Dec 3, 2025
Podcast: Double Dragon: How China’s APT 41 Works for the State by Day and Itself by Night
It’s 3am in Chengdu, China. A young man named Zhang sits in a high-rise apartment, the glow of three monitors reflected in his glasses. By day, Zhang is a patriot. He works for a front company that contracts for the Ministry of State Security. He’s spent the last eight hours meticulously mapping the internal network of a European government ministry.
Tova Dvorin (00:27.296) But his shift ended an hour ago. Now he’s working for himself.
Adrian (00:31.36) Zhang switches browsers. He opens a different set of tools, tools designed for a very different purpose. He isn’t looking for diplomatic cables anymore, he’s looking for virtual oil and gold. He’s spent weeks inside the backend servers of a major online gaming company.
Tova Dvorin (00:47.456) With a few keystrokes, he triggers a script that mints thousands of dollars’ worth of in-game currency and funnels it into a series of mule accounts. He’ll sell that currency on the gray market by dawn.
Adrian (00:57.312) Zhang is a member of APT 41. In the intelligence world they call them Double Dragon, a very Eastern concept. One head serves the state, the other head serves the wallet.
Tova Dvorin (01:10.174) I’m Tova Dvorin and welcome back to the SafeBreach studios for the Cyber Resilience Brief, a SafeBreach podcast. Listeners, today we continue with part three of our deep dive into Chinese cyber threats, the Dragon’s Digital Shadow.
Adrian (01:22.318) And I’m Adrian Cully, your co-host and offensive cybersecurity engineer.
Tova Dvorin (01:26.612) So in this episode, we’re looking at the group that breaks all the rules of traditional espionage, APT 41. They are prolific, they are arrogant, and they are arguably the most talented hackers on the planet. You know, Adrian, usually we think of state-sponsored hackers like soldiers, people who follow a chain of command and work for a salary. But APT 41 is different. They operate on what analysts call the mercenary model.
Adrian (01:48.736) It’s a very Chinese solution to a problem. The Ministry of State Security, the MSS, needs elite talent. But the best hackers don’t always want to work for a government salary. So the MSS makes them a deal: you give us 40 hours a week on the targets we choose, and then your off hours? We’ll look the other way whilst you’re in your own criminal enterprise.
Tova Dvorin (02:08.638) It’s essentially a state-sanctioned protection racket. As long as you don’t hack targets inside China, and as long as you hit the government’s marks, you’re untouchable.
Adrian (02:16.33) And they are busy. APT 41, also known as Barium, Winnti or Wicked Panda, has been linked to attacks in over 30 countries. We’re talking about healthcare, high tech, telecommunications, even higher education.
Tova Dvorin (02:31.968) Wow, but it was their 2024 and 2025 activity that really set off alarms. They’ve moved beyond just stealing data. They’ve pioneered the supply chain compromise.
Adrian (02:41.518) So this is the holy grail for a hacker. Why break into 10,000 houses when you can just poison the water supply that feeds them all?
Tova Dvorin (02:50.25) Let’s talk about that poisoning for a second. In the cyber world, the supply chain attack is when you hack the software before it gets to the customer.
Adrian (02:56.742) Right, think about when your computer says “system update available.” You click yes because you trust the company that made the software. APT41 exploits that trust.
Tova Dvorin (03:07.37) And they’ve done this before with things like CCleaner and ASUS updates. But in 2025, we saw a new, much more dangerous evolution of this tactic.
Adrian (03:15.872) Investigators recently uncovered a campaign by a new cell. It’s been labeled UAT8837 at the moment, but it has all the fingerprints of APT41. Instead of hacking the whole software package, they’re targeting DLLs, Dynamic Link Libraries.
Tova Dvorin (03:31.984) Okay, could you give a technical translation for us non-coders?
Adrian (03:35.532) So of course, a DLL is a shared tool. Multiple programs can use it. Imagine a construction site where every worker uses the same communal wrench. If you poison that wrench, every worker gets sick.
Tova Dvorin (03:48.658) Okay, so by trojanizing these shared libraries in industrial software, they aren’t just hitting one company. They are embedding themselves in every company that uses that software.
Adrian (03:57.838) And they’ve been targeting the building blocks of the digital world, software development tools. If you control the tools the developers use to write code, you essentially own everything they build in the future. It’s a generational threat.
Tova Dvorin (04:11.827) You know, one of the most fascinating and weirdly specific targets for APT-41 is the video game industry.
Adrian (04:17.23) Sounds trivial, right? But why would a state-sponsored group care about World of Warcraft or Genshin Impact?
Tova Dvorin (04:26.382) It’s not about the games, it’s about the infrastructure and the money, and I’m assuming also the reach.
Adrian (04:31.086) Exactly. Gaming companies have massive server networks and incredibly sophisticated anti-cheat software. If you can bypass that, you can bypass almost anything. But for APT 41, the gaming industry is also their personal ATM.
Tova Dvorin (04:47.423) And in 2024, a major breach of a gaming giant was traced back to APT 41 members. They weren’t looking for state secrets. They stole the source code for the game’s virtual economy.
