{
	"id": "b806930b-b565-4395-a857-cd97c2f2a968",
	"created_at": "2026-04-06T00:07:58.044244Z",
	"updated_at": "2026-04-10T13:11:52.69835Z",
	"deleted_at": null,
	"sha1_hash": "52cbfad8fb9bfae476b51e6a1c0a1918bf908247",
	"title": "Attack on Security Titans: Earth Longzhi Returns With New Tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2531487,
	"plain_text": "Attack on Security Titans: Earth Longzhi Returns With New Tricks\r\nBy: Ted Lee, Hara Hiroaki May 02, 2023 Read time: 9 min (2391 words)\r\nPublished: 2023-05-02 · Archived: 2026-04-05 17:44:33 UTC\r\nAPT \u0026 Targeted Attacks\r\nAfter months of dormancy, Earth Longzhi, a subgroup of the advanced persistent threat (APT) group APT41, has reemerged with new techniques in its infection routine. This blog entry forewarns readers that Earth Longzhi remains a resilient and noteworthy threat.\r\nWe discovered a new campaign by Earth Longzhi (a subgroup of APT41) that targets organizations based in Taiwan, Thailand, the Philippines, and Fiji. This campaign, which follows months of dormancy, abuses a Windows Defender executable to perform DLL sideloading and exploits a vulnerable driver, zamguard64.sys, to disable the security products installed on the host in a bring-your-own-vulnerable-driver (BYOVD) attack. We also found that Earth Longzhi uses a new way to disable security products, a denial-of-service (DoS) technique we have dubbed “stack rumbling” via Image File Execution Options (IFEO).\r\nIn addition, this campaign installs drivers as kernel-level services through Microsoft Remote Procedure Call (RPC) rather than through the general Windows service application programming interfaces (APIs), a stealthy way to evade typical API monitoring. We also found some interesting samples during our investigation that contained information not only on Earth Longzhi’s potential targets but also on techniques it may use in future campaigns. 
This blog entry seeks to forewarn readers that Earth Longzhi remains active and continues to improve its tactics, techniques, and procedures (TTPs).\r\nAttack vectors\r\nEarth Longzhi’s new campaign samples showed a tendency to exploit public-facing applications, Internet Information Services (IIS) servers, and Microsoft Exchange servers to install Behinder, a well-known web shell, rather than to deliver document-based malware through email. As seen in this campaign, Behinder is a powerful web shell that supports multiple backdoor functions, including file operations, remote command execution, an interactive shell, and a SOCKS5 proxy. The actors use this web shell to discover intranet information and to deploy other malware and hacking tools on the compromised machine.\r\nhttps://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html\r\nPage 1 of 20\n\nFigure 1. Infection routine used by Earth Longzhi\r\nNew tricks for DLL sideloading\r\nIn the group’s new campaign, the malware was launched through the legitimate Windows Defender binaries MpDlpCmd.exe and MpCmdRun.exe instead of through document-based samples. The malware was disguised as a legitimate DLL, MpClient.dll, and was loaded by the Microsoft Defender binaries. Our investigation showed two different types of malware launched through this technique: one is a new variant of Croxloader, and the other is a tool that can disable security products, which we dubbed “SPHijacker.”\r\nFigure 2. Legitimate files used for DLL sideloading\r\nNew Croxloader variant\r\nEarth Longzhi’s new campaign launched the Windows Defender binaries as a system service. The new Croxloader variant, disguised as MpClient.dll, was subsequently loaded.
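The two per-byte transforms this post attributes to Croxloader, the original (SUB 0xA) XOR 0xCC and the new (ADD 0x70) XOR 0xDD, as an added Python example that is not code from the original post or from the malware: it decrypts a payload blob under either scheme and picks the variant by checking whether the output is a PE image, which is what the Cobalt Strike beacon inside MpClient.bin is. Assumed rather than stated on the page: the arithmetic wraps at 8 bits and the subtraction or addition is applied before the XOR. The sample blob is constructed here and is not a real MpClient.bin.

```python
# Added example (not code from the original Trend Micro post or the malware):
# recover Croxloader's embedded payload for both variants described above.
# Assumptions: per-byte arithmetic wraps at 8 bits, and the operation order is
# as the post states it (subtract/add first, then XOR).

SUB_XOR_ORIGINAL = (0x0A, 0xCC)   # original Croxloader: (SUB 0x0A) XOR 0xCC
ADD_XOR_NEW = (0x70, 0xDD)        # new variant:         (ADD 0x70) XOR 0xDD


def decrypt_original(data: bytes) -> bytes:
    sub, key = SUB_XOR_ORIGINAL
    return bytes(((b - sub) & 0xFF) ^ key for b in data)


def decrypt_new(data: bytes) -> bytes:
    add, key = ADD_XOR_NEW
    return bytes(((b + add) & 0xFF) ^ key for b in data)


def encrypt_original(plain: bytes) -> bytes:
    # Inverse of decrypt_original; only used to build test input here.
    sub, key = SUB_XOR_ORIGINAL
    return bytes(((p ^ key) + sub) & 0xFF for p in plain)


def encrypt_new(plain: bytes) -> bytes:
    # Inverse of decrypt_new; only used to build test input here.
    add, key = ADD_XOR_NEW
    return bytes(((p ^ key) - add) & 0xFF for p in plain)


def looks_like_pe(blob: bytes) -> bool:
    # The decrypted payload is a Cobalt Strike beacon, i.e. a PE image:
    # check the MZ magic and the PE signature at e_lfanew.
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], 'little')
    return blob[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def identify_and_decrypt(data: bytes):
    # Try every known Croxloader scheme and keep the one that yields a PE.
    # Returns (variant_name, plaintext) or (None, None) if neither fits.
    for name, fn in (('original', decrypt_original), ('new', decrypt_new)):
        plain = fn(data)
        if looks_like_pe(plain):
            return name, plain
    return None, None


def fake_pe(body: bytes) -> bytes:
    # Constructed stand-in for a beacon: minimal MZ header, e_lfanew = 0x40,
    # PE signature, then arbitrary bytes. Not a real executable.
    return b'MZ' + bytes(0x3A) + (0x40).to_bytes(4, 'little') + b'PE' + bytes(2) + body


if __name__ == '__main__':
    sample = fake_pe(b'constructed beacon body')
    for label, blob in (('original', encrypt_original(sample)),
                        ('new', encrypt_new(sample))):
        variant, plain = identify_and_decrypt(blob)
        print(label, '->', variant, plain == sample)
```

On a real sample, replace the constructed blob with the bytes of MpClient.bin; the PE check is what lets the same script tell the two loader generations apart without first disassembling the loader.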
Once launched, Croxloader reads the payload named MpClient.bin and decrypts its content. The new variant is almost identical to the older ones except that it uses a different decryption algorithm: the original variant applies (SUB 0xA) XOR 0xCC to each byte, while the new variant applies (ADD 0x70) XOR 0xDD. The final payload is a Cobalt Strike beacon, which we detect as Backdoor.Win64.COBEACON.ZYKB.\r\nFigure 3. Earth Longzhi’s malware execution chain\r\nFigure 4. Disguised as “MpClient.dll,” the new Croxloader variant reads the encrypted payload, “MpClient.bin,” and decrypts its content.\r\nFigure 5. Modified XOR algorithm\r\nSPHijacker\r\nSPHijacker, a new tool designed to disable security products, takes two approaches. The first terminates security product processes through a vulnerable driver, zamguard64.sys, published by Zemana (CVE-2018-5713). The second prevents security products from launching at all by using a new technique we named stack rumbling, which we discuss in detail below. Notably, this is the first time we have seen this technique used in the wild.\r\nTechnical analysis\r\nSPHijacker decrypts and drops the driver as mmmm.sys (originally named Zamguard64.sys) and registers it as a service. It creates and starts the service through RPC rather than through the general Windows service APIs, as shown in Figure 6. We assess that this lets the actors evade monitoring of the usual service-creation API calls. Creating and starting a kernel service requires administrative rights, so this step assumes the actor has already elevated on the host.\r\nFigure 6. Code showing service started via RPC\r\nOnce the service starts, SPHijacker opens a handle to the device \\\\.\\ZemanaAntiMalware to reach the running driver, then terminates security product processes from a predefined list. The workflow is:\r\n1. It sends input/output control (IOCTL) code 0x80002010 to register its own process ID (PID) with the driver as a trusted process, as seen in Figure 7.\r\n2. It performs process discovery and collects the PIDs of the targeted processes that are running.\r\n3. It sends IOCTL code 0x80002048, whose handler terminates the targeted process by calling ZwOpenProcess and ZwTerminateProcess, as seen in Figure 8.\r\nFigure 7. IOCTL codes sent to register and terminate processes\r\nFigure 8. The handler function of “0x80002048” defined in “zamguard64.sys”\r\nThe processes targeted for termination are listed here; many belong to security products:\r\n360rp.exe\r\n360rps.exe\r\n360Safe.exe\r\n360sd.exe\r\n360tray.exe\r\n360Tray.exe\r\nAliyun_assist_service.exe\r\nAliYunDun.exe\r\nAliYunDunUpdate.exe\r\ncyserver.exe\r\ncytray.exe\r\nMpcmdRun.exe\r\nMsMpEng.exe\r\nNisSrv.exe\r\nSecurityHealthSystray.exe\r\ntlaworker.exe\r\nyunsuo_agent_daemon.exe\r\nYunsuo_agent_service.exe\r\nZhuDongFangYu.exe\r\nOnce process termination completes, SPHijacker prevents the targeted applications from running by forcing them to crash at launch, the technique we referred to earlier as stack rumbling.
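A hunting check for the IFEO abuse behind stack rumbling, as an added Python example that is not code from the original post and not Trend Micro tooling: it parses a .reg export of the Image File Execution Options key and reports every per-image subkey that carries the MinimumStackCommitInBytes value the technique relies on, together with the classic Debugger value used for IFEO injection. The .reg content below is constructed for the example; the 1 MiB threshold used to rate a hit as high is an assumption (the usual default main-thread stack reserve), and the known-target set is a subset of the process names listed in this post.

```python
# Added example, not code from the original post: an offline hunt for the
# stack rumbling setting over a .reg export of the IFEO key, produced with
#   reg export \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\" ifeo.reg
# (reg.exe writes UTF-16 LE with a BOM, which load_reg handles).

IFEO_ROOT = ('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'
             '\\Image File Execution Options')
TYPICAL_STACK_RESERVE = 0x100000  # assumed 1 MiB default reserve; larger commits rate high

# Subset of the process names this post lists as stack rumbling targets.
KNOWN_TARGETS = {
    '360tray.exe', '360safe.exe', '360sd.exe', 'msmpeng.exe', 'nissrv.exe',
    'mpcmdrun.exe', 'securityhealthsystray.exe', 'ntrtscan.exe', 'tmlisten.exe',
    'zhudongfangyu.exe', 'qqpctray.exe', 'aliyundun.exe',
}


def load_reg(path: str) -> str:
    with open(path, encoding='utf-16') as fh:
        return fh.read()


def parse_reg(text: str) -> dict:
    # Minimal parser for what reg.exe exports: [key] headers followed by
    # \"name\"=dword:hex or \"name\"=\"string\" lines. Returns {key: {name: value}}.
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or '=' not in line:
            continue
        name, _, value = line.partition('=')
        name = name.strip().strip('\"')
        if value.startswith('dword:'):
            keys[current][name] = int(value[len('dword:'):], 16)
        else:
            keys[current][name] = value.strip('\"')
    return keys


def hunt_ifeo(reg_text: str) -> list:
    # One finding per IFEO subkey that carries MinimumStackCommitInBytes
    # (stack rumbling) or Debugger (classic IFEO injection).
    findings = []
    prefix = IFEO_ROOT.lower() + '\\'
    for key, values in parse_reg(reg_text).items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):].lower()
        for name, val in values.items():
            lname = name.lower()
            if lname == 'minimumstackcommitinbytes' and isinstance(val, int):
                findings.append({
                    'kind': 'stack_rumbling', 'image': image, 'value': val,
                    'severity': 'high' if val > TYPICAL_STACK_RESERVE else 'medium',
                    'known_target': image in KNOWN_TARGETS,
                })
            elif lname == 'debugger':
                findings.append({
                    'kind': 'ifeo_debugger', 'image': image, 'value': val,
                    'severity': 'high', 'known_target': image in KNOWN_TARGETS,
                })
    return findings


# Constructed .reg content for the example (not an export from a real victim).
SAMPLE_REG = '''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\360Tray.exe]
\"MinimumStackCommitInBytes\"=dword:88888888

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\MsMpEng.exe]
\"MinimumStackCommitInBytes\"=dword:88888888
\"Debugger\"=\"C:\\\\Windows\\\\System32\\\\cmd.exe\"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe]
\"MinimumStackCommitInBytes\"=dword:00010000

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DllHost.exe]
\"GlobalFlag\"=dword:00000000
'''


if __name__ == '__main__':
    for f in hunt_ifeo(SAMPLE_REG):
        shown = hex(f['value']) if isinstance(f['value'], int) else f['value']
        print(f['severity'].upper(), f['kind'], f['image'], shown, f['known_target'])
```

Any MinimumStackCommitInBytes under IFEO is worth a look, since it has no documented legitimate use; the severity rating only separates values that would certainly exhaust a default stack from smaller ones. Feed load_reg(path) into hunt_ifeo for a real export.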
Stack rumbling is a DoS technique that abuses the undocumented MinimumStackCommitInBytes value under the IFEO registry key. The steps are:\r\n1. Open or create the registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\{target process name}.\r\n2. Create a new value, MinimumStackCommitInBytes, with 0x88888888 as its data. Any sufficiently large value works.\r\n3. Wait for the next launch of the target. For antivirus-related processes, which are usually already running, this generally means waiting for the operating system to reboot.\r\n4. Once the targeted process launches, it soon crashes because of a stack overflow.\r\nBecause the key lives under HKLM, writing it requires administrative rights; in this campaign it follows the driver-assisted process termination described above.\r\nFigure 9. An example of how “360Tray.exe” is disabled by modifying the IFEO registry\r\nThe full list of targeted processes:\r\n360rps.exe\r\n360Safe.exe\r\n360sd.exe\r\n360sdrun.exe\r\n360tray.exe\r\n360Tray.exe\r\naliyun_assist_service.exe\r\nAliYunDun.exe\r\nAliYunDunUpdate.exe\r\nCNTAoSMgr.exe\r\ncyserver.exe\r\ncytray.exe\r\nmcafee-security.exe\r\nmcafee-security-ft.exe\r\nMpCmdRun.exe\r\nMsMpEng.exe\r\nNisSrv.exe\r\nNTRTScan.exe\r\nqmbsrv.exe\r\nQQPCRTP.exe\r\nQQPCTray.exe\r\nSecurityHealthSystray.exe\r\ntlaworker.exe\r\nTmCCSF.exe\r\ntmlisten.exe\r\nTmListen.exe\r\nyunsuo_agent_daemon.exe\r\nyunsuo_agent_service.exe\r\nZhuDongFangYu.exe\r\nAs a result of stack rumbling via IFEO, the targeted process fails to start with exit code 0xC0000017 (STATUS_NO_MEMORY, “Status No Memory”), regardless of the privilege level the process runs with, because the check happens inside the new process’s own ntdll during initialization.\r\nFigure 10. An example of “notepad.exe” failing upon execution\r\nThe IFEO registry key has long been known to carry various process-creation options. While it can be used to attach a debugger to an executable, it can also be used to hijack the execution flow of a process, a method known as IFEO injection. We could not find complete documentation of MinimumStackCommitInBytes in any online resource. IFEO values are loaded during process initialization by ntdll!LdrpInitializeExecutionOptions, so we reversed ntdll.dll.\r\nFigure 11. Pseudocode of “ntdll!LdrpInitializeExecutionOptions”\r\nntdll!LdrpInitializeExecutionOptions updates PEB-\u003eMinimumStackCommit with the value of MinimumStackCommitInBytes from the IFEO registry. Microsoft does not document PEB-\u003eMinimumStackCommit either, so we debugged the target process to see how the value is used.\r\nWhen a process affected by stack rumbling is launched, the debugger catches a stack overflow exception in ntdll!LdrpTouchThreadStack.\r\nFigure 12. WinDbg catching a stack overflow exception in the running process\r\nReversing ntdll!LdrpTouchThreadStack shows that it receives PEB-\u003eMinimumStackCommit, the value set in ntdll!LdrpInitializeExecutionOptions, as an argument.\r\nFigure 13. “ntdll!LdrpTouchThreadStack” receiving “PEB-\u003eMinimumStackCommit”\r\nThe value defines how much stack to commit when the main thread’s stack is initialized. If PEB-\u003eMinimumStackCommit is large enough that the commit touches memory beyond the stack region, Windows raises a stack overflow exception. The exception handler catches it, and ntdll!LdrpTouchThreadStack returns STATUS_NO_MEMORY (0xC0000017).\r\nFigure 14. Disassembly of “ntdll!LdrpTouchThreadStack”\r\nIf ntdll!LdrpTouchThreadStack returns any error, ntdll.dll invokes ZwTerminateProcess with that error code, STATUS_NO_MEMORY (0xC0000017) in this case.\r\nFigure 15. Snippet of pseudocode in “ntdll.dll”\r\nIn summary, the MinimumStackCommitInBytes value associated with a specific process in the IFEO registry key defines the minimum stack size to commit when the main thread is initialized. If that size is too large, the commit triggers a stack overflow exception and the process terminates itself. This is how stack rumbling via IFEO works.\r\nOther notable threat-hunting findings\r\nDuring threat hunting, we found related samples on a third-party malware scanning service and started tracking them as Roxwrapper. Roxwrapper is disguised as a normal DLL, srpapi.dll, and works as a dropper. Its embedded content includes Bigpipeloader, a component used in earlier Earth Longzhi-related samples and in the group’s previous campaign.
Roxwrapper’s more complicated encryption suggests that the attackers might still be testing it to see whether it evades security products better.\r\nTable 1 lists the components dropped by Roxwrapper and what each does:\r\nDropped file name: Description\r\nTambahan TP MENLU-DUBES AS revDIR.docx (Tong hop bao cao giao ban Khoi.docx): Embedded decoy documents\r\nap.dll: The SSP module loader via RPC, implemented from a public proof of concept\r\napssp.dll: A Security Support Provider (SSP) module for credential dumping\r\ndwm.exe: A privilege escalation tool based on a public proof of concept\r\ndllhost.exe: Malware used to collect and upload user data and to download further payloads from remote servers\r\nStartMenuExperienceHost.exe: Bigpipeloader, which we introduced in our previous Earth Longzhi report\r\nTable 1. List of components dropped by Roxwrapper\r\nAlthough Roxwrapper was not among the DLL samples used in the actual incidents, this information is noteworthy because it can indicate Earth Longzhi’s potential targets. It also points to a new component, dwm.exe, a privilege escalation tool that abuses Task Scheduler.\r\nEmbedded documents\r\nWe found decoy documents written in Vietnamese and Indonesian, as seen in Figures 16 and 17. Based on these decoys, the threat actors appear keen on targeting users in Vietnam and Indonesia in their next wave of attacks.\r\nFigure 16. Snippet of a decoy document written in Vietnamese\r\nFigure 17. Snippet of a decoy document written in Indonesian\r\nPrivilege escalation by abusing Task Scheduler\r\nAnother notable component found during threat hunting is dwm.exe, a new privilege escalation tool implemented from an open-source proof of concept on GitHub. First, dwm.exe replaces its own image path name and command-line information with C:\\Windows\\explorer.exe so that it appears to be Explorer, for defense evasion. Then it uses the Component Object Model (COM) object IElevatedFactoryServer to bypass the Windows User Account Control (UAC) mechanism and register the given payload as a scheduled task with the highest privileges, so that the specified binary is launched with SYSTEM privileges. This is the first time we have seen Earth Longzhi use this relatively new technique in its operations.\r\nFigure 18. Code for changing image path and command-line information\r\nFigure 19. Command to bypass UAC through the COM object “IElevatedFactoryServer”\r\nAs shown in Figure 20, the created scheduled task runs with SYSTEM privileges and is disguised as a legitimate Google Update scheduled task. The specified payload, dllhost.exe, is a downloader used to retrieve further payloads from the remote server.\r\nFigure 20. XML file for the scheduled task created by “dwm.exe”\r\nProfile of Earth Longzhi’s recent targets\r\nA closer look at the samples we gathered shows that the group’s new campaign is aimed at the Philippines, Thailand, Taiwan, and Fiji, and that government, healthcare, technology, and manufacturing are the affected industries. Organizations in the Philippines, Thailand, and Taiwan were already among Earth Longzhi’s previous targets, while the attacks on Fiji-based firms are the first we have seen in our monitoring of the group. Based on the documents embedded in the samples, Vietnam and Indonesia are possibly the group’s next targeted countries.\r\nFigure 21. Geographic distribution of Earth Longzhi’s targets in its latest campaign and potential targets for future campaigns\r\nConclusion\r\nIn the fourth quarter of 2022, we discovered a new subgroup of APT41 that we track as Earth Longzhi and revealed two campaigns that took place from 2020 to 2022. This follow-up to our previous report aims to flag that Earth Longzhi remains in circulation and can be expected to keep improving its TTPs. Here we showed that the campaign deployed a fake mpclient.dll, launched through signed Windows Defender binaries, to reduce its risk of exposure. To evade and disable security products, Earth Longzhi adopted the following approaches:\r\n1. It used Microsoft Windows RPC to create a system service instead of the standard Windows APIs.\r\n2. It terminated running security products through a vulnerable driver, zamguard64.sys, which is a BYOVD attack.\r\n3. It modified IFEO registry entries to block the execution of security products.\r\nWe also shared some threat-hunting findings. Although the samples we collected resemble test files, they are still useful because they contain information on Earth Longzhi’s potential targets and on new techniques it might employ in the future. From the embedded documents, we infer that Vietnam and Indonesia are the countries it will likely aim at next. Notably, the group’s possible abuse of Task Scheduler to escalate privileges and persist is a new technique it might use in future campaigns.\r\nAnother noteworthy insight is that the threat actors favor open-source projects as the basis for their own tools, and there is evidence that the group refines its toolset during periods of inactivity. With this in mind, organizations should stay vigilant against the continuous development of new stealthy schemes by these actors.\r\nMITRE ATT\u0026CK mapping\r\nTactic: Technique\r\nCredential Access: T1003.001 - OS Credential Dumping: LSASS Memory\r\nExecution: T1569.002 - System Services: Service Execution\r\nDefense Evasion: T1574.002 - Hijack Execution Flow: DLL Side-Loading\r\nDefense Evasion: T1140 - Deobfuscate/Decode Files or Information\r\nDefense Evasion: T1070.004 - Indicator Removal: File Deletion\r\nDefense Evasion: T1036.005 - Masquerading: Match Legitimate Name or Location\r\nPersistence: T1053.005 - Scheduled Task/Job: Scheduled Task\r\nPrivilege Escalation: T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control\r\nPrivilege Escalation: T1068 - Exploitation for Privilege Escalation\r\nPrivilege Escalation: T1546.012 - Event Triggered Execution: Image File Execution Options Injection\r\nIndicators of compromise (IOCs)\r\nSHA256: Detection\r\n7910478d53ab5721208647709ef81f503ce123375914cd504b9524577057f0ec Rootkit.Win64.SPHIJACKER.ZYKB\r\nebf461be88903ffc19363434944ad31e36ef900b644efa31cde84ff99f3d6aed Trojan.Win64.CROXLOADER.ZYJL\r\n21ffa168a60f0edcbc5190d46a096f0d9708512848b88a50449b7a8eb19a91ed Trojan.Win64.CROXLOADER.ZTKC\r\n942b93529c45f27cdbd9bbcc884a362438624b8ca6b721d51036ddaebc750d8e Trojan.Win64.CROXLOADER.ZTKC\r\n75a51d1f1dd26501e02907117f0f4dd91469c7dd30d73a715f52785ea3ae93c8 Backdoor.Win64.COBEACON.ZYKB\r\n4399c5d9745fa2f83bd1223237bdabbfc84c9c77bacc500beb25f8ba9df30379 Backdoor.Win64.COBEACON.ZYJL.enc\r\n8327cd200cf963ada4d2cde942a82bbed158c008e689857853262fcda91d14a4 Backdoor.Win64.COBEACON.SMTHA\r\n9eceba551baafe79b45d412c5347a3d2a07de00cc23923b7dee1616dee087905 Trojan.Win32.ROXWRAPPER.ZYJL\r\n630bb985d2df8e539e35f2da696096e431b3274428f80bb6601bbf4b1d45f71e Trojan.Win32.ROXWRAPPER.ZYJL\r\nef8e658cd71c3af7c77ab21d2347c7d41764a68141551938b885da41971dd733 HackTool.Win64.TaskSchUAC.ZYJL\r\ne654ecc10ce3df9f33d1e7c86c704cfdc9cf6c6f49aa11af2826cbc4b659e97c Trojan.MSIL.DULLDOWN.ZTKA\r\n16887b36f87a08a12fe3b72d0bf6594c3ad5e6914d26bff5e32c9b44acfec040 HackTool.Win64.MIMIKATZ.ZYKA\r\n39de0389d3186234e544b449e20e48bd9043995ebf54f8c6b33ef3a4791b6537 HackTool.Win64.MIMIKATZ.ZYKA\r\nDomain/IP: Description\r\n194.31.53[.]128 C\u0026C\r\n198.13.47[.]158 C\u0026C\r\n207.148.115[.]125 C\u0026C\r\n64.227.164[.]34 C\u0026C\r\nevnpowerspeedtest[.]com C\u0026C\r\nwww.updateforhours[.]com C\u0026C\r\ndns.eudnslog[.]com C\u0026C\r\nasis.downloadwindowsupdate[.]co C\u0026C\r\n194.31.53[.]128 Download site\r\n198.13.47[.]158 Download site\r\nSource: https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html"
	],
	"report_names": [
		"attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html"
	],
	"threat_actors": [
		{
			"id": "5b317799-01c0-48fa-aee2-31a738116771",
			"created_at": "2022-11-20T02:02:37.746719Z",
			"updated_at": "2026-04-10T02:00:04.561617Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"Earth Longzhi"
			],
			"source_name": "ETDA:Earth Longzhi",
			"tools": [
				"Agentemis",
				"BigpipeLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"CroxLoader",
				"MultiPipeLoader",
				"OutLoader",
				"Symatic Loader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d196cb29-a861-4838-b157-a31ac92c6fb1",
			"created_at": "2023-11-04T02:00:07.66699Z",
			"updated_at": "2026-04-10T02:00:03.386945Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"SnakeCharmer"
			],
			"source_name": "MISPGALAXY:Earth Longzhi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434078,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/52cbfad8fb9bfae476b51e6a1c0a1918bf908247.pdf",
		"text": "https://archive.orkl.eu/52cbfad8fb9bfae476b51e6a1c0a1918bf908247.txt",
		"img": "https://archive.orkl.eu/52cbfad8fb9bfae476b51e6a1c0a1918bf908247.jpg"
	}
}