Kaspersky’s Managed Detection and Response (MDR) team has identified a targeted cyber espionage attack on a government IT organisation in Africa.
The incident has been attributed to the Chinese-speaking APT41 group, known for persistent and stealthy operations.
The attackers aimed to steal sensitive corporate data, including credentials, internal documents, source code, and communications. While APT41’s presence in Africa has been limited, this attack signals an expansion of its activities in the region.
APT groups are distinguished by long-term, targeted campaigns instead of opportunistic attacks. APT41 has previously attacked organisations in at least 42 countries, focusing on industries such as telecommunications, education, healthcare, energy, and IT.
Hackers breached a web server, stole credentials and abused SharePoint for command and control
According to Kaspersky, the attackers likely gained entry through a web server exposed to the Internet.
They harvested credentials by dumping registry hives (the SAM, SECURITY and SYSTEM hives store local password hashes, LSA secrets and cached domain logons, and the key needed to decrypt them), obtaining two powerful domain accounts: one with administrator access to all workstations and another with domain-wide privileges. With those accounts they moved laterally to additional systems.
The attackers used two primary data-stealing tools. The first was a modified Pillager utility, converted into a Dynamic Link Library (DLL), which collected browser credentials, source code, emails, chat data, screenshots, Wi-Fi passwords, and software inventories.
The second, Checkout, harvested browser histories, downloaded files, and stored credit card information.
Additional tools included RawCopy, which copies locked files such as registry hives directly from the NTFS volume, and a DLL build of Mimikatz for extracting credentials. For command and control (C2), they deployed Cobalt Strike alongside a novel method that used the organisation’s internal SharePoint server as a relay.
Web shells and custom agents communicated through SharePoint, blending malicious traffic with legitimate operations.
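Because the C2 channel rode on a server that was supposed to see heavy HTTP traffic, the useful signals are statistical rather than signature-based: a page that only one client ever POSTs to, and request timing that is too regular for a human. The following is an added example written for this article (not Kaspersky's detection logic, and not the attackers' actual paths) that applies both heuristics to constructed IIS W3C log lines from a SharePoint front end; the IP addresses, page names and timestamps are invented. It generalises beyond SharePoint to any IIS-hosted application where a web shell might hide among legitimate .aspx pages.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed IIS W3C log excerpt (reduced field set); not real traffic.
SAMPLE_IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2025-07-01 10:00:05 10.20.1.15 GET /sites/it/SitePages/Home.aspx 200 Mozilla/5.0
2025-07-01 10:00:07 10.20.1.16 POST /sites/it/_layouts/15/upload.aspx 200 Mozilla/5.0
2025-07-01 10:00:10 10.20.1.15 POST /sites/it/_layouts/15/upload.aspx 200 Mozilla/5.0
2025-07-01 10:01:00 10.20.3.7 POST /_layouts/15/images/cache.aspx 200 Mozilla/5.0
2025-07-01 10:02:00 10.20.3.7 POST /_layouts/15/images/cache.aspx 200 Mozilla/5.0
2025-07-01 10:03:01 10.20.3.7 POST /_layouts/15/images/cache.aspx 200 Mozilla/5.0
2025-07-01 10:04:00 10.20.3.7 POST /_layouts/15/images/cache.aspx 200 Mozilla/5.0
2025-07-01 10:05:00 10.20.3.7 POST /_layouts/15/images/cache.aspx 200 Mozilla/5.0
2025-07-01 10:00:30 10.20.1.22 GET /sites/it/Shared%20Documents/Forms/AllItems.aspx 200 Mozilla/5.0
2025-07-01 10:20:30 10.20.1.22 GET /sites/it/Shared%20Documents/Forms/AllItems.aspx 200 Mozilla/5.0
"""


def parse_iis(text: str) -> list:
    """Parse W3C-format IIS log text into dicts keyed by the names in the #Fields: header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def rare_post_endpoints(rows, min_posts: int = 3) -> list:
    """.aspx URIs that receive at least `min_posts` POSTs and are reached by exactly one client.

    Real SharePoint pages are hit by many users; a web shell is normally reached only by its operator.
    """
    clients = defaultdict(set)
    posts = defaultdict(int)
    for r in rows:
        uri = r["cs-uri-stem"].lower()
        if not uri.endswith(".aspx"):
            continue
        clients[uri].add(r["c-ip"])
        if r["cs-method"] == "POST":
            posts[uri] += 1
    return sorted(u for u in posts if posts[u] >= min_posts and len(clients[u]) == 1)


def beacons(rows, min_requests: int = 4, max_cv: float = 0.2) -> list:
    """(client, uri, mean gap seconds) for client/URI pairs with evenly spaced requests.

    The coefficient of variation of the inter-request gaps is low for an agent polling on a
    timer with little jitter and high for a person clicking around.
    """
    times = defaultdict(list)
    for r in rows:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        times[(r["c-ip"], r["cs-uri-stem"].lower())].append(ts)
    found = []
    for (client, uri), ts in times.items():
        if len(ts) < min_requests:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            found.append((client, uri, round(mean, 1)))
    return found


if __name__ == "__main__":
    rows = parse_iis(SAMPLE_IIS_LOG)
    print("single-client POST targets:", rare_post_endpoints(rows))
    print("regular beacons:", beacons(rows))
```

On a real farm the single-client test needs a baseline of days, not minutes, and well-jittered implants will pass the timing test, so both heuristics are triage aids to be confirmed by pulling the suspect .aspx from the web root and checking its hash and creation time against the deployment record.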
“They chose SharePoint because it was already part of the infrastructure and less likely to draw attention,” explained Denis Kulik, Lead SOC Analyst at Kaspersky MDR.
Recommendations
Kulik stressed the importance of continuous monitoring and strict privilege management to defend against such attacks.
Kaspersky recommends deploying security agents on all systems, controlling account privileges, and using real-time protection tools like its EDR and XDR solutions.
Organisations are also encouraged to adopt managed security services, such as Kaspersky MDR, Incident Response, and Threat Intelligence, to detect, investigate, and mitigate advanced cyber threats effectively.
This incident underscores APT41’s evolving global reach and highlights the critical need for robust cybersecurity strategies across all regions.

