Vd VfzYlY

China-Linked APT41 Deploys Stealthy Linux Backdoor with SMTP Command-Control

Security researchers have uncovered a previously undocumented Linux backdoor attributed to China-linked APT41 (Winnti) group, actively targeting cloud workloads across AWS, Google Cloud Platform, Azure, and Alibaba Cloud. This zero-day ELF implant currently shows zero detections on VirusTotal and operates via an innovative SMTP-based covert channel.

The malware transforms compromised Linux servers into stealthy credential theft nodes, communicating over SMTP port 25 – a protocol rarely scrutinized in cloud environments. Instead of traditional HTTPS or DNS callbacks, the backdoor exchanges encoded payloads within SMTP message bodies, receiving hidden commands within SMTP reply codes. This technique bypasses many security controls, granting APT41 a persistent covert channel in enterprise networks.

The discovery represents a significant evolution in APT41’s cloud-centric operations. Security researcher TuringAlex first surfaced the sample, with Xlab_qax confirming its lineage to the Winnti family. The C2 server at 43[.]99[.]48[.]196 (Alibaba Cloud, Singapore) requires a tokenized “EHLO” handshake, rendering the server invisible to automated scanners like Shodan or Censys.

Credential Harvesting Across Major Clouds

The backdoor aggressively extracts credentials from multiple cloud providers:

  • AWS: Exploits IAM roles via 169.254.169.254 metadata endpoint and local ~/.aws/credentials files
  • GCP: Queries service account tokens and default credentials
  • Azure: Scrapes managed identity tokens from local endpoints
  • Alibaba Cloud: Harvests RAM role credentials and config files

All stolen data is encrypted using a hardcoded AES-256 key before exfiltration. Researchers identified three typosquat domains impersonating Alibaba Cloud services:

  • ai[.]qianxing[.]co
  • ns1[.]a1iyun[.]top (using homoglyph “1” for “l”)
  • ai[.]aliyuncs[.]help

These domains were registered within a 24-hour window via NameSilo and hosted on Alibaba Cloud Singapore infrastructure – a bulk-registration pattern consistent with APT41’s historical operations. The implant also employs a UDP broadcast beacon system (255.255.255.255:6006) for lateral task propagation, minimizing additional C2 traffic.

Winnti’s Six-Year Linux Arsenal Evolution

The backdoor represents a significant advancement in APT41’s Linux malware lineage:

Year Malware Variant Key Features
2020 PWNLNX Basic ELF backdoor with XOR encoding
2021-2022 Winnti 4.0 Linux Modular variants with rootkit components
2023 KEYPLUG (Linux) Transition to HTTPS C2
2024-2026 Cloud-Backdoor Metadata harvesters with SMTP C2

This progression demonstrates APT41’s strategic shift from basic implants to cloud-native credential harvesters designed for persistence in multi-cloud environments. The discovery underscores the critical need for cloud defenses to scrutinize non-web protocols like SMTP for covert communication channels, as zero-detection capabilities continue to evolve.

Related Articles

Back to top button