
Kaspersky has revealed a sophisticated cyber espionage operation targeting a government IT department in Southern Africa. The attack has been attributed with high confidence to APT41, a well-known Chinese-speaking advanced persistent threat (APT) group.
Although this group has shown limited activity in the region in the past, the incident suggests a potential shift in its geographical focus and an increased interest in Africa’s governmental and corporate digital infrastructure.
The primary aim of the attack was to extract sensitive information, including login credentials, internal documents, source code, email correspondence, and real-time communications. APT41 is known for conducting long-term, stealthy operations focused on intelligence gathering, distinguishing it from opportunistic cybercriminal groups.
According to Kaspersky’s Managed Detection and Response (MDR) experts, the attackers may have gained initial access to the network through a publicly exposed web server. Using a credential harvesting technique known as registry dumping, they obtained two key corporate accounts: one with administrator access to all workstations and another tied to a backup solution with domain-level privileges. These credentials enabled the attackers to move laterally within the network, compromising multiple systems.
Two distinct data-stealing tools were used in the operation. The first, a modified version of the Pillager utility, was repurposed into a Dynamic Link Library (DLL) and used to extract saved credentials from browsers and databases, source code, screenshots, emails, installed software details, operating system credentials, and Wi-Fi data. The second tool, known as Checkout, was deployed to gather browser history, downloaded files, stored passwords, and credit card data. The attackers also used other known cyber tools including RawCopy, a DLL-compiled version of Mimikatz, and Cobalt Strike, which facilitated command and control communications across the compromised infrastructure.
One of the more notable aspects of the attack was the use of the organisation’s internal SharePoint server for covert command and control communications. Kaspersky reports that the attackers embedded custom web-shells into the server and used them to communicate through what appeared to be a legitimate channel, likely to avoid detection and maintain persistent access.
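As an added, defender-side illustration (not Kaspersky's code or anything taken from the report), the Python below flags the two behaviours the article names, registry hive dumping via reg.exe and server-side script files written into a SharePoint/IIS web root, over constructed log lines in an assumed key=value format; the account names, paths and events are invented for the example.

```python
import re

# Constructed sample telemetry (not from the incident) in an assumed
# "key=value" format; values containing spaces are double-quoted.
SAMPLE_EVENTS = [
    'type=process user=CORP\\svc_backup image=C:\\Windows\\System32\\reg.exe cmdline="reg save HKLM\\SAM C:\\Temp\\sam.hiv"',
    'type=process user=CORP\\svc_backup image=C:\\Windows\\System32\\reg.exe cmdline="reg save HKLM\\SYSTEM C:\\Temp\\sys.hiv"',
    'type=process user=CORP\\alice image=C:\\Windows\\System32\\reg.exe cmdline="reg query HKCU\\Software\\Contoso"',
    'type=filewrite user=CORP\\spfarm image=C:\\Windows\\System32\\inetsrv\\w3wp.exe path="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\sync.aspx"',
    'type=filewrite user=CORP\\spfarm image=C:\\Windows\\System32\\inetsrv\\w3wp.exe path=C:\\inetpub\\wwwroot\\wss\\VirtualDirectories\\80\\logo.png',
    'type=filewrite user=CORP\\alice image=C:\\Windows\\explorer.exe path=C:\\Users\\alice\\Desktop\\test.aspx',
]

# reg.exe saving or exporting the SAM, SYSTEM or SECURITY hive (ATT&CK T1003.002).
HIVE_DUMP = re.compile(
    r'\breg(?:\.exe)?\s+(?:save|export)\s+(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b',
    re.IGNORECASE,
)
# Assumed on-disk roots served by IIS/SharePoint; adjust to the real farm layout.
WEB_ROOTS = ('c:\\inetpub\\wwwroot\\', '\\web server extensions\\')
# ASP.NET handler extensions that execute if dropped into a served directory.
SCRIPT_EXT = ('.aspx', '.ashx', '.asmx')

def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}

def detect(events):
    """Return (rule, account, evidence) for every event matching either rule."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev.get('type') == 'process' and HIVE_DUMP.search(ev.get('cmdline', '')):
            alerts.append(('registry_hive_dump', ev.get('user'), ev['cmdline']))
        elif ev.get('type') == 'filewrite':
            path = ev.get('path', '').lower()
            if any(root in path for root in WEB_ROOTS) and path.endswith(SCRIPT_EXT):
                alerts.append(('webroot_script_write', ev.get('user'), ev['path']))
    return alerts

def accounts_with_sam_and_system(alerts):
    """Correlate hive dumps per account: SAM plus SYSTEM together is the
    combination that lets local password hashes be recovered offline."""
    hives = {}
    for rule, user, evidence in alerts:
        if rule == 'registry_hive_dump':
            hives.setdefault(user, set()).add(HIVE_DUMP.search(evidence).group(1).upper())
    return sorted(u for u, h in hives.items() if {'SAM', 'SYSTEM'} <= h)
```

Accounts returned by `accounts_with_sam_and_system` are the ones to review first, since a backup or admin service account dumping both hives matches the credential path the article describes.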
Denis Kulik, Lead SOC Analyst at Kaspersky, noted that using an internal system like SharePoint for malicious communication highlights the attackers’ strategic precision. He stressed the importance of continuous infrastructure monitoring, explaining that such advanced threats are difficult to detect without expert oversight and robust cybersecurity frameworks.
Kaspersky is urging organisations to take immediate steps to strengthen their cybersecurity posture. The firm recommends ensuring that security software is installed across all endpoints within an organisation and that service and user account privileges are carefully reviewed and limited. It further advises companies to adopt advanced security technologies such as the Kaspersky Next product line, which provides real-time threat detection, visibility, investigation capabilities, and flexible protection tiers based on organisational needs. Businesses are also encouraged to leverage managed services such as Kaspersky’s Compromise Assessment, MDR, and Incident Response offerings to ensure a complete incident management cycle — from detection to resolution — even for teams with limited internal resources.
Denis Kulik also underscored the importance of equipping internal cybersecurity teams with real-time threat intelligence. By using updated threat data, organisations can gain deeper insight into risks specific to their infrastructure, helping security teams to identify and respond to cyberattacks more effectively.
This latest incident is a clear reminder that sophisticated cyber threats are no longer confined to traditionally targeted regions. Africa’s growing digital infrastructure and expanding government IT systems are becoming increasingly attractive to global cyber espionage actors.