Mallory
Malware · Used by 1 actor

BigpipeLoader

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Earth Longzhi

Since this loader will read/write encrypted payload through a named pipe, we named this shellcode loader BigpipeLoader.

via Trend Micro Research (trendmicro.com)
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (evidence: 1)

In some cases, we also found that the group exploited publicly available applications to deploy and execute a simple downloader to download a shellcode loader and the necessary hack tools for the routine.

Execution

2 techniques
T1559.001 Component Object Model (evidence: 1; tactic: Execution)

Since this loader will read/write encrypted payload through a named pipe, we named this shellcode loader BigpipeLoader ... Multi-threading decryption over named pipe

T1574 Hijack Execution Flow (evidence: 1)

drops the malicious WTSAPI32.dll designed to be sideloaded by a legitimate application

T1055 Process Injection (evidence: 1)

Injecting a decrypted payload into the system built-in process (dllhost.exe or rundll32.exe) ... After restoring the ntdll, Symatic will spawn a new process for process injection.

Stealth

2 techniques
T1055 Process Injection (evidence: 1)

Injecting a decrypted payload into the system built-in process (dllhost.exe or rundll32.exe) ... After restoring the ntdll, Symatic will spawn a new process for process injection.

T1574 Hijack Execution Flow (evidence: 1)

drops the malicious WTSAPI32.dll designed to be sideloaded by a legitimate application

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type       Value                       Latest sighting
hash.md5   (redacted; full value in app)   4 years ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (1)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (4)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.