Adrian (04:57.944) They then used that code to generate millions of dollars in digital assets, which they then laundered through cryptocurrency exchanges. This isn’t just kids in a basement. This is a multi-million dollar business that funds their lifestyle, their hardware, and their official government operations.
Tova Dvorin (05:13.247) Reminder, by the way, that if you work for a cryptocurrency exchange or you put your money through one, look into MPC to secure your assets, but I digress. This also makes them incredibly hard to stop. Because APT 41 is so well funded, they can buy zero days, those unpatched vulnerabilities that we’ve talked about before, on the open market. They don’t even have to find them. They could just outbid everyone else to create them. By the way, quick pause, we’re only at five minutes and 30 seconds.
Adrian (05:41.08) Okay, that’s short. I can talk a little bit more when we get into the last section because we’ve got a lot of coverage for APT 41.
Tova Dvorin (05:47.463) Okay, great. So as we look into the landscape in early 2026, we’re seeing the Double Dragon model morphing again. There’s a new group on the radar, UAT 7290.
Adrian (05:59.488) And analysts believe this is a special project unit spun off from the original APT 41 core. Their focus in the last six months has been almost entirely supply chain integrity.
Tova Dvorin (06:11.827) Specifically, they’ve been targeting North American software developers who work on critical SaaS, Software as a Service. These are the programs that hospitals use to manage patient data or that logistics companies use to track shipping containers.
Adrian (06:23.66) What’s chilling is their patience, Tova. UAT 7290 doesn’t trigger their malware right away. They’ve been found sitting inside dev environments for 18 months, just watching how the code is written, learning the voice of the developers, so that when they finally do insert their backdoors, they look perfectly natural. It’s basically code-level social engineering.
Tova Dvorin (06:48.499) Yeah, it almost sounds like code living off the land when you think about it. Or, if you want to use another analogy, it’s like a cuckoo bird that lays an egg in another bird’s nest, and by the time the egg hatches, the host thinks it’s one of their own.
Adrian (06:59.15) And because of the new 2026 cyber security law in China, these groups are now working with a 48-hour head start on every new exploit. It’s making them faster, bolder and more dangerous than ever.
Tova Dvorin (07:14.833) APT-41 represents the professionalization of the threat. They aren’t just hackers anymore. They are a hybrid of intelligence officers, software engineers, and high-stakes criminals. If you are in healthcare, telecoms, technology, or the video gaming industries, run our APT-41 Offensive Security Scenario and find out where your gaps are. Remediate and repeat. Please do this before they do it for you.
Adrian (07:36.674) Yeah, we have extensive knowledge of APT-41. We have extensive coverage across the entire kill chain, all the way from reconnaissance to infiltration, right the way through to exfiltration, command and control, impact. We can really, really help you plug those gaps and achieve continuous coverage. And we’re updating all the time. Our threat teams are constantly monitoring these tactics, techniques and procedures that are aligned with the Chinese Ministry of State Security as a whole and APT 41. So there’s also value in that we’re constantly updating our APT 41 scenario. The result that you got three months ago, six months ago and last week will almost certainly, guaranteed, be different to the result that you will get today. Do not only run the scenario and harvest the results and remediate, but do keep repeating.
Tova Dvorin (08:34.431) Absolutely, it’s the value of continuous. Run continuously, keep on continuously running.
Adrian (08:41.422) So, another way to think about it: it’s a reminder that in the digital world, trust is a vulnerability. And remember, adopt a zero trust approach, but have zero trust in that zero trust approach. Otherwise it isn’t zero trust, is it?
Tova Dvorin (08:57.469) Right. So until now we’ve talked about the Typhoons and their infrastructure targets. We talked about the Double Dragons and their supply chain attacks, but there’s one more group that we need to discuss.
Adrian (09:10.04) This group doesn’t care about your power grid or your virtual oil and gold, they care about your mind.
Tova Dvorin (09:17.631) And that means that next time in our series on China, we’re looking at Mustang Panda. They are the masters of social engineering and NGO targeting. We’ll look at how they use captive portal attacks to hijack the communications of human rights activists and diplomats.
Adrian (09:32.354) And we’ll also explore how they turn your own curiosity against you.
Tova Dvorin (09:37.961) But until next time, stay safe, stay safe with SafeBreach.
In This Episode
By day, they hack for the Chinese government. By night, they steal millions from online gaming companies.
Meet APT 41 — also known as Double Dragon — the world’s only state-sponsored hacking group that moonlights as an organized crime ring.
In Ep. 58 of the Cyber Resilience Brief, we break down:
- How the MSS gives elite hackers a “protection deal” — serve the state 40 hrs/week, freelance the rest
- Why gaming companies are being targeted (hint: it’s not about the games)
- The DLL supply chain attacks quietly embedding backdoors in industrial software
- UAT 7290 — the new splinter unit sitting silently inside dev environments for 18+ months
If your organization is in healthcare, telecoms, tech, or SaaS infrastructure, this episode is not optional listening.
Tune in. This one matters.