The Chinese cyber threat group APT41 conducted an extended campaign targeting the networks of at least six U.S. state governments. For over a year, APT41 exploited internet-facing web applications and leveraged a zero-day vulnerability in the USAHerds application used by many state governments, gaining access to the broader networks of state governments.