Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Chinese APT41 disables security software

May 3, 2023
Reading Time: 2 mins read
in Alerts

A subgroup of the Chinese state-sponsored hacking group APT41, known as Earth Longzhi, has been found to be using a new technique to disable security software, cybersecurity firm Trend Micro has reported. The group has been targeting organizations in the Philippines, Taiwan, and Thailand, and was observed using DLL sideloading via Windows Defender binaries and employing a bring-your-own-vulnerable-driver (BYOVD) attack, and a technique called ‘stack rumbling’ that involves Image File Execution Options (IFEO).

The group typically deploys the Behinder web shell, which provides backdoor capabilities, remote code execution, and a Socks5 proxy after exploiting vulnerable public-facing applications and Internet Information Services (IIS) and Microsoft Exchange servers.

Earth Longzhi was also observed abusing legitimate Windows Defender executables to sideload DLLs and execute malware such as Croxloader (a customized Cobalt Strike loader) and SPHijacker (a tool for disabling security products).

SPHijacker leverages a vulnerable Zemana driver to terminate security applications and then leverages stack rumbling to prevent the software from running by causing it to crash upon launch. This method, which causes a permanent DoS condition, targets roughly 30 antivirus-related processes.

Trend Micro discovered additional malicious tools linked to Earth Longzhi, such as the Roxwrapper loader and a new tool for privilege escalation.

The observed attacks focused on government, healthcare, manufacturing, and technology organizations in Fiji, the Philippines, Taiwan, and Thailand. This is the first time the Chinese threat actor has targeted entities in Fiji, Trend Micro says.

Trend Micro also discovered various decoy documents in Vietnamese and Indonesian, which were likely meant to be distributed via phishing emails to victims in Vietnam and Indonesia. The cybersecurity firm concludes that the group shows an inclination for using open-source projects to implement their own tools and spruces up its toolset during periods of inactivity.

Reference:
  • Attack on Security Titans: Earth Longzhi Returns With New Tricks
Tags: APT41ChinaCyber AlertCyber Alerts 2023Earth LongzhiHackersMalwareMay 2023
ADVERTISEMENT

Related Posts

PyPI Malware Steals AWS, CI/CD, macOS Data

PyPI Malware Steals AWS, CI/CD, macOS Data

June 16, 2025
PyPI Malware Steals AWS, CI/CD, macOS Data

Image Hiding in DNS TXT Records

June 16, 2025
PyPI Malware Steals AWS, CI/CD, macOS Data

IBM Backup Service Flaw Allows Elevated Access

June 16, 2025
VexTrio TDS Uses Adtech To Spread Malware

Simple Typo Breaks AI Safety Via TokenBreak

June 13, 2025
VexTrio TDS Uses Adtech To Spread Malware

VexTrio TDS Uses Adtech To Spread Malware

June 13, 2025
VexTrio TDS Uses Adtech To Spread Malware

Old Discord Links Now Lead To Malware

June 13, 2025

Latest Alerts

PyPI Malware Steals AWS, CI/CD, macOS Data

IBM Backup Service Flaw Allows Elevated Access

Image Hiding in DNS TXT Records

Old Discord Links Now Lead To Malware

VexTrio TDS Uses Adtech To Spread Malware

Simple Typo Breaks AI Safety Via TokenBreak

Subscribe to our newsletter

    Latest Incidents

    Canada WestJet Airline Contains Cyberattack

    Hackers Leak 10K VirtualMacOSX Customer Data

    Washington Post Investigates Cyberattack on Emails

    Cyberattack On Brussels Parliament Continues

    Swedish Broadcaster SVT Hit By DDoS

    Major Google Cloud Outage Disrupts Web

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial