Earth Longzhi

Threat Actor Profile Updated 13 days ago
Earth Longzhi, a suspected subgroup of the APT41 threat group, has resumed activity after several months of dormancy. The new campaign targets government, healthcare, technology and manufacturing organizations across Southeast Asia, and it expands the group's footprint to Fiji, a country it had not targeted before.

Trend Micro's earlier investigation documented two separate Earth Longzhi campaigns between 2020 and 2022; the second ran from August 2021 to June 2022. For the current wave the group has changed its initial-access tradecraft: instead of phishing email it goes after vulnerable, internet-exposed servers. Public-facing Internet Information Services (IIS) and Microsoft Exchange servers serve as the entry point, on which the group installs the Behinder web shell and then uses it for host reconnaissance and to download further malware. Its principal tools in this campaign are Croxloader, a loader for Cobalt Strike, and SPHijacker, a new defense-evasion tool aimed at security products.

APT41, the parent group, is regarded as one of China's most prominent state-aligned cyber threats. Over the years it has repeatedly changed its tactics, techniques and procedures (TTPs) in espionage operations against government agencies, enterprises and individuals. Its intrusions into US government networks drew particular attention and led to indictments by US law enforcement.

On May 2, 2023, Trend Micro published details of this latest Earth Longzhi campaign, underscoring the group's continuing evolution and persistence.
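The entry vector described above, a web shell planted on an internet-facing IIS or Exchange server, leaves traces in the server's own W3C logs: POST traffic to a script path that never received requests before the intrusion. The Python below is an added example written for this page, not code from Trend Micro or from the group. The log lines, client addresses and the script path /aspnet_client/system_web/log.aspx are constructed, and the baseline-versus-observation heuristic is a generic hunting approach, not a documented Earth Longzhi indicator.

```python
"""Hunt IIS W3C extended logs for web-shell-style POST traffic.

Approach: build a set of script paths seen during a known-clean window,
then flag POSTs to script paths outside that set, grouped by client IP.
All log content below is constructed for illustration.
"""
from collections import Counter

# Server-side script extensions a dropped web shell would typically use
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".php")

# Constructed log from a window believed to be clean (baseline)
BASELINE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2023-04-01 09:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 31
2023-04-01 09:00:05 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.20 Mozilla/5.0 https://mail.example.test/owa/auth/logon.aspx 302 0 0 120
2023-04-01 09:01:10 10.0.0.5 POST /ecp/default.aspx - 443 admin 198.51.100.21 Mozilla/5.0 - 200 0 0 88
"""

# Constructed log from the window under investigation
SUSPECT_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2023-04-10 02:11:03 10.0.0.5 GET /aspnet_client/system_web/log.aspx - 443 - 203.0.113.7 python-requests/2.28 - 200 0 0 15
2023-04-10 02:11:09 10.0.0.5 POST /aspnet_client/system_web/log.aspx - 443 - 203.0.113.7 python-requests/2.28 - 200 0 0 42
2023-04-10 02:11:15 10.0.0.5 POST /aspnet_client/system_web/log.aspx - 443 - 203.0.113.7 python-requests/2.28 - 200 0 0 310
2023-04-10 02:12:40 10.0.0.5 POST /aspnet_client/system_web/log.aspx - 443 - 203.0.113.7 python-requests/2.28 - 200 0 0 1208
2023-04-10 02:15:02 10.0.0.5 POST /aspnet_client/system_web/log.aspx - 443 - 203.0.113.7 python-requests/2.28 - 500 0 0 77
2023-04-10 02:16:30 10.0.0.5 POST /owa/auth/current/themes/r.aspx - 443 - 203.0.113.7 python-requests/2.28 - 200 0 0 60
2023-04-10 08:00:12 10.0.0.5 POST /ecp/default.aspx - 443 admin 198.51.100.21 Mozilla/5.0 - 200 0 0 91
2023-04-10 08:00:40 10.0.0.5 POST /ecp/default.aspx - 443 admin 198.51.100.21 Mozilla/5.0 - 200 0 0 85
"""


def parse_iis_w3c(text):
    """Yield one dict per log record, using the #Fields directive for column names."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directives: #Software, #Version, #Date, #Fields
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            continue  # record before any #Fields line; cannot map columns
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, parts))


def baseline_paths(rows):
    """Set of request paths observed during the known-clean window."""
    return {r["cs-uri-stem"].lower() for r in rows}


def find_webshell_candidates(rows, known_paths, min_posts=3):
    """Return {(client_ip, path): post_count} for POSTs to script paths not in the baseline.

    Only (ip, path) pairs with at least min_posts POSTs are reported, to cut
    noise from one-off scanner probes.
    """
    hits = Counter()
    for r in rows:
        path = r["cs-uri-stem"].lower()
        if r["cs-method"].upper() != "POST":
            continue
        if not path.endswith(SCRIPT_EXT):
            continue
        if path in known_paths:
            continue
        hits[(r["c-ip"], path)] += 1
    return {k: v for k, v in hits.items() if v >= min_posts}


def hunt():
    """Run the baseline-then-compare hunt over the constructed logs."""
    known = baseline_paths(parse_iis_w3c(BASELINE_LOG))
    return find_webshell_candidates(parse_iis_w3c(SUSPECT_LOG), known)


if __name__ == "__main__":
    for (ip, path), n in sorted(hunt().items()):
        print(f"{ip} sent {n} POSTs to previously unseen script {path}")
```

The only hit is the client at 203.0.113.7 POSTing repeatedly to a script path absent from the baseline; the single POST to a second unseen path stays below the threshold, and the administrator's POSTs to /ecp/default.aspx are suppressed because that path appears in the clean window. In practice the baseline should span several weeks and the flagged path should then be checked on disk (creation time, file owner, contents) and correlated with w3wp.exe child processes.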
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so here are some possibly overlapping names and profiles you may also want to look at.
- Longzhi (3 votes): Earth Longzhi, a subgroup within the notorious APT41 cyber espionage group, has re-emerged after months of dormancy, according to cybersecurity researchers at Trend Micro. The threat actor has been known for its malicious activities since 2020 and has recently targeted organizations in Taiwan, Thail
- APT41 (2 votes): APT41, also known as Winnti, Wicked Panda, Barium, Suckfly, Earth Freybug, and Daggerfly, is a sophisticated threat actor attributed to China that has been active since at least 2012. The group targets organizations across various sectors including public administration, professional services, scien
Miscellaneous Associations
Other elements of context that could aid in assessing relevance: Malware, Espionage
Source Document References
Information about the Earth Longzhi threat actor was read from the documents below (display limited to 20 results).
- CERT-EU (a year ago): Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics - GIXtools
- InfoSecurity-magazine (a year ago): Earth Longzhi Uses
- CERT-EU (9 months ago): Cybersecurity Threat 1H 2023 Brief with Generative AI
- CERT-EU (a year ago): The Week in Security: SolarWinds hack set off alarms for months before discovery
- CERT-EU (a year ago): Attack on Security Titans: Earth Longzhi Returns With New Tricks | IT Security News
- DARKReading (9 months ago): APT Attacks From 'Earth Estries' Hit Gov't, Tech With Custom Malware
- DARKReading (a year ago): APT41 Subgroup Plows Through Asia-Pacific, Utilizing Layered Stealth Tactics