APT PROFILE – MISSION2025

MISSION2025, also known as APT41, is a Chinese state-sponsored threat group active since 2012, focusing on cyberespionage and financially motivated attacks aligned with China’s strategic goals. Their recent campaigns feature sophisticated use of cloud services for command and control and exploitation of software vulnerabilities to target governments and critical infrastructure globally. #MISSION2025 #APT41 #TOUGHPROGRESS #IvantiEPMM

Keypoints

  • MISSION2025 (APT41) is a Chinese APT group active since 2012, targeting over 40 industries with cyberespionage and financial motives.
  • They use diverse malware tools including TOUGHPROGRESS, PLUSINJECT, and KrustyLoader, leveraging modular malware for flexible attacks.
  • Recent campaigns include using Google Calendar events as a covert command and control (C2) channel, so that beaconing blends in with legitimate traffic to Google services and evades network detection.
  • APT41 exploits public-facing vulnerabilities such as CVE-2025-4427 and CVE-2025-4428 in Ivanti EPMM to gain initial access and deploy malicious payloads.
  • The group consistently uses free web hosting platforms for malware distribution across multiple global targets.
  • There is a notable focus on government and critical infrastructure sectors, particularly in the US, Europe, and Southeast Asia.
  • APT41 employs advanced evasion techniques including process injection, in-memory payloads, and abuse of native Windows mechanisms (services, scheduled tasks, WMI and the registry, as listed under MITRE Techniques below).

MITRE Techniques

  • [T1585] Establish Accounts – Creating or using accounts (for example on cloud or hosting services) for resource development. (‘Resource Development’)
  • [T1547] Boot or Logon Autostart Execution – Configuring malicious code to run automatically at boot or logon for persistence; the service-based variant is covered by T1543.003 below. (‘Persistence’)
  • [T1027] Obfuscated Files or Information – Employing obfuscation to evade defenses. (‘Defense Evasion’)
  • [T1546.003] Event Triggered Execution: Windows Management Instrumentation Event Subscription – Using WMI event subscriptions to trigger execution for persistence; WMI is also used for remote execution and lateral movement. (‘Persistence’)
  • [T1112] Modify Registry – Altering registry keys to maintain presence or evade detection. (‘Defense Evasion’)
  • [T1574.001] DLL Search Order Hijacking – Hijacking DLL loading to execute malicious code. (‘Persistence’)
  • [T1070.001] Indicator Removal on Host: Clear Windows Event Logs – Clearing logs to avoid detection. (‘Defense Evasion’)
  • [T1078] Valid Accounts – Using stolen credentials for access and persistence. (‘Initial Access’)
  • [T1543.003] Create or Modify System Process: Windows Service – Creating/modifying services to maintain persistence. (‘Persistence’)
  • [T1133] External Remote Services – Using externally facing remote services (such as VPN or remote management interfaces) for initial access. (‘Initial Access’)
  • [T1566.001] Phishing: Spearphishing Attachment – Delivering malware via email attachments. (‘Initial Access’)
  • [T1190] Exploit Public-Facing Application – Exploiting software vulnerabilities such as Ivanti EPMM. (‘Initial Access’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Creating scheduled tasks for execution persistence. (‘Persistence’)
  • [T1055] Process Injection – Injecting code into processes like svchost.exe to evade detection. (‘Defense Evasion’)
  • [T1110.001] Brute Force: Password Guessing – Credential brute forcing or harvesting. (‘Credential Access’)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Using PowerShell for execution. (‘Execution’)
  • [T1569.002] System Services: Service Execution – Executing payloads via system services. (‘Execution’)

Indicators of Compromise

  • [Malware] Various payloads including TOUGHPROGRESS, KrustyLoader, VOLDEMORT, DUSTTRAP – used for different phases of attacks and persistence.
  • [File Names] LNK files masquerading as PDFs used in spearphishing attachments to deliver malware.
  • [CVE Identifiers] Exploited vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti EPMM software for initial access.
  • [Domains] Usage of free web hosting and tunnelling platforms for malware distribution: Cloudflare Workers subdomains (workers.dev), InfinityFree-hosted sites, and TryCloudflare quick tunnels (trycloudflare.com).
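The three behaviours above that leave a footprint in ordinary endpoint and proxy telemetry are the Google Calendar C2 channel, downloads from free hosting platforms, and LNK attachments masquerading as PDFs. The following hunting script is an added example, not CYFIRMA's code and not derived from the report's own detections; it runs over a few constructed log events. It assumes a simple event record (timestamp, host, process, destination host, URL path, file name), an assumed allowlist of processes that legitimately talk to Google Calendar, and, beyond the two Cloudflare domains named above, two InfinityFree shared subdomains that should be verified against your own intelligence. It also generalises the LNK check from PDFs to other common document extensions.

```python
"""Added example (not CYFIRMA's code): hunting for behaviours in this profile
over constructed sample telemetry."""
import re
from dataclasses import dataclass

# Suffixes of the free hosting / tunnelling platforms named in the profile.
# workers.dev and trycloudflare.com are the platforms' own default domains;
# the InfinityFree entries are shared subdomains the provider hands out and
# are an assumption to verify against your own intel, not taken from the report.
FREE_HOSTING_SUFFIXES = (
    ".workers.dev",
    ".trycloudflare.com",
    ".rf.gd",      # InfinityFree shared subdomain (assumed)
    ".42web.io",   # InfinityFree shared subdomain (assumed)
)

# Google Calendar API lives under /calendar/v3/ on www.googleapis.com; a
# non-browser process talking to it is the hunting signal for calendar-based C2.
CALENDAR_HOSTS = {"www.googleapis.com", "calendar.google.com"}
CALENDAR_PATH_RE = re.compile(r"^/calendar/v3/")
# Assumed allowlist of processes that legitimately use Google Calendar.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# LNK masquerading as a document. The profile describes PDFs; the pattern is
# generalised here to other common document extensions.
DOC_MASQUERADE_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.IGNORECASE)


@dataclass
class Event:
    ts: str
    host: str
    process: str
    dest_host: str = ""
    url_path: str = ""
    filename: str = ""


@dataclass
class Finding:
    rule: str
    event: Event


def is_free_hosting(dest_host: str) -> bool:
    """True if the destination is on one of the free hosting/tunnel platforms."""
    h = dest_host.lower().rstrip(".")
    return any(h.endswith(suffix) for suffix in FREE_HOSTING_SUFFIXES)


def is_calendar_c2(ev: Event) -> bool:
    """True for Calendar API traffic from a process that is not a known browser."""
    dest = ev.dest_host.lower()
    if dest not in CALENDAR_HOSTS:
        return False
    # googleapis.com fronts many APIs; only the Calendar path is of interest.
    if dest == "www.googleapis.com" and not CALENDAR_PATH_RE.match(ev.url_path):
        return False
    return ev.process.lower() not in BROWSER_PROCESSES


def is_masquerading_lnk(filename: str) -> bool:
    """True for shortcut files carrying a document double extension."""
    return bool(DOC_MASQUERADE_RE.search(filename.strip()))


def detect(events) -> list:
    """Apply all three hunting rules and return findings in event order."""
    findings = []
    for ev in events:
        if ev.dest_host and is_free_hosting(ev.dest_host):
            findings.append(Finding("free_hosting_download", ev))
        if is_calendar_c2(ev):
            findings.append(Finding("calendar_api_c2", ev))
        if ev.filename and is_masquerading_lnk(ev.filename):
            findings.append(Finding("lnk_masquerading_as_document", ev))
    return findings


# Constructed sample telemetry: hostnames and file names are made up.
SAMPLE_EVENTS = [
    Event("2025-06-01T08:00:01Z", "WS01", "outlook.exe", filename="invoice.pdf"),
    Event("2025-06-01T08:00:05Z", "WS01", "explorer.exe", filename="Invoice_Q2.pdf.lnk"),
    Event("2025-06-01T08:00:09Z", "WS01", "powershell.exe",
          dest_host="update-check.example.workers.dev", url_path="/"),
    Event("2025-06-01T08:00:12Z", "WS01", "chrome.exe",
          dest_host="www.googleapis.com", url_path="/calendar/v3/calendars/primary/events"),
    Event("2025-06-01T08:01:30Z", "WS01", "svchost.exe",
          dest_host="www.googleapis.com", url_path="/calendar/v3/calendars/primary/events"),
    Event("2025-06-01T08:02:00Z", "WS01", "chrome.exe",
          dest_host="www.googleapis.com", url_path="/drive/v3/files"),
    Event("2025-06-01T08:02:10Z", "WS02", "rundll32.exe",
          dest_host="cdn-assets.trycloudflare.com", url_path="/a.bin"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        e = f.event
        print(f"{e.ts} {e.host} {f.rule}: {e.process} {e.dest_host}{e.url_path} {e.filename}".rstrip())
```

On the sample above the script raises four findings: the `.pdf.lnk` attachment, the PowerShell download from a workers.dev host, the svchost.exe request to the Calendar API, and the rundll32.exe fetch from a trycloudflare.com tunnel; the browser's own Calendar and Drive requests are left alone. The Calendar rule is deliberately scoped to the `/calendar/v3/` path so that the many other APIs behind www.googleapis.com do not generate noise, and the process allowlist is the knob to tune for your estate.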


Read more: https://www.cyfirma.com/research/apt-profile-mission2025/