{"id":49217,"date":"2022-11-09T00:00:00","date_gmt":"2022-11-09T00:00:00","guid":{"rendered":"urn:uuid:ed053cb7-9719-17d8-e470-fa79b0a05efb"},"modified":"2022-11-09T00:00:00","modified_gmt":"2022-11-09T00:00:00","slug":"hack-the-real-box-apt41s-new-subgroup-earth-longzhi","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/","title":{"rendered":"Hack the Real Box: APT41\u2019s New Subgroup Earth Longzhi"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-apt41-new-subgroup-earth-longzhi.jpg\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August. \"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"malware,cyber crime,exploits &amp; vulnerabilities,phishing,cyber threats,apt &amp; targeted attacks,endpoints,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2022-11-09\"> <meta property=\"article:tag\" content=\"apt &amp; targeted attacks\"> <meta property=\"article:section\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html\"> <title>Hack the Real Box: APT41\u2019s New Subgroup Earth Longzhi<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html\"><br \/>\n<meta property=\"og:title\" content=\"Hack the Real Box: APT41\u2019s New Subgroup Earth Longzhi\"><br \/>\n<meta property=\"og:description\" content=\"We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August. \"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-apt41-new-subgroup-earth-longzhi.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Hack the Real Box: APT41\u2019s New Subgroup Earth Longzhi\"><br \/>\n<meta name=\"twitter:description\" content=\"We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August. \"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-apt41-new-subgroup-earth-longzhi.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.173140086544\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"58877714\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.287841191067\">\n<div class=\"article-details\" role=\"heading\" readability=\"38.129032258065\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">APT &amp; Targeted Attacks<\/p>\n<p class=\"article-details__description\">We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August. <\/p>\n<p class=\"article-details__author-by\">By: Hara Hiroaki, Ted Lee <time class=\"article-details__date\">November 09, 2022<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"45.273510409189\">\n<div readability=\"36.415649676956\">\n<p>In early 2022, we investigated an incident that compromised a company in Taiwan. The malware used in the incident was a simple but custom Cobalt Strike loader. After further investigation, however, we found incidents targeting multiple regions using a similar Cobalt Strike loader. While analyzing code similarities and tactics, techniques, and procedures (TTPs), we discovered that the actor behind this attack has been active since 2020. After clustering each intrusion, we concluded that the threat actor is a new subgroup of advanced persistent threat (APT) group <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/earth-baku-returns\">APT41<\/a> that we call Earth Longzhi. In this entry, we reveal two campaigns by Earth Longzhi from 2020 to 2022 and introduce some of the group\u2019s arsenal in these campaigns. This entry was also presented at the <a href=\"https:\/\/hitcon.org\/2022\/agenda\/b8861eee-0d4b-4b8c-90c0-9fd9f4ccc8c4\">HITCON PEACE 2022<\/a> conference in August this year.<\/p>\n<p><span class=\"main-subtitle-black\">Campaign overview<\/span><\/p>\n<p>Since it first started being active in 2020, Earth Longzhi\u2019s long-running campaign can be divided into two based on the range of time and toolset. During its first campaign deployed from 2020 to 2021, Earth Longzhi targeted the government, infrastructure, and health industries in Taiwan and the banking sector in China. In its second campaign from 2021 to 2022, the group targeted high-profile victims in the defense, aviation, insurance, and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure-1-earth-longzhi-apt41-subgroup.jpg\" alt=\"figure1-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 1. Earth Longzhi\u2019s victim countries from 2020 to 2022<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><span class=\"body-subhead-title\">Attack vector<\/span><\/p>\n<p>Both campaigns used spear-phishing emails as the primary entry vector to deliver Earth Longhzhi\u2019s malware. &nbsp;The attacker embeds the malware in a password-protected archive or shares a link to download a malware, luring the victim with information about a person. Upon opening the link, the victim is redirected to a Google Drive hosting a password-protected archive with a Cobalt Strike loader we call CroxLoader.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure-2-earth-longzhi-apt41-subgroup.jpg\" alt=\"figure2-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 2. Malware delivery via spear-phishing email in traditional Chinese<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>In some cases, we also found that the group exploited publicly available applications to deploy and execute a simple downloader to download a shellcode loader and the necessary hack tools for the routine.