{
	"id": "64839a3b-fcfe-442d-916b-a6e5cbab9927",
	"created_at": "2026-04-06T00:12:41.6243Z",
	"updated_at": "2026-04-10T13:12:35.833187Z",
	"deleted_at": null,
	"sha1_hash": "04a38d070d8c89715e95bff87830842440922c4f",
	"title": "Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 615899,
	"plain_text": "Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan\r\nand Japan\r\nBy: Hara Hiroaki Apr 30, 2025 Read time: 7 min (1919 words)\r\nPublished: 2025-04-30 · Archived: 2026-04-05 16:16:45 UTC\r\nAPT group Earth Kasha continues its activity with a new campaign in March 2025 that uses spear-phishing\r\nto deliver a new version of the ANEL backdoor, possibly for espionage based on the campaign’s\r\nvictimology.\r\nIn this campaign, the APT group, believed to be a part of the larger APT10 group, is targeting government\r\nagencies and public institutions in Taiwan and Japan. Potential impact could include information theft and\r\nsensitive data related to governance being compromised.\r\nThe ANEL file from the 2025 campaign discussed in this blog implemented a new command to support the\r\nexecution of a BOF (Beacon Object File) in memory. This campaign also potentially leveraged SharpHide to\r\nlaunch the second stage backdoor NOOPDOOR.\r\nWe provide recommendations for organizations to proactively secure their systems, including\r\nimplementing a zero-trust approach to external and unrecognized OneDrive links, and the continuous\r\nmonitoring for any potential abuse of DNS over HTTPS.\r\nTrend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One customers can\r\nalso access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest\r\nupdates on Earth Kasha.\r\nIn our monitoring of advanced persistent threats, we observed a new campaign