Security Articles

Targeted attack by Cobalt Strike loader that abuses Microsoft's digital signature - Attacker group APT41

released on 2021-05-24 @ 11:24:07 AM
Lac Watch has been observing attacks using SigLoader (also known as DESLoader or Ecipekac) since the beginning of 2021. This series of attacks was reported at the Japan Security Analyst Conference (JSAC) in January 2021 and was also described as the A41APT attack campaign on Kaspersky's blog in March 2021. While investigating attacks that use SigLoader, Lac Watch identified multiple malware samples, referred to as "Cobalt Strike loader", that abuse Microsoft's digitally signed DLL files and differ from SigLoader. This article introduces the relationship between this Cobalt Strike loader and the attacker group "APT41" hidden behind it.