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure-3-earth-longzhi-apt41-subgroup.jpg\" alt=\"figure3-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 3. Deliver malware through exploiting exposed applications <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p><span class=\"main-subtitle-black\">Campaign No. 1: May 2020 &#8211; Feb 2021<\/span><\/p>\n<p>We tracked Earth Longzhi mainly targeting the government, healthcare, academic, and infrastructure industries in Taiwan with a custom Cobalt Strike loader, which we have called Symatic loader, and custom hacking tools.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure-4-earth-longzhi-apt41-subgroup.jpg\" alt=\"figure4-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 4. Timeline of attacks during the first campaign<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.829201101928\">\n<div readability=\"12.552341597796\">\n<p><span class=\"body-subhead-title\">Symatic loader<\/span><\/p>\n<p>Symatic is the primary loader used to load the Cobalt Strike payload in the first campaign. To avoid being detected, Symatic adopts the following techniques:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Restoring in-memory hooks in the user-mode face of the Windows kernel utility <i>ntdll.dll<\/i> by anti-hooking<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Masquerading the parent process by API <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/processthreadsapi\/nf-processthreadsapi-updateprocthreadattribute\">UpdateProcThreadAttribute<\/a><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Injecting a decrypted payload into the system built-in process (<i>dllhost.exe<\/i> or <i>rundll32.ex<\/i>e)<\/span><\/li>\n<\/ul>\n<p>Security solutions place the in-memory API hooks in <i>ntdll.dll<\/i> to monitor suspicious behavior. Symatic removes the API hooks first and gets the raw content of <i>ntdll.dll<\/i> from the disk. It then proceeds to replace the in-memory ntdll image to make sure there are no hooks placed in <i>ntdll.dll<\/i>.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure5-earth-longzhi-apt41-subgroup.png\" alt=\"figure5-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 5. Symatic Loader\u2019s detection evasion techniques<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>After restoring the ntdll, Symatic will spawn a new process for process injection. It is worth noting that it will masquerade the parent process of the newly created process to obfuscate the process chain.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure6-earth-longzhi-apt41-subgroup.png\" alt=\"figure6-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 6. Obfuscating the process chain<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p><span class=\"body-subhead-title\">All-in-one hack tool<\/span><\/p>\n<p>For the post-exploitation operations of this campaign, Earth Longzhi also prepares an all-in-one tool to combine all the necessary tools in one package. Most of the tools included in this one package are either publicly available or were used in previous attack deployments. This compressed tool allows them to complete multiple operations by using a single executable in their operation.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<caption>Table 1. All the tools needed for the routine in one executable<\/caption>\n<tbody readability=\"8.9234693877551\">\n<tr>\n<th scope=\"col\">Arguments<\/th>\n<th scope=\"col\">Function<\/th>\n<\/tr>\n<tr>\n<td>-P<\/td>\n<td><a href=\"https:\/\/github.com\/HiwinCN\/HTran\">HTRan<\/a><\/td>\n<\/tr>\n<tr>\n<td>-S<\/td>\n<td>Socks5 proxy<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>-SQL<\/td>\n<td>Password scans against Microsoft SQL server (MSSQL) with a given dictionary<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>-IPC<\/td>\n<td>Password scans over $IPC with a given dictionary<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>-SFC<\/td>\n<td>Disables Windows File Protection via <i>SFC_OS.dll<\/i><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>-filetime<\/td>\n<td>Modifies a specific file\u2019s timestamp<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>-Port<\/td>\n<td>TCP (Transmission Control Protocol) port scanner<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>-Runas<\/td>\n<td>Launches a process with higher privileges<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>-Clone<\/td>\n<td>Clones specified users\u2019 relative ID (RID) in registry for RID spoofing<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>-driver<\/td>\n<td>Gets information of local or remote drives (using NetShareEnum)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>-sqlcmd<\/td>\n<td>Command will be executed with SQLExecDirect<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure7-earth-longzhi-apt41-subgroup.png\" alt=\"figure7-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 7. All-in-one tool available since 2014<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p><span class=\"main-subtitle-black\">Second campaign: August 2021 to June 2022<\/span><\/p>\n<p>Earth Longzhi initiated the second campaign five months after the last attack in its first campaign. In this campaign, the APT group used various types of customized Cobalt Strike loaders, which we call CroxLoader, BigpipeLoader, and OutLoader. We also found other customized hacking tools.