Earth Freybug Threat Actor Deploys New Unapimon Malware

The malware leverages DLL hijacking and API unhooking to target multiple industries globally.


On April 2, 2024, Trend Micro researchers reported new technical details of a “Unapimon” malware campaign attributed to Earth Freybug, which leverages “dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored.”

According to Trend Micro, “UNAPIMON itself is straightforward: It is a DLL malware written in C++ and is neither packed nor obfuscated; it is not encrypted save for a single string.”
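The API unhooking Trend Micro describes rests on a simple comparison: take a clean copy of a function's code (the bytes as they sit on disk), take the bytes the process actually has in memory, find where they differ, and decide whether the difference is an inline hook such as a near JMP planted at the entry point. A monitoring product that installs such hooks can run the same comparison in reverse to notice that its hook has been removed. The Python below is added here as an illustration of that comparison; it is not code from Trend Micro or from the UNAPIMON sample. The stub bytes, the load address and the trampoline address are all constructed for the example, and nothing touches real process memory.

```python
"""Detect, remove and verify inline hooks over an x64 API stub (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed x64 stub for a hypothetical "NtExample" function, laid out like an
# ntdll system-call stub: mov r10,rcx ; mov eax,imm32 ; syscall ; ret
CLEAN_STUB = bytes.fromhex("4c8bd1" "b855000000" "0f05" "c3")
STUB_BASE = 0x7FFB00001000       # hypothetical address the stub is mapped at
TRAMPOLINE = 0x7FFB12340000      # hypothetical address inside a hooking DLL


@dataclass(frozen=True)
class Patch:
    rva: int                 # offset of the first byte that differs from the clean image
    length: int              # number of bytes the patch covers
    target: Optional[int]    # absolute JMP destination when the patch is an E9 near jump


def plant_jmp_hook(code: bytes, base: int, rva: int, target: int) -> bytes:
    """Overwrite 5 bytes at rva with 'jmp rel32' to target, the way an inline
    hook is installed. Returns a modified copy of the buffer."""
    if rva + 5 > len(code):
        raise ValueError("stub too short for a 5-byte jmp")
    rel = target - (base + rva + 5)          # rel32 is relative to the next instruction
    if not -2**31 <= rel < 2**31:
        raise ValueError("target out of rel32 range")
    return code[:rva] + b"\xE9" + struct.pack("<i", rel) + code[rva + 5:]


def find_patches(clean: bytes, live: bytes, base: int) -> List[Patch]:
    """Diff the on-disk bytes against the in-memory bytes and describe each
    divergent region. A region that starts with E9 is reported as a jump hook
    with its decoded destination; anything else is reported as a raw patch."""
    if len(clean) != len(live):
        raise ValueError("clean and live images must cover the same range")
    patches: List[Patch] = []
    i = 0
    while i < len(clean):
        if clean[i] == live[i]:
            i += 1
            continue
        if live[i] == 0xE9 and i + 5 <= len(live):
            rel = struct.unpack_from("<i", live, i + 1)[0]
            patches.append(Patch(i, 5, base + i + 5 + rel))
            i += 5                            # the whole jmp counts as one patch
        else:
            start = i
            while i < len(clean) and clean[i] != live[i]:
                i += 1
            patches.append(Patch(start, i - start, None))
    return patches


def unhook(clean: bytes, live: bytes, base: int) -> bytes:
    """Restore every patched range from the clean image. This is the core of an
    API unhooker: only the modified bytes are rewritten."""
    out = bytearray(live)
    for p in find_patches(clean, live, base):
        out[p.rva:p.rva + p.length] = clean[p.rva:p.rva + p.length]
    return bytes(out)


def hook_intact(live: bytes, base: int, rva: int, expected_target: int) -> bool:
    """Defender-side check: is the jump hook we installed at rva still pointing
    at our trampoline? False means the process has been unhooked or re-hooked."""
    if rva + 5 > len(live) or live[rva] != 0xE9:
        return False
    rel = struct.unpack_from("<i", live, rva + 1)[0]
    return base + rva + 5 + rel == expected_target


if __name__ == "__main__":
    hooked = plant_jmp_hook(CLEAN_STUB, STUB_BASE, 0, TRAMPOLINE)
    for p in find_patches(CLEAN_STUB, hooked, STUB_BASE):
        print(f"patch at +0x{p.rva:x}, {p.length} bytes, target={p.target:#x}" if p.target
              else f"patch at +0x{p.rva:x}, {p.length} bytes")
    restored = unhook(CLEAN_STUB, hooked, STUB_BASE)
    print("hook present after restore:", hook_intact(restored, STUB_BASE, 0, TRAMPOLINE))
```

The same diff serves both sides: an attacker's unhooker rewrites whatever differs from the disk image, while a monitoring agent that knows where it placed its hooks can poll `hook_intact` and treat a clean-looking stub in a process it is supposed to be hooking as a signal that something restored the original bytes.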

Community Impact Assessment

Trend Micro assesses that Earth Freybug is a subset of the threat group known as APT41, a prominent Chinese cyber espionage group. APT41 is known to target healthcare, telecom, technology, and video game organizations in multiple countries. However, Trend Micro did not identify specific industry targets of this campaign.

Based on the potential connection to APT41 and the sophistication and adaptability of Earth Freybug tactics, techniques, and procedures (TTPs), the RH-ISAC intelligence team assesses with moderate confidence that Earth Freybug presents a medium level threat to Core Member organizations. All members are advised to maintain situational awareness around the group and to review the mitigations, indicators of compromise (IOCs), and TTPs included here.

Mitigation Recommendations

Trend Micro provided the following security recommendations:

  • Frequent password rotation.
  • Limiting access to admin accounts to actual admins.
  • Implementing robust activity logging.
  • Restricting admin privileges.
  • Following the principle of least privilege.


Trend Micro provided the following IOCs:

Detection name

Trend Micro noted that the TTPs in the current campaign matched those used in Operation CuckooBees, a campaign widely attributed to Winnti (an alias for APT41). The techniques are grouped by MITRE ATT&CK tactic:


Reconnaissance
  • Gather Victim Identity Information: Credentials
  • Gather Victim Network Information

Initial Access
  • Exploit Public-Facing Application
  • Supply Chain Compromise

Execution
  • Scheduled Task/Job
  • Inter-process Communication
  • Exploitation for Client Execution
  • Command and Scripting Interpreter: Windows Command Shell
  • Command and Scripting Interpreter: Visual Basic
  • Native API

Persistence
  • Server Software Component: Web Shell
  • Hijack Execution Flow: DLL Side-Loading
  • Scheduled Task/Job: Scheduled Task
  • Valid Accounts: Domain Accounts
  • Valid Accounts: Local Accounts

Privilege Escalation
  • Create or Modify System Process: Windows Service
  • Process Injection: Dynamic-link Library Injection
  • Scheduled Task/Job: Scheduled Task
  • Valid Accounts: Domain Accounts
  • Valid Accounts: Local Accounts

Defense Evasion
  • Hijack Execution Flow: DLL Side-Loading
  • Masquerading: Match Legitimate Name or Location
  • Process Injection: Dynamic-link Library Injection
  • Reflective Code Loading
  • Signed Binary Proxy Execution: Rundll32
  • Valid Accounts: Domain Accounts
  • Valid Accounts: Local Accounts

Credential Access
  • OS Credential Dumping

Discovery
  • System Network Configuration Discovery
  • Remote System Discovery
  • Password Policy Discovery
  • Permission Groups Discovery
  • Network Share Discovery
  • System Service Discovery
  • System Time Discovery
  • System Network Connections Discovery
  • Account Discovery
  • System Owner/User Discovery
  • System Information Discovery
  • Process Discovery

Lateral Movement
  • Exploitation of Remote Services
  • Remote Services: Remote Desktop Protocol

Collection
  • Archive Collected Data: Archive via Utility
  • Automated Collection

Exfiltration
  • Automated Exfiltration

Command and Control
  • Application Layer Protocol: Web Protocols