{
	"id": "f4e867f9-bda6-4f3c-9e4e-4430503a9728",
	"created_at": "2026-04-06T00:21:25.887181Z",
	"updated_at": "2026-04-10T03:32:20.738224Z",
	"deleted_at": null,
	"sha1_hash": "c801695128ac2fc981656d32de5b8b0b7677da8f",
	"title": "Hack the Real Box: APT41’s New Subgroup Earth Longzhi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4944708,
	"plain_text": "Hack the Real Box: APT41’s New Subgroup Earth Longzhi\r\nBy By: Hara Hiroaki, Ted Lee Nov 09, 2022 Read time: 10 min (2749 words)\r\nPublished: 2022-11-09 · Archived: 2026-04-05 12:38:52 UTC\r\nAPT \u0026 Targeted Attacks\r\nWe looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41,\r\nEarth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON\r\nPEACE 2022 in August.\r\nIn early 2022, we investigated an incident that compromised a company in Taiwan. The malware used in the\r\nincident was a simple but custom Cobalt Strike loader. After further investigation, however, we found incidents\r\ntargeting multiple regions using a similar Cobalt Strike loader. While analyzing code similarities and tactics,\r\ntechniques, and procedures (TTPs), we discovered that the actor behind this attack has been active since 2020.\r\nAfter clustering each intrusion, we concluded that the threat actor is a new subgroup of advanced persistent threat\r\n(APT) group APT41news- cybercrime-and-digital-threats that we call Earth Longzhi. In this entry, we reveal two\r\ncampaigns by Earth Longzhi from 2020 to 2022 and introduce some of the group’s arsenal in these campaigns.\r\nThis entry was also presented at the HITCON PEACE 2022 conference in August this year.\r\nCampaign overview\r\nSince it first started being active in 2020, Earth Longzhi’s long-running campaign can be divided into two based\r\non the range of time and toolset. During its first campaign deployed from 2020 to 2021, Earth Longzhi targeted\r\nthe government, infrastructure, and health industries in Taiwan and the banking sector in China. In its second\r\ncampaign from 2021 to 2022, the group targeted high-profile victims in the defense, aviation, insurance, and urban\r\ndevelopment industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine. 
\r\nhttps://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html\r\nPage 1 of 15\n\nFigure 1. Earth Longzhi’s victim countries from 2020 to 2022\r\nAttack vector\r\nBoth campaigns used spear-phishing emails as the primary entry vector to deliver Earth Longzhi’s malware. The\r\nattacker embeds the malware in a password-protected archive or shares a link to download the malware, luring the\r\nvictim with information about a person. Upon opening the link, the victim is redirected to a Google Drive location\r\nhosting a password-protected archive that contains a Cobalt Strike loader we call CroxLoader.\r\nFigure 2. Malware delivery via spear-phishing email in traditional Chinese\r\nIn some cases, we also found that the group exploited publicly available applications to deploy and execute a\r\nsimple downloader, which then fetches a shellcode loader and the hack tools needed for the routine.\r\nFigure 3. Delivering malware by exploiting exposed applications\r\nCampaign No. 1: May 2020 - Feb 2021\r\nWe tracked Earth Longzhi mainly targeting the government, healthcare, academic, and infrastructure industries in\r\nTaiwan with a custom Cobalt Strike loader, which we call the Symatic loader, and custom hacking tools.\r\nFigure 4. Timeline of attacks during the first campaign\r\nSymatic loader\r\nSymatic is the primary loader used to load the Cobalt Strike payload in the first campaign. 
To avoid being\r\ndetected, Symatic adopts the following techniques:\r\nRemoving in-memory API hooks from ntdll.dll, the user-mode interface to the Windows kernel, by restoring a clean copy of the module (anti-hooking)\r\nMasquerading the parent process with the UpdateProcThreadAttribute API (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS)\r\nInjecting the decrypted payload into a built-in system process (dllhost.exe or rundll32.exe)\r\nSecurity solutions place in-memory API hooks in ntdll.dll to monitor suspicious behavior. Symatic reads the raw\r\ncontent of ntdll.dll from disk and overwrites the in-memory ntdll image with it, so that no hooks remain in ntdll.dll\r\nwhen the payload runs. \r\nFigure 5. Symatic Loader’s detection evasion techniques\r\nAfter restoring ntdll, Symatic spawns a new process for process injection. It is worth noting that it\r\nmasquerades the parent process of the newly created process to obfuscate the process chain.\r\nFigure 6. Obfuscating the process chain\r\nAll-in-one hack tool\r\nFor the post-exploitation operations of this campaign, Earth Longzhi also prepares an all-in-one tool that combines\r\nall the necessary tools in one package. Most of the tools included in this package are either publicly available\r\nor were used in previous attack deployments. This bundled tool allows the group to complete multiple operations\r\nwith a single executable.\r\nTable 1. 
All the tools needed for the routine in one executable\r\nArgument | Function\r\n-P | HTRan\r\n-S | Socks5 proxy\r\n-SQL | Password scans against Microsoft SQL Server (MSSQL) with a given dictionary\r\n-IPC | Password scans over IPC$ with a given dictionary\r\n-SFC | Disables Windows File Protection via SFC_OS.dll\r\n-filetime | Modifies a specific file’s timestamp\r\n-Port | TCP (Transmission Control Protocol) port scanner\r\n-Runas | Launches a process with higher privileges\r\n-Clone | Clones a specified user’s relative ID (RID) in the registry for RID spoofing (RID hijacking)\r\n-driver | Gets information on local or remote drives (using NetShareEnum)\r\n-sqlcmd | Executes a command with SQLExecDirect\r\nFigure 7. All-in-one tool available since 2014\r\nSecond campaign: August 2021 to June 2022\r\nEarth Longzhi initiated the second campaign five months after the last attack in its first campaign. In this\r\ncampaign, the APT group used various types of customized Cobalt Strike loaders, which we call CroxLoader,\r\nBigpipeLoader, and OutLoader. We also found other customized hacking tools.\r\nFigure 8. Timeline of attacks during the second campaign\r\nCustom loaders\r\nWe discovered several custom loaders for Cobalt Strike, including similar samples uploaded to VirusTotal. Each\r\nloader implements a different algorithm to decrypt the payload, as follows:\r\nTable 2. 
Summary of customized loaders in the second campaign\r\nName | Observed | Algorithm | Extra feature\r\nCroxLoader | Oct 2021 onward | XOR 0xCC + SUB 0xA; RtlDecompressBuffer + XOR 0xCC | Process injection; decoy document\r\nBigpipeLoader | Aug 2021 onward | Base64 + RSA + AES128-CFB; AES128-CFB | Multi-threaded decryption over named pipe; decoy document\r\nMultiPipeLoader | Aug 2021 | Base64 + AES128-CFB | Multi-threaded decryption over named pipe; decoy document\r\nOutLoader | Sep 2021 | AES128-CFB | Downloads payload from an external server; decoy document\r\nCroxLoader\r\nDuring the second campaign, we found two variants of CroxLoader with distinct patterns of use. The first variant is\r\ncommonly used when the attackers use public-facing applications as the entry point. It decrypts the embedded\r\npayload and injects it into a remote process. The second variant is typically delivered through spear-phishing\r\nemails that lure victims into opening it. Which variant is used against a given target depends on the applicable\r\nattack scenario.\r\nFigure 9. TTPs of the CroxLoader variants\r\nBigpipeLoader\r\nBecause this loader reads and writes the encrypted payload through a named pipe, we named this shellcode loader\r\nBigpipeLoader. In one of our threat hunting sessions, we found two variants of this loader with different execution\r\nprocedures. The first variant simply drops the decoy file, loads the Cobalt Strike payload into memory, and\r\nexecutes it. In the second variant, the attacker uses a dropper that writes a malicious WTSAPI32.dll designed to be\r\nsideloaded by a legitimate application named wusa.exe; this in turn launches the encrypted BigpipeLoader (chrome.inf). 
Both variants of BigpipeLoader use the\r\nAES-128-CFB algorithm to decrypt the payload.\r\nFigure 10. TTPs of the BigpipeLoader variants\r\nMeanwhile, MultipipeLoader and OutLoader are similar to CroxLoader and BigpipeLoader but have slightly\r\ndifferent features. MultipipeLoader uses multiple threads to read/write the encrypted payload like BigpipeLoader,\r\nbut implements a decryption routine similar to CroxLoader’s. OutLoader downloads the payload from a remote\r\nserver, while its other functions are the same as BigpipeLoader’s. From these minimal variations, we believe the\r\nattacker develops new loaders by recombining features of previously used ones. \r\nPost-exploitation\r\nDuring the investigation of the second campaign, we collected multiple hacking tools used for privilege escalation\r\n(PrintNightmare and PrintSpoofer), credential dumping (custom standalone Mimikatz), and defense evasion\r\n(disabling security products). Instead of using public tools as they are, the threat actors reimplement or develop\r\ntheir own tools based on open-source projects. In the following subsections, we introduce these hack tools.\r\nCustom standalone Mimikatz\r\nEarth Longzhi reimplemented some modules of Mimikatz (shown in Table 3) as standalone binaries. Upon\r\ncomparing the binaries with the source code, we found that the attacker simply extracted the necessary code from\r\nthe public source and compiled it as a standalone binary. 
We call this technique \"Bring-Your-Own Mimikatz.\" The reimplementation\r\nof open-source hacking tools such as Mimikatz is common in the red-team community as a way of reducing the\r\nchances of detection.\r\nWe also observed a standalone version of the sekurlsa::logonpasswords module that abuses the vulnerable\r\ndriver RTCore64.sys to disable the Protected Process Light (PPL) mechanism and dump credentials from lsass.exe.\r\nWe describe below how this vulnerable driver is used to bypass PPL.\r\nTable 3. Reimplemented Mimikatz modules and their functions\r\nReimplemented Mimikatz module | Description of reimplemented function\r\nsekurlsa::logonpasswords | Dumps credentials from lsass.exe; some variants disable PPL by using the vulnerable driver\r\nlsadump::dcsync | Performs a DCSync attack\r\nlsadump::backupkeys + dpapi::chrome | Combines two modules to retrieve the DPAPI backup key from a domain controller (DC) and uses it to decrypt Chrome’s credential data protected by the Data Protection API (DPAPI)\r\nmisc::memssp | Dumps credentials through a Security Support Provider (SSP); implemented based on work by @XPN\r\nSecurity product disablement\r\nFor disabling security products, we found two different tools, which we named ProcBurner and AVBurner. Both\r\ntools abuse the vulnerable driver RTCore64.sys to modify specified values in kernel objects. RTCore64.sys\r\nis a component of MSI Afterburner. In 2019, the driver was assigned CVE-2019-16098, which allows any\r\nauthenticated user to read and write arbitrary memory, including kernel space. Although outdated, the vulnerable\r\nversion of the driver still carries a valid signature, so the attacker can bring it onto the victim machine, load it,\r\nand abuse it for purposes such as anti-antivirus or anti-EDR. 
This technique is known\r\nas \"Bring-Your-Own Vulnerable Driver\" (BYOVD).\r\nFigure 11. CVE-2019-16098 in RTCore64.sys\r\nProcBurner is designed to terminate specific running processes. Simply put, it changes the protection of the\r\ntarget process by forcibly patching the access rights of its handle in kernel space using the vulnerable RTCore64.sys.\r\nThe workflow of ProcBurner is as follows (the environment used is Windows 10 20H2 x64):\r\n1. Call OpenProcess with PROCESS_QUERY_LIMITED_INFORMATION (=0x1000), a minimal access right that is\r\nnormally granted even where broader rights would be refused.\r\n2. The call returns a HANDLE to the target process (0x1d8 in this example).\r\n3. Get the address of the HANDLE_TABLE_ENTRY for that handle by walking the handle table from the EPROCESS\r\nobject.\r\n4. Send an IOCTL request to overwrite HANDLE_TABLE_ENTRY.GrantedAccessBits of the target handle with\r\nPROCESS_ALL_ACCESS (=0x1fffff). \r\n5. The vulnerable RTCore64.sys writes the requested bitmask value.\r\n6. Terminate the process through the now fully privileged handle.\r\nFigure 12. The workflow of ProcBurner\r\nProcBurner checks the running operating system version before patching, because it hard-codes the offsets of\r\nkernel object fields, which differ between build versions. On any version for which it carries the correct offsets, it\r\nshould work. The following versions are supported:\r\nWindows 7 SP1\r\nWindows Server 2008 R2 SP1\r\nWindows 8.1\r\nWindows Server 2012 R2\r\nWindows 10 1607\r\nWindows 10 1809\r\nWindows Server 2019 1809\r\nWindows 10 20H2\r\nWindows 10 21H1\r\nWindows 11 21H2\r\nWindows 11 22449\r\nWindows 11 22523\r\nWindows 11 22557\r\nFor AVBurner, this tool is designed for removing the kernel callback routine to unregister the AV/EDR product. 
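\r\nThe ProcBurner steps above, and the AVBurner callback-array walk described in the next section, modelled as an added example in Python (not ProcBurner or AVBurner code, and not the page’s): the arbitrary kernel read/write that RTCore64.sys provides is replaced by a constructed in-process byte image, so the two patches can be run and checked anywhere. The HANDLE_TABLE_ENTRY and EX_FAST_REF layouts are the Windows 10 x64 ones and are stated in comments; the fake addresses, driver names, company strings and array size are assumptions.

```python
# Added example, not ProcBurner/AVBurner code: both kernel patches modelled on a
# constructed byte image that stands in for the read/write primitive of RTCore64.sys.
import struct

PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_TERMINATE = 0x0001
PROCESS_ALL_ACCESS = 0x1FFFFF
GRANTED_ACCESS_MASK = (1 << 25) - 1          # HighValue.GrantedAccessBits : 25 bits
EX_CALLBACK_FUNCTION_OFFSET = 0x08           # EX_CALLBACK_ROUTINE_BLOCK.Function (page)
MAX_PROCESS_CALLBACKS = 64                   # slots in PspCreateProcessNotifyRoutine (assumed)


class FakeKernelMemory:
    # Flat bytearray with a fake base address; qword read/write like the IOCTLs
    # the vulnerable driver exposes (constructed, in-process only).
    def __init__(self, base, size):
        self.base = base
        self.mem = bytearray(size)

    def read_u64(self, addr):
        return struct.unpack_from('<Q', self.mem, addr - self.base)[0]

    def write_u64(self, addr, value):
        struct.pack_into('<Q', self.mem, addr - self.base, value & 0xFFFFFFFFFFFFFFFF)


# ---- ProcBurner, steps 3-5: upgrade an existing handle in place ----
# _HANDLE_TABLE_ENTRY, Windows 10 x64 (ProcBurner hard-codes such offsets per build):
#   +0x00 LowValue : Unlocked:1 | RefCnt:16 | Attributes:3 | ObjectPointerBits:44
#   +0x08 HighValue: GrantedAccessBits:25 | NoRightsUpgrade:1 | spare bits
def entry_object_header(km, entry):
    ptr_bits = km.read_u64(entry) >> 20              # drop the 20 low bookkeeping bits
    return (ptr_bits << 4) | 0xFFFF000000000000      # OBJECT_HEADER; EPROCESS = +0x30

def entry_granted_access(km, entry):
    return km.read_u64(entry + 8) & GRANTED_ACCESS_MASK

def upgrade_handle_access(km, entry, wanted=PROCESS_ALL_ACCESS):
    high = km.read_u64(entry + 8)
    km.write_u64(entry + 8, (high & ~GRANTED_ACCESS_MASK) | wanted)
    return entry_granted_access(km, entry)           # what the handle now permits


# ---- AVBurner, steps 3-4: walk the callback array and null one driver's slot ----
def walk_process_callbacks(km, array_addr, modules):
    # modules: (name, company, start, end) image ranges used to attribute a pointer
    found = []
    for i in range(MAX_PROCESS_CALLBACKS):
        slot = array_addr + 8 * i
        tagged = km.read_u64(slot)
        if tagged == 0:
            continue
        block = tagged & ~0xF                        # clear the EX_FAST_REF count bits
        func = km.read_u64(block + EX_CALLBACK_FUNCTION_OFFSET)
        owner = next(((n, c) for n, c, s, e in modules if s <= func < e), None)
        found.append((slot, func, owner))
    return found

def unregister_callbacks_of(km, array_addr, modules, needle):
    # needle is matched against the driver's file property (company), as the page describes
    removed = 0
    for slot, _, owner in walk_process_callbacks(km, array_addr, modules):
        if owner and needle.lower() in owner[1].lower():
            km.write_u64(slot, 0)                    # the kernel now skips this slot
            removed += 1
    return removed


def build_sample():
    # Constructed image: one handle granted only 0x1000, two registered callbacks.
    km = FakeKernelMemory(0xFFFF800000000000, 0x1000)
    b = km.base
    entry, hdr, arr = b + 0x100, b + 0x200, b + 0x400
    km.write_u64(entry, (((hdr & 0x0000FFFFFFFFFFFF) >> 4) << 20) | 1)   # Unlocked=1
    km.write_u64(entry + 8, PROCESS_QUERY_LIMITED_INFORMATION)
    blk_av, blk_other = b + 0x700, b + 0x740
    km.write_u64(blk_av + EX_CALLBACK_FUNCTION_OFFSET, b + 0x810)
    km.write_u64(blk_other + EX_CALLBACK_FUNCTION_OFFSET, b + 0x910)
    km.write_u64(arr, blk_av | 0x2)                  # tagged pointers, count in low bits
    km.write_u64(arr + 8, blk_other | 0x1)
    modules = [('avdrv.sys', 'Trend Micro Inc.', b + 0x800, b + 0x900),   # constructed
               ('other.sys', 'Example Corp', b + 0x900, b + 0xA00)]
    return km, entry, hdr, arr, modules

def demo(needle='trend'):
    km, entry, hdr, arr, modules = build_sample()
    before = entry_granted_access(km, entry)
    assert entry_object_header(km, entry) == hdr
    after = upgrade_handle_access(km, entry)
    removed = unregister_callbacks_of(km, arr, modules, needle)
    left = [o[0] for _, _, o in walk_process_callbacks(km, arr, modules)]
    return before, after, removed, left

if __name__ == '__main__':
    print(demo())   # (4096, 2097151, 1, ['other.sys'])
```

Neither patch needs more than one 64-bit store: rewriting GrantedAccessBits changes what an already-open handle may do, and nulling one array slot silently unregisters a driver’s callback. That is also why the per-build offsets matter so much to these tools: the same single write at a wrong offset is a crash rather than a bypass.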
To\r\nunderstand how AVBurner works, we will briefly introduce kernel callbacks.\r\nKernel callbacks are a Windows OS mechanism that allows drivers, including antivirus drivers, to register callback\r\nroutines to receive notifications on certain events, such as process, thread, or registry creation. Ntoskrnl.exe\r\nprovides several APIs for drivers to register callbacks for each event. For example, for monitoring process\r\ncreation, PsSetCreateProcessNotifyRoutine is exported. This API receives the function pointer to invoke when any\r\nprocess is created. When PsSetCreateProcessNotifyRoutine is called, it invokes\r\nPspSetCreateProcessNotifyRoutine. In this function, the Windows kernel registers the given callback function at the\r\nend of a callback array named PspCreateProcessNotifyRoutine. From then on, whenever a process is created, the\r\nWindows kernel enumerates this array to find and invoke the registered callback functions.\r\nFigure 13. AV.sys registers a callback for the process creation event by calling the\r\nPsSetCreateProcessNotifyRoutine API\r\nAVBurner abuses RTCore64.sys to enumerate the PspCreateProcessNotifyRoutine array and find the target driver.\r\nThe workflow of AVBurner is as follows:\r\n1. Get the addresses of PsSetCreateProcessNotifyRoutine and IoCreateDriver.\r\n2. Search for a specific sequence of bytes between those two addresses to find the address of\r\nPspCreateProcessNotifyRoutine.\r\n3. PspCreateProcessNotifyRoutine is an array of callback entries, each holding a tagged pointer to an\r\nEX_CALLBACK_ROUTINE_BLOCK object. The address of that object is obtained by clearing the low four bits\r\nof the pointer (the kernel uses them as an EX_FAST_REF reference count).\r\n4. EX_CALLBACK_ROUTINE_BLOCK.Function (offset=0x08) contains a pointer to the callback function\r\n(inside Driver.sys in this case). 
Get the driver’s file path that the callback function belongs to, and if the driver’s\r\nfile properties contain a target string (such as Trend), AVBurner overwrites the array entry with NULL, which\r\nremoves the callback registration.\r\nFigure 14. The workflow of AVBurner\r\nAttribution\r\nWe attribute this activity to a subgroup of APT41, which we call Earth Longzhi, based on the following factors.\r\nFigure 15. Finding Earth Longzhi’s position in the APT41 organizational structure\r\nVictimology\r\nThe affected regions and targeted sectors lie in East and Southeast Asia, which is\r\nclose to the victimology identified in our research on another APT41 subgroup, Earth Baku.\r\nShared Cobalt Strike metadata with other APT41 subgroups\r\nAfter checking the metadata of all the Cobalt Strike payloads, we found that most of the payloads shared the same\r\nwatermark, 426352781, and public key 9ee3e0425ade426af0cb07094aa29ebc. This watermark and public key\r\ncombination is also used by Earth Baku and GroupCC, which are also believed to be subgroups of APT41. The\r\nidentified watermark has not yet been attributed to other threat actors. The use of the same watermark and public\r\nkey indicates that Earth Longzhi shares the Cobalt Strike team server, as well as the Cobalt Strike package and\r\nlicense, with the other APT41 subgroups.\r\nFigure 16. Timeline of attacks with shared Cobalt Strike metadata\r\nCode similarities of shellcode loaders and overlapping TTPs\r\nWe also found that the decryption algorithms in the Symatic loader and CroxLoader are quite similar to the one\r\nidentified with GroupCC. All of these loaders use \u003c(sub 0xA) XOR 0xCC\u003e as their decryption algorithm. 
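\r\nThe (sub 0xA) XOR 0xCC routine, as an added example in Python that is not the loaders’ code or the page’s: it decrypts a blob with the documented constants in either operand order (the text and Table 2 describe the order differently, so both are tried), recognizes the result by its prologue, and, going one step beyond the page, recovers unknown constants for the whole (sub k1) XOR k2 family from a few bytes of known plaintext. The sample blob is constructed here from a made-up payload; the prologue byte patterns are assumptions about what a decrypted Cobalt Strike stage usually starts with.

```python
# Added example, not the loaders' code: the (sub 0xA) XOR 0xCC decryptor shared by
# GroupCC, the Symatic loader and CroxLoader, plus a known-plaintext key search.
PROLOGUES = {
    'x64 shellcode (cld; and rsp,-16)': bytes.fromhex('fc4883e4f0'),
    'x86 shellcode (cld; call)': bytes.fromhex('fce8'),
    'PE image (MZ header)': b'MZ',
}   # assumed starts of a decrypted stage; extend for other payload formats

def sub_xor_decrypt(buf, sub=0x0A, xor=0xCC):
    # Figure 17 routine: subtract the constant, then XOR (this order assumed)
    return bytes(((b - sub) & 0xFF) ^ xor for b in buf)

def sub_xor_encrypt(buf, sub=0x0A, xor=0xCC):
    # exact inverse; used only to construct test material here
    return bytes(((b ^ xor) + sub) & 0xFF for b in buf)

def xor_sub_decrypt(buf, xor=0xCC, sub=0x0A):
    # the other reading of Table 2: XOR first, then subtract
    return bytes(((b ^ xor) - sub) & 0xFF for b in buf)

def classify(plain):
    for name, magic in PROLOGUES.items():
        if plain.startswith(magic):
            return name
    return None

CANDIDATES = (
    ('sub 0xA then xor 0xCC', sub_xor_decrypt),
    ('xor 0xCC then sub 0xA', xor_sub_decrypt),
)

def probe(blob):
    # Try the documented constants in both orders on the first bytes only;
    # returns (routine name, payload type) or None if nothing plausible appears.
    for name, fn in CANDIDATES:
        kind = classify(fn(blob[:8]))
        if kind:
            return name, kind
    return None

def recover_keys(blob, known=PROLOGUES['x64 shellcode (cld; and rsp,-16)']):
    # Generalization beyond the page: brute-force k1, k2 for the (sub k1) XOR k2
    # family given a few bytes of expected plaintext; 65536 trials on len(known) bytes.
    head = blob[:len(known)]
    return [(k1, k2) for k1 in range(256) for k2 in range(256)
            if sub_xor_decrypt(head, k1, k2) == known]

# Constructed payload: the usual x64 stager prologue followed by filler bytes.
SAMPLE_PAYLOAD = bytes.fromhex('fc4883e4f0e8c0000000') + bytes(range(16))
SAMPLE_BLOB = sub_xor_encrypt(SAMPLE_PAYLOAD)

if __name__ == '__main__':
    print(probe(SAMPLE_BLOB))          # ('sub 0xA then xor 0xCC', 'x64 shellcode (cld; and rsp,-16)')
    print(recover_keys(SAMPLE_BLOB))   # includes (10, 204)
```

Because the routine is a byte-wise affine transform, a five-byte prologue is enough to pin both constants, which is why a sample whose author has changed 0xA and 0xCC to other values still falls to the same probe; the key search only needs to be rerun, not rewritten.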
As\r\nfor the similar TTPs, Earth Longzhi also adopted the Python Fastly CDN used by GroupCC to hide the actual\r\ncommand-and-control (C\u0026C) server address. At the time we were analyzing Earth Longzhi, we did not find\r\nreports documenting the abuse of the Python CDN other than the GroupCC report by TeamT5. Hence, we consider it\r\nevidence of the relationship between Earth Longzhi and GroupCC.\r\nFigure 17. Decryption algorithm used by GroupCC (top), CroxLoader (left), and Symatic loader\r\n(bottom)\r\nConclusion\r\nWe profile Earth Longzhi as an APT group that mainly targets the Asia-Pacific region. After investigating two\r\ndifferent campaigns, we verified that its target sectors are in industries pertinent to Asia-Pacific countries’ national\r\nsecurity and economies. The activities in these campaigns show that the group is knowledgeable about red-team\r\noperations. The group uses social engineering techniques to spread its malware and deploys customized hack tools\r\nto bypass the protection of security products and steal sensitive data from compromised machines. From an\r\noverall security perspective, it seems that Earth Longzhi is playing Hack The Box, an online platform for\r\npenetration testing, but in the real world.\r\nAPT41 groups seem to be using less custom malware and are becoming more accustomed to commodity\r\nmalware such as Cobalt Strike. They are also now more focused on developing new loaders and\r\nhacking tools to bypass security products. AVBurner is a formidable example of this, as it abuses a dated and\r\nvulnerable driver to disable security solutions, while both ProcBurner and AVBurner attack security at the kernel\r\nlevel, a noticeable emerging pattern among APT groups and cybercriminals. 
In addition, Earth Longzhi, as a subgroup of\r\nAPT41, appears familiar with the practices of offensive security teams such as red teams.\r\nIn the process of attribution, we also discovered that the group uses shared Cobalt Strike licenses and imitates the\r\nTTPs used by other APT41 subgroups. The sharing of tools between different groups could point to the\r\nfollowing circumstances:\r\n1. These threat actors are no longer static groups. Although the organizational structure will keep changing\r\nfrom time to time, the tools will be inherited by the subsequent newly organized groups.\r\n2. The tool developers and campaign operators share the tools with their collaborator groups.\r\nFollowing these indications, tool-based attribution and analysis will likely become more complicated and will\r\nchallenge threat researchers trying to establish links among different groups. Researchers of APT groups and other\r\ncybercriminals will also have to consider other aspects and integrate collected information such as code\r\nsimilarities and victim profiles, among other technical characteristics. Security providers and\r\nsolutions will also have to reassess and, if possible, avoid or disable the use of vulnerable drivers (for example, by\r\nenforcing Microsoft’s vulnerable driver blocklist). At the very least, organizations’ security teams should be able to\r\nenable features such as monitoring of vulnerable driver installation, if available. 
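\r\nThe vulnerable-driver monitoring recommended above, as an added example in Python that is not part of the report: it runs over a handful of constructed Sysmon-style records (EventID 6 DriverLoad, EventID 5 ProcessTerminate) and flags a load of RTCore64.sys, a driver loaded from outside the system drivers directory, and a security process exiting shortly after such a load, which is the observable side of the ProcBurner workflow. Field names follow Sysmon; the pipe-separated record layout, the time window, the driver list and the process names are assumptions to adapt to your own telemetry.

```python
# Added example, not part of the report: vulnerable-driver and kill-chain checks
# over constructed Sysmon-style records (EventID 6 DriverLoad, 5 ProcessTerminate).
from datetime import datetime, timedelta

BS = chr(92)                                   # backslash, kept out of the literals
WINDOW = timedelta(seconds=60)                 # load-to-kill correlation window (assumed)
VULN_DRIVERS = {'rtcore64.sys'}                # from this report; feed from a maintained blocklist
SECURITY_PROCS = {'msmpeng.exe', 'mssense.exe'}   # add your AV/EDR process names
DRIVER_DIR = BS.join(['c:', 'windows', 'system32', 'drivers']) + BS

def winpath(*parts):
    return BS.join(parts)

# Constructed records; field names follow Sysmon, the pipe-separated layout is ours.
SAMPLE_LOG = [
    'EventID=6|UtcTime=2022-03-01 10:00:05.000|ImageLoaded=' + winpath('C:', 'Users', 'Public', 'RTCore64.sys') + '|Signed=true|SignatureStatus=Valid',
    'EventID=6|UtcTime=2022-03-01 10:00:06.000|ImageLoaded=' + winpath('C:', 'Windows', 'System32', 'drivers', 'tcpip.sys') + '|Signed=true|SignatureStatus=Valid',
    'EventID=5|UtcTime=2022-03-01 10:00:21.000|ProcessId=4312|Image=' + winpath('C:', 'ProgramData', 'Microsoft', 'Windows Defender', 'Platform', 'MsMpEng.exe'),
    'EventID=5|UtcTime=2022-03-01 10:00:30.000|ProcessId=5120|Image=' + winpath('C:', 'Windows', 'System32', 'notepad.exe'),
    'EventID=5|UtcTime=2022-03-01 11:30:00.000|ProcessId=4400|Image=' + winpath('C:', 'ProgramData', 'Microsoft', 'Windows Defender', 'Platform', 'MsMpEng.exe'),
]

def parse(line):
    rec = dict(field.partition('=')[::2] for field in line.split('|'))
    rec['ts'] = datetime.strptime(rec['UtcTime'], '%Y-%m-%d %H:%M:%S.%f')
    return rec

def basename(path):
    return path.rsplit(BS, 1)[-1].lower()

def analyze(lines):
    # Returns (severity, timestamp, message) triples in time order. A valid signature
    # is not exonerating: BYOVD works precisely because the driver is signed, so match
    # the file name (better: the Hashes field) against a blocklist, not SignatureStatus.
    findings, vuln_loads = [], []
    for rec in sorted((parse(l) for l in lines), key=lambda r: r['ts']):
        if rec['EventID'] == '6':
            path = rec['ImageLoaded']
            if basename(path) in VULN_DRIVERS:
                findings.append(('high', rec['ts'], 'known vulnerable driver loaded: ' + path))
                vuln_loads.append((rec['ts'], path))
            if not path.lower().startswith(DRIVER_DIR):
                findings.append(('medium', rec['ts'], 'driver loaded from non-standard path: ' + path))
        elif rec['EventID'] == '5' and basename(rec['Image']) in SECURITY_PROCS:
            for ts, path in vuln_loads:
                gap = rec['ts'] - ts
                if timedelta(0) <= gap <= WINDOW:
                    findings.append(('critical', rec['ts'], basename(rec['Image']) + ' exited '
                                     + str(int(gap.total_seconds())) + 's after ' + path + ' was loaded'))
    return findings

def severities(lines):
    return [f[0] for f in analyze(lines)]

if __name__ == '__main__':
    for sev, ts, msg in analyze(SAMPLE_LOG):
        print(sev, ts, msg)       # high, medium, critical
```

The third sample record fires the critical rule because the AV process exits 16 seconds after RTCore64.sys was loaded; the last record, an identical exit over an hour later, does not, which keeps routine product restarts out of the alert. Driver loads are rare enough on most fleets that the medium rule alone is worth a review queue.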
Fortunately for researchers and operational security teams, these groups’ use of publicly\r\navailable tools and previously deployed routines can be detected faster, and defenses can be tested against their TTPs.\r\nIndicators of Compromise (IOCs)\r\nFind the full list of IOCs here.\r\nSource: https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html"
	],
	"report_names": [
		"hack-the-real-box-apt41-new-subgroup-earth-longzhi.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b317799-01c0-48fa-aee2-31a738116771",
			"created_at": "2022-11-20T02:02:37.746719Z",
			"updated_at": "2026-04-10T02:00:04.561617Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"Earth Longzhi"
			],
			"source_name": "ETDA:Earth Longzhi",
			"tools": [
				"Agentemis",
				"BigpipeLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"CroxLoader",
				"MultiPipeLoader",
				"OutLoader",
				"Symatic Loader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d196cb29-a861-4838-b157-a31ac92c6fb1",
			"created_at": "2023-11-04T02:00:07.66699Z",
			"updated_at": "2026-04-10T02:00:03.386945Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"SnakeCharmer"
			],
			"source_name": "MISPGALAXY:Earth Longzhi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434885,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c801695128ac2fc981656d32de5b8b0b7677da8f.pdf",
		"text": "https://archive.orkl.eu/c801695128ac2fc981656d32de5b8b0b7677da8f.txt",
		"img": "https://archive.orkl.eu/c801695128ac2fc981656d32de5b8b0b7677da8f.jpg"
	}
}