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure-8-earth-longzhi-apt41-subgroup.jpg\" alt=\"figure8-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 8. Timeline of attacks during the second campaign<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p><span class=\"body-subhead-title\">Custom loaders<\/span><\/p>\n<p>We discovered several custom loaders of Cobalt Strike, including similar samples uploaded in VirusTotal. Each loader implemented a different algorithm to decrypt the payload, as follows:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<caption>Table 2. Summary of customized loaders in the second campaign<\/caption>\n<tbody readability=\"6\">\n<tr>\n<th scope=\"col\">Name<\/th>\n<th scope=\"col\">Observed<\/th>\n<th scope=\"col\">Algorithm<\/th>\n<th scope=\"col\">Extra feature<\/th>\n<\/tr>\n<tr readability=\"4\">\n<td>CroxLoader<\/td>\n<td>Oct 2021 onward<\/td>\n<td>\n<ul>\n<li><span class=\"rte-red-bullet\">XOR 0xCC + SUB 0xA<\/span><\/li>\n<li><span class=\"rte-red-bullet\">RtlDecompressBuffer + XOR 0xCC<\/span><\/li>\n<\/ul>\n<\/td>\n<td>\n<ul>\n<li><span class=\"rte-red-bullet\">Process injection<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Decoy document<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>BigpipeLoader<\/td>\n<td>Aug 2021 onward&nbsp;<\/td>\n<td>\n<ul>\n<li><span class=\"rte-red-bullet\">Base64 + RSA + AES128-CFB<\/span><\/li>\n<li><span class=\"rte-red-bullet\">AES128-CFB<\/span><\/li>\n<\/ul>\n<\/td>\n<td>\n<ul>\n<li><span class=\"rte-red-bullet\">Multi-threading decryption over named pipe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Decoy document<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>MultiPipeLoader<\/td>\n<td>Aug 2021<\/td>\n<td>Base64 + AES128-CFB<\/td>\n<td>\n<ul>\n<li><span class=\"rte-red-bullet\">Multi-threading decryption over named pipe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Decoy document<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>OutLoader<\/td>\n<td>Sep 2021<\/td>\n<td>AES128-CFB<\/td>\n<td>\n<ul>\n<li><span class=\"rte-red-bullet\">Downloads payload from an external server<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Decoy document<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><span class=\"body-subhead-title\">CroxLoader<\/span><\/p>\n<p>During the deployment of the second campaign, we found two different variants of CroxLoader with respective patterns of use. The first variant is commonly used when attackers use publicly facing applications as the entry point of attack. It decrypts the embedded payload and injects the decrypted payload into the remote process. Meanwhile, the second variant of CroxLoader is often deployed through spearphishing emails to lure victims into opening it. The variant used for each targeted victim depends on the applicable attack scenario.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure-9-earth-longzhi-apt41-subgroup.jpg\" alt=\"figure9-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 9. TTPs of the CroxLoader variants<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p><span class=\"body-subhead-title\">BigpipeLoader<\/span><\/p>\n<p>Since this loader will read\/write encrypted payload through a named pipe, we named this shellcode loader BigpipeLoader. In one of our threat hunting sessions, we found two variants of this loader with different execution procedures. The first variant of BigpipeLoader just drops the decoy file and loads the Cobalt Strike payload into the memory, then proceeds to execute it. In the second variant, however, the attacker creates a dropper, which drops the malicious <i>WTSAPI32.dll<\/i> designed to be sideloaded by a legitimate application with the file name \u201c<i>wusa.exe<\/i>\u201d. This launches the encrypted BigpipeLoader (<i>chrome.inf<\/i>). Both variants of BigpipeLoader use the AES-128-CFB algorithm to decrypt the payload.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure-10-earth-longzhi-apt41-subgroup.jpg\" alt=\"figure10-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 10. TTPs of the BigpipeLoader variants<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"46.116150442478\">\n<div readability=\"38.266592920354\">\n<p>Meanwhile, MultipipeLoader and OutLoader are similar to CroxLoader and BigpipeLoader but have slightly different features. MultipipeLoader uses multiple threads to read\/write the encrypted payload like BigpipeLoader, but it implements a similar decryption routine as CroxLoader.&nbsp;Meanwhile, OutLoader tries to download the payload from a remote server, while its other function is the same as BigpipeLoader. From these minimal variations, we believe the attacker is trying to develop new loaders by combining existing features of other, previously used loaders.