Longzhi

Threat Actor updated 19 days ago (2024-11-29T14:07:30.180Z)
Download STIX
Preview STIX
Earth Longzhi, a subgroup within the notorious APT41 cyber espionage group, has re-emerged after months of dormancy, according to cybersecurity researchers at Trend Micro. The threat actor has been known for its malicious activities since 2020 and has recently targeted organizations in Taiwan, Thailand, the Philippines, and for the first time, Fiji. The sectors affected include government, healthcare, technology, and manufacturing. Earth Longzhi's resurgence is marked by new techniques in its infection routine, primarily targeting vulnerable internet-exposed servers. This recent activity indicates that Earth Longzhi remains a significant threat with an evolving modus operandi. The researchers discovered that Earth Longzhi has developed a novel method to disable security products, a technique they termed 'stack rumbling' via Image File Execution Options (IFEO), which is a new denial-of-service (DoS) technique. The group primarily deploys two types of malware: Croxloader, a loader for Cobalt Strike, and a new anti-detection tool called SPHijacker. Instead of relying on traditional phishing emails, Earth Longzhi tends to target public-facing Internet Information Services (IIS) and Microsoft Exchange servers to install the popular Behinder Web shell. Using Behinder, it can gather information and download further malware onto host systems. Despite Earth Longzhi's hiatus since its last campaign that ended in June 2022, the group's return signals its resilience as a noteworthy threat. The samples collected by Trend Micro not only reveal potential targets but also provide insights into the new techniques that Earth Longzhi might employ in future campaigns. Given these developments, organizations, especially those with public-facing internet services, are urged to ensure their systems are fully patched and updated to mitigate the risk of intrusion.
Description last updated: 2024-05-05T11:32:06.089Z
What's your take? (Question 1 of 2)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Earth Longzhi is a possible alias for Longzhi. Earth Longzhi, a suspected subgroup of the notorious APT41, has reemerged after months of inactivity and is now attacking organizations across various industries in Southeast Asia. This group had been on hiatus since its last campaign which ran from August 2021 to June 2022. Trend Micro's investigat
3
APT41 is a possible alias for Longzhi. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Espionage
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Longzhi Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more