Earth Zhulong Group Uses ShellFang Loader to Target Vietnam

New research has revealed details about a sophisticated and diligent APT group, Earth Zhulong, targeting Vietnamese organizations. Active since 2020, the group is believed to be linked to the China-based hacking group 1937CN.

What has been revealed?

Trend Micro researchers have published a report on this threat, revealing details about its evolving TTPs and attack tools.
  • The group has been targeting organizations in IT, media, and telecommunications sectors in Vietnam for over two years.
  • It is continuously evolving its tactics and toolset, including enhancements to its shellcode loader, ShellFang, and the use of multiple obfuscation approaches to hide its tracks.
  • Several additional tools, including a Golang-based backdoor MACAMAX, network-penetration tool EarthWorm, and an information stealer used to harvest internal information, are also used by this group. 

About ShellFang loader

Researchers have observed three major variants of ShellFang, a custom shellcode loader used by Earth Zhulong between 2017 and 2022.
  • The earliest variant (V1), identified in 2020, has a compilation date of 2017. It reads and decrypts the payload and executes it in memory. 
  • The second major variant (V2), observed in 2021, uses an RC4 decryption function instead of the original XOR. However, the rest of the code structure remained almost unchanged.
  • The third variant (V3), observed during the latest campaign in 2022, is equipped with additional anti-analysis techniques, including execution flow obfuscation through an exception mechanism and API hashing.

APT's attack tactics

For initial access, the group has been using lure documents with embedded malicious macros since 2020.
  • Upon execution, the macro injects shellcode into a running process. The shellcode, identified as Cobalt Strike, establishes a connection with the hacker’s server.
  • In 2022, it started using SharpHound to perform domain exploration and abused group policy objects to submit immediate tasks to the hosts.
  • It uses the DLL sideloading technique to run the malware and uses multi-layered AES encryption and base64 encoding to obfuscate its activities.
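
For defenders, the Group Policy abuse mentioned above leaves an artifact: immediate tasks created through Group Policy Preferences are stored as ImmediateTaskV2 entries in a policy's ScheduledTasks.xml file in SYSVOL. The following is an added example, not code from the Trend Micro report or this article, that audits such a file and lists the account and command of each immediate task; the sample XML, its task names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Group Policy Preferences ScheduledTasks.xml file:
# one ordinary scheduled task and one immediate task (all values made up).
SAMPLE_XML = r"""<ScheduledTasks>
  <TaskV2 name="NightlyBackup" changed="2022-03-01 02:00:00">
    <Properties action="U" name="NightlyBackup" runAs="CORP\svc_backup">
      <Task><Actions><Exec><Command>C:\Tools\backup.exe</Command></Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 name="SampleImmediate" changed="2022-06-14 09:31:07">
    <Properties action="C" name="SampleImmediate" runAs="NT AUTHORITY\System">
      <Task><Actions><Exec>
        <Command>C:\Users\Public\example.exe</Command>
        <Arguments>-placeholder</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>"""


def local(tag):
    """Return an element's tag name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def find_immediate_tasks(xml_text):
    """List every Exec action defined by an ImmediateTaskV2 entry."""
    findings = []
    for task in ET.fromstring(xml_text).iter():
        if local(task.tag) != "ImmediateTaskV2":
            continue  # ordinary scheduled tasks are out of scope here
        props = next((c for c in task if local(c.tag) == "Properties"), None)
        run_as = props.get("runAs", "") if props is not None else ""
        for node in task.iter():
            if local(node.tag) != "Exec":
                continue
            parts = {local(c.tag): (c.text or "").strip() for c in node}
            findings.append({
                "task": task.get("name", ""),
                "changed": task.get("changed", ""),
                "run_as": run_as,
                "command": parts.get("Command", ""),
                "arguments": parts.get("Arguments", ""),
            })
    return findings


if __name__ == "__main__":
    for finding in find_immediate_tasks(SAMPLE_XML):
        print(finding)
```

Run over each policy's ScheduledTasks.xml, the output gives a short list of immediate tasks to compare against change records.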


Based on the similarities in code and targeted victims, it is suspected that Earth Zhulong is linked to the hacking group 1937CN.
  • The decryption algorithm used in the ShellFang loader was used by 1937CN in 2017, around the same time that ShellFang was compiled. There are also similarities in the XOR keyset.
  • Earth Zhulong mostly targets the telecom and media sectors in Vietnam. 1937CN is also known for targeting Southeast Asian countries, with a major focus on Vietnam. 
  • In addition to common victimology, researchers further noticed the use of similar TTPs (such as the use of weaponized RTF documents) while targeting Vietnamese organizations.

Concluding notes

Earth Zhulong is a highly focused group targeting Vietnam and is continuously improving its attack tactics. Moreover, experts suspect that the group could use its evolving tactics to target other countries in Southeast Asia and beyond in the near future. Organizations are therefore advised to stay alert and to apply best practices, such as the use of anti-malware and firewalls, to stay protected.
Cyware Publisher