Mallory
Malware · Used by 2 actors

CroxLoader

CroxLoader is a custom Cobalt Strike loader used by Earth Longzhi, a subgroup of APT41, in campaigns observed from 2021 to 2022. It was delivered primarily via spear-phishing, including links that redirected victims to Google Drive hosting a password-protected archive containing the loader. The phishing lures were themed around information about a person. Researchers also noted Earth Longzhi exploited publicly exposed applications in related operations to deploy downloaders, shellcode loaders, and additional tooling.

CroxLoader is described as a simple but custom loader that accesses an encrypted payload such as "MpClient.bin" and decrypts hidden content. Its decryption routine includes the pattern '(sub 0xA) XOR 0xCC', a code similarity also noted with GroupCC tooling. Reported capabilities include decryption of embedded payloads, process injection, and use of decoy documents. Within the broader Earth Longzhi intrusion set, CroxLoader was one of several customized loaders alongside BigpipeLoader, MultiPipeLoader, and OutLoader, all used to stage Cobalt Strike.

The malware was observed in campaigns targeting organizations in Taiwan and other Asia-Pacific countries. Victim sectors attributed to Earth Longzhi included government, healthcare, infrastructure, banking, defense, aviation, insurance, and urban development. Attribution of the activity to APT41/Earth Longzhi was based on victimology, shared Cobalt Strike metadata, code similarities, and overlapping TTPs. Researchers specifically noted that Symatic loader and CroxLoader shared the same '(sub 0xA) XOR 0xCC' decryption algorithm pattern with GroupCC. No standalone network indicators for CroxLoader were provided in the source content.
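As an added defender-side example (not code from this page or from the cited reports), a small Python triage helper that applies the reported '(sub 0xA) XOR 0xCC' byte transform to an opaque blob and reports whether a PE image falls out. It assumes the transform is per-byte with the subtraction applied before the XOR, as the pattern is written; the sample input is a constructed fake PE header, not a real CroxLoader payload.

```python
SUB_CONST = 0x0A   # the 'sub 0xA' step of the reported pattern
XOR_CONST = 0xCC   # the 'XOR 0xCC' step of the reported pattern


def decode_sub_xor(data: bytes, sub: int = SUB_CONST, xor: int = XOR_CONST) -> bytes:
    """Apply (byte - sub) XOR xor to each byte, wrapping at 8 bits.
    Assumption: per-byte, subtraction first, as the pattern is written."""
    return bytes(((b - sub) & 0xFF) ^ xor for b in data)


def encode_sub_xor(data: bytes, sub: int = SUB_CONST, xor: int = XOR_CONST) -> bytes:
    """Exact inverse of decode_sub_xor; used here only to build test input."""
    return bytes(((b ^ xor) + sub) & 0xFF for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' magic and an e_lfanew offset (at 0x3C) that
    points at the 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_blob(blob: bytes) -> dict:
    """Run the reported transform over an opaque file (e.g. something named
    like MpClient.bin next to a suspected loader). A PE header that appears
    only after decoding is the signal an analyst would escalate on."""
    return {
        "raw_is_pe": looks_like_pe(blob),
        "decoded_is_pe": looks_like_pe(decode_sub_xor(blob)),
    }


def build_fake_pe() -> bytes:
    """Constructed stand-in for a decrypted payload: a minimal MZ header with
    e_lfanew = 0x40 and the PE signature there. Not a real sample."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)     # bytes 0x00..0x3B
    header += (0x40).to_bytes(4, "little")         # e_lfanew at 0x3C
    header += b"PE\x00\x00" + b"\x00" * 20         # signature at 0x40
    return bytes(header)


# Constructed "encrypted" input for the demo below; not a real CroxLoader blob.
SAMPLE_ENCRYPTED = encode_sub_xor(build_fake_pe())

if __name__ == "__main__":
    print(triage_blob(SAMPLE_ENCRYPTED))  # {'raw_is_pe': False, 'decoded_is_pe': True}
```

Because the two constants are parameters, the same helper can be pointed at other single-byte sub/XOR variants when a sample's routine differs from the reported one.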


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

Earth Longzhi

Upon opening the link, the victim is redirected to a Google Drive hosting a password-protected archive with a Cobalt Strike loader we call CroxLoader.

via Trend Micro Research (trendmicro.com)
earth_longzhi_apt

...the newly introduced Croxloader variant accesses the encrypted payload "MpClient.bin," and proceeds to decrypt its hidden content

via Picus Security blog (picussecurity.com)
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1190 Exploit Public-Facing Application (evidence: 1)

In some cases, we also found that the group exploited publicly available applications to deploy and execute a simple downloader to download a shellcode loader and the necessary hack tools for the routine.

T1566.001 Spearphishing Attachment (evidence: 1)

Both campaigns used spear-phishing emails as the primary entry vector to deliver Earth Longzhi’s malware. The attacker embeds the malware in a password-protected archive or shares a link to download malware, luring the victim with information about a person.

T1566.002 Spearphishing Link (evidence: 1)

Upon opening the link, the victim is redirected to a Google Drive hosting a password-protected archive with a Cobalt Strike loader we call CroxLoader.

T1055 Process Injection (evidence: 1)

Injecting a decrypted payload into the system built-in process (dllhost.exe or rundll32.exe) ... After restoring the ntdll, Symatic will spawn a new process for process injection.

Stealth

1 technique
T1055 Process Injection (evidence: 1)

Injecting a decrypted payload into the system built-in process (dllhost.exe or rundll32.exe) ... After restoring the ntdll, Symatic will spawn a new process for process injection.

T1105 Ingress Tool Transfer (evidence: 1)

OutLoader tries to download the payload from a remote server ... exploited publicly available applications to deploy and execute a simple downloader to download a shellcode loader and the necessary hack tools

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Value | Latest sighting
hash.md5 | (value masked on the public page) | 4 years ago