A previously undocumented threat actor believed to be a subgroup of the well-known China-based APT41 cyber espionage group is using a custom Cobalt Strike loader in attacks targeting high-profile victims in Ukraine and Asian countries.

Dubbed “Earth Longzhi” by Trend Micro researchers, the group was first observed earlier this year when the cybersecurity firm investigated a breach at a company in Taiwan. The attackers employed a custom Cobalt Strike loader during the intrusion, and further analysis revealed that the same same threat actor used similar loaders in multiple attacks carried out since 2020.

The researchers analyzed two campaigns linked to Earth Longzhi. In the the first campaign conducted between 2020 to 2021 the group targeted the government, infrastructure, and health industries in Taiwan and the banking sector in China. The second campaign, which lasted from 2021 to 2022, targeted high-profile victims in the defense, aviation, insurance, and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.

Both campaigns used spear-phishing emails as the main entry vector to deliver Earth Longhzhi’s malware. The malware was delivered either through a password-protected archive, or via a download link. Upon opening the link, the victim was redirected to a Google Drive hosting a password-protected archive with a Cobalt Strike loader called CroxLoader

In another attack scenario, the threat actor exploited publicly available applications to deploy and execute a downloader, which downloads a shellcode loader and the necessary hack tools for the routine.

“For the post-exploitation operations of this campaign, Earth Longzhi also prepares an all-in-one tool to combine all the necessary tools in one package. Most of the tools included in this one package are either publicly available or were used in previous attack deployments. This compressed tool allows them to complete multiple operations by using a single executable in their operation,” Trend Micro said.

In the second campaign the APT group used various types of customized Cobalt Strike loaders (CroxLoader, BigpipeLoader, and OutLoader), as well as other customized hacking tools. Each loader implemented a different algorithm to decrypt the payload.

The researchers found two different variants of CroxLoader - the first variant is used when attackers use publicly facing applications as the entry point of attack. It decrypts the embedded payload and injects the decrypted payload into the remote process. Meanwhile, the second variant of CroxLoader is often deployed through spear phishing emails to lure victims into opening it.

The analysis of the campaign also revealed that the threat actor used multiple custom versions of known hacking tools used for privilege escalation (PrintNightmare and PrintSpoofer), credential dumping (custom standalone Mimikatz), and disabling security products.

“We profile Earth Longzhi as an APT group that mainly targets the Asia-Pacific region. After investigating two different campaigns, we verified that its target sectors are in industries pertinent to Asia-Pacific countries’ national security and economies. The activities in these campaigns show that the group is knowledgeable on red-team operations. The group uses social engineering techniques to spread its malware and deploy customized hack tools to bypass the protection of security products and steal sensitive data from compromised machines,” the researchers said.