&nbsp;<\/p>\n<p><span class=\"body-subhead-title\">Post-exploitation<\/span><\/p>\n<p>During the investigation of the second campaign, we collected multiple hacking tools used for privilege escalation (<a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/h\/detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one.html\">PrintNightmare<\/a> and <a href=\"https:\/\/github.com\/itm4n\/PrintSpoofer\">PrintSpoofer<\/a>), credential dumping (custom standalone <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021\">Mimikatz<\/a>), and defense evasion (disablement of security products). Instead of using public tools as they are, the threat actors are able to reimplement or develop their own tools based on some open-source projects. In the following subsections, we introduce these hack tools.<\/p>\n<p><b>Custom standalone Mimikatz<\/b><\/p>\n<p>Earth Longzhi reimplemented some modules of Mimikatz (shown in Table 3) as standalone binaries. Upon comparing the binary and source code, the attacker just removed the necessary code snippet from the public code and compiled it as standalone binary. We call this technique &#8220;Bring-Your-Own Mimikatz.&#8221; &nbsp;The reimplementation of open-source hacking tools such as Mimikatz is common among red-team community groups for reducing chances of detection.<\/p>\n<p>We also observed the standalone version of the <i>sekurlsa::logonpasswords<\/i> module, which abuses the vulnerable driver <i>RTCore64.sys<\/i> to disable the Protected Process Light (PPL) mechanism to dump credentials from <i>lsass.exe<\/i>. We will introduce how this vulnerable driver helps to bypass the PPL.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<caption>Table 3. Reimplemented Mimikatz modules and their functions<\/caption>\n<tbody readability=\"5.9572192513369\">\n<tr>\n<th scope=\"col\">Reimplemented Mimikatz modules<\/th>\n<th scope=\"col\">Description of reimplemented function<\/th>\n<\/tr>\n<tr readability=\"3\">\n<td>sekurlsa::logonpasswords<\/td>\n<td>To dump credentials from <i>lsass.exe<\/i>; some variants support disabling PPL by using the vulnerable driver.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>lsadump::dcsync<\/td>\n<td>To perform a DCSync attack<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>lsadump::backupkeys + dpapi::chrome<\/td>\n<td>To combine two different modules to retrieve a backup key from domain controller (DC) and use the key to decrypt chrome\u2019s credential data protected by Data Protection API (DPAPI)&nbsp;<\/td>\n<\/tr>\n<tr readability=\"1.9191919191919\">\n<td>misc::memssp<\/td>\n<td>To dump credentials through Security Support Provider (SSP); implemented based on <a href=\"https:\/\/blog.xpnsec.com\/exploring-mimikatz-part-2\/\">@XPN<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.753369272237\">\n<div readability=\"18.359838274933\">\n<p><b>Security product disablement<\/b><\/p>\n<p>For disabling security products, we found two different tools, which we named ProcBurner and AVBurner. Both tools abuse the vulnerable driver (<i>RTCore64.sys<\/i>) to modify the specified value in the kernel object. <i>RTCore64.sys<\/i> is a component of <a href=\"https:\/\/www.msi.com\/Landing\/afterburner\/graphics-cards\">Afterburner<\/a>. In 2019, this driver was assigned as <a href=\"https:\/\/www.cvedetails.com\/cve\/CVE-2019-16098\/\">CVE-2019-16098<\/a>, which allows authenticated users to read\/write any arbitrary address including kernel space. However, the outdated version of vulnerable driver still has a valid signature. As a result, the attacker can deliver the outdated version of the driver into the victim machine and abuse it for various purposes, such as for anti-antivirus or anti-EDR. This technique is known as &#8220;Bring-Your-Own Vulnerable Driver.&#8221;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure11-earth-longzhi-apt41-subgroup.png\" alt=\"figure11-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 11. CVE-2019-16098 in RTCore64.sys<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>ProcBurner is designed to terminate specific running processes. Simply put, it tries to change the protection of the target process by forcibly patching the access permission in the kernel space using the vulnerable <i>RTCore64.sys<\/i>. We show the workflow of ProcBurner&nbsp; here (note that the environment used is Windows 10 20H2 x64):<\/p>\n<ol>\n<li>OpenProcess with PROCESS_QUERY_LIMITED_INFORMATION (=0x1000).<\/li>\n<li>Return HANDLE of target process ( 0x1d8).<\/li>\n<li>Get the address of HANDLE_TABLE_ENTRY object of target handle by tracking back from EPROCESS object.<\/li>\n<li>Send IOCTL request to mask HANDLE_TABLE_ENTRY. GrantedAccessBits of target process with PROCESS_ALL_ACCESS (=0x1fffff).&nbsp;<\/li>\n<li>Vulnerable <i>RTCore64.sys<\/i> writes the requested bitmask value.<\/li>\n<li>Terminate process.