{"id":55737,"date":"2024-04-02T00:00:00","date_gmt":"2024-04-02T00:00:00","guid":{"rendered":"urn:uuid:5b0a82bc-ab82-981d-e48d-4f6e9a1b7a80"},"modified":"2024-04-02T00:00:00","modified_gmt":"2024-04-02T00:00:00","slug":"earth-freybug-uses-unapimon-for-unhooking-critical-apis","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/","title":{"rendered":"Earth Freybug Uses UNAPIMON for Unhooking Critical APIs"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/earth-freybug-cover:Large?qlt=80\"><\/p>\n<div><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/earth-freybug-cover.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p><b>First cc.bat for reconnaissance<\/b><\/p>\n<p>Once the scheduled task is triggered, a previously deployed batch file, <i>%System%\\cc.bat<\/i>, is executed in the remote machine. Based on our telemetry, this batch file launches commands to gather system information. 
Among the commands executed are:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><i>powershell.exe&nbsp; -command &#8220;Get-NetAdapter |select InterfaceGuid&#8221;<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>arp&nbsp; -a<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>ipconfig&nbsp; \/all<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>fsutil&nbsp; fsinfo drives<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>query&nbsp; user<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>net&nbsp; localgroup administrators<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>systeminfo<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>whoami<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>netstat&nbsp; -anb -p tcp<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>net&nbsp; start<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>tasklist&nbsp; \/v<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>net&nbsp; session<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>net&nbsp; share<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>net&nbsp; accounts<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>net&nbsp; use<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>net&nbsp; user<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>net&nbsp; view<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>net&nbsp; view \/domain<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>net&nbsp; time \\\\127.0.0.1<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>net&nbsp; localgroup administrators \/domain<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>wmic&nbsp; nic get &#8220;guid&#8221;<\/i><\/span><\/li>\n<\/ul>\n<p>The system information gathered via these commands is collected in a text file called <i>%System%\\res.txt<\/i>.<\/p>\n<p>Once this is done, another scheduled task is set up to execute 
<i>%Windows%\\Installer\\cc.bat<\/i> in the target machine, which launches a backdoor.<\/p>\n<p><b>Second cc.bat hijacking for DLL side-loading<\/b><\/p>\n<p>The second <i>cc.bat<\/i> is notable for leveraging a service that loads a nonexistent library to side-load a malicious DLL. In this case, the service is <i>SessionEnv<\/i>. A detailed technical description of how this technique works can be found <a href=\"https:\/\/posts.specterops.io\/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\" target=\"_blank\" rel=\"noopener\">here<\/a>. In this technique, this second <i>cc.bat<\/i> first copies a previously dropped <i>%Windows%\\Installer\\hdr.bin<\/i> to <i>%System%\\TSMSISrv.DLL<\/i>. It then stops the <i>SessionEnv<\/i> service, waits for a few seconds, then restarts the service. This makes the service load and execute the file <i>%System%\\TSMSISrv.DLL<\/i>.<\/p>\n<p>Two actions of interest done by <i>TSMSISrv.DLL<\/i> are dropping and loading a file named <i>%Windows%\\_{5 to 9 random alphabetic characters}.dll<\/i> and starting a <i>cmd.exe<\/i> process into which the same dropped DLL is also injected. Based on telemetry data, we noticed that this instance of cmd.exe is used to execute commands coming from another machine, thus turning it into a backdoor. We dubbed the dropped DLL loaded in both the service and <i>cmd.exe<\/i> UNAPIMON.<\/p>\n<p><b>Introducing UNAPIMON for defense evasion<\/b><\/p>\n<p>An interesting thing that we observed in this attack is the use of a peculiar malware that we named UNAPIMON. 
In essence, UNAPIMON employs defense evasion techniques to prevent child processes from being monitored, which we detail in the succeeding sections.<\/p>\n<p><b>Malware analysis<\/b><\/p>\n<p>UNAPIMON itself is straightforward: It is a DLL malware written in C++ and is neither packed nor obfuscated; it is not encrypted save for a single string.<\/p>\n<p>At the <i>DllMain<\/i> function, it first checks whether it is being loaded or unloaded. When the DLL is being loaded, it creates an event object for synchronization and starts the hooking thread.<\/p>\n<p>As shown in Figure 3, the hooking thread first obtains the address of the function <i>CreateProcessW<\/i> from <i>kernel32.dll<\/i>, which it saves for later use. <i>CreateProcessW<\/i> is one of the Windows API functions that can be used to create a process. It then installs a hook on it using Microsoft Detours, an open-source software package developed by Microsoft for monitoring and instrumenting API calls on Windows.<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/d\/earth-freybug.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we\u2019ve discovered and dubbed UNAPIMON. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":55738,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9508,9509],"class_list":["post-55737","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Earth Freybug Uses UNAPIMON for Unhooking Critical APIs 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Earth Freybug Uses UNAPIMON for Unhooking Critical APIs 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-04-02T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/earth-freybug-cover:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Earth Freybug Uses UNAPIMON for Unhooking Critical 
APIs\",\"datePublished\":\"2024-04-02T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\\\/\"},\"wordCount\":513,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis.jpg\",\"keywords\":[\"Trend Micro Research : APT&amp;Targeted Attacks\",\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\\\/\",\"name\":\"Earth Freybug Uses UNAPIMON for Unhooking Critical APIs 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis.jpg\",\"datePublished\":\"2024-04-02T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis.jpg\",\"width\":976,\"height\":533},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : APT&amp;Targeted Attacks\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-apttargeted-attacks\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Earth Freybug Uses UNAPIMON for Unhooking Critical APIs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - 
Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Earth Freybug Uses UNAPIMON for Unhooking Critical APIs 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/","og_locale":"en_US","og_type":"article","og_title":"Earth Freybug Uses UNAPIMON for Unhooking Critical APIs 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-04-02T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/earth-freybug-cover:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Earth Freybug Uses UNAPIMON for Unhooking Critical APIs","datePublished":"2024-04-02T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/"},"wordCount":513,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/04\/earth-freybug-uses-unapimon-for-unhooking-critical-apis.jpg","keywords":["Trend Micro Research : APT&amp;Targeted Attacks","Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/","url":"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/","name":"Earth Freybug Uses UNAPIMON for Unhooking Critical APIs 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/04\/earth-freybug-uses-unapimon-for-unhooking-critical-apis.jpg","datePublished":"2024-04-02T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/04\/earth-freybug-uses-unapimon-for-unhooking-critical-apis.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/04\/earth-freybug-uses-unapimon-for-unhooking-critical-apis.jpg","width":976,"height":533},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/earth-freybug-uses-unapimon-for-unhooking-critical-apis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : APT&amp;Targeted Attacks","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-apttargeted-attacks\/"},{"@type":"ListItem","position":3,"name":"Earth Freybug Uses UNAPIMON for Unhooking Critical 
APIs"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff
89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55737","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=55737"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55737\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/55738"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=55737"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=55737"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=55737"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}