The activity of APT41 has become more complex since the United States indictment in 2020, not only in terms of its TTPs but also in terms of attribution. In 2021, multiple security vendors disclosed new campaigns by several APT41 subgroups, such as Earth Baku, Sparkling Goblin, Blackfly, Amoeba and GroupCC, which makes attribution increasingly confusing. Unfortunately, we will add one more subgroup to this hall of (in)fame, which we have dubbed "Earth Longzhi". Earth Longzhi overlaps with existing APT41 subgroups in code reuse and TTPs, but its long-running activities have not yet been fully revealed. As we observed, Earth Longzhi has been active since at least early 2020 and continues to change its targets and TTPs from time to time. Through analysis of its activities, we identified two major campaigns between 2020 and 2022. In this presentation, through the technical details of these two campaigns, we will show how Earth Longzhi has been changing its TTPs to bypass detection. In addition, we will describe in detail the process of how we attribute. We believe that sharing the attribution process, and not only the technical details of the malware, will help other security researchers in the future.