<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure-12-earth-longzhi-apt41-subgroup.jpg\" alt=\"figure12-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 12. The workflow of ProcBurner<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"44\">\n<div readability=\"33\">\n<p>Specific to ProcBurner, it can check the currently running operating system version before patching. ProcBurner hard-codes the offset of kernel objects\u2019 field, which can be different for each build version. If ProcBurner supports the offset correctly, it should work on any of the versions listed. The following versions are supported:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Windows 7 SP1<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Windows Server 2008 R2 SP1<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Windows 8.1<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Windows Server 2012 R2<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Windows 10 1607<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Windows 10 1809<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Windows Server 2018 1809<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Windows 10 20H2<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Windows 10 21H1<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Windows 11 21H2<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Windows 11 22449<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Windows 11 22523<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Windows 11 22557<\/span><\/li>\n<\/ul>\n<p>For AVBurner, this tool is designed for removing the kernel callback routine to unregister the AV\/EDR product. To understand how AVBurner works, we will briefly introduce kernel callback.<\/p>\n<p>Kernel callback is a Windows OS mechanism to allow drivers, including antivirus drivers, to register callback routines to receive notifications on certain events such as process, thread, or registry creation. <i>Ntoskrnl.exe<\/i> provides several APIs for drivers to register callbacks for each event. For example, for monitoring process creation, PsSetCreateProcessNotifyRoutine is exported. This API receives the function pointer to invoke when any process is created. When PsSetCreateProcessNotifyRoutine is called, it invokes PspSetCreateProcessNotifyRoutine. In this function, Windows kernel registers the given callback function at the end of a callback array named PspCreateProcessNotifyRoutine. After this, when any process is created, Windows kernel enumerates this table to find the callback function.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure-13-earth-longzhi-apt41-subgroup.jpg\" alt=\"figure13-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 13. AV.sys registers callback for process creation event by calling the PsSetCreateProcessNotifyRoutine API<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>AVBurner abuses <i>RTCore64.sys<\/i> to enumerate the PspCreateProcessNotifyRoutine array to find the target driver. The workflow of AVBurner is as follows:<\/p>\n<ol>\n<li>Get addresses of PsSetCreateProcessNotifyRoutine and IoCreateDriver.<\/li>\n<li>Search for a specific sequence of bytes to find the address of PspCreateProcessNotifyRoutine between the above addresses (PsSetCreateProcessNotifyRoutine and IoCreateDriver).<\/li>\n<li>PspCreateProcessNotifyRoutine is a table of callback functions that contains the custom pointer to object EX_CALLBACK_ROUTINE_BLOCK. The address of the said object can be calculated by removing the last four bits of the pointer.<\/li>\n<li>EX_CALLBACK_ROUTINE_BLOCK.Function (offset=0x08) contains a pointer to the callback function (Driver.sys in this case). Get the driver\u2019s file path that the callback function belongs to, and if the driver\u2019s file property has target string (such as Trend), AVBURNER overwrites the pointer with NULL, resulting in the removal of the callback registration.<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure-14-earth-longzhi-apt41-subgroup.jpg\" alt=\"figure14-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 14. The workflow of AVBurner<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p><span class=\"main-subtitle-black\">Attribution<\/span><\/p>\n<p>We attributed these threat actors to APT41\u2019s subgroup Earth Longzhi based on the following factors.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure-15-earth-longzhi-apt41-subgroup.jpg\" alt=\"figure15-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 15. Finding Earth Longzhi\u2019s position in the APT41 organizational structure<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.856975381008\">\n<div readability=\"22.32590855803\">\n<p><span class=\"body-subhead-title\">Victimology<\/span><\/p>\n<p>The affected regions and targeted sectors are countries of interest located in the East and Southeast Asia, which is close to the victimology identified in our <a href=\"https:\/\/documents.trendmicro.com\/assets\/white_papers\/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf\">research<\/a> on another APT41 subgroup, Earth Baku.