Since it first started being active in 2020, Earth Longzhi’s long-running campaign can be divided into two based on the range of time and toolset. During its first campaign deployed from 2020 to 2021, Earth Longzhi targeted the government, infrastructure, and health industries in Taiwan and the banking sector in China. In its second campaign from 2021 to 2022, the group targeted high-profile victims in the defense, aviation, insurance, and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.
Both campaigns used spear-phishing emails as the primary entry vector to deliver Earth Longhzhi’s malware. The attacker embeds the malware in a password-protected archive or shares a link to download a malware, luring the victim with information about a person. Upon opening the link, the victim is redirected to a Google Drive hosting a password-protected archive with a Cobalt Strike loader we call CroxLoader.
APT41 groups are seemingly using less custom malware but are getting more accustomed to using more commodity malware such as Cobalt Strike. They are also now more focused on developing new loaders and hacking tools to bypass security products. AVBurner is a formidable example of this, as it disables solutions that still use the dated and vulnerable driver, while both ProcBurner and AVBurner focus on kernel-level security — a noticeable emerging pattern among APT groups and cybercrime. In addition, Earth Longzhi, as a subgroup of APT41, appears familiar with offensive security teams such as red teams.