APT41 Deploys Undetectable Backdoor to Steal Cloud Credentials from Major Providers

The China-backed cyber espionage group APT41 has been observed delivering a backdoor designed to evade detection in order to harvest credentials from major cloud platforms such as AWS, Google Cloud, Azure, and Alibaba Cloud. The group employs typosquatting to conceal its command-and-control communications within these environments.
What happened
APT41, a prolific threat group linked to China, has expanded its focus to target cloud computing environments from multiple leading providers, including Amazon Web Services, Google Cloud Platform, Microsoft Azure, and Alibaba Cloud. The group is delivering a backdoor that is characterized by its ability to avoid detection by standard security tools.
Why it matters
As cloud services become central to enterprise operations, compromising credentials within these environments presents a significant risk that can enable persistent access and data exfiltration. The use of typosquatting to disguise command-and-control (C2) channels further complicates detection and mitigation efforts, increasing the threat's stealth and longevity.
What security teams should do
Security teams should prioritize reviewing their cloud environments for unauthorized access and suspicious activity, paying attention to atypical DNS patterns that might indicate typosquatting used in C2 communication. Implementing and enforcing robust identity and access management policies, alongside continuous monitoring tailored for cloud-specific threats, can help detect and contain this type of activity.
Key technical details
The delivered backdoor is reported as achieving zero detection, which likely means it relies on advanced evasion techniques to bypass conventional antivirus and endpoint detection solutions. APT41's use of typosquatting involves registering domain names that mimic legitimate cloud service domains with minor misspellings, so that C2 traffic blends in with normal cloud API traffic and is harder to detect.
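As an added illustration of the DNS review suggested above and of the typosquatting technique just described (example code written for this page, not from the article or any vendor), the following Python scans constructed DNS query log lines for names whose registrable domain sits within a small edit distance of an assumed list of legitimate cloud provider domains. The log format, the domain list and the lookalike names are all assumptions made for the example.

```python
import re

# Assumed allowlist of legitimate cloud provider domains (registrable part only);
# a real deployment would use the organisation's own inventory of trusted domains.
LEGIT_DOMAINS = ["amazonaws.com", "googleapis.com", "azure.com", "windows.net", "aliyuncs.com"]

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(fqdn):
    """Crude registrable-domain extraction: last two labels (no public-suffix list)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def lookalike_of(fqdn, max_distance=2):
    """Return the legitimate domain this name imitates, or None if exact or unrelated."""
    base = registrable(fqdn)
    if base in LEGIT_DOMAINS:
        return None
    for legit in LEGIT_DOMAINS:
        if levenshtein(base, legit) <= max_distance:
            return legit
    return None

# Constructed log format: "<timestamp> <host> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<qname>\S+)$")

def scan_dns_log(lines):
    """Return (timestamp, host, qname, imitated domain) for each suspicious query."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (target := lookalike_of(m["qname"])):
            hits.append((m["ts"], m["host"], m["qname"], target))
    return hits

# Constructed sample DNS log; the lookalike names are invented for illustration.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z ws-17 query s3.amazonaws.com",
    "2024-05-01T10:00:02Z ws-17 query api.amazonavvs.com",
    "2024-05-01T10:00:04Z ws-22 query login.azuree.com",
    "2024-05-01T10:00:05Z ws-09 query oauth2.googleapls.com",
    "2024-05-01T10:00:06Z ws-09 query updates.example.org",
]
```

The edit-distance threshold is deliberately small; on short base domains such as azure.com it still needs an allowlist of the organisation's own and partners' domains to keep false positives down.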
Affected organizations/products
Cloud environments spanning AWS, Google Cloud, Microsoft Azure, and Alibaba Cloud are targeted in this ongoing campaign by APT41. Specific organizations affected have not been disclosed publicly at this time.
Source attribution
https://www.darkreading.com/cloud-security/apt41-zero-detection-backdoor-harvest-cloud-credentials