APT41, also known as Wicked Panda, Barium, and Winnti, used web shells on compromised Apache Tomcat Manager servers to execute droppers and distribute backdoors, then leveraged the DUSTTRAP multi-stage plugin framework to conceal its malicious activity, according to a report from Mandiant. The same attacks also used a command-line utility to exfiltrate data from Oracle databases.
Source: SC Magazine