{
	"id": "c0daaf89-b5b1-4585-b605-e63559719f8c",
	"created_at": "2026-04-06T00:11:57.971706Z",
	"updated_at": "2026-04-10T03:32:21.690629Z",
	"deleted_at": null,
	"sha1_hash": "f6c432570d678127748ed2c50289b043337cfb97",
	"title": "Earth Freybug Uses UNAPIMON for Unhooking Critical APIs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1026182,
	"plain_text": "Earth Freybug Uses UNAPIMON for Unhooking Critical APIs\r\nBy: Christopher So Apr 02, 2024 Read time: 6 min (1633 words)\r\nPublished: 2024-04-02 · Archived: 2026-04-05 14:04:15 UTC\r\nIn the past month, we investigated a cyberespionage attack that we have attributed to Earth Freybug (also known as a subset of APT41). Earth Freybug is a cyberthreat group that has been active since at least 2012 and focuses on espionage and financially motivated activities. It has been observed to target organizations from various sectors across different countries. Earth Freybug actors use a diverse range of tools and techniques, including LOLBins and custom malware. This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored, via a new malware we’ve discovered and dubbed UNAPIMON.\r\nBackground of the attack flow\r\nThe tactics, techniques, and procedures (TTPs) used in this campaign are similar to the ones from a campaign described in an article published by Cybereason. In this incident, we observed a vmtoolsd.exe process that creates a remote scheduled task using schtasks.exe. Once executed, this launches a pre-deployed cc.bat in the remote machine.\r\nhttps://www.trendmicro.com/en_us/research/24/d/earth-freybug.html\r\nPage 1 of 7\n\nFigure 1. Earth Freybug attack chain\r\nvmtoolsd.exe is a component of VMware Tools called VMware user process, which is installed and run inside a guest virtual machine to facilitate communication with the host machine. Meanwhile, schtasks.exe is a component of Windows called Task Scheduler Configuration Tool, which is used to manage tasks in a local or remote machine. Based on the behavior we observed from our telemetry, code of unknown origin was injected in vmtoolsd.exe that started schtasks.exe. 
It’s important to note that both vmtoolsd.exe and schtasks.exe are legitimate files. Although the origin of the malicious code in vmtoolsd.exe in this incident is unknown, there have been documented infections wherein vulnerabilities in legitimate applications were exploited via vulnerable external-facing servers.\r\nFigure 2. Command line for executing the Task Scheduler Configuration Tool.\r\nFirst cc.bat for reconnaissance\r\nOnce the scheduled task is triggered, a previously deployed batch file, %System%\\cc.bat, is executed in the remote machine. Based on our telemetry, this batch file launches commands to gather system information. Among the commands executed are:\r\npowershell.exe -command \"Get-NetAdapter |select InterfaceGuid\"\r\narp -a\r\nipconfig /all\r\nfsutil fsinfo drives\r\nquery user\r\nnet localgroup administrators\r\nsysteminfo\r\nwhoami\r\nnetstat -anb -p tcp\r\nnet start\r\ntasklist /v\r\nnet session\r\nnet share\r\nnet accounts\r\nnet use\r\nnet user\r\nnet view\r\nnet view /domain\r\nnet time \\\\127.0.0.1\r\nnet localgroup administrators /domain\r\nwmic nic get \"guid\"\r\nThe system information gathered via these commands is written to a text file called %System%\\res.txt.\r\nOnce this is done, another scheduled task is set up to execute %Windows%\\Installer\\cc.bat in the target machine, which launches a backdoor.\r\nSecond cc.bat hijacking for DLL side-loading\r\nThe second cc.bat is notable for leveraging a service that loads a nonexistent library to side-load a malicious DLL. In this case, the service is SessionEnv. A detailed technical description of how this technique works can be found here. In this technique, this second cc.bat first copies a previously dropped %Windows%\\Installer\\hdr.bin to %System%\\TSMSISrv.DLL. 
It then stops the SessionEnv service, waits for a few seconds, then restarts the service. This will make the service load and execute the file %System%\\TSMSISrv.DLL. Two actions of interest done by TSMSISrv.DLL are dropping and loading a file named %Windows%\\_{5 to 9 random alphabetic characters}.dll and starting a cmd.exe process in which the same dropped DLL is also injected. Based on telemetry data, we noticed that this instance of cmd.exe is used to execute commands coming from another machine, thus turning it into a backdoor. We dubbed the dropped DLL loaded in both the service and cmd.exe UNAPIMON.\r\nIntroducing UNAPIMON for defense evasion\r\nAn interesting thing that we observed in this attack is the use of a peculiar malware that we named UNAPIMON. In its essence, UNAPIMON employs defense evasion techniques to prevent child processes from being monitored, which we detail in the succeeding sections.\r\nMalware analysis\r\nUNAPIMON itself is straightforward: It is a DLL malware written in C++ and is neither packed nor obfuscated; it is not encrypted save for a single string.\r\nAt the DllMain function, it first checks whether it is being loaded or unloaded. When the DLL is being loaded, it creates an event object for synchronization, and starts the hooking thread.\r\nAs shown in Figure 3, the hooking thread first obtains the address of the function CreateProcessW from kernel32.dll, which it saves for later use. CreateProcessW is one of the Windows API functions that can be used to create a process. It then installs a hook on it using Microsoft Detours, an open-source software package developed by Microsoft for monitoring and instrumenting API calls on Windows.\r\nFigure 3. Hooking thread disassembly\r\n
This mechanism redirects any calls made to CreateProcessW from a process where this DLL is loaded to the hook. The hook function calls the original CreateProcessW using the previously saved address to create the actual process, but with the value CREATE_SUSPENDED (4) in the creation flags parameter. This effectively creates the process with its main thread suspended.\r\nFigure 4. Calling “CreateProcessW” with “CREATE_SUSPENDED”\r\nIt then walks through a list of hardcoded DLL names as shown in Figure 5.\r\nFigure 5. List of DLL names\r\nFor each DLL in the list that is loaded in the child process, it creates a copy of the DLL file to %User Temp%\\_{5 to 9 random alphabetic characters}.dll (hereafter referred to as the local copy), which it then loads using the API function LoadLibraryEx with the parameter DONT_RESOLVE_DLL_REFERENCES (1). It does this to prevent a loading error as described in this article.\r\nFigure 6. Copy and load DLL\r\nAfter the local copy of the DLL has been loaded, it then proceeds to create a local memory copy of the loaded DLL image with the same name in the child process. To ensure that the two DLLs are the same, it compares both the values of the checksum field in the headers and the values of the number of name pointers in the export table.\r\nOnce verified to be identical, it walks through all exported addresses in the export table. For each exported address, it checks to ensure that the address points to code in an executable memory page, and that the starting code has been modified. Specifically, it checks if the memory page protection has the values PAGE_EXECUTE (0x10), PAGE_EXECUTE_READ (0x20), or PAGE_EXECUTE_READWRITE (0x40). 
