Common Information

Type | Value
---|---
Value | BARIUM
Category | Actor
Type | Microsoft-Activity-Group
Misp Type | Cluster
Description | Microsoft Threat Intelligence associates Winnti with multiple activity groups, which are collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims, particularly those working in Business Development or Human Resources, on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant, notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.
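The description names three delivery vectors (shortcut files with hidden payloads, compiled HTML Help files, and Office documents with macros or exploits). All three surface in endpoint telemetry the same way: a document viewer or the desktop shell spawning a script host or LOLBin. The hunting script below is an added example written for this page, not Microsoft's detection logic or anything derived from a BARIUM sample. The log records are constructed in a Sysmon Event ID 1-like shape, the interpreter list and the `.lnk` tell-tales (reading a shortcut back with `findstr`/`type`, `certutil -decode`, PowerShell `-EncodedCommand`) are the editor's assumptions, and `Invoice.lnk` is an invented filename.

```python
"""Hunt process-creation telemetry for CHM-, LNK- and macro-delivered payloads.

Added example for this page. Heuristics and sample data are the editor's
assumptions, not rules or artifacts published for BARIUM.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Script hosts and LOLBins a malicious CHM, LNK or macro typically hands off to
# (assumed list, not taken from any BARIUM sample).
CHILD_INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
CHM_VIEWER = "hh.exe"                                       # opens .chm files
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # macro / exploit documents
SHELL = "explorer.exe"                                      # user double-clicks a .lnk

# Assumed tell-tales of a shortcut that carries its own payload: the command
# line reads a .lnk back (findstr/type/more on *.lnk) or decodes an embedded
# blob (certutil -decode, powershell -EncodedCommand).
LNK_HINT = re.compile(
    r"(?i)(\b(findstr|type|more)\b.*\.lnk\b|-enc(odedcommand)?\b|certutil.*-decode)"
)


@dataclass
class ProcEvent:
    parent: str   # basename of ParentImage, lower-case
    image: str    # basename of Image, lower-case
    cmdline: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one tab-separated 'Key=Value' record (Sysmon EID 1-like fields)."""
    fields = dict(kv.split("=", 1) for kv in line.rstrip("\n").split("\t"))
    return ProcEvent(_basename(fields["ParentImage"]),
                     _basename(fields["Image"]),
                     fields["CommandLine"])


def classify(ev: ProcEvent) -> Optional[str]:
    """Return the delivery vector an event resembles, or None if it looks benign."""
    if ev.image not in CHILD_INTERPRETERS:
        return None
    if ev.parent == CHM_VIEWER:
        return "chm-spawned-interpreter"
    if ev.parent in OFFICE_APPS:
        return "office-spawned-interpreter"
    if ev.parent == SHELL and LNK_HINT.search(ev.cmdline):
        return "lnk-hidden-payload"
    return None


def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (vector, command line) for every suspicious record, in log order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        tag = classify(ev)
        if tag:
            hits.append((tag, ev.cmdline))
    return hits


# Constructed sample telemetry (synthetic; not real BARIUM artifacts).
SAMPLE_LOG = [
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\notepad.exe"
    "\tCommandLine=notepad.exe notes.txt",
    "ParentImage=C:\\Windows\\hh.exe\tImage=C:\\Windows\\System32\\cmd.exe"
    "\tCommandLine=cmd.exe /c powershell -w hidden -c \"iex (gc %TEMP%\\s.txt)\"",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\cmd.exe"
    "\tCommandLine=cmd.exe /c findstr /b \"TVqQ\" Invoice.lnk > %TEMP%\\r.txt"
    " && certutil -decode %TEMP%\\r.txt %TEMP%\\r.exe",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\cmd.exe"
    "\tCommandLine=cmd.exe /c dir",
]

if __name__ == "__main__":
    for tag, cmd in hunt(SAMPLE_LOG):
        print(f"{tag:28} {cmd}")
```

Run stand-alone, the script flags the second, third and fourth records and passes the two benign ones. The parent/child pairing is the durable signal here; the command-line regex is the part to tune per environment, since `explorer.exe` spawning `cmd.exe` is routine and only becomes interesting when the command line shows the shortcut reading or decoding its own contents.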
Details | CTI | Published | Attributes | Title
---|---|---|---|---
Details | Website | 2024-10-30 | 7 | 5 Critical Threat Actors You Need to Know About - ReliaQuest
Details | Website | 2024-10-02 | 6 | Chinese Threat Groups That Use Ransomware and Ransomware Groups That Use Chinese Names
Details | Website | 2024-09-03 | 6 | Threat Intelligence RoundUp: August
Details | Website | 2024-07-12 | 1 | China's APT41 crew adds stealthy malware to its toolbox
Details | Website | 2024-05-21 | 43 | Uncovering an undetected KeyPlug implant attacking industries in Italy - Yoroi
Details | Website | 2023-11-03 | 5 | Vertical Target Series: Industrials and Industrial Sub-Verticals
Details | Website | 2023-09-06 | 22 | Finding WyrmSpy and DragonEgg Ties to APT41 in the DNS
Details | Website | 2023-07-27 | 8 | Rewterz Threat Alert – APT Group Gamaredon aka Shuckworm – Active IOCs
Details | Website | 2023-07-27 | 27 | Rewterz Threat Alert – China-linked Group APT41 Targets Mobile Devices With New WyrmSpy and DragonEgg Spyware – Active IOCs
Details | Website | 2023-07-27 | 6 | Rewterz Threat Advisory – Multiple Jenkins Plugins Vulnerabilities
Details | Website | 2023-07-27 | 3 | Rewterz Threat Advisory – CVE-2023-1893 – WordPress Login Configurator Plugin Vulnerability
Details | Website | 2023-07-27 | 7 | Rewterz Threat Advisory – Multiple Trend Micro Apex Central Vulnerabilities
Details | Website | 2023-07-26 | 5 | Rewterz Threat Alert – CVE-2023-38606 – Apple macOS, iOS and iPadOS Vulnerability Exploited in the Wild
Details | Website | 2023-07-26 | 18 | Rewterz Threat Alert – Banking Sector Targeted In Open-Source Software Supply Chain Attacks – Active IOCs
Details | Website | 2023-07-24 | 40 | Optiv’s gTIC Prioritized Software and Services List + MITRE Tactics Part IV: Microsoft Software and Products
Details | Website | 2023-07-24 | 48 | Rewterz Threat Alert – China-linked Group APT41 Targets Mobile Devices With New WyrmSpy and DragonEgg Spyware – Active IOCs
Details | Website | 2023-07-24 | 2 | Rewterz Threat Advisory – CVE-2023-3446 – OpenSSL Vulnerability
Details | Website | 2023-07-22 | 3 | Chinese Threat Group APT41 Linked to Daring Android Malware Attack!
Details | Website | 2023-07-20 | 1 | Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware - RedPacket Security
Details | Website | 2023-07-19 | 3 | Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware
Details | Website | 2023-07-19 | 26 | What Is Advanced Persistent Threat (APT)?
Details | Website | 2023-07-19 | 1 | Why Should Enterprises Care About APTs? Defend Against Chinese, Russian Cyber Espionage Hacking Groups and Other Nation-State Actors
Details | Website | 2023-07-19 | 53 | WyrmSpy and DragonEgg: Lookout Attributes Android Spyware to China’s APT41 \| Threat Intel
Details | Website | 2023-07-14 | 1 | Hackers target Pakistani government, bank and telecom provider with China-made malware
Details | Website | 2023-05-04 | 2 | APT41 exploits the Google Command and Control (GC2) tool