Cyfirma researchers this week profiled MISSION2025, a Chinese state-sponsored threat group tied to APT41. Active since at least 2012, the group runs cyberespionage and financially driven campaigns across more than 40 industries worldwide. Its operations closely track with China’s economic priorities, especially the ‘Made in China 2025’ strategy, with a focus on stealing intellectual property, conducting corporate espionage, and compromising critical infrastructure.

The group operates under a long list of aliases, including APT41, BARIUM, Blackfly, Brass Typhoon, BrazenBamboo, Double Dragon, Earth Baku, Earth Freybug, Earth Longzhi, Gref, Hodoo, IQGRABBER, Mana, Mr. StealYoShoes, PassCV, RedGolf, SparklingGoblin, UNC78, UNIT2025, Winnti, and the Winnti Umbrella Group. It operates across the U.S., the U.K., Japan, India, EU nations, Southeast Asia, and Taiwan.

The researchers disclosed that MISSION2025 has targeted key sectors integral to national and economic security. These include aerospace, defense, and energy, along with healthcare systems and telecom networks. The group also directs its campaigns at financial institutions, manufacturing operations, and various forms of critical infrastructure, reflecting a clear intent to disrupt and exploit high-value industries worldwide.

They reveal that its primary motives include intelligence gathering, financial theft, and strategically timed disruption. The technologies it most often targets include office productivity tools, operating systems, and web-based applications.

Based on recent observations, Cyfirma researchers identified MISSION2025’s (APT41’s) tactics, techniques, and procedures as aligned with the MITRE ATT&CK framework. For initial access, the group sends spearphishing emails with malicious attachments, such as ZIP archives containing LNK files that appear to be PDFs. They also deliver links to malicious payloads hosted on either compromised websites or free web hosting services.

APT41 actively exploits vulnerabilities in widely used enterprise applications, including Ivanti EPMM, and has historically used SQL injection flaws in web applications and server virtualization platforms to gain entry. Additionally, the group takes advantage of legitimate remote access services to establish initial access or maintain long-term persistence within targeted environments.

The researchers identified several execution techniques used by MISSION2025. The group relies on victims opening malicious files, such as LNK files or disguised documents, to trigger execution. They frequently use the Windows Command Shell through cmd.exe to run various commands. PowerShell is also a common tool in their arsenal, often employed for fileless execution and scripting.

They make use of Windows Management Instrumentation, or WMI, for both executing commands and facilitating potential lateral movement within networks. Process injection is another tactic, with malware like PLUSINJECT injecting malicious code into legitimate processes, including process hollowing of svchost.exe. In some cases, they create or modify system services to ensure execution through service-level mechanisms.

The researchers also identified several persistence techniques used by MISSION2025. One method involves creating new Windows services to maintain access. The group also modifies registry run keys or uses the startup folder to ensure execution on system boot or user logon.

They take advantage of the Background Intelligent Transfer Service, or BITS, to maintain persistence or facilitate data transfer. Another tactic involves hijacking the execution flow by manipulating the way legitimate programs load DLLs, using methods such as DLL search order hijacking, DLL side-loading, or dynamic linker hijacking. Additionally, the group creates scheduled tasks to trigger malicious processes repeatedly.
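The persistence techniques listed above each leave a distinct footprint in host telemetry. The following triage routine is an added example written for this summary, not code from Cyfirma's report; it runs over hand-built, simplified event records (field names, paths, the BITS host allowlist and the signed/unsigned flag are all assumptions) and maps each match to the MITRE ATT&CK technique ID for that persistence mechanism.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Registry Run/RunOnce keys and the per-user Startup folder (T1547.001).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Locations a normal user can write to; services, tasks and side-loaded DLLs
# launching from here are suspicious.
USER_WRITABLE_RE = re.compile(r"^C:\\(Users|ProgramData|Windows\\Temp)\\", re.I)
# Hosts a BITS job is expected to contact in this constructed environment (assumption).
BITS_ALLOWED_HOSTS = {"download.windowsupdate.com", "updates.example.internal"}

@dataclass
class Event:
    kind: str           # registry | file | service | task | bits | imageload
    image: str          # process performing the action (or loading the DLL)
    target: str         # value path, file path, service binary, task action, BITS URL or DLL path
    signed: bool = True # imageload only: whether the loaded DLL carries a valid signature

def triage(ev: Event) -> Optional[str]:
    """Return the ATT&CK technique ID matched by this event, or None."""
    t = ev.target
    if ev.kind == "registry" and RUN_KEY_RE.search(t):
        return "T1547.001"   # Registry Run Keys
    if ev.kind == "file" and STARTUP_RE.search(t):
        return "T1547.001"   # Startup Folder
    if ev.kind == "service" and USER_WRITABLE_RE.match(t):
        return "T1543.003"   # Windows Service whose binary lives in a user-writable path
    if ev.kind == "task" and USER_WRITABLE_RE.match(t):
        return "T1053.005"   # Scheduled Task running a user-writable payload
    if ev.kind == "bits":
        host = re.sub(r"^https?://([^/]+).*$", r"\1", t).lower()
        if host not in BITS_ALLOWED_HOSTS:
            return "T1197"   # BITS job fetching from an unexpected host
    if ev.kind == "imageload" and not ev.signed and USER_WRITABLE_RE.match(t):
        return "T1574.002"   # unsigned DLL loaded from a user-writable directory (side-loading)
    return None

def triage_all(events):
    return [(e.target, tid) for e in events if (tid := triage(e))]

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    Event("registry", "C:\\Windows\\System32\\reg.exe", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    Event("file", "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\u.lnk"),
    Event("service", "C:\\Windows\\System32\\sc.exe", "C:\\ProgramData\\svc\\host.exe"),
    Event("task", "C:\\Windows\\System32\\schtasks.exe", "C:\\Users\\Public\\run.vbs"),
    Event("bits", "C:\\Windows\\System32\\bitsadmin.exe", "https://cdn.example-free-host.test/p.bin"),
    Event("imageload", "C:\\Users\\alice\\Downloads\\vendor\\signed_tool.exe", "C:\\Users\\alice\\Downloads\\vendor\\helper.dll", signed=False),
    Event("service", "C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\svchost.exe"),  # benign
]
```

The last sample event shows the expected negative: a service whose binary lives under System32 produces no finding.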

MISSION2025 continues to evolve its tactics with a noticeable shift toward abusing legitimate cloud services for command-and-control operations. By using platforms like Google Calendar, Google Sheets, and Google Drive, the group disguises malicious traffic as normal user behavior, making detection far more difficult.
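Because the destination is a legitimate Google service, blocking or reputation-scoring the domain is useless; what still stands out is the behavior: a non-browser process polling the service at a near-constant interval. The beaconing heuristic below is an added example, not code from the report. It assumes simplified network-connection records of the form `timestamp, process image, destination host` (as an EDR or Sysmon network event would supply), a constructed list of cloud-service hosts, and a browser allowlist.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Cloud-service hosts an implant might poll; list is an assumption for this example.
CLOUD_SERVICE_HOSTS = {"calendar.google.com", "sheets.googleapis.com",
                       "docs.google.com", "drive.google.com", "www.googleapis.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def parse(line):
    ts, image, host = line.split(",")
    return datetime.fromisoformat(ts.strip()), image.strip(), host.strip().lower()

def find_beacons(lines, min_events=6, max_cv=0.15):
    """Return (image, host, mean_interval_seconds) for every non-browser process
    that contacts a cloud-service host at a near-constant cadence.
    Cadence is judged by the coefficient of variation of the inter-request gaps."""
    series = defaultdict(list)
    for line in lines:
        ts, image, host = parse(line)
        exe = image.rsplit("\\", 1)[-1].lower()
        if host in CLOUD_SERVICE_HOSTS and exe not in BROWSERS:
            series[(image, host)].append(ts)
    hits = []
    for (image, host), stamps in series.items():
        if len(stamps) < min_events:
            continue                       # too few observations to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits.append((image, host, round(mean)))
    return hits

SAMPLE_LOG = [  # constructed records, not real telemetry
    # unknown binary polling Calendar every ~5 minutes with little jitter
    "2025-06-01T10:00:00, C:\\Users\\alice\\AppData\\Roaming\\sync\\syncd.exe, calendar.google.com",
    "2025-06-01T10:05:02, C:\\Users\\alice\\AppData\\Roaming\\sync\\syncd.exe, calendar.google.com",
    "2025-06-01T10:09:58, C:\\Users\\alice\\AppData\\Roaming\\sync\\syncd.exe, calendar.google.com",
    "2025-06-01T10:15:01, C:\\Users\\alice\\AppData\\Roaming\\sync\\syncd.exe, calendar.google.com",
    "2025-06-01T10:20:00, C:\\Users\\alice\\AppData\\Roaming\\sync\\syncd.exe, calendar.google.com",
    "2025-06-01T10:25:00, C:\\Users\\alice\\AppData\\Roaming\\sync\\syncd.exe, calendar.google.com",
    "2025-06-01T10:30:04, C:\\Users\\alice\\AppData\\Roaming\\sync\\syncd.exe, calendar.google.com",
    # a backup tool using Drive at irregular, human-driven intervals: not flagged
    "2025-06-01T10:00:00, C:\\Program Files\\Backup\\backup.exe, drive.google.com",
    "2025-06-01T10:01:00, C:\\Program Files\\Backup\\backup.exe, drive.google.com",
    "2025-06-01T10:07:30, C:\\Program Files\\Backup\\backup.exe, drive.google.com",
    "2025-06-01T10:08:00, C:\\Program Files\\Backup\\backup.exe, drive.google.com",
    "2025-06-01T10:20:00, C:\\Program Files\\Backup\\backup.exe, drive.google.com",
    "2025-06-01T10:21:00, C:\\Program Files\\Backup\\backup.exe, drive.google.com",
    # browser traffic to Docs is excluded outright
    "2025-06-01T10:03:00, C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe, docs.google.com",
]
```

Tune `min_events` and `max_cv` against your own baseline; sync agents and update clients can also poll on a schedule, so the output is a hunting lead to enrich with process lineage and signer data, not a verdict.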

Their evasion techniques have grown more sophisticated, involving in-memory payloads tied to the TOUGHPROGRESS framework and its components such as PLUSDROP and PLUSINJECT. The use of Windows Common Log File System (CLFS) mechanisms and NTFS transaction manipulation further underlines their focus on staying hidden from traditional security tools.

APT41 has also advanced its use of modular malware, building multi-stage toolsets that can be easily updated or reconfigured to suit different attack phases or environments. PLUSDROP, PLUSINJECT, and TOUGHPROGRESS exemplify this approach by compartmentalizing malicious functions for better operational flexibility.

Initial access often comes through exploitation of public-facing vulnerabilities, with recent campaigns targeting flaws in commonly deployed software such as Ivanti EPMM. Once inside, the group demonstrates a high degree of customization, crafting social engineering lures, such as LNK files disguised as PDFs or embedded in decoy images, to match the target’s context.

Though espionage and intellectual property theft remain their core missions, APT41 has not hesitated to engage in financially motivated intrusions when the opportunity arises. Reports from early 2025 suggest their activity is rising, with a noticeable uptick compared to prior quarters, signaling a more aggressive and expansive operational tempo.

In April, Cyfirma detailed the external threat landscape of the manufacturing industry over the past three months, providing insights and data-driven statistics covering attack campaigns, phishing telemetry, and ransomware incidents. Observed campaigns are conducted by a diverse range of threat actors, most prominently Chinese nation-state groups and unidentified Vietnamese, Thai, and English-speaking groups, suggesting financial motivations are still prevalent in the manufacturing industry.
