Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Chinese APT Uses New ‘Stack Rumbling’ Technique to Disable Security Software

A subgroup of China-linked hacker group APT41 is using a new ‘stack rumbling’ DoS technique to disable security software.

A subgroup of the Chinese state-sponsored threat actor known as APT41 has been observed using a new denial-of-service (DoS) technique to disable security software, cybersecurity firm Trend Micro reports.

Tracked as Earth Longzhi, the APT41 subgroup is known for the targeting of organizations in the Philippines, Taiwan, and Thailand.

As part of the newly observed campaign, the threat actor was seen performing DLL sideloading via Windows Defender binaries and employing two methods of disabling security products: a bring-your-own-vulnerable-driver (BYOVD) attack, and a technique called ‘stack rumbling’ that involves Image File Execution Options (IFEO).

The attacks typically start with the exploitation of vulnerable public-facing applications and Internet Information Services (IIS) and Microsoft Exchange servers to deploy the Behinder web shell, which provides backdoor capabilities, remote code execution, and a Socks5 proxy.

Earth Longzhi was also observed abusing legitimate Windows Defender executables to sideload DLLs and execute malware such as Croxloader (a customized Cobalt Strike loader) and SPHijacker (a tool for disabling security products).

SPHijacker leverages a vulnerable Zemana driver to terminate security applications, then leverages stack rumbling to prevent the software from running by causing it to crash upon launch.

For that, it modifies the IFEO registry key with a new value large enough to crash the target application due to a stack overflow. The method, which causes a permanent DoS condition, targets roughly 30 antivirus-related processes.

Advertisement. Scroll to continue reading.

“IFEO registry has been known to contain various options for process creation. While it can be used to attach a debugger to an executable file, it can also be used to interrupt the process execution flow, a method known as IFEO injection,” Trend Micro explains.

While investigating the campaign, Trend Micro discovered additional malicious tools linked to Earth Longzhi, such as the Roxwrapper loader and a new tool for privilege escalation.

The cybersecurity firm also discovered various decoy documents in Vietnamese and Indonesian, which were likely meant to be distributed via phishing emails to victims in Vietnam and Indonesia.

The observed attacks focused on government, healthcare, manufacturing, and technology organizations in Fiji, the Philippines, Taiwan, and Thailand. This is the first time the Chinese threat actor has targeted entities in Fiji, Trend Micro says.

“Another noteworthy insight is that the threat actors showed an inclination for using open-source projects to implement their own tools. There is evidence to suggest that the group spruces up its toolset during periods of inactivity,” the cybersecurity firm concludes.

Related: Report: Chinese State-Sponsored Hacking Group Highly Active

Related: China’s Winnti Group Seen Targeting Governments in Sri Lanka, Hong Kong

Related: More Details Emerge on Operations, Members of Chinese Group APT41

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


ENISA and CERT-EU warn of Chinese threat actors targeting businesses and government organizations in the European Union.