active threat profile
type: Nation-State
threat_level: Critical
status: Active
origin: China — APT41 subgroup
last_updated: 2026-03-27

Earth Longzhi

parent cluster: APT41 / Winnti subgroup
shares CS infra with Earth Baku and GroupCC
disclosed: Trend Micro, Nov 2022

An APT41 subgroup first documented by Trend Micro in November 2022, with operations traceable to May 2020. Earth Longzhi is an Asia-Pacific-focused espionage actor targeting sectors with direct relevance to national security and regional economies — defense, aviation, government, healthcare, banking, and urban development. The group shares a Cobalt Strike team server with Earth Baku and GroupCC (watermark 426352781, public key 9ee3e0425ade426af0cb07094aa29ebc), confirming shared APT41 infrastructure. Its May 2023 return campaign introduced two techniques new to the threat landscape: "stack rumbling" — a novel security product denial-of-service technique using Image File Execution Options (IFEO) — and driver installation via Microsoft RPC rather than standard Windows APIs, bypassing API call monitoring. The group continues to evolve its evasion methods with each documented campaign cycle.

sponsor: China — APT41 / Winnti umbrella (state-sponsored)
disclosed: Trend Micro, November 2022 (HITCON PEACE 2022)
first activity: May 2020 (Campaign 1, Taiwan)
cobalt strike watermark: 426352781 — shared with Earth Baku and GroupCC (APT41)
novel technique: Stack rumbling (IFEO-based security DoS) — first observed in the wild (May 2023)
byovd driver (2023): zamguard64.sys — CVE-2018-5713 — Zemana vulnerable driver
primary sectors: Defense, aviation, government, healthcare, banking, urban development, insurance
geographic focus: Taiwan, Thailand, Philippines, Malaysia, Indonesia, Pakistan, Ukraine, Fiji
campaign cadence: 3 documented campaigns: May 2020–Feb 2021; Aug 2021–Jun 2022; May 2023+

Overview

Earth Longzhi operates as a specialized subgroup within the APT41 / Winnti umbrella — one of China's most expansive state-sponsored espionage platforms. Trend Micro's November 2022 disclosure established Earth Longzhi as a distinct cluster after investigators began with an early 2022 incident in Taiwan and, following Cobalt Strike loader analysis, traced similar activity back to 2020 across multiple regions. The definitive APT41 attribution rests on the shared Cobalt Strike infrastructure: the same watermark and public key combination (426352781 / 9ee3e0425ade426af0cb07094aa29ebc) appearing across Earth Longzhi, Earth Baku, and GroupCC — three distinct APT41 subgroups — confirms shared team server access and licensing.

Earth Longzhi's targeting follows the logic of national security espionage rather than financial opportunism. The sector list — defense, aviation, government, healthcare, banking, urban development, insurance — maps to a Chinese state intelligence collection mandate covering economic competitiveness, military capability, and regional political influence in the Asia-Pacific. The inclusion of Ukraine in the second campaign's target countries (defense, aviation, and urban development organizations, August 2021 to June 2022) is notable given the timeline's overlap with the buildup to Russia's February 2022 invasion — suggesting collection on Ukraine-related military and infrastructure topics concurrent with that geopolitical moment.

The group's technical sophistication is well above average for financially motivated actors and consistent with a state-resourced team with red-team expertise. Trend Micro noted the group uses an "all-in-one" post-exploitation toolkit — compressing multiple hacking tools into a single executable — and develops custom loaders from open-source projects. By the May 2023 campaign, the group had moved away from document-based phishing to IIS and Exchange server exploitation, adopted Windows Defender binaries for DLL sideloading to conceal malware as legitimate security tool components, and introduced both a BYOVD attack (zamguard64.sys, CVE-2018-5713) and the stack rumbling technique — the latter documented as a first-in-wild occurrence by Trend Micro.

Campaign History

Campaign 1 — East Asia Initial Operations (May 2020 – Feb 2021)

Earth Longzhi's first documented campaign, identified retrospectively through shared Cobalt Strike loader analysis. Primary entry vector: spear-phishing emails with password-protected archive attachments or Google Drive links pointing to password-protected archives containing CroxLoader, a custom Cobalt Strike loader. Targets included organizations across the Philippines, India, and Taiwan. Key tooling: CroxLoader (initial variant), Symatic Loader, and an all-in-one post-exploitation tool combining privilege escalation (PrintNightmare and PrintSpoofer), credential dumping (a custom standalone Mimikatz), and defense evasion utilities. The decryption algorithm used in this phase, (SUB 0xA) XOR 0xCC, was later used to link subsequent campaigns and to relate Earth Longzhi to GroupCC through code overlap.

countries: Philippines, India, Taiwan
sectors: government, healthcare, defense

Campaign 2 — Expanded Regional Targeting (Aug 2021 – Jun 2022)

Earth Longzhi's second campaign expanded both geographic reach and sector coverage significantly. Continuing spear-phishing as the primary entry vector alongside exploitation of public-facing applications, the group deployed multiple custom Cobalt Strike loaders — CroxLoader, BigpipeLoader, and OutLoader — against high-profile targets. Victims included organizations in defense, aviation, insurance, and urban development industries. Geographic expansion added China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine to the target set alongside Taiwan. The inclusion of Ukrainian defense and aviation targets during the period immediately preceding and following Russia's February 2022 invasion represents the highest geopolitical sensitivity of Earth Longzhi's documented operations. A BYOVD technique using RTCore64.sys was observed in this phase to restrict execution of security products — a precursor to the more sophisticated BYOVD approach in Campaign 3.

countries: Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, Ukraine
sectors: defense, aviation, insurance, urban development

Campaign 3 — Security Evasion Evolution (Stack Rumbling, BYOVD) (May 2023+)

Disclosed by Trend Micro on May 2, 2023 after months of dormancy. This campaign introduced several new TTPs not previously observed from Earth Longzhi. Initial access shifted from spear-phishing maldocs to exploiting internet-exposed IIS and Microsoft Exchange servers to install the Behinder web shell, a significant operational evolution. After initial access, the group deployed Windows Defender binaries (MpDlpCmd.exe and MpCmdRun.exe) as a DLL sideloading vehicle, loading CroxLoader disguised as MpClient.dll (payload in MpClient.bin) and SPHijacker as the security evasion tool. SPHijacker terminates security products via the zamguard64.sys BYOVD driver (CVE-2018-5713) and introduces stack rumbling, a first-in-wild technique that manipulates Image File Execution Options registry keys to cause security products to crash on launch. UAC bypass was achieved via the IElevatedFactoryServer COM object. Scheduled tasks disguised as legitimate Google Update entries provided persistence. Decoy documents in Vietnamese and Indonesian found in the group's files indicate planned targeting expansion to Vietnam and Indonesia. Targeted: government, healthcare, technology, and manufacturing sectors in the Philippines, Thailand, Taiwan, and Fiji (a new country target).

countries: Philippines, Thailand, Taiwan, Fiji (new), Vietnam (next), Indonesia (next)
sectors: government, healthcare, technology, manufacturing

Tactics, Techniques & Procedures

TTPs as documented by Trend Micro across three campaigns. Evolution across campaigns is tracked where applicable.

T1190 / T1566.001: Initial Access — Spear-Phishing and Web Shell Deployment
Campaigns 1 and 2 used spear-phishing emails with password-protected archive attachments or Google Drive links hosting malicious archives containing CroxLoader. Emails were written in traditional Chinese and crafted around personal information lures. Campaign 3 abandoned maldocs in favor of exploiting internet-exposed IIS and Microsoft Exchange servers — consistent with the broader APT41 group's preference for server-side exploitation — to deploy the Behinder web shell, which provided an initial foothold from which further payloads were downloaded.

T1574.002: DLL Sideloading via Windows Defender Binaries
Campaign 3's defining initial post-access technique: legitimate Windows Defender binaries MpDlpCmd.exe and MpCmdRun.exe are run as system services. A malicious DLL named MpClient.dll is placed in their load path — a classic DLL sideloading setup where the legitimate Microsoft-signed binary loads the attacker's DLL instead of the intended legitimate library. The malicious MpClient.dll is the new CroxLoader variant, which reads and decrypts MpClient.bin containing the final Cobalt Strike Beacon payload. The decryption algorithm changed from (SUB 0xA) XOR 0xCC in earlier variants to (ADD 0x70) XOR 0xDD in Campaign 3.

T1562.001: Stack Rumbling — IFEO-Based Security Product Denial of Service
Documented as a first-in-wild technique by Trend Micro in the May 2023 report. SPHijacker's stack rumbling approach manipulates the Image File Execution Options (IFEO) registry key for security product executables. By setting a specific IFEO entry, the attacker causes the target executable (security product) to fail at launch with a stack overflow or similar fatal error — a denial-of-service condition that prevents the security product from running without leaving obvious evidence of process termination. This is distinct from the BYOVD approach and does not require a vulnerable driver — it abuses a legitimate Windows debugging infrastructure feature. The technique can disable endpoint security products that would otherwise detect and block subsequent malicious activity.

T1068 / T1562.001: BYOVD — Bring Your Own Vulnerable Driver (zamguard64.sys)
SPHijacker's second security evasion approach uses a Bring Your Own Vulnerable Driver (BYOVD) attack. zamguard64.sys (originally named Zamguard64.sys, renamed to mmmm.sys during deployment) is a legitimately signed but vulnerable driver published by Zemana — CVE-2018-5713. The driver is decrypted and dropped, then registered as a service. Once loaded, it provides kernel-level access that SPHijacker uses to terminate security product processes from kernel context, bypassing user-mode process protection mechanisms that prevent termination of security software. Earlier Campaign 2 BYOVD used RTCore64.sys for the same purpose.

T1548.002: UAC Bypass — IElevatedFactoryServer COM Object
Campaign 3 introduced a UAC bypass technique using the Component Object Model (COM) object IElevatedFactoryServer. The COM interface allows the attacker to bypass Windows User Account Control (UAC) and register a payload as a scheduled task with the highest privilege level — SYSTEM. This bypasses the UAC prompt that would otherwise appear when attempting elevated operations, enabling the payload (dllhost.exe, a downloader for further C2 payloads) to be registered and executed with system-level privileges without triggering a user-visible UAC prompt. Trend Micro noted this was the first time they observed Earth Longzhi using this specific UAC bypass in its operations.

T1543.003 / T1021.006: Driver Installation via RPC — API Call Monitoring Evasion
Campaign 3 installs kernel-level drivers using Microsoft Remote Procedure Call (RPC) rather than standard Windows APIs. The conventional approach to kernel driver registration uses Windows API calls (e.g., CreateService, StartService) that can be monitored by security products and EDR solutions. Using RPC to achieve the same result bypasses API call monitoring hooks that would detect and alert on these operations, providing an evasion path for the BYOVD driver registration that would otherwise be a high-confidence detection signal.

T1059.001 / T1071: Cobalt Strike C2 — Shared APT41 Infrastructure
Earth Longzhi uses CroxLoader (and its variants BigpipeLoader, OutLoader) as custom loaders to deploy and execute Cobalt Strike Beacons for C2. The decryption algorithms in the loaders — (SUB 0xA) XOR 0xCC in Campaign 1 variants, (ADD 0x70) XOR 0xDD in Campaign 3 — are similar to those used by GroupCC, establishing the technical link between these APT41 subgroups. The shared Cobalt Strike watermark (426352781) and public key across Earth Longzhi, Earth Baku, and GroupCC confirm shared team server access within the APT41 ecosystem.

T1053.005: Scheduled Task Persistence — Google Update Disguise
Campaign 3 creates a scheduled task disguised as a legitimate Google Update entry for persistence. The task is registered at system privileges via the IElevatedFactoryServer UAC bypass, pointing to dllhost.exe as the scheduled payload — a downloader that retrieves additional C2 payloads from the remote server. By naming the task and configuring it to resemble the ubiquitous Google Update task, the group reduces the likelihood of the persistence mechanism being identified as malicious during routine administrative review.
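
The two CroxLoader byte transforms named in the T1574.002 and T1071 entries above, worked as a decoder. This is an added example, not code from the Trend Micro reports or from Earth Longzhi's loaders. It reads the notation (SUB 0xA) XOR 0xCC as "subtract, then XOR, per byte" (an assumption about the notation), applies each scheme to a blob and reports which one yields a PE image, which is how a responder would triage a recovered MpClient.bin without knowing which loader generation dropped it. The sample blob is constructed inline from a minimal PE-shaped header.

```python
# Added example: triage helper for the two CroxLoader byte-transform schemes
# named in the profile. Not code from Trend Micro or from the loaders themselves.
# Assumption: "(SUB 0xA) XOR 0xCC" means per byte: subtract 0x0A (mod 256), then XOR 0xCC.

from typing import Callable, Dict, Optional

Scheme = Callable[[int], int]

# Decryption: each scheme maps one encrypted byte to its plaintext byte.
SCHEMES: Dict[str, Scheme] = {
    "v1 (SUB 0xA) XOR 0xCC": lambda b: ((b - 0x0A) & 0xFF) ^ 0xCC,   # Campaigns 1-2
    "v2 (ADD 0x70) XOR 0xDD": lambda b: ((b + 0x70) & 0xFF) ^ 0xDD,  # Campaign 3
}

# Inverse transforms, used here only to construct sample input for the demo.
ENCODERS: Dict[str, Scheme] = {
    "v1 (SUB 0xA) XOR 0xCC": lambda p: ((p ^ 0xCC) + 0x0A) & 0xFF,
    "v2 (ADD 0x70) XOR 0xDD": lambda p: ((p ^ 0xDD) - 0x70) & 0xFF,
}


def apply(scheme: Scheme, data: bytes) -> bytes:
    """Apply a per-byte transform to a whole buffer."""
    return bytes(scheme(b) for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' DOS header and e_lfanew pointing at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def identify_scheme(blob: bytes) -> Optional[str]:
    """Return the name of the scheme that turns blob into a PE image, or None if neither does."""
    for name, scheme in SCHEMES.items():
        if looks_like_pe(apply(scheme, blob)):
            return name
    return None


def build_sample_blob(scheme_name: str) -> bytes:
    """Constructed stand-in for an encrypted MpClient.bin: a minimal PE-shaped header, not a real executable."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)          # DOS header up to offset 0x3C
    header += (0x40).to_bytes(4, "little")               # e_lfanew -> 0x40
    header += b"PE\0\0" + b"\x00" * 16                   # NT signature plus padding
    return apply(ENCODERS[scheme_name], bytes(header))


if __name__ == "__main__":
    for name in SCHEMES:
        blob = build_sample_blob(name)
        print(f"constructed blob for {name}: identified as {identify_scheme(blob)}")
    print("random zero buffer:", identify_scheme(b"\x00" * 80))
```

Because the transforms are keyless, a responder only needs the scheme name to recover the Beacon stage; the same helper extends naturally to any later variant by adding one entry to SCHEMES.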

APT41 Subgroup Context

Understanding Earth Longzhi requires placing it within the broader APT41 umbrella. APT41 is not a single cohesive team but an umbrella label for multiple related Chinese state cyber operations groups that share infrastructure, tasking authorities, and tooling. Known distinct subgroups within the APT41 ecosystem tracked by various researchers include Earth Baku, GroupCC, Earth Freybug, Earth Krahang, and Earth Longzhi itself. The shared Cobalt Strike team server infrastructure across Earth Longzhi, Earth Baku, and GroupCC is the strongest documented evidence of this coordination.

  • Earth Baku: Another APT41 subgroup sharing the same Cobalt Strike watermark (426352781). Trend Micro has tracked Earth Baku as targeting European and Middle Eastern organizations, providing a geographic division of labor within the APT41 ecosystem.
  • GroupCC: Shares the same Cobalt Strike watermark and uses the same (SUB 0xA) XOR 0xCC decryption algorithm as Earth Longzhi's early loader variants. GroupCC has been documented in campaigns targeting entities across Southeast Asia.
  • Shared infrastructure implications: The shared team server means that Earth Longzhi C2 sessions, beacon configurations, and operator activity are potentially colocated with Earth Baku and GroupCC operations. Disruption of shared infrastructure by law enforcement or threat intelligence actions affects all three subgroups simultaneously. From a defender perspective, Cobalt Strike beacon artifacts with watermark 426352781 should be treated as an indicator of APT41 umbrella activity regardless of which specific subgroup is operating.

Indicators of Compromise

detection guidance

Stack rumbling leaves no easily detectable on-disk or network artifact — it is a registry-based evasion technique targeting IFEO keys. Hunt for unexpected IFEO registry entries targeting security product executables. For BYOVD, monitor for the creation of zamguard64.sys (or mmmm.sys as the renamed deployment) as a kernel service. The Trend Micro research papers include full YARA rules and SHA-256 hashes for CroxLoader variants, SPHijacker components, and BigpipeLoader/OutLoader. Cobalt Strike watermark 426352781 is the highest-confidence persistent indicator across all Earth Longzhi campaigns.

indicators of compromise — key technical identifiers

cobalt strike watermark: 426352781 — shared with Earth Baku and GroupCC; confirms APT41 subgroup infrastructure
cobalt strike public key: 9ee3e0425ade426af0cb07094aa29ebc — identifies shared team server across Earth Longzhi, Earth Baku, GroupCC
croxloader decryption v1: (SUB 0xA) XOR 0xCC — algorithm used in Campaign 1 and 2 CroxLoader variants; shared with GroupCC
croxloader decryption v2: (ADD 0x70) XOR 0xDD — modified algorithm in Campaign 3 CroxLoader variant (MpClient.dll)
sideloading dll name: MpClient.dll — malicious CroxLoader disguised as legitimate Windows Defender library; payload in MpClient.bin
sideloading host binaries: MpDlpCmd.exe; MpCmdRun.exe — legitimate Windows Defender executables abused as DLL sideloading hosts
BYOVD driver: zamguard64.sys (CVE-2018-5713) — deployed as mmmm.sys; Zemana signed driver; registered as kernel service via RPC
stack rumbling target: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[security product].exe — unexpected Debugger or GlobalFlag registry values
UAC bypass COM: IElevatedFactoryServer — COM object used to register payload as scheduled task with SYSTEM privilege
persistence scheduled task: disguised as Google Update scheduled task; payload: dllhost.exe (downloader); SYSTEM privilege; created via IElevatedFactoryServer
web shell (initial access): Behinder web shell — deployed on IIS or Exchange servers exploited as initial access (Campaign 3)
full ioc reference: Trend Micro — "Hack the Real Box: APT41's New Subgroup Earth Longzhi" (Nov 2022); "Attack on Security Titans: Earth Longzhi Returns With New Tricks" (May 2023)

Mitigation & Defense

  • Patch Internet-Exposed IIS and Exchange Servers Immediately: Campaign 3 exploited public-facing IIS and Microsoft Exchange servers as the initial access vector, moving away from the phishing delivery of Campaigns 1 and 2. Any internet-exposed IIS or Exchange instance should be treated as Earth Longzhi attack surface. Apply all current patches, implement web application firewall rules, and monitor these servers for Behinder web shell artifacts (distinctive URL patterns, unexpected file creation events, outbound connections from IIS worker processes).
  • Monitor for Unexpected DLL Loads by Windows Defender Binaries: The DLL sideloading technique used in Campaign 3 loads malicious code through legitimate Windows Defender executables. MpDlpCmd.exe and MpCmdRun.exe should load only Microsoft-signed DLLs from expected system paths. Any detection of these processes loading an unsigned DLL from a non-standard location — particularly MpClient.dll from a user-writable path — should trigger an immediate high-priority alert. EDR behavioral rules detecting unsigned DLL loads from Microsoft security tool processes are a high-fidelity signal for this technique.
  • Hunt for IFEO Registry Modifications Targeting Security Products: Stack rumbling uses Image File Execution Options registry keys to cause security product crashes. Continuously monitor HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options for new or modified entries targeting security product executable names. Any Debugger or GlobalFlag modification targeting a security product process name (antivirus, EDR, firewall manager executables) should be treated as a high-confidence indicator of stack rumbling preparation. IFEO monitoring should be part of baseline threat hunting procedures for organizations in Earth Longzhi's target sectors (defense, government, aviation, healthcare in Asia-Pacific).
  • Detect Kernel Driver Registration via RPC: Earth Longzhi installs BYOVD drivers using RPC rather than standard Windows API calls (CreateService/StartService) to evade API hooking by security tools. Kernel driver registration via RPC produces distinct system audit events that differ from standard service creation patterns. Microsoft Defender for Endpoint and comparable EDR platforms with kernel telemetry can detect driver load events regardless of the registration method — configure alerts for unknown or unsigned drivers loading at kernel level, particularly those matching the zamguard64.sys/mmmm.sys file characteristics.
  • Cobalt Strike Watermark Blocking — APT41 Beacon Fingerprinting: The Cobalt Strike watermark 426352781 is documented as exclusive to APT41 subgroups Earth Longzhi, Earth Baku, and GroupCC. Network security tools capable of decrypting or fingerprinting Cobalt Strike beacon configurations should be configured to alert on this watermark value. The watermark appears in the Cobalt Strike configuration negotiation and can be detected at the network layer with appropriate deep packet inspection capability. A detection of this watermark in network traffic is a high-confidence APT41 umbrella indicator regardless of the specific subgroup operating.
  • Credential Hygiene for IIS and Exchange Service Accounts: Earth Longzhi uses a post-exploitation all-in-one tool with custom Mimikatz for credential dumping. Service accounts associated with IIS and Exchange that have elevated Active Directory privileges amplify the blast radius of initial access through these servers. Apply least-privilege principles to IIS application pool identities and Exchange service accounts, enabling only the specific permissions required for operation. Credential theft from a least-privileged service account significantly limits the attacker's ability to perform lateral movement after initial web server compromise.
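
A worked triage pass covering the IFEO, Defender-sideloading and BYOVD-driver checks from the detection guidance and the mitigation list above. This is an added example, not code from the Trend Micro reports or from any Earth Longzhi tooling. It runs over constructed Sysmon-style host events; the event shape, the sample records, the placeholder security-product image names (exampleav.exe, exampleedr.exe) and the "expected" Windows Defender directories are assumptions for the example. Besides the Debugger and GlobalFlag values this profile names, it watches the IFEO value MinimumStackCommitInBytes, which Trend Micro's May 2023 report identifies as the value stack rumbling sets.

```python
# Added example: triage over constructed Sysmon-style events for the three host
# signals in the mitigation list. Not code from Trend Micro or from Earth Longzhi.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

IFEO_PREFIX = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options")
# Debugger and GlobalFlag are named in the profile; MinimumStackCommitInBytes is the
# value Trend Micro's May 2023 report associates with stack rumbling.
IFEO_VALUES = {"debugger", "globalflag", "minimumstackcommitinbytes"}
# Placeholder names (assumption); fill from your own AV/EDR/firewall inventory.
SECURITY_IMAGES = {"exampleav.exe", "exampleedr.exe", "msmpeng.exe"}
# Windows Defender command-line binaries abused as sideloading hosts.
DEFENDER_HOSTS = {"mpdlpcmd.exe", "mpcmdrun.exe"}
# Directories these hosts are expected to load their own DLLs from (assumption).
EXPECTED_DEFENDER_DIRS = re.compile(
    r"^(c:\\programdata\\microsoft\\windows defender\\platform\\"
    r"|c:\\program files\\windows defender\\)", re.IGNORECASE)
BYOVD_DRIVERS = {"zamguard64.sys", "mmmm.sys"}


@dataclass
class Event:
    kind: str            # "registry_set" | "image_load" | "service_install"
    image: str           # process that produced the event
    target: str          # registry value path, loaded DLL path, or driver path
    signed: bool = True  # signature state of the loaded DLL (image_load only)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_ifeo(ev: Event) -> Optional[str]:
    """Watched IFEO value written under a subkey that names a security product."""
    if ev.kind != "registry_set" or not ev.target.lower().startswith(IFEO_PREFIX.lower() + "\\"):
        return None
    parts = ev.target[len(IFEO_PREFIX) + 1:].split("\\")
    if len(parts) < 2:
        return None
    subkey, value = parts[0].lower(), parts[-1].lower()
    if subkey in SECURITY_IMAGES and value in IFEO_VALUES:
        return f"IFEO {parts[-1]} written for {parts[0]} by {_basename(ev.image)} (stack rumbling preparation)"
    return None


def check_defender_sideload(ev: Event) -> Optional[str]:
    """Defender host binary loading an unsigned DLL, or any DLL from an unexpected directory."""
    if ev.kind != "image_load" or _basename(ev.image) not in DEFENDER_HOSTS:
        return None
    if ev.signed and EXPECTED_DEFENDER_DIRS.match(ev.target):
        return None
    return f"{_basename(ev.image)} loaded {ev.target} (signed={ev.signed}); possible MpClient.dll sideload"


def check_byovd_service(ev: Event) -> Optional[str]:
    """Kernel service registration for the vulnerable Zemana driver under either observed name."""
    if ev.kind == "service_install" and _basename(ev.target) in BYOVD_DRIVERS:
        return f"kernel service registered for {_basename(ev.target)} at {ev.target} (BYOVD, CVE-2018-5713)"
    return None


CHECKS = (check_ifeo, check_defender_sideload, check_byovd_service)


def triage(events: Iterable[Event]) -> List[str]:
    """One finding per event that matches any check; benign events produce nothing."""
    findings: List[str] = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
                break
    return findings


DEFENDER_DIR = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0000.0-0"
# Constructed sample telemetry: three records that should fire, two that should not.
SAMPLE_EVENTS = [
    Event("registry_set", r"C:\Windows\System32\cmd.exe",
          IFEO_PREFIX + r"\exampleedr.exe\MinimumStackCommitInBytes"),
    Event("registry_set", r"C:\Windows\System32\svchost.exe",
          IFEO_PREFIX + r"\notepad.exe\Debugger"),                  # not a security product
    Event("image_load", DEFENDER_DIR + r"\MpCmdRun.exe", r"C:\Users\Public\MpClient.dll", signed=False),
    Event("image_load", DEFENDER_DIR + r"\MpCmdRun.exe", DEFENDER_DIR + r"\MpClient.dll"),  # benign
    Event("service_install", r"C:\Windows\System32\services.exe", r"C:\Windows\Temp\mmmm.sys"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The driver check keys on file name, which is deliberately crude: because the driver is renamed in deployment, a production rule should also match on the signer (Zemana) or the known file hashes from the Trend Micro report rather than on mmmm.sys alone.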

analyst note

Earth Longzhi's trajectory across three documented campaigns illustrates a group that is actively investing in evasion capability development between operational periods: each campaign return introduces techniques either new to Earth Longzhi specifically or, in the case of stack rumbling, new to the entire threat landscape. The evolution from document-based phishing to server-side exploitation, and from basic BYOVD to the novel IFEO-based stack rumbling, reflects a research and development cycle operating between campaigns. For defenders in Earth Longzhi's target geography and sector profile (defense, government, aviation, and healthcare organizations in Southeast Asia, Taiwan, and the Pacific), the group's pattern of going dormant and then returning with enhanced capability means that an absence of active indicators is not a reliable signal of reduced threat. The shared Cobalt Strike infrastructure with Earth Baku and GroupCC also means that disruptions or intelligence on any one APT41 subgroup may yield visibility into the broader ecosystem. The decoy documents in Vietnamese and Indonesian found in the Campaign 3 files are an unusual intelligence artifact: Earth Longzhi appears to have been actively preparing targeting material for upcoming victims before the May 2023 campaign was detected, providing rare advance warning of intended geographic expansion.

Sources & Further Reading

— end of profile