Earth Longzhi
Earth Longzhi is a China-linked cyberespionage threat actor assessed to be a subgroup of APT41. Reporting describes it as a newly named APT41 subgroup active since at least 2020, with campaigns observed from 2020 to 2022 and later infrastructure and tooling overlaps noted in 2023-2025 activity. It has primarily targeted organizations in Taiwan and across the Asia-Pacific region, including government, infrastructure, healthcare, academia, banking, defense, aviation, insurance, and urban development sectors; later reporting also links overlapping infrastructure to intrusions against Southeast Asian government entities. Researchers and vendors explicitly describe Earth Longzhi as a Chinese subgroup or sub-cluster of APT41.

Observed tradecraft includes spear-phishing with password-protected archives or download links, exploitation of publicly exposed applications, extensive DLL sideloading, customized Cobalt Strike loaders, process injection, parent-process masquerading, anti-hooking via in-memory ntdll.dll restoration, named-pipe-based decryption, scheduled-task persistence, and UAC bypass using the COM object IElevatedFactoryServer.

Reported custom loaders and tooling include Symatic loader, CroxLoader, BigpipeLoader, MultiPipeLoader, and OutLoader. Earth Longzhi also used an all-in-one post-exploitation tool with proxying, scanning, privilege-launching, timestamp modification, and SQL capabilities.

For credential access and privilege escalation, reporting states the group reimplemented Mimikatz modules as standalone binaries, including functionality equivalent to sekurlsa::logonpasswords, lsadump::dcsync, lsadump::backupkeys with dpapi::chrome, and misc::memssp, and used PrintNightmare and PrintSpoofer. Defense evasion included Bring Your Own Vulnerable Driver (BYOVD) techniques using RTCore64.sys (CVE-2019-16098) through tools named ProcBurner and AVBurner to terminate protected processes and unregister AV/EDR callbacks.
Additional reporting links Earth Longzhi to BYOVD-based disabling of security products and creation of a high-privilege scheduled task disguised as Google Update. Attribution to APT41 is supported in the provided content by victimology, shared Cobalt Strike metadata, code similarities with GroupCC, and overlapping TTPs, including use of a Python Fastly CDN technique to conceal command-and-control infrastructure. The content also notes that some later incidents only overlap with Earth Longzhi infrastructure or techniques, and that precise attribution can be complicated by tool and infrastructure sharing among Chinese threat actors. Known related names directly mentioned in the content are APT41 and GroupCC.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Utilities
- Health Care Equipment & Services
- Banks
- Military
- Transportation
Where they target
Geographies tied to known operations.
- 🇹🇼 Taiwan
- 🇨🇳 China
- 🇹🇭 Thailand
- 🇲🇾 Malaysia
- 🇮🇩 Indonesia
- 🇵🇰 Pakistan
- 🇺🇦 Ukraine
Tradecraft
21 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic, each with its supporting evidence excerpt.
Associated malware families
12 malware families attributed to this actor across reporting.
7 additional families tracked in Mallory.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
RTCore64.sys is a component of Afterburner. In 2019, this driver was assigned CVE-2019-16098, which allows authenticated users to read/write any arbitrary address, including kernel space. However, the outdated version of the vulnerable driver still has a valid signature. As a result, the attacker can deliver the outdated version of the driver to the victim machine and abuse it for various purposes, such as anti-antivirus or anti-EDR.
During the investigation of the second campaign, we collected multiple hacking tools used for privilege escalation (PrintNightmare and PrintSpoofer), credential dumping (custom standalone Mimikatz), and defense evasion (disablement of security products).
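The following Python detection sketch is an added example; it is not part of the original profile or any vendor's tooling. It runs three rules over constructed Sysmon-style events that correspond to behaviors described in the overview and in the CVE excerpt above: a load of the known-vulnerable RTCore64.sys driver (CVE-2019-16098), a scheduled task named to look like Google Update whose action points outside the legitimate Google Update directories, and a signed host binary named in the reporting (vetysafe.exe) loading an unsigned DLL from the same non-system directory. The event field names follow Sysmon conventions (Event 1 process create, Event 6 driver load, Event 7 image load); the sample file paths, the trusted-directory and Google Update directory lists, and the DLL name loader.dll are assumptions made for the example.

```python
"""Added detection sketch (not the profile's own code): three rules for
behaviours described in the Earth Longzhi reporting, run over constructed
Sysmon-style events. Nothing here is real telemetry."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Driver file names known to be abusable; RTCore64.sys is the one named in the reporting.
VULNERABLE_DRIVERS = {"rtcore64.sys"}
# Signed host binaries the reporting names as DLL sideloading hosts.
SIDELOAD_HOSTS = {"vetysafe.exe"}
# Directories treated as trusted install locations (assumption; tune per environment).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Where genuine Google Update binaries live (assumption; tune per environment).
LEGIT_GOOGLE_DIRS = ("c:\\program files (x86)\\google\\update\\", "c:\\program files\\google\\update\\")


@dataclass
class Event:
    event_id: int                                   # Sysmon event ID
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class Alert:
    rule: str
    detail: str


def _dir_and_name(path: str):
    """Split a Windows path into (lower-cased directory with trailing '\\', lower-cased file name)."""
    low = path.lower()
    directory, _, name = low.rpartition("\\")
    return directory + "\\", name


def detect_byovd(ev: Event) -> Optional[Alert]:
    """Event 6: a known-vulnerable driver was loaded, regardless of its (valid) signature."""
    if ev.event_id != 6:
        return None
    path = ev.fields.get("ImageLoaded", "")
    _, name = _dir_and_name(path)
    if name in VULNERABLE_DRIVERS:
        return Alert("byovd_driver_load", f"known-vulnerable driver loaded: {path}")
    return None


_TN = re.compile(r'/tn\s+"?([^"\s]+)', re.IGNORECASE)          # task name
_TR = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)  # task action


def detect_fake_google_update_task(ev: Event) -> Optional[Alert]:
    """Event 1: schtasks /create with a Google Update-like name but a non-Google action path."""
    if ev.event_id != 1:
        return None
    cmd = ev.fields.get("CommandLine", "")
    if _dir_and_name(ev.fields.get("Image", ""))[1] != "schtasks.exe" or "/create" not in cmd.lower():
        return None
    tn = _TN.search(cmd)
    if not tn or "googleupdate" not in tn.group(1).lower():
        return None
    tr = _TR.search(cmd)
    action = (tr.group(1) or tr.group(2)) if tr else ""
    if action.lower().startswith(LEGIT_GOOGLE_DIRS):
        return None                                  # genuine updater, nothing to report
    return Alert("masquerading_google_update_task", f"task {tn.group(1)} runs {action!r}")


def detect_dll_sideload(ev: Event) -> Optional[Alert]:
    """Event 7: a known sideload host loads an unsigned DLL from its own non-system directory."""
    if ev.event_id != 7:
        return None
    host_dir, host_name = _dir_and_name(ev.fields.get("Image", ""))
    dll_dir, dll_name = _dir_and_name(ev.fields.get("ImageLoaded", ""))
    if host_name not in SIDELOAD_HOSTS or not dll_name.endswith(".dll"):
        return None
    unsigned = ev.fields.get("Signed", "").lower() != "true"
    if unsigned and host_dir == dll_dir and not host_dir.startswith(TRUSTED_DIRS):
        return Alert("dll_sideload", f"{host_name} loaded unsigned {dll_name} from {host_dir}")
    return None


RULES = (detect_byovd, detect_fake_google_update_task, detect_dll_sideload)


def run_detections(events: List[Event]) -> List[Alert]:
    """Apply every rule to every event and collect the alerts in event order."""
    return [a for ev in events for rule in RULES if (a := rule(ev)) is not None]


# Constructed sample events: two malicious, two benign controls, one BYOVD load.
SAMPLE_EVENTS = [
    Event(6, {"ImageLoaded": r"C:\Users\Public\RTCore64.sys", "Signed": "true"}),
    Event(1, {"Image": r"C:\Windows\System32\schtasks.exe",
              "CommandLine": r'schtasks /create /tn "GoogleUpdateTaskMachineUA" /tr "C:\Users\Public\Libraries\gup.exe" /sc minute /mo 10 /ru SYSTEM'}),
    Event(1, {"Image": r"C:\Windows\System32\schtasks.exe",
              "CommandLine": r'schtasks /create /tn "GoogleUpdateTaskMachineCore" /tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c" /sc onlogon'}),
    Event(7, {"Image": r"C:\Users\Public\Music\vetysafe.exe", "ImageLoaded": r"C:\Users\Public\Music\loader.dll", "Signed": "false"}),
    Event(7, {"Image": r"C:\Program Files\Vipre\vetysafe.exe", "ImageLoaded": r"C:\Program Files\Vipre\helper.dll", "Signed": "true"}),
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Each rule keys on the defensive signal rather than on a specific loader hash: the driver rule fires on the file name even though the binary is validly signed, the task rule compares the task's action path against the updater's install directories rather than trusting the name, and the sideload rule requires the unsigned DLL to sit beside the signed host outside system directories, which is the layout sideloading depends on.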
Observables
3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
APT41 sub-cluster referenced in connection with prior DLL sideloading activity using the Vipre AV component (vetysafe.exe) to load a malicious DLL loader.
Named APT41 sub-group referenced as having ties/overlap with the Sophos-tracked Crimson Palace clusters.
Chinese-nexus subgroup referenced for overlap with Cluster Charlie via C2 infrastructure (including speedtest-themed domains) and known C2 IP reuse.
Mentioned as an APT41-related activity cluster previously observed using Fastly CDN to obscure C2 infrastructure, similar to infrastructure-hiding observed in this report.