Select Page

The prolific China-linked nation-state actor known as APT41 has been linked to two previously undocumented strains of Android spyware called WyrmSpy and DragonEgg.

“Known for its exploitation of web-facing applications and infiltration of traditional endpoint devices, an established threat actor like APT 41 including mobile in its arsenal of malware shows how mobile endpoints are high-value targets with coveted corporate and personal data,” Lookout said in a report shared with The Hacker News.

APT41, also tracked under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti, is known to be operational since at least 2007, targeting a wide range of industries to conduct intellectual property theft.

Recent attacks mounted by the adversarial collective have leveraged an open-source red teaming tool known as Google Command and Control (GC2) as part of attacks aimed at media and job platforms in Taiwan and Italy.

The initial intrusion vector for the mobile surveillanceware campaign is not known, although it’s suspected to have involved the use of social engineering. Lookout said it first detected WyrmSpy as early as 2017 and DragonEgg at the start of 2021, with new samples of the latter spotted as recently as April 2023.

images from Hacker News