APT41 is a well-known cybercriminal syndicate with many aliases: Wicked Panda, Barium, Brass Typhoon and Winnti. The group is notorious for targeting organizations across multiple sectors, including telecom and energy providers, educational institutions, and health care organizations in at least 42 countries.
Regardless of its name, the group is known to be a Chinese state-backed hacking operation with a decided focus on cyber espionage.
In July, a cybersecurity company revealed that its detection and response experts “observed a cyber espionage attack on a Southern African organization and linked it to the Chinese-speaking group APT41.”
“This incident reveals that the attackers have targeted government IT [information technology] services in one of the countries in the region, attempting to steal sensitive corporate data — including credentials, internal documents, source code, and communications,” cybersecurity analysts reported.
In contrast to the opportunistic, isolated incidents that comprise most cybercrime, an advanced persistent threat (APT) is a type of cybercrime in which a sophisticated, stealthy threat actor, typically a state or state-sponsored group, gains unauthorized access to a network and remains hidden for an extended period to achieve specific goals.
“It’s worth noting that, prior to the incident, Africa had experienced the least activity from this APT,” researchers Denis Kulik and Daniil Pogorelov wrote in a heavily documented incident report published in July.
Technology reporter Jai Vijayan said APT41 is one of the most prolific China-linked threat groups around.
“The group — actually, a collective of subgroups — has been active since at least 2012, and it’s notable for conducting espionage on behalf of Beijing while also pursuing cybercrime for financial gain,” he wrote in a July 22 article for cybersecurity website Dark Reading.
The attack “involved APT41’s typical tactics, techniques, and procedures. It included the usual blend of custom malware, credential harvesting, and the strategic use of compromised legitimate infrastructure to maintain persistence and evade detection.”
Cybercrime is exploding across the continent as technology and internet access proliferate, but cybersecurity lags in most countries.
Interpol’s 2025 Africa Cyberthreat Assessment Report warned that South Africa continues to be a top target, particularly in finance and government. South Africa suffered the most ransomware detections on the continent in 2024, with 17,849, according to Trend Micro.
In a June report, the South African Reserve Bank said that data breaches in 2024 cost the country $2.78 million. It ominously warned that a single cyberattack on the financial system “could simultaneously impair multiple institutions, triggering a systemic event.”
Experts say the country is an attractive target for cybercriminals because of its abundant digital infrastructure and widespread weaknesses: inadequate cybersecurity systems, a general lack of awareness and, to date, weak law enforcement responses.
Among the high-profile attacks on the government, the Department of Defence acknowledged in 2023 that cybercriminals accessed 1.6 terabytes of sensitive data, allegedly including military contracts, “internal call signs” and personal information.
In 2021, South Africa’s Department of Justice and Constitutional Development was hit by a ransomware attack that encrypted all of its information systems, causing widespread disruptions to its services for days.
South Africa’s most notable incidents in 2025 include:
- The South African Weather Service said a ransomware attack disrupted its systems in January.
- Hackers leaked data from Cell C, a major telecommunications network, onto the dark web after an April ransomware attack.
- In May, South African Airways disclosed that a cyberattack temporarily disrupted its operational systems.
Kulik said the APT41 attack in Southern Africa could not have been prevented without major investments in cybersecurity.
“In general, defending against such sophisticated attacks is impossible without comprehensive expertise and continuous monitoring of the entire infrastructure,” he said. “It is essential to maintain full security coverage across all systems with solutions capable of automatically blocking malicious activity at an early stage — and to avoid granting user accounts excessive privileges.”