TI News Feed · Threat Intelligence Guides

APT41 (Wicked Panda / BARIUM): Threat Actor Profile

APT41 is unusual among top-tier adversaries — a Chinese state-sponsored espionage group that also runs financially motivated operations, tied to intrusions at 100+ victims across 14+ countries. A full profile.

Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.

APT41 is unusual among top-tier adversaries because it blends state-aligned espionage with financially motivated operations. MITRE describes it as a Chinese state-sponsored espionage group that also conducts financially motivated operations, active since at least 2012 and targeting many sectors in at least 14 countries.

APT41: at a glance

  • Aliases: Wicked Panda (CrowdStrike), Brass Typhoon (Microsoft; formerly BARIUM), Double Dragon (FireEye/Mandiant); overlaps with activity long tracked as Winnti
  • Country / affiliation: China — state-sponsored, with ties claimed by U.S. authorities
  • Assessed status (as of July 2026): Active
  • Primary objectives: Espionage, intellectual-property theft, supply-chain access, and opportunistic for-profit cybercrime run alongside state tasking
  • Financial damage / gain: No reliable public dollar total; impact is measured in breadth (100+ victim organizations) and in the blend of espionage with financial crime
  • Type: Nation-state APT (espionage + financial crime)

Who is APT41?

In 2020 the U.S. DOJ unsealed indictments charging five Chinese nationals linked to APT41 (plus two Malaysian nationals who helped monetize the video-game intrusions) with campaigns against more than 100 victims worldwide, spanning healthcare, telecoms, software providers, and the video-game industry, where operators generated and stole in-game currency for personal profit. The group remains active and operationally versatile, and MITRE ATT&CK continues to track it as an active group.

Aliases and attribution

APT41 overlaps with the long-running Winnti activity cluster and is tracked as Wicked Panda (CrowdStrike), BARIUM (Microsoft's older name, now Brass Typhoon under its current taxonomy), and Double Dragon (FireEye/Mandiant). U.S. indictments tie named individuals to the group. Its dual espionage-and-profit model complicates attribution, since the same operators pursue both state and personal objectives, a pattern rarely documented among nation-state groups.

Financial impact and damage

There is no reliable public dollar figure for APT41; its impact is measured in breadth: 100+ organizations across 14+ countries, theft of source code, code-signing certificates, and intellectual property, plus supply-chain compromises that reached downstream victims. Its game-sector fraud (generating, stealing, and laundering in-game currency) is a rare documented case of a state-aligned group monetizing operations for personal gain.

APT41 timeline

  • 2012: Group becomes active
  • 2019: Public vendor reporting expands (FireEye/Mandiant 'Double Dragon' report)
  • 2020: U.S. DOJ unseals indictments against five Chinese nationals tied to intrusions at 100+ victims
  • 2026: ATT&CK continues to track active operations

Notable attacks and campaigns

APT41 has conducted software supply-chain compromises (trojanizing legitimate software updates so that one intrusion reaches many downstream victims), targeted the video-game industry for in-game currency theft, and exploited internet-facing applications to plant web shells for espionage access. Its willingness to mix state espionage with for-profit crime makes it one of China's most versatile and dangerous groups.

Tactics, techniques, and procedures (TTPs)

The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.

  • T1134 — Access Token Manipulation: ATT&CK cites named-pipe impersonation for local escalation to SYSTEM. Watch named-pipe telemetry (Sysmon Event ID 17/18) for a user-level process creating a pipe that a newly created service then connects to, and for processes whose token identity differs from their parent's. See privilege escalation.
  • T1190 / T1505.003 — Exploit Public-Facing Apps + Web Shells: APT41 repeatedly uses internet-facing exploit chains and web shells. Monitor internet-facing apps for file-write anomalies and suspicious child processes.
  • T1595.002 — Active Scanning: Vulnerability Scanning: ATT&CK cites Acunetix and JexBoss in reconnaissance. Detect internal scanner activity outside approved scanning windows.
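The two host- and log-side detections above (a web-server worker spawning a shell for T1505.003, and scanner activity for T1595.002) in working form, as an added example written for this guide rather than code from MITRE, the vendors cited, or the group itself. The process events, access-log lines, process allowlists, and scanner User-Agent strings are all constructed for the example; the IP addresses are placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Alert is one detection hit, tagged with the ATT&CK technique it maps to.
type Alert struct{ Rule, Subject string }

// Constructed process-creation events (not real telemetry): parent|child|command line.
var ProcEvents = []string{
	`C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami`,
	`C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe`,
	`/usr/bin/java|/bin/sh|sh -c "id; uname -a"`,
	`C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|csc.exe /t:library`,
}

// Constructed access-log lines (combined log format); IP addresses are placeholders.
var AccessLog = []string{
	`10.0.0.5 - - [01/Mar/2026:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
	`10.0.0.5 - - [01/Mar/2026:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"`,
	`10.0.0.9 - - [01/Mar/2026:10:00:01 +0000] "GET /jmx-console/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"`,
	`10.0.0.9 - - [01/Mar/2026:10:00:01 +0000] "GET /web-console/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"`,
	`10.0.0.9 - - [01/Mar/2026:10:00:02 +0000] "GET /invoker/JMXInvokerServlet HTTP/1.1" 404 0 "-" "Mozilla/5.0"`,
	`10.0.0.9 - - [01/Mar/2026:10:00:02 +0000] "GET /admin-console/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"`,
	`10.0.0.17 - - [01/Mar/2026:10:00:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Acunetix)"`,
}

// Assumed process allowlists; tune to your estate ("java" stands in for a Tomcat/JBoss worker).
var webServers = map[string]bool{"w3wp.exe": true, "httpd": true, "nginx": true, "java": true, "tomcat": true}
var shells = map[string]bool{"cmd.exe": true, "powershell.exe": true, "sh": true, "bash": true, "whoami.exe": true, "net.exe": true}

func baseName(p string) string { return p[strings.LastIndexAny(p, `/\`)+1:] }

// DetectWebShellSpawns flags a web-server worker spawning a shell, the usual
// post-exploitation footprint of a web shell (T1505.003 following T1190).
func DetectWebShellSpawns(events []string) []Alert {
	var out []Alert
	for _, e := range events {
		f := strings.SplitN(e, "|", 3)
		if len(f) != 3 {
			continue
		}
		if parent, child := baseName(f[0]), baseName(f[1]); webServers[parent] && shells[child] {
			out = append(out, Alert{"T1505.003 web server spawned shell", parent + " -> " + f[2]})
		}
	}
	return out
}

var logRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"`)

// Scanner names sometimes seen in User-Agent headers (assumed strings; easily
// spoofed, so the 404-burst rule below is the stronger signal).
var scannerUA = regexp.MustCompile(`(?i)acunetix|jexboss|nikto|sqlmap`)

// DetectScanners flags (a) a User-Agent naming a known scanner and (b) any
// source that hit at least threshold distinct paths returning 404, the pattern
// left by tools such as JexBoss probing for JBoss consoles (T1595.002).
func DetectScanners(lines []string, threshold int) []Alert {
	notFound := map[string]map[string]bool{}
	var order []string // sources in first-seen order, so output is deterministic
	uaSeen := map[string]bool{}
	var out []Alert
	for _, l := range lines {
		m := logRe.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		src, path, status, ua := m[1], m[3], m[4], m[5]
		if scannerUA.MatchString(ua) && !uaSeen[src] {
			uaSeen[src] = true
			out = append(out, Alert{"T1595.002 scanner user-agent", src + " " + ua})
		}
		if status == "404" {
			if notFound[src] == nil {
				notFound[src] = map[string]bool{}
				order = append(order, src)
			}
			notFound[src][path] = true
		}
	}
	for _, s := range order {
		if n := len(notFound[s]); n >= threshold {
			out = append(out, Alert{"T1595.002 404 burst", fmt.Sprintf("%s probed %d missing paths", s, n)})
		}
	}
	return out
}

func main() {
	for _, a := range append(DetectWebShellSpawns(ProcEvents), DetectScanners(AccessLog, 3)...) {
		fmt.Printf("[%s] %s\n", a.Rule, a.Subject)
	}
}
```

Two design points worth carrying into a real rule set: the w3wp.exe to csc.exe event is deliberately not flagged, because ASP.NET compiles pages on demand through csc.exe and that pairing is a common false positive; and the scanner User-Agent match is a convenience, not a control, since any scanner can present a browser User-Agent, which is why the per-source count of distinct 404 paths (with a threshold tuned to your traffic) is the rule to rely on.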

Detection and defense against APT41

APT41 favors internet-facing exploitation and supply-chain access, so exposure reduction and integrity monitoring are key:

  • Patch and monitor internet-facing applications for file-write anomalies and web shells.
  • Validate software update integrity and signer chains to counter supply-chain compromise.
  • Detect internal vulnerability-scanner activity outside approved windows.
  • Watch for named-pipe privilege escalation and token manipulation.
  • Hunt for espionage indicators (source-code access, certificate theft) alongside financial fraud.
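Validating update integrity and signer identity, the supply-chain item in the list above and the trojanized-update campaigns described earlier, as an added example written for this guide and not code from any vendor's updater: a release manifest signed with Ed25519 (crypto/ed25519 from Go's standard library), a pinned allowlist of signer identities, and the four cases a practitioner should test before trusting the check. The manifest format, the signer identifier (a truncated hash of the public key standing in for a certificate thumbprint), and the payload bytes are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one release: the payload hash, the identity of the
// signing key, and a signature over both. The format is an assumption for
// the example, not any real vendor's update metadata.
type Manifest struct {
	Version  string
	SHA256   string // hex SHA-256 of the update payload
	SignerID string // pinned identity of the signing key (see signerID)
	Sig      []byte // Ed25519 signature over signedBytes()
}

func (m Manifest) signedBytes() []byte {
	return []byte(m.Version + "\n" + m.SHA256 + "\n" + m.SignerID)
}

// signerID stands in for a code-signing certificate thumbprint.
func signerID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

var (
	ErrUntrustedSigner = errors.New("manifest signer is not in the pinned allowlist")
	ErrBadSignature    = errors.New("manifest signature does not verify")
	ErrHashMismatch    = errors.New("payload hash does not match the manifest")
)

// SignManifest is the vendor-side step: hash the payload and sign the manifest.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:]),
		SignerID: signerID(priv.Public().(ed25519.PublicKey))}
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

// VerifyUpdate is the client-side check. Order matters: establish who signed
// the manifest before trusting anything in it, then check the payload against it.
func VerifyUpdate(payload []byte, m Manifest, trusted map[string]ed25519.PublicKey) error {
	pub, ok := trusted[m.SignerID]
	if !ok {
		return ErrUntrustedSigner
	}
	if !ed25519.Verify(pub, m.signedBytes(), m.Sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare([]byte(hex.EncodeToString(sum[:])), []byte(m.SHA256)) != 1 {
		return ErrHashMismatch
	}
	return nil
}

// Scenario exercises the four cases worth testing: a genuine update, a payload
// swapped after signing, a backdoored payload re-signed with an attacker's key,
// and a manifest whose hash was edited to match the swapped payload.
func Scenario() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{signerID(vendorPub): vendorPub}

	payload := []byte("constructed update payload 2.1.0") // stands in for the installer bytes
	good := SignManifest(vendorPriv, "2.1.0", payload)

	swapped := append([]byte(nil), payload...)
	swapped[0] ^= 0x01 // one flipped byte: the trojanized build served in place of the real one

	edited := good // vendor's signature kept, hash field rewritten to match the swapped payload
	sum := sha256.Sum256(swapped)
	edited.SHA256 = hex.EncodeToString(sum[:])

	return map[string]error{
		"genuine":                   VerifyUpdate(payload, good, trusted),
		"payload swapped":           VerifyUpdate(swapped, good, trusted),
		"re-signed by attacker key": VerifyUpdate(swapped, SignManifest(attackerPriv, "2.1.0", swapped), trusted),
		"manifest hash edited":      VerifyUpdate(swapped, edited, trusted),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-26s -> %v\n", name, err)
	}
}
```

The case this check cannot catch is the one this group is known for: an operator holding the vendor's genuine signing key, or a stolen code-signing certificate, produces a manifest that passes every step above. That is why the pinned allowlist needs a revocation path and why update verification is only one layer alongside build provenance and monitoring of the signing infrastructure itself.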

The bottom line

APT41 is China's dual-hat threat actor — a state espionage group that also robs for profit — and its blend of capabilities keeps it among the most versatile adversaries of 2026. See how APT41 ranks among the most dangerous threat actors, and track its latest activity on our live threat intelligence feed, aggregated from dozens of authoritative sources.

Frequently asked questions

Who is APT41?

APT41 is a Chinese state-sponsored threat group, also known as Wicked Panda, Brass Typhoon, and BARIUM, that uniquely blends government espionage with financially motivated cybercrime.

What is APT41 known for?

APT41 is known for espionage and intellectual-property theft, software supply-chain compromises, and financially motivated attacks such as stealing in-game currency from the video-game industry, hitting 100+ victims across 14+ countries.

Is APT41 still active?

Yes. APT41 remains active in 2026 and continues to be tracked in the MITRE ATT&CK framework under names including Brass Typhoon.

What country is APT41 from?

China. APT41 is assessed as Chinese state-sponsored, and U.S. indictments have tied named individuals to the group.

Primary sources & further reading

This guide is reviewed and fact-checked against authoritative primary sources: