chg: [threat-actor] `Earth Freybug` added

Tracking it separately for now though TM identified it as subset of APT41
pull/967/head
Rony 2024-04-21 06:35:56 +00:00 committed by GitHub
parent 07cc6be922
commit dd8b317912
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 12 additions and 2 deletions


@ -8723,8 +8723,7 @@
"Earth Baku",
"Amoeba",
"HOODOO",
"Brass Typhoon",
"Earth Freybug"
"Brass Typhoon"
]
},
"related": [
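Review bot: Dropping `"Earth Freybug"` from APT41's synonyms without adding a matching item in the `"related"` array that follows loses the link the commit message itself asserts (TM identifies the group as a subset of APT41); suggest adding a `related` item with `"dest-uuid": "c6e2e5ba-ffad-4258-8b6e-775b3fa230c3"` and the relationship type this galaxy uses for subgroup relations (for example `"type": "similar"`), so consumers can still pivot from APT41 to the new cluster after the synonym is gone.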
@ -15853,6 +15852,17 @@
},
"uuid": "dd0063e0-2d44-4798-9e6d-ef0eaa2c2508",
"value": "UNC3569"
},
{
"description": "Earth Freybug, identified as a subset of APT41, is a cyberthreat group active since at least 2012, engaging in espionage and financially motivated activities across various sectors worldwide. The tactics, techniques, and procedures (TTPs) used in this campaign are similar to the ones from a campaign (Operation CuckooBees) described in an article published by Cybereason. They employ a diverse toolkit, including LOLBins and custom malware, to execute sophisticated cyberespionage attacks. The group's recent tactics involve DLL hijacking and API unhooking through a newly discovered malware named UNAPIMON, which prevents child processes from being monitored. This technique was observed in a vmtoolsd.exe process creating remote tasks to deploy malicious batch files for reconnaissance and backdoor access. UNAPIMON's simplicity and use of Microsoft Detours for defense evasion highlight the group's evolving methods and the need for vigilant security measures, such as restricting admin privileges and adhering to the principle of least privilege. Earth Freybug's persistence and creativity in refining their techniques underscore the ongoing threat they pose and the importance of proactive cybersecurity practices.",
"meta": {
"country": "CN",
"refs": [
"https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html"
]
},
"uuid": "c6e2e5ba-ffad-4258-8b6e-775b3fa230c3",
"value": "Earth Freybug"
}
],
"version": 307
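Review bot: The new cluster carries no `"related"` entry pointing back at APT41, and the trailing context line `"version": 307` shows the galaxy version was not bumped even though a cluster was added; suggest adding the reverse `related` link to the APT41 UUID and incrementing `"version"`, since downstream MISP instances use the version field to decide whether to re-sync the galaxy. A smaller point in the description: "the TTPs used in this campaign" names no campaign, so consider rewording to refer explicitly to the activity described in the Trend Micro report listed in `refs`.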