SOC files: an APT41 attack on government IT services in Africa
Aug. 20, 2025, 12:47 p.m.
Description
Kaspersky's MDR team detected a targeted attack by APT41 against government IT services in Africa. The attackers used Impacket tools, Cobalt Strike, and custom agents for lateral movement and data collection. They leveraged DLL sideloading techniques and publicly available tools like Mimikatz and RawCopy. The group established persistence through scheduled tasks and services, and exfiltrated data via a compromised SharePoint server. The attack showcased APT41's ability to adapt their tools to the target infrastructure and leverage internal services for command and control. The incident highlights the importance of comprehensive monitoring and proper privilege management in defending against sophisticated threats.
Tags
Date
- Created: Aug. 20, 2025, 10:50 a.m.
- Published: Aug. 20, 2025, 10:50 a.m.
- Modified: Aug. 20, 2025, 12:47 p.m.
Attack Patterns
- Checkout
- Pillager
- Mimikatz
- Cobalt Strike - S0154
- APT41
Additional Information
- Government
- Central African Republic
- South Africa