diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll
index cb118ab7aae..6ba2bd2c59d 100644
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll
@@ -69,11 +69,6 @@ class MicrosoftAspNetCoreMvcNonControllerAttribute extends MicrosoftAspNetCoreMv
 }
 }
 
-/** A `Microsoft.AspNetCore.Mvc.Controller` attribute. */
-class MicrosoftAspNetCoreMvcControllerAttribute extends MicrosoftAspNetCoreMvcAttribute {
- MicrosoftAspNetCoreMvcControllerAttribute() { this.getType().hasName("ControllerAttribute") }
-}
-
 /** The `Microsoft.AspNetCore.Antiforgery` namespace. */
 class MicrosoftAspNetCoreAntiforgeryNamespace extends Namespace {
 MicrosoftAspNetCoreAntiforgeryNamespace() {
@@ -196,7 +191,7 @@ class MicrosoftAspNetCoreMvcControllerBaseClass extends Class {
 
 /**
 * A valid ASP.NET Core controller according to:
- * https://docs.microsoft.com/en-us/aspnet/core/mvc/controllers/actions?view=aspnetcore-3.1
+ * https://docs.microsoft.com/en-us/aspnet/core/mvc/controllers/actions?view=aspnetcore-3.1
 * https://github.com/dotnet/aspnetcore/blob/b3c93967ba508b8ef139add27132d9483c1a9eb4/src/Mvc/Mvc.Core/src/Controllers/ControllerFeatureProvider.cs#L39-L75
 */
 class MicrosoftAspNetCoreMvcController extends Class {
@@ -212,9 +207,16 @@ class MicrosoftAspNetCoreMvcController extends Class {
 not this.isAbstract() and
 not this.containsTypeParameters() and
 (
- this.getABaseType*() instanceof MicrosoftAspNetCoreMvcControllerBaseClass or
- this.getABaseType*().getName().matches("%Controller") or
- this.getABaseType*().getAnAttribute() instanceof MicrosoftAspNetCoreMvcControllerAttribute
+ this.getABaseType*() instanceof MicrosoftAspNetCoreMvcControllerBaseClass
+ or
+ this.getABaseType*().getName().matches("%Controller")
+ or
+ this.getABaseType*()
+ .getAnAttribute()
+ .getType()
+ .getABaseType*()
+ // ApiControllerAttribute is derived from ControllerAttribute
+ .hasQualifiedName("Microsoft.AspNetCore.Mvc.ControllerAttribute")
 ) and
 not this.getABaseType*().getAnAttribute() instanceof
 MicrosoftAspNetCoreMvcNonControllerAttribute
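Review bot: The inlined attribute check in the third disjunct replaces `instanceof MicrosoftAspNetCoreMvcControllerAttribute`, and the first hunk deletes that public class outright, so any downstream query that imports this library and names the class would stop compiling. Consider keeping the class and moving the new logic into its characteristic predicate, e.g. `MicrosoftAspNetCoreMvcControllerAttribute() { this.getType().getABaseType*().hasQualifiedName("Microsoft.AspNetCore.Mvc.ControllerAttribute") }`, or marking it `deprecated` for a release; the definition of its supertype `MicrosoftAspNetCoreMvcAttribute` is not visible here, so if that supertype restricts matches to the framework namespace the class may need a different base to cover user-defined derived attributes. Because this predicate decides which classes are modelled as controllers, and presumably therefore which action parameters the security queries treat as remote input, a library test with a class that carries only `[ApiController]` (no `Controller` suffix, no `ControllerBase` ancestor) would pin the new behaviour; none is visible in this section. The characteristic predicate starts above the hunk.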