{ "id": "b9744a65-a87d-4b84-8dd4-b547dd661ddf", "created_at": "2026-04-06T00:22:27.744364Z", "updated_at": "2026-04-10T13:11:24.095179Z", "deleted_at": null, "sha1_hash": "2403cf7eb979c0bef176247421a93d5933be3d70", "title": "Subgroup: Earth Freybug - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46410, "plain_text": "Subgroup: Earth Freybug - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-02 12:27:08 UTC\r\nHome \u003e List all groups \u003e Subgroup: Earth Freybug\r\n APT group: Subgroup: Earth Freybug\r\nNames Earth Freybug (Trend Micro)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2012\r\nDescription\r\nA subgroup of APT 41.\r\n(Trend Micro) Earth Freybug is a cyberthreat group that has been active since at least 2012\r\nthat focuses on espionage and financially motivated activities. It has been observed to target\r\norganizations from various sectors across different countries. Earth Freybug actors use a\r\ndiverse range of tools and techniques, including LOLBins and custom malware. This article\r\nprovides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link\r\nlibrary (DLL) hijacking and application programming interface (API) unhooking to prevent\r\nchild processes from being monitored via a new malware we’ve discovered and dubbed\r\nUNAPIMON.\r\nObserved\r\nTools used UNAPIMON, Living off the Land.\r\nInformation \u003chttps://www.trendmicro.com/en_us/research/24/d/earth-freybug.html\u003e\r\nLast change to this card: 22 April 2024\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=90c27362-1672-454d-aaba-afd974e76edc\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=90c27362-1672-454d-aaba-afd974e76edc\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=90c27362-1672-454d-aaba-afd974e76edc" ], "report_names": [ "showcard.cgi?u=90c27362-1672-454d-aaba-afd974e76edc" ], "threat_actors": [ { "id": "315bd857-79cc-46f2-896f-aeb0fc576b49", "created_at": "2024-04-28T02:00:03.693599Z", "updated_at": "2026-04-10T02:00:03.62936Z", "deleted_at": null, "main_name": "Earth Freybug", "aliases": [], "source_name": "MISPGALAXY:Earth Freybug", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "10e4e1de-afe4-4a62-b46d-07800c801a17", "created_at": "2024-04-24T02:02:07.562188Z", "updated_at": "2026-04-10T02:00:04.560334Z", "deleted_at": null, "main_name": "Earth Freybug", "aliases": [ "Earth Freybug" ], "source_name": "ETDA:Earth Freybug", "tools": [ "LOLBAS", "LOLBins", "Living off the Land", "UNAPIMON" ], "source_id": "ETDA", "reports": null }, { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434947, "ts_updated_at": 1775826684, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2403cf7eb979c0bef176247421a93d5933be3d70.pdf", "text": "https://archive.orkl.eu/2403cf7eb979c0bef176247421a93d5933be3d70.txt", "img": "https://archive.orkl.eu/2403cf7eb979c0bef176247421a93d5933be3d70.jpg" } }