APT41 Delivers 'Zero-Detection' Backdoor to Harvest Cloud Credentials

APT41 is deploying a zero-detection backdoor that targets cloud credentials across AWS, Google Cloud, Azure, and Alibaba Cloud, using typosquatted domains to obscure its C2 infrastructure. Any organization using these cloud platforms is at risk of credential theft and lateral movement into its cloud infrastructure. This is a live campaign with no known CVEs, so signature-based detection approaches are ineffective against it.

CRITICAL | Advisory | Apr 14, 2026
Action required
Hunt for suspicious cloud credential access patterns, failed authentication spikes, and unusual API calls from new principals. Correlate with DNS queries to typosquatted domains. Review cloud IAM logs for service account abuse and cross-account access attempts.
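The three hunts above (failed-authentication spikes, API calls from principals outside the baseline, and DNS lookups of domains a small edit away from legitimate cloud endpoints) can be scripted against exported logs. The following is an added example written for this advisory, not tooling from the advisory's author or from any cloud vendor. The event shape loosely mirrors AWS CloudTrail field names (eventName, errorCode, userIdentity.arn, sourceIPAddress); every event, DNS query, baseline principal and allow-listed domain in it is constructed sample data, and the error-code set and edit-distance threshold are assumptions to tune for your own environment.

```python
"""Hunting helpers for cloud-credential abuse: failed-auth spikes, calls from
unknown principals, and DNS lookups of look-alike (typosquatted) domains.

Added example; not code from the advisory. All data below is constructed.
"""
from collections import Counter, defaultdict

# Constructed baseline: principals already known to call the cloud API.
KNOWN_PRINCIPALS = {
    "arn:aws:iam::111111111111:user/ci-deploy",
    "arn:aws:iam::111111111111:role/app-reader",
}

# Constructed allow-list of registrable domains the fleet is expected to resolve.
LEGIT_DOMAINS = {"amazonaws.com", "googleapis.com", "azure.com", "aliyuncs.com"}

# Assumed set of error codes that indicate an authn/authz failure (tune per provider).
AUTH_FAILURE_CODES = {"AccessDenied", "UnauthorizedOperation", "InvalidClientTokenId"}

# Constructed CloudTrail-like events (subset of fields).
SAMPLE_EVENTS = [
    {"eventTime": "2026-04-14T10:00:01Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"}, "sourceIPAddress": "10.0.0.5"},
    {"eventTime": "2026-04-14T10:00:05Z", "eventName": "ListBuckets", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/svc-backup"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2026-04-14T10:00:06Z", "eventName": "GetSecretValue", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/svc-backup"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2026-04-14T10:00:07Z", "eventName": "ListUsers", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/svc-backup"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2026-04-14T10:01:00Z", "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:role/cross-acct-reader"}, "sourceIPAddress": "198.51.100.9"},
    {"eventTime": "2026-04-14T10:01:02Z", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:role/cross-acct-reader"}, "sourceIPAddress": "198.51.100.9"},
    {"eventTime": "2026-04-14T10:02:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/app-reader"}, "sourceIPAddress": "10.0.0.6"},
]

# Constructed DNS query names seen from the same hosts in the same window.
SAMPLE_DNS = [
    "sts.amazonaws.com", "oauth2.googleapis.com", "metadata.amazonavvs.com",
    "portal.azuer.com", "accounts.google.com", "oss.aliyuncs.com",
]


def principal_of(event):
    """Extract the calling principal; unknown structure maps to a sentinel."""
    return event.get("userIdentity", {}).get("arn", "<unknown>")


def failed_auth_spikes(events, threshold=3):
    """Return {principal: failure_count} for principals at or above the threshold."""
    counts = Counter(principal_of(e) for e in events if e.get("errorCode") in AUTH_FAILURE_CODES)
    return {p: n for p, n in counts.items() if n >= threshold}


def new_principal_calls(events, known=KNOWN_PRINCIPALS):
    """Group API call names by principals that are absent from the baseline."""
    calls = defaultdict(list)
    for e in events:
        p = principal_of(e)
        if p not in known:
            calls[p].append(e["eventName"])
    return dict(calls)


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(name):
    """Crude last-two-label approximation of the registrable domain (no public suffix list)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def typosquat_candidates(dns_queries, legit=LEGIT_DOMAINS, max_distance=2):
    """Map each queried name that is 1..max_distance edits from an allow-listed domain
    to the domain it resembles. Exact allow-list matches are skipped."""
    hits = {}
    for q in dns_queries:
        dom = registrable(q)
        if dom in legit:
            continue
        closest = min(legit, key=lambda good: levenshtein(dom, good))
        if 0 < levenshtein(dom, closest) <= max_distance:
            hits[q] = closest
    return hits


def hunt(events, dns_queries):
    """Run all three hunts and return their findings together for correlation."""
    return {
        "failed_auth_spikes": failed_auth_spikes(events),
        "new_principal_calls": new_principal_calls(events),
        "typosquat_lookups": typosquat_candidates(dns_queries),
    }


if __name__ == "__main__":
    for name, finding in hunt(SAMPLE_EVENTS, SAMPLE_DNS).items():
        print(f"{name}: {finding}")
```

On the constructed data this flags svc-backup for three denied calls in a row, surfaces the cross-account role and svc-backup as principals outside the baseline, and marks `metadata.amazonavvs.com` and `portal.azuer.com` as look-alikes of allow-listed domains while leaving `accounts.google.com` alone because it is too far from anything on the list. Correlation, the step the advisory asks for, is then a matter of joining the flagged principals' source addresses and times against the hosts that issued the flagged DNS queries.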
Affected products
Amazon Web Services, Google Cloud, Microsoft Azure, Alibaba Cloud