Modifications are detected if the first byte at the exported address is either 0xE8 (CALL) or 0xE9 (JMP), or if its first two bytes are not equal to the corresponding first two bytes in the loaded local copy. Additionally, it also verifies that the name of the exported address is not RtlNtdllName, which contains data instead of executable code.\r\nFigure 7. Exported address checking\r\nIf an exported address passes these tests, it is added to a list for unpatching.\r\nOnce all the DLL names in the list have been processed, it walks through each of the addresses in the unpatching list. For each address, it copies 8 bytes from the loaded local copy (the original) to the remote address, which has been previously modified. This effectively removes any code patches applied to an exported address.\r\nFigure 8. Unpatching loop\r\nFinally, it unloads and deletes the randomly named local copy of the DLL and resumes the main thread. When the malware is unloaded, it removes the hook from CreateProcessW.\r\nImpact\r\nLooking at the behavior of UNAPIMON and how it was used in the attack, we can infer that its primary purpose is to unhook critical API functions in any child process. For environments that implement API monitoring through hooking, such as sandboxing systems, UNAPIMON will prevent child processes from being monitored. Thus, this malware can allow any malicious child process to be executed with its behavior undetected.\r\nA unique and notable feature of this malware is its simplicity and originality. Its use of existing technologies, such as Microsoft Detours, shows that any simple and off-the-shelf library can be used maliciously if used creatively. This also displayed the coding prowess and creativity of the malware writer. In typical scenarios, it is the malware that does the hooking. 
However, it is the opposite in this case.\r\nSecurity recommendations\r\nIn this specific Earth Freybug attack, the threat actor used administrator accounts, which means that the threat actors knew the admin credentials, rendering group policies useless. The only way to prevent this from happening in an environment is good housekeeping, which involves frequent password rotation, limiting access to admin accounts to actual admins, and activity logging.\r\nIn this incident, data exfiltration was done using a third-party collaborative software platform over which we do not have control. Even if the write permissions were revoked for affected folders that could be accessed through the collaborative software, the threat actor could simply override it, since the threat actor is the admin from the system’s point of view.\r\nUsers should restrict admin privileges and follow the principle of least privilege. The fewer people with admin privileges, the fewer loopholes in the system malicious actors can take advantage of.\r\nConclusion\r\nEarth Freybug has been around for quite some time, and their methods have been seen to evolve over time. This was evident from what we observed from this attack: We concluded that they are still actively finding ways to improve their techniques to successfully achieve their goals.\r\nThis attack also demonstrates that even simple techniques can be used effectively when applied correctly. Adding these techniques to an existing attack pattern makes the attack more difficult to discover. 
Security researchers and SOCs must keep a watchful eye not only on malicious actors’ advanced techniques, but also on the simple ones that are easily overlooked.\r\nIndicator of compromise\r\nHash: 62ad0407a9cce34afb428dee972292d2aa23c78cbc1a44627cb2e8b945195bc2\r\nDetection name: Trojan.Win64.UNAPIMON.ZTLB\r\nSource: https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html"
	],
	"report_names": [
		"earth-freybug.html"
	],
	"threat_actors": [
		{
			"id": "315bd857-79cc-46f2-896f-aeb0fc576b49",
			"created_at": "2024-04-28T02:00:03.693599Z",
			"updated_at": "2026-04-10T02:00:03.62936Z",
			"deleted_at": null,
			"main_name": "Earth Freybug",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Freybug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "10e4e1de-afe4-4a62-b46d-07800c801a17",
			"created_at": "2024-04-24T02:02:07.562188Z",
			"updated_at": "2026-04-10T02:00:04.560334Z",
			"deleted_at": null,
			"main_name": "Earth Freybug",
			"aliases": [
				"Earth Freybug"
			],
			"source_name": "ETDA:Earth Freybug",
			"tools": [
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"UNAPIMON"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434317,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6c432570d678127748ed2c50289b043337cfb97.pdf",
		"text": "https://archive.orkl.eu/f6c432570d678127748ed2c50289b043337cfb97.txt",
		"img": "https://archive.orkl.eu/f6c432570d678127748ed2c50289b043337cfb97.jpg"
	}
}