The China-linked advanced persistent threat (APT) group known as APT41 is suspected of using an “advanced and upgraded version” of the malware StealthVector to deploy a previously undocumented backdoor called MoonWalk.
Zscaler ThreatLabz, which discovered this new loader strain in April 2024, has named the new variant of StealthVector (also known as DUSTPAN) DodgeBox.
“DodgeBox is a loader that proceeds to load a new backdoor named MoonWalk,” said security researchers Yin Hong Chang and Sudeep Singh. “MoonWalk shares many evasion techniques implemented in DodgeBox and utilizes Google Drive for command-and-control (C2) communication.”
APT41, a prolific state-sponsored threat actor linked to China, has been active since at least 2007. It is also tracked by the cybersecurity community under various names, including Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, Red Kelpie, TA415, Wicked Panda, and Winnti.
In September 2020, the U.S. Department of Justice (DoJ) announced the indictment of several individuals associated with APT41 for orchestrating intrusion campaigns targeting over 100 companies worldwide. The intrusions facilitated the theft of source code, software code signing certificates, customer account data, and valuable business information, while also enabling other criminal schemes, including ransomware and cryptojacking.
In recent years, APT41 has been linked to breaches of U.S. state government networks between May 2021 and February 2022 and attacks on Taiwanese media organizations using the open-source red teaming tool Google Command and Control (GC2).
Trend Micro first documented the use of StealthVector by APT41 in August 2021, describing it as a shellcode loader written in C/C++ used to deliver Cobalt Strike Beacon and a shellcode implant named ScrambleCross (aka SideWalk).
DodgeBox is considered an improved version of StealthVector, incorporating various evasion techniques such as call stack spoofing, DLL side-loading, and DLL hollowing. The exact distribution method of the malware remains unknown.
“APT41 employs DLL side-loading to execute DodgeBox,” the researchers noted. “They utilize a legitimate executable (taskhost.exe), signed by Sandboxie, to sideload a malicious DLL (sbiedll.dll).”
The malicious DLL, DodgeBox, is a DLL loader written in C that decrypts and launches a second-stage payload, the MoonWalk backdoor.
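As an added illustration of how a defender can hunt for the side-loading pair described above (this is not code from the article or from Zscaler), the following Python scans constructed, simplified image-load records for taskhost.exe loading sbiedll.dll where the DLL is unsigned or signed by someone other than the host's signer, or where the host executable runs from a user-writable path. The key="value" record format, the HostSignature enrichment field and the list of user-writable directory fragments are assumptions, not fields the article mentions.

```python
import re
from pathlib import PureWindowsPath

# Host executable / DLL name pairs named on the page. Extend with other
# known side-load pairs from your own telemetry.
SIDELOAD_PAIRS = {("taskhost.exe", "sbiedll.dll")}

# Directory fragments a signed vendor binary would not normally run from
# (assumption; tune to the environment).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

def parse_event(line):
    """Parse one constructed key="value" image-load record into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def classify(ev):
    """Return reasons the load looks like side-loading, or [] if clean."""
    host = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    if (host.name.lower(), dll.name.lower()) not in SIDELOAD_PAIRS:
        return []
    reasons = []
    # A side-loaded DLL sits next to its host by design, so co-location alone
    # is not a signal; a signer mismatch and an odd host location are.
    if ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("DLL unsigned or signature invalid")
    elif ev.get("Signature", "").lower() != ev.get("HostSignature", "").lower():
        reasons.append("DLL signer differs from host executable signer")
    if any(frag in str(host).lower() for frag in USER_WRITABLE):
        reasons.append("host executable running from a user-writable path")
    return reasons

def scan(lines):
    """Return [(host_path, reasons)] for every suspicious record in lines."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev["Image"], reasons))
    return hits

# Constructed sample records (not real telemetry); paths and signers are made up.
SAMPLE_EVENTS = [
    'Image="C:\\Program Files\\Sandboxie\\taskhost.exe" ImageLoaded="C:\\Program Files\\Sandboxie\\sbiedll.dll" Signature="Sandboxie" SignatureStatus="Valid" HostSignature="Sandboxie"',
    'Image="C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\taskhost.exe" ImageLoaded="C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\sbiedll.dll" Signature="" SignatureStatus="Unavailable" HostSignature="Sandboxie"',
    'Image="C:\\Windows\\System32\\svchost.exe" ImageLoaded="C:\\Windows\\System32\\rpcrt4.dll" Signature="Microsoft Windows" SignatureStatus="Valid" HostSignature="Microsoft Windows"',
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

Only the second constructed record is flagged: the legitimate Sandboxie-signed pair in its install directory and the unrelated svchost.exe load both pass.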
The attribution of DodgeBox to APT41 is based on the similarities between DodgeBox and StealthVector, the use of DLL side-loading (a technique widely employed by China-nexus groups to deliver malware such as PlugX), and the submission of DodgeBox samples to VirusTotal from Thailand and Taiwan, regions of strategic interest to China.
“DodgeBox is a newly identified malware loader that employs multiple techniques to evade both static and behavioral detection,” the researchers concluded. “It offers various capabilities, including decrypting and loading embedded DLLs, conducting environment checks and bindings, and executing cleanup procedures.”