The PolySwarm Blog


Winnti Subgroup Earth Longzhi Uses New TTPs

May 19, 2023 2:28:29 PM / by The Hivemind

Related Families: Croxloader, SPHijacker, Behinder
Verticals Targeted: Government, Healthcare, Technology, Manufacturing

Executive Summary

Earth Longzhi, a Winnti subgroup, was recently observed using new TTPs, including a novel technique dubbed stack rumbling.

Key Takeaways

  • Earth Longzhi, a subgroup of Winnti, was recently observed using new TTPs.
  • The group has transitioned from using maldocs to exploiting public-facing applications for initial infection.
  • The group is using legitimate Windows Defender executables for DLL sideloading, using BYOVD to disable security products, and using RPC to install drivers as kernel-level services.
  • Earth Longzhi’s most interesting new TTP is stack rumbling, which uses IFEO to disable security products.

Recent Activity

Earth Longzhi, a Winnti subgroup, was recently observed using new TTPs. Trend Micro reported on this activity. Targets included entities in Taiwan, Thailand, the Philippines, and Fiji.

In the recently observed campaigns, Earth Longzhi decided to forgo phishing emails with maldocs and instead exploited public-facing applications such as IIS and Exchange servers to install the Behinder webshell. Behinder offers multiple backdoor functions, including RCE, file operation, interactive shell, and Socks5 proxy. The threat actors can use this tool to deploy other payloads.

The threat actors used MpDlpCmd.exe and MpCmdRun.exe, legitimate Windows Defender executables, to perform DLL sideloading. Malware families launched using this technique include Croxloader and SPHijacker.

They also exploited zamguard64.sys, a vulnerable driver. By exploiting this driver, Earth Longzhi was able to use a bring-your-own-vulnerable-driver (BYOVD) attack to disable security products on the victim machine.

Earth Longzhi also installed drivers as kernel-level services by using RPC instead of general Windows APIs, a method that can be used to evade API call monitoring.

The most interesting new TTP used by Earth Longzhi is what Trend Micro calls “stack rumbling.” The group uses stack rumbling to disable security products using Image File Execution Options (IFEO), a new denial of service technique.
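Because the page describes stack rumbling only as an IFEO-based way to stop security products from running, the natural defender-side control is to watch registry writes under the IFEO key. The following is an added example (not code from the original post or from Trend Micro): a small Python triage routine run over constructed Sysmon-style "registry value set" records. The values it watches (Debugger and MinimumStackCommitInBytes) and the protected process list are this example's own choices; the page does not name which IFEO value the technique sets.

```python
import re
from typing import Optional

# Matches a value path under the IFEO key, capturing the executable name and the value written.
IFEO_RE = re.compile(
    r"\\Image File Execution Options\\(?P<exe>[^\\]+)\\(?P<value>[^\\]+)$", re.IGNORECASE
)

# IFEO values that alter how the named executable starts. "Debugger" redirects the launch to
# another binary; "MinimumStackCommitInBytes" sets the initial stack commit, so an oversized
# value makes the target fail at startup. Which value stack rumbling sets is not stated on the
# page; watching both is an assumption of this example.
WATCHED_VALUES = {"debugger", "minimumstackcommitinbytes"}

# Constructed watchlist of security-product processes (edr-agent.exe is a placeholder name).
PROTECTED_EXES = {"msmpeng.exe", "edr-agent.exe"}

def classify(event: dict) -> Optional[str]:
    """Return 'critical', 'suspicious' or None for one Sysmon-style registry 'value set' record."""
    match = IFEO_RE.search(event.get("TargetObject", ""))
    if match is None:
        return None
    exe, value = match.group("exe").lower(), match.group("value").lower()
    if value not in WATCHED_VALUES:
        return None
    return "critical" if exe in PROTECTED_EXES else "suspicious"

def scan(events: list) -> list:
    """Return (severity, target path, writing image) for every flagged event."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((severity, event["TargetObject"], event.get("Image", "?")))
    return hits

# Constructed sample records shaped like Sysmon Event ID 13 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\MsMpEng.exe\\MinimumStackCommitInBytes",
     "Details": "DWORD (0xffffffff)"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\Debugger",
     "Details": "C:\\tools\\dbg.exe"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\GlobalFlag",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit)
```

A write to a watched IFEO value for a protected process name is treated as critical; the same value under any other executable is only suspicious, and other IFEO values (such as GlobalFlag) are ignored.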

Trend Micro warned the group appears to be expanding its repertoire and will likely become more active in the near future.

Who is Earth Longzhi?

Earth Longzhi is a China nexus threat actor group operating under the Winnti umbrella. The group has been active since at least 2020 and is known to target government, infrastructure, defense, aviation, insurance, health, and financial entities in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.


PolySwarm has multiple samples associated with this activity.

You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -f EarthLongzhi


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.



Topics: Threat Bulletin, China, Winnti, TTPs, Stack Rumbling, Earth Longzhi
