MyPrivateClaw

APT41 Deploys Zero-Detection Backdoor to Harvest Cloud Credentials | Industry

Chinese state-sponsored group APT41 has been observed using a novel backdoor that evades all major endpoint detection tools to silently harvest cloud service c…

Published on MyPrivateClaw

Apr 13, 2026, 7:02 PM UTC

Coverage date

Apr 11, 2026

Last updated

Apr 13, 2026, 7:02 PM UTC

News summary

Security researchers have identified a new campaign by APT41 (also tracked as Double Dragon and Winnti) deploying a previously undocumented backdoor designed specifically to harvest cloud provider credentials while evading endpoint detection and response (EDR) tools.

Zero Detection Evasion

The backdoor, which Dark Reading reports has zero detections on VirusTotal at time of publication, uses a combination of living-off-the-land binaries (LOLBins), process hollowing into signed Windows processes, and encrypted C2 communications over legitimate cloud storage APIs to avoid behavioral detection.

Cloud Credential Targeting

Once established, the implant specifically targets credential stores for AWS, Azure, and GCP, including environment variables, instance metadata service (IMDS) endpoints, and application configuration files. Harvested credentials are exfiltrated via the same cloud storage…
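The two collection behaviours named in the summary, reads of local cloud credential stores and calls to the instance metadata service, are both visible in ordinary endpoint telemetry. The following is an added detection example written for this page; it is not code from the article, from Dark Reading, or from any vendor product. It scans constructed JSON audit events for those two behaviours and flags them when the acting process is not on an allow-list of expected cloud agents. The event schema, the field names, the allow-list and the sample events are all assumptions; the credential file paths are the documented CLI defaults, and 169.254.169.254 is the link-local IMDS address used by AWS, Azure and GCP.

```python
"""Flag cloud credential-store reads and IMDS access by unexpected processes.

Added example for illustration only; event format and allow-list are assumed.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Default on-disk credential stores for the three providers' CLIs/SDKs.
CREDENTIAL_PATH_PATTERNS = [
    re.compile(r"[\\/]\.aws[\\/](credentials|config)$", re.IGNORECASE),
    re.compile(r"[\\/]\.azure[\\/]", re.IGNORECASE),
    re.compile(r"[\\/]gcloud[\\/]", re.IGNORECASE),
]

# Link-local instance metadata service address (AWS, Azure, GCP).
IMDS_ADDRESS = "169.254.169.254"

# Processes expected to touch credentials or IMDS on this fleet (assumed).
ALLOWED_PROCESSES = {
    "aws", "aws.exe", "az", "az.exe", "gcloud",
    "amazon-ssm-agent", "cloud-init", "waagent",
}


@dataclass
class Finding:
    ts: str
    process: str
    kind: str     # "credential_store_read" or "imds_access"
    detail: str   # file path or IMDS URL path


def is_credential_path(path: str) -> bool:
    """True if the path is one of the well-known cloud credential stores."""
    return any(p.search(path) for p in CREDENTIAL_PATH_PATTERNS)


def classify_event(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious event, or None if it is benign."""
    process = event.get("process", "")
    if process.lower() in ALLOWED_PROCESSES:
        return None
    ts = event.get("ts", "")
    etype = event.get("type")
    if etype == "file_read" and is_credential_path(event.get("path", "")):
        return Finding(ts, process, "credential_store_read", event["path"])
    if etype == "net_connect" and event.get("dest_ip") == IMDS_ADDRESS:
        return Finding(ts, process, "imds_access", event.get("url_path", ""))
    return None


def scan_events(lines: Iterable[str]) -> List[Finding]:
    """Parse JSON-lines telemetry and collect findings; skip malformed lines."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry should not abort the whole scan
        finding = classify_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real data). The svchost.exe entries stand
# in for a hollowed signed host process, as described in the summary.
SAMPLE_EVENTS = [
    r'{"ts":"2026-04-11T09:00:01Z","type":"file_read","process":"svchost.exe","path":"C:\\Users\\ops\\.aws\\credentials"}',
    r'{"ts":"2026-04-11T09:00:02Z","type":"file_read","process":"aws.exe","path":"C:\\Users\\ops\\.aws\\credentials"}',
    r'{"ts":"2026-04-11T09:00:03Z","type":"net_connect","process":"svchost.exe","dest_ip":"169.254.169.254","dest_port":80,"url_path":"/latest/meta-data/iam/security-credentials/"}',
    r'{"ts":"2026-04-11T09:00:04Z","type":"net_connect","process":"amazon-ssm-agent","dest_ip":"169.254.169.254","dest_port":80,"url_path":"/latest/meta-data/instance-id"}',
    r'{"ts":"2026-04-11T09:00:05Z","type":"file_read","process":"notepad.exe","path":"C:\\Users\\ops\\notes.txt"}',
    r'{"ts":"2026-04-11T09:00:06Z","type":"file_read","process":"bash","path":"/home/ops/.config/gcloud/application_default_credentials.json"}',
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.ts} {f.kind:22} {f.process:18} {f.detail}")
```

Running the block on the sample events reports three findings (two credential-store reads and one IMDS call) and ignores the allow-listed agents and the unrelated file read. Because the campaign hollows into signed Windows processes, an allow-list keyed on process name alone is easy to satisfy; in production, key it on the image path and signer, or on parent-process lineage, and pair the IMDS rule with enforcing IMDSv2-style token-and-hop-limit controls so that a hollowed process cannot simply GET credentials from the metadata endpoint.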