APT41 Targeting Pharmaceutical Sector: Log4Shell to Domain Compromise
2026-5-13 08:18:56 Author: infosecwriteups.com

Threat Intelligence Report | Operation DragonRx

Andrey Pautov

Classification: TLP:CLEAR — Unrestricted distribution (FIRST TLP 2.0)
Report ID: CTI-2026-APT41-001
Date: 2026-04-25
Analyst: Andrey Pautov (@1200km)
Status: Draft

Research notice: This report documents a representative APT41-style intrusion scenario constructed for adversary-emulation research and defender training. NovaTech Pharma, Operation DragonRx, the RxPhage implant, all IP addresses, credentials, and IOCs are fictional. The attack chain, techniques, and tooling are drawn from authoritative open-source APT41 reporting. This is a threat-intelligence product describing the attack as observed in the research scenario — not a confirmed APT41 intrusion. See the companion lab guide for hands-on reproduction: lab-architecture.md.

Operation DragonRx series:

CTI Report


Article source: https://infosecwriteups.com/apt41-targeting-pharmaceutical-sector-log4shell-to-domain-compromise-9e4c1ba9dad6?source=rss----7b722bfd1b8d---4