<\/p>\n<p><span class=\"body-subhead-title\">Shared Cobalt Strike metadata with other APT41 subgroups<\/span><\/p>\n<p>After checking all the metadata of the Cobalt Strike payloads, we found that most of payloads shared the same watermark, <i>426352781<\/i>, and public key <i>9ee3e0425ade426af0cb07094aa29ebc<\/i>. This watermark and public key combination is also used by <a href=\"https:\/\/documents.trendmicro.com\/assets\/white_papers\/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf\">Earth Baku<\/a> and <a href=\"https:\/\/hitcon.org\/2021\/agenda\/1abeaad2-5152-4468-91ac-d50a39dd7834\/Winnti%20is%20Coming%20-%20Evolution%20after%20Prosecution.pdf\">GroupCC<\/a>, which are also believed to be subgroups of APT41. The identified watermark has not yet been attributed to other threat actors. The use of the same watermark and public key indicates Earth Longzhi sharesing the Cobalt Strike team server, as well as Cobalt Strike package and license with the other APT41 subgroups.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure-16-earth-longzhi-apt41-subgroup.jpg\" alt=\"figure16-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 16. Timeline of attacks with shared Cobalt Strike metadata<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.372163388805\">\n<div readability=\"15.491679273828\">\n<p><span class=\"body-subhead-title\">Code similarities of shellcode loaders and overlapping TTPs<\/span><\/p>\n<p>We also found that the decryption algorithms in Symatic Loader and CroxLoader are quite similar to the one identified with <a href=\"https:\/\/hitcon.org\/2021\/agenda\/1abeaad2-5152-4468-91ac-d50a39dd7834\/Winnti%20is%20Coming%20-%20Evolution%20after%20Prosecution.pdf\">GroupCC<\/a>. &nbsp;All of the said loaders use &lt;<i>(sub 0xA) XOR 0xCC&gt;<\/i> as their decryption algorithm. As for the similar TTPs, Earth Longzhi also adopted the Python Fastly CDN used by GroupCC to hide the actual command-and-control (C&amp;C) server address. At the time we were analyzing Earth Longzhi, we did not find reports documenting the abuse of Python CDN, other than the <a href=\"https:\/\/hitcon.org\/2021\/agenda\/1abeaad2-5152-4468-91ac-d50a39dd7834\/Winnti%20is%20Coming%20-%20Evolution%20after%20Prosecution.pdf\">GroupCC report<\/a> by Team T5. Hence, we consider it as evidence of the relationship between Earth Longzhi and GroupCC.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/figure-17-earth-longzhi-apt41-subgroup.jpg\" alt=\"figure17-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"><figcaption>Figure 17. Decryption algorithm used by GroupCC (top), CroxLoader (left), and Symatic loader (bottom)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"49.719593410445\">\n<div readability=\"44.747634069401\">\n<p><span class=\"main-subtitle-black\">Conclusion<\/span><\/p>\n<p>We profile Earth Longzhi as an APT group that mainly targets the Asia-Pacific region. After investigating two different campaigns, we verified that its target sectors are in industries pertinent to Asia-Pacific countries\u2019 national security and economies. The activities in these campaigns show that the group &nbsp;&nbsp;is knowledgeable on red-team operations. The group uses social engineering techniques to spread its malware and deploy customized hack tools to bypass the protection of security products and steal sensitive data from compromised machines. From an overall security perspective, it seems that Earth Longzhi is playing <a href=\"https:\/\/www.hackthebox.com\/\">Hack The Box<\/a>, an online platform for penetration testing, but in the real world.<\/p>\n<p>APT41 groups are seemingly using less custom malware but are getting more accustomed to using more commodity malware such as Cobalt Strike. They are also now more focused on developing new loaders and hacking tools to bypass security products. AVBurner is a formidable example of this, as it disables solutions that still use the dated and vulnerable driver, while both ProcBurner and AVBurner focus on kernel-level security \u2014 a noticeable emerging pattern among APT groups and cybercrime. In addition, Earth Longzhi, as a subgroup of APT41, appears familiar with offensive security teams such as red teams.<\/p>\n<p>In the process of attribution, we also discovered that the group uses shared Cobalt Strike licenses and imitates the TTPs used with other APT41 subgroups. The behavior of sharing tools between different groups could point to the following circumstances:<\/p>\n<ol>\n<li>These threat actors are no longer static groups. Although the organizational structure will keep changing from time to time, the tools will be inherited by the subsequent newly organized groups.<\/li>\n<li>The tool developers and campaign operators share the tools with their collaborator groups.<\/li>\n<\/ol>\n<p>Following these indications, tool-based attribution and analysis will likely become more complicated and will be a challenge to threat researchers in figuring links among different groups. Researchers of APT groups and other cybercriminals will also have to consider other aspects and integrate collected information such as code similarities and victim profiles, among other technical characteristics for consideration. Security providers and solutions will also have to reassess and, if possible, avoid or disable the use of vulnerable drivers. At the very least, organizations\u2019 security teams should be allowed to enable features such as monitoring of vulnerable driver installation, if available. Fortunately for researchers and operational security teams, these groups\u2019 use of publicly available tools and previously deployed routines can be detected faster and can be tested using their TTPs.