Earth Longzhi

Threat Actor Profile (updated 2 months ago)
Earth Longzhi, a suspected subgroup of the notorious APT41, has reemerged after months of inactivity and is now attacking organizations across various industries in Southeast Asia. The group had been on hiatus since its last campaign, which ran from August 2021 to June 2022. Trend Micro's investigation revealed two distinct campaigns carried out by Earth Longzhi between 2020 and 2022. The current campaign targets organizations in the government, healthcare, technology, and manufacturing sectors in the Philippines, Thailand, Taiwan, and Fiji, a country the group had never targeted before.

The group's modus operandi relies on DLL sideloading and the Fastly CDN, tools popular with APT41 subgroups, to reduce the risk of exposure and detection. Overlaps have been found between Earth Estries' backdoor loader and FamousSparrow's, indicating similar tactics or shared resources. According to Trend Micro, Earth Longzhi primarily delivers two types of malware: Croxloader, a loader for Cobalt Strike, and a new anti-detection tool called SPHijacker. Operation Crimson Palace involved tools and infrastructure that overlap with several known Chinese threat actors, including Worok and the APT41 subgroup Earth Longzhi.

The group's evolving Tactics, Techniques, and Procedures (TTPs) show a preference for targeting public-facing Internet Information Services (IIS) and Microsoft Exchange servers as entry points to install the popular Behinder web shell, which lets the group gather information and download further malware onto host systems. As Earth Longzhi continues to refine its stealth tactics in espionage campaigns, potential targets are advised to ensure that their environments, especially internet-exposed systems, are fully patched and updated to mitigate the risk of attack.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Each entry lists the profile name, the number of votes for the overlap, and the profile description.

APT41 (3 votes): APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4

Longzhi (3 votes): Earth Longzhi, a subgroup within the notorious APT41 cyber espionage group, has re-emerged after months of dormancy, according to cybersecurity researchers at Trend Micro. The threat actor has been known for its malicious activities since 2020 and has recently targeted organizations in Taiwan, Thail

Hoodoo (1 vote): Hoodoo, also known as APT41, Winnti, Bronze Atlas, and several other aliases, is a threat actor believed to be backed by the Chinese government. This group is renowned for its complex campaigns that target a variety of sectors, with motivations ranging from exfiltrating sensitive data to financial g
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Espionage
Apt
Denial of Se...
Cobalt Strike
Chinese
Loader
Iis
Web Shell
Phishing
China
Associated Malware
Each entry lists the malware name, its type, the number of votes for the association, and the profile description.

Crimson (type: Unspecified, 1 vote): Crimson is a type of malware that has been used in various cyber-espionage campaigns, notably by ProjectM. The malware was first observed in 2013 and has been continuously employed in attacks alongside other payloads like Capra RAT and Oblique RAT. ProjectM used multiple domains to control the Crims
Associated Threat Actors
Each entry lists the threat actor name, its type, the number of votes for the association, and the profile description.

Earth Estries (type: Unspecified, 1 vote): Earth Estries is a cyberespionage group, or threat actor, that has targeted government entities and tech firms across the globe, including in the US, Germany, South Africa, Asia, Malaysia, the Philippines, and Taiwan. While the exact origin of Earth Estries remains unclear, there are indications sug
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Earth Longzhi threat actor was read from the document corpus below. This display is limited to 20 results.
Each entry lists the source, when it was created, and the document title.

BankInfoSecurity (2 months ago): Chinese South China Sea Cyberespionage Campaign Unearthed
DARKReading (2 months ago): Chinese Threat Clusters Triple-Team High-Profile Asian Government Org
DARKReading (a year ago): APT Attacks From 'Earth Estries' Hit Gov't, Tech With Custom Malware
CERT-EU (a year ago): Cybersecurity Threat 1H 2023 Brief with Generative AI
CERT-EU (a year ago): Attack on Security Titans: Earth Longzhi Returns With New Tricks | IT Security News
DARKReading (a year ago): APT41 Subgroup Plows Through Asia-Pacific, Utilizing Layered Stealth Tactics
InfoSecurity-magazine (a year ago): Earth Longzhi Uses
CERT-EU (a year ago): Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics - GIXtools
CERT-EU (a year ago): The Week in Security: SolarWinds hack set off alarms for months before discovery