Kaspersky Uncovers APT41 Cyber Espionage Targeting Southern African Entity
Cybersecurity experts from Kaspersky’s Managed Detection and Response (MDR) service have uncovered a targeted cyber espionage attack on a government-related organisation in Southern Africa, attributed with high confidence to APT41, a Chinese-speaking Advanced Persistent Threat (APT) group. This development marks a significant escalation in the threat actor’s operations, which have, until now, shown only limited activity in the Southern African region.
The investigation sheds light on the sophisticated tactics, techniques, and procedures (TTPs) employed by APT41 — a group known globally for cyber espionage and information theft across various industries. In this incident, the attackers infiltrated IT systems with the goal of exfiltrating sensitive data, including internal documents, credentials, source code, and secure communications.
APT41: A Stealthy Global Threat
APT41 is a state-sponsored threat actor, suspected to operate under the interests of Chinese intelligence. It is known for conducting long-term, stealthy intrusions rather than opportunistic attacks. The group has previously targeted over 42 countries across sectors like telecommunications, education, healthcare, IT, and energy.
Though the group’s footprint in Southern Africa has been minimal historically, this new incident signals a possible broadening of geographic interest and targets, specifically government IT services and sensitive state-owned enterprises.
Exploiting Vulnerabilities to Establish Access
According to Kaspersky’s analysis, the attackers likely gained initial access via an exposed web server, exploiting unpatched vulnerabilities. Once inside, they used a credential harvesting technique—known as registry dumping—to steal two key domain accounts:
- One with local admin privileges across all workstations
- Another tied to a backup solution with domain-wide administrator rights
These high-privilege accounts allowed the attackers to pivot laterally across systems, deploying additional tools for data collection.
Data Theft Through Modified Malware
Two custom stealers were observed during the intrusion:
1. Pillager (Modified Utility)
Originally compiled as an executable, the tool was converted into a Dynamic Link Library (DLL) for stealth and embedded functionality. It was used to collect:
- Browser-stored credentials
- Database login details
- Project source code
- Screenshots
- Active chat session data
- Email conversations
- Wi-Fi and operating system credentials
2. Checkout Stealer
This malware specialized in gathering:
- Browser histories
- Downloaded files
- Browser-saved credit card information
Together, these tools allowed the attackers to exfiltrate highly sensitive data, posing significant risks to national infrastructure and confidential systems.
Cobalt Strike and SharePoint for Command and Control
The attackers also deployed the Cobalt Strike framework, a popular tool used in penetration testing but frequently abused by threat actors for Command and Control (C2) operations. In a notable tactic, the group also used the victim’s internal SharePoint server as a C2 channel by embedding custom web-shell agents. This allowed them to communicate and control compromised machines using legitimate infrastructure, reducing the chances of detection.
“They may have chosen SharePoint because it was an internal service unlikely to raise suspicion,” said Denis Kulik, Lead SOC Analyst at Kaspersky MDR. “It offered a convenient, covert pathway for exfiltration and remote access.”
Other tools used during the campaign include RawCopy and a DLL-compiled version of Mimikatz, both employed to dump registry files and extract system credentials.
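As an added illustration (not code from Kaspersky's report or tooling), the following Python detection logic runs over constructed Sysmon-style process-creation events and flags the two techniques described above: registry hive dumping via reg.exe or a raw-copy tool such as RawCopy, and the IIS worker process (w3wp.exe, under which SharePoint pages execute) spawning a command interpreter, as a web-shell agent would. Hostnames, command lines and the event field names are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, reduced to
# the fields the rules need). Illustrative only, not telemetry from the incident.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "explorer.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"host": "WS01", "parent": "explorer.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion"},
    {"host": "BK01", "parent": "cmd.exe", "image": r"C:\Temp\RawCopy.exe",
     "cmdline": r"RawCopy.exe /FileNamePath:C:\Windows\System32\config\SYSTEM /OutputPath:C:\Temp"},
    {"host": "SP01", "parent": "svchost.exe", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "w3wp.exe -ap SharePoint -v v4.0"},
    {"host": "SP01", "parent": "w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]

# reg.exe save/export of a credential hive (SAM, SYSTEM or SECURITY).
REG_SAVE_RE = re.compile(r"\b(save|export)\s+hklm\\(sam|system|security)\b", re.IGNORECASE)
# On-disk hive path, as read by raw-copy tools that bypass the file lock.
HIVE_PATH_RE = re.compile(r"\\system32\\config\\(sam|system|security)\b", re.IGNORECASE)
# Interpreters a web shell typically spawns from the IIS worker process.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows path or bare process name."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, host, cmdline) tuples for every event matching a rule."""
    hits = []
    for ev in events:
        image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        if image == "reg.exe" and REG_SAVE_RE.search(cmd):
            hits.append(("registry_hive_dump_reg", ev["host"], cmd))
        elif HIVE_PATH_RE.search(cmd):
            hits.append(("registry_hive_raw_copy", ev["host"], cmd))
        elif parent == "w3wp.exe" and image in SHELL_CHILDREN:
            hits.append(("iis_worker_spawned_shell", ev["host"], cmd))
    return hits


if __name__ == "__main__":
    for rule, host, cmd in detect(SAMPLE_EVENTS):
        print(f"{rule:26} {host:5} {cmd}")
```

The same three rules map directly onto Sysmon Event ID 1 fields (Image, ParentImage, CommandLine) when fed from a real log pipeline.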
Expert Recommendations for Defence
Kaspersky warns that defending against such advanced, persistent attacks requires more than conventional cybersecurity measures. To reduce exposure to similar threats, organisations are urged to implement the following best practices:
- Deploy endpoint protection on all workstations, with no exceptions.
- Audit user privileges, especially for accounts that operate across multiple systems.
- Use Kaspersky Next security products, which offer real-time threat detection, Extended Detection and Response (XDR), and full visibility into ongoing risks.
- Employ Kaspersky’s managed security services such as:
- Enhance your internal security team's situational awareness using Kaspersky Threat Intelligence, which provides deep insights into attacker behavior and risk signals.
For further technical insight into the incident, a detailed report is available via Securelist, Kaspersky’s threat intelligence blog.
About Kaspersky Security Services
Kaspersky’s Security Services team handles hundreds of cybersecurity projects annually for Fortune Global 500 clients, spanning:
- Incident response
- Managed detection
- Red teaming and penetration testing
- SOC consulting
- Application security
- Digital risk protection
These services are designed to provide end-to-end protection across the incident management cycle — from identification and mitigation to recovery and strategic improvement.
Regional Cybersecurity at a Crossroads
This incident serves as a critical warning for governments and organisations across Africa, especially in regions where cybersecurity investments remain low, and advanced threat detection capabilities are limited.
As APT groups expand their presence in under-monitored regions, it is imperative for public and private sector entities to elevate their cyber resilience, improve incident response capacity, and build trusted partnerships with cybersecurity leaders.
“The attack demonstrates the rising complexity of cyber threats facing Southern Africa,” added Denis Kulik. “Without comprehensive monitoring and expert-led response capabilities, organisations will struggle to defend themselves.”