sending targeted emails with malicious attachments (e.g., ZIP archives containing LNK files masquerading as PDFs).
Spearphishing Link: Delivering links to malicious payloads hosted on compromised or free web hosting sites.
Exploit Public-Facing Application: Actively exploiting vulnerabilities in popular enterprise software (e.g., Ivanti EPMM, historical use of SQL injections in web applications, server virtualization software).
External Remote Services: Exploiting legitimate remote access solutions for initial access or persistence.
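
An added example (not code from the original profile) of a mail-gateway or sandbox triage check for the ZIP/LNK lure described under Spearphishing Attachment: it flags archive members that are LNK files named like documents, and members that carry a Shell Link header under a non-LNK name. The archive contents are constructed for the demonstration.

```python
import io
import zipfile

# Shell Link (.lnk) header prefix: HeaderSize 0x4C little-endian, then the start
# of LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")

def build_sample_zip():
    """Constructed archive mirroring the lure layout described in the text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # .lnk named like a PDF; Explorer hides .lnk, so it displays as Brief.pdf
        zf.writestr("Brief.pdf.lnk", LNK_MAGIC + b"\x00" * 68)
        # Shell Link bytes stored under a document name with no .lnk extension
        zf.writestr("Report.pdf", LNK_MAGIC + b"\x00" * 68)
        # decoy images in a subdirectory, as in the campaign
        zf.writestr("images/decoy1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("images/decoy2.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()

def triage_zip(data):
    """Return [(member name, reasons)] for members that look like LNK lures."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            reasons = []
            if name.endswith(".lnk"):
                reasons.append("lnk_in_archive")
                if name[:-4].endswith(DOC_EXTENSIONS):
                    reasons.append("double_extension")
            elif head == LNK_MAGIC:
                reasons.append("lnk_header_mismatch")
            if reasons:
                findings.append((info.filename, reasons))
    return findings
```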

2. Execution
User Execution: Malicious File: Relying on victims to open malicious files (e.g., LNK files, disguised documents).
Command and Scripting Interpreter: Windows Command Shell: Using cmd.exe for various commands.
Command and Scripting Interpreter: PowerShell: Often used for fileless execution or scripting.
Windows Management Instrumentation (WMI): For execution and potentially lateral movement.
Process Injection: Injecting malicious code into legitimate processes (e.g., PLUSINJECT performing process hollowing on svchost.exe).
System Services: Service Execution: Creating or modifying services for execution.

3. Persistence
Create or Modify System Process: Windows Service: Creating new services for persistence.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: Modifying registry keys for autostart.
BITS Jobs: Utilizing Background Intelligent Transfer Service for persistence or data transfer.
Hijack Execution Flow: DLL Search Order Hijacking/DLL Side-Loading/Dynamic Linker Hijacking: Techniques to load malicious DLLs by manipulating a legitimate program’s library loading process.
Scheduled Task/Job: Scheduled Task: Creating scheduled tasks for recurring execution.