Earth Freybug (APT41) – Threat Actor

April 4, 2024
in APT, Threat Actors

Earth Freybug

Other Names: Unknown
Location: China
Date of initial activity: 2012
Suspected attribution: China
Associated Groups: APT41
Motivation: Cyber espionage and financial gain
Associated tools: Earth Freybug actors use a diverse range of tools and techniques, including LOLBins and custom malware.
Active: Yes

Overview

Earth Freybug is a cyberthreat group, active since at least 2012, that focuses on espionage and financially motivated activities. It has been observed targeting organizations from various sectors across different countries. Earth Freybug actors use a diverse range of tools and techniques, including LOLBins and custom malware. Cybersecurity firm Trend Micro believes Earth Freybug to be a subset of the well-known China-linked cyber espionage group APT41.

Common targets

It has been observed to target organizations from various sectors across different countries.

Attack Vectors

The latest tactic observed by Trend Micro involves the use of legitimate executables associated with VMware Tools to initiate the attack chain.

How they operate

Earth Freybug has been around for quite some time, and its methods have evolved over that period. The group uses a combination of sophisticated tools and techniques, including living-off-the-land binaries (LOLBins) and custom malware, and is known for tactics such as DLL hijacking and API unhooking.

Trend Micro has identified a new tactic in which the attackers abuse legitimate executables associated with VMware Tools to launch their attacks. They use “vmtoolsd.exe” to set up scheduled tasks and distribute malicious files, such as “cc.bat,” across remote machines. These files collect system data and trigger further malicious actions, culminating in the deployment of the Unapimon malware. How the code was injected into vmtoolsd.exe remains unclear, but exploitation of outward-facing servers is suspected.

Unapimon, a straightforward yet powerful C++-based malware, has features aimed at circumventing detection. It evades sandbox detection by preventing the monitoring of child processes, which it achieves through the Detours library. A key feature of Unapimon is its use of SessionEnv to load a malicious DLL, allowing the malware to infiltrate vital system processes undetected. The malware also establishes a backdoor by enabling the Windows command interpreter to execute commands remotely, giving the attackers remote access to compromised systems.
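As an added example (not from the original post or from Trend Micro's research), the following Python detection logic flags the process ancestry described above, vmtoolsd.exe spawning a scheduling or scripting child that references a batch file, in constructed Sysmon-style process-creation records; the field names, paths and sample events are assumptions.

```python
import re

# Constructed Sysmon-style process-creation (Event ID 1) records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "upd" /tr "C:\Windows\Temp\cc.bat" /sc once /st 00:00'},
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\cc.bat"},
    {"EventID": 1,  # normal vmtoolsd.exe start under services.exe: not an alert
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "CommandLine": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr'},
    {"EventID": 1,  # ordinary user shell: not an alert
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
]

# Children that vmtoolsd.exe has no routine reason to spawn on a hardened host (assumed set).
SUSPICIOUS_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "rundll32.exe"}
BATCH_FILE_RE = re.compile(r"\b[\w-]+\.bat\b", re.IGNORECASE)

def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_vmtoolsd_abuse(events: list[dict]) -> list[tuple[str, dict]]:
    """Return (reason, event) pairs where vmtoolsd.exe spawns a scheduling or
    scripting child, the ancestry the Earth Freybug chain relies on."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if basename(ev.get("ParentImage", "")) != "vmtoolsd.exe":
            continue
        child = basename(ev.get("Image", ""))
        if child not in SUSPICIOUS_CHILDREN:
            continue
        reasons = [f"vmtoolsd.exe spawned {child}"]
        match = BATCH_FILE_RE.search(ev.get("CommandLine", ""))
        if match:  # e.g. the cc.bat file named in the report
            reasons.append(f"batch file in command line: {match.group(0)}")
        hits.append(("; ".join(reasons), ev))
    return hits
```

Baseline vmtoolsd.exe child processes before deploying this: guest operations launched from the hypervisor management plane legitimately run through vmtoolsd.exe, so treat a hit as a hunting lead to correlate with scheduled-task creation events rather than a stand-alone block.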
References:
  • Earth Freybug Uses UNAPIMON for Unhooking Critical APIs
Tags: APT, APT41, C++, cc.bat, China, Earth Freybug, LOLBins, Malware, Threat Actors, Trend Micro, vmtoolsd.exe, VMware