Earth Longzhi
Earth Longzhi is a reported Chinese subgroup of APT41. Researchers identified it as a newly named APT41 subgroup active since at least 2020, with campaigns from 2020 to 2022 targeting organizations in Taiwan and other Asia-Pacific countries across the government, infrastructure, healthcare, academia, banking, defense, aviation, insurance, and urban development sectors. Sophos also reported infrastructure overlap between Cluster Charlie in Operation Crimson Palace and Earth Longzhi, describing Earth Longzhi as an APT41 subgroup and a Chinese state-linked actor.

Observed tradecraft includes spear-phishing with password-protected archives or download links, exploitation of publicly exposed applications, extensive DLL sideloading, customized Cobalt Strike loaders, process injection, anti-hooking, parent-process masquerading, named-pipe-based decryption, scheduled-task persistence, UAC bypass via the COM object IElevatedFactoryServer, and defense evasion through BYOVD techniques. Reported custom loaders and tooling associated with Earth Longzhi include Symatic loader, CroxLoader, BigpipeLoader, MultiPipeLoader, OutLoader, ProcBurner, and AVBurner. Researchers also reported use of standalone reimplementations of Mimikatz functionality for credential dumping, including logon password theft, DCSync, backup key theft, and memssp-style credential interception. Earth Longzhi has been reported using the vulnerable signed driver RTCore64.sys in BYOVD activity to terminate protected processes and unregister AV/EDR callbacks.

Additional reporting cited Earth Longzhi using Fastly CDN techniques to conceal command-and-control infrastructure, speedtest-themed domain naming patterns, and scheduled tasks disguised as Google Update. Reporting also notes overlap between Earth Longzhi-related activity and other China-linked operations, but the attribution stated directly in the cited material is that Earth Longzhi is a subgroup of APT41.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
21 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
13 malware families attributed to this actor across reporting.
8 additional families tracked in Mallory.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns, both of them exploited in the wild.
RTCore64.sys is a component of Afterburner. In 2019, this driver was assigned CVE-2019-16098, which allows authenticated users to read/write any arbitrary address, including kernel space. However, the outdated version of the vulnerable driver still has a valid signature. As a result, an attacker can deliver the outdated version of the driver to the victim machine and abuse it for various purposes, such as anti-antivirus or anti-EDR.
During the investigation of the second campaign, we collected multiple hacking tools used for privilege escalation (PrintNightmare and PrintSpoofer), credential dumping (custom standalone Mimikatz), and defense evasion (disablement of security products).
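The tradecraft summary above and the RTCore64.sys excerpt name three behaviours a defender can look for in endpoint telemetry: a load of the vulnerable signed driver RTCore64.sys, a scheduled task that borrows the Google Update name but runs something else, and speedtest-themed domain names. The following Python is an added example written for this page, not code from the cited reporting or from Mallory. It runs simple checks over constructed Sysmon-style JSON events (Event ID 6 driver load, Event ID 1 process create, Event ID 22 DNS query); the sample events and the expected location of a legitimate Google Update binary are assumptions made for the example, not values from the page.

```python
import json
import re

# Driver file name taken from the reporting on this page (CVE-2019-16098 in RTCore64.sys).
VULNERABLE_DRIVER_NAMES = {"rtcore64.sys"}

# Assumption, not from the page: directories where a legitimate Google Update
# binary is expected to reside. A Google Update-named task running from anywhere
# else is treated as an impersonation attempt worth triage.
GOOGLE_UPDATE_DIRS = (
    "c:\\program files (x86)\\google\\update\\",
    "c:\\program files\\google\\update\\",
)

TASK_NAME_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
TASK_RUN_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
SPEEDTEST_RE = re.compile(r"speedtest", re.IGNORECASE)


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_driver_load(ev: dict):
    """Sysmon Event ID 6 (driver loaded): flag known-vulnerable driver file names."""
    if ev.get("EventID") != 6:
        return None
    name = _basename(ev.get("ImageLoaded", ""))
    if name in VULNERABLE_DRIVER_NAMES:
        return f"known-vulnerable signed driver loaded: {name}"
    return None


def check_scheduled_task(ev: dict):
    """Sysmon Event ID 1 (process create): schtasks /create with a Google Update-style
    task name whose action runs from outside the expected Google Update directory."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    lowered = cmd.lower()
    if "schtasks" not in lowered or "/create" not in lowered:
        return None
    tn, tr = TASK_NAME_RE.search(cmd), TASK_RUN_RE.search(cmd)
    if not tn or not tr:
        return None
    task = tn.group(1) or tn.group(2)
    action = (tr.group(1) or tr.group(2)).lower()
    if "googleupdate" in task.lower().replace(" ", "") and not action.startswith(GOOGLE_UPDATE_DIRS):
        return f"task {task!r} named like Google Update but runs {action!r}"
    return None


def check_dns_query(ev: dict):
    """Sysmon Event ID 22 (DNS query): a speedtest-themed name is a weak signal on
    its own (legitimate speed-test services exist), so it is surfaced for triage only."""
    if ev.get("EventID") != 22:
        return None
    qname = ev.get("QueryName", "")
    if SPEEDTEST_RE.search(qname):
        return f"speedtest-themed domain queried: {qname}"
    return None


CHECKS = (check_driver_load, check_scheduled_task, check_dns_query)


def analyze(lines):
    """Run every check over JSON-lines events; return a list of (EventID, reason)."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for check in CHECKS:
            reason = check(ev)
            if reason:
                findings.append((ev["EventID"], reason))
    return findings


# Constructed sample events (not real telemetry): one hit and one benign case per check.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\RTCore64.sys", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "GoogleUpdateTaskMachineUA" /tr "C:\\Users\\Public\\update.exe" /sc minute /mo 10'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /tn GoogleUpdateTaskMachineCore /tr "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /c" /sc onlogon'},
    {"EventID": 22, "QueryName": "speedtest-cdn.example.net"},
    {"EventID": 22, "QueryName": "update.example.org"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for event_id, reason in analyze(SAMPLE_LOG.splitlines()):
        print(f"EventID {event_id}: {reason}")
```

The driver check keys on file name only because that is what the page supports; in production the same check would be stronger keyed on the driver's hash or signer thumbprint, since a renamed copy of the driver evades a name match. The task check deliberately compares the task's action path rather than the task name alone, because the reporting describes tasks that look like Google Update, so the name itself is the lure.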
Observables
7 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Referenced as a previously reported subgroup whose domain naming pattern matched infrastructure seen in Cluster Charlie activity.
Chinese subgroup of APT41 referenced because Cluster Charlie infrastructure overlaps with Earth Longzhi C2 IPs and speedtest-themed domain patterns.
Referenced as a previously reported subgroup whose domain naming pattern overlaps with infrastructure used in Cluster Charlie activity.
APT41 sub-cluster referenced in connection with prior DLL sideloading activity using the Vipre AV component (vetysafe.exe) to load a malicious DLL loader.