<\/p>\n<p><span class=\"main-subtitle-black\">Indicators of Compromise (IOCs)<\/span><\/p>\n<p>Find the full list of IOCs <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/IOCs-hack-the-real-box-apt41-new-subgroup-earth-longzhi.txt\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p><span class=\"main-subtitle-black\">MITRE ATT&amp;CK<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi\/mitre-table-earth-longzhi-apt41-subgroup.jpg\" alt=\"MITRE-earth-longzhi-apt41-subgroup-campaigns-hitcon-peace-2022\"> <\/figure>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":49218,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9521,9511,9508,9555,9513,9577],"class_list":["post-49217","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-malware","tag-trend-micro-research-phishing"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Hack the Real Box: APT41\u2019s New Subgroup Earth Longzhi 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Hack the Real Box: APT41\u2019s New Subgroup Earth Longzhi 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-09T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-apt41-new-subgroup-earth-longzhi.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Hack the Real Box: APT41\u2019s New Subgroup Earth Longzhi\",\"datePublished\":\"2022-11-09T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\\\/\"},\"wordCount\":2830,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/11\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi-scaled.jpg\",\"keywords\":[\"Trend Micro Research : APT&amp;Targeted Attacks\",\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Exploits&amp;Vulnerabilities\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Phishing\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\\\/\",\"name\":\"Hack the Real Box: APT41\u2019s New Subgroup Earth Longzhi 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/11\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi-scaled.jpg\",\"datePublished\":\"2022-11-09T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/11\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi-scaled.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/11\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi-scaled.jpg\",\"width\":2560,\"height\":1597},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : APT&amp;Targeted Attacks\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-apttargeted-attacks\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Hack the Real Box: APT41\u2019s New Subgroup Earth Longzhi\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Hack the Real Box: APT41\u2019s New Subgroup Earth Longzhi 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/","og_locale":"en_US","og_type":"article","og_title":"Hack the Real Box: APT41\u2019s New Subgroup Earth Longzhi 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-11-09T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/cover-apt41-new-subgroup-earth-longzhi.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Hack the Real Box: APT41\u2019s New Subgroup Earth Longzhi","datePublished":"2022-11-09T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/"},"wordCount":2830,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi-scaled.jpg","keywords":["Trend Micro Research : APT&amp;Targeted Attacks","Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Crime","Trend Micro Research : Cyber Threats","Trend Micro Research : Endpoints","Trend Micro Research : Exploits&amp;Vulnerabilities","Trend Micro Research : Malware","Trend Micro Research : Phishing"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/","url":"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/","name":"Hack the Real Box: APT41\u2019s New Subgroup Earth Longzhi 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi-scaled.jpg","datePublished":"2022-11-09T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi-scaled.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi-scaled.jpg","width":2560,"height":1597},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/hack-the-real-box-apt41s-new-subgroup-earth-longzhi\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : APT&amp;Targeted Attacks","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-apttargeted-attacks\/"},{"@type":"ListItem","position":3,"name":"Hack the Real Box: APT41\u2019s New Subgroup Earth Longzhi"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49217","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=49217"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/49217\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/49218"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=49217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=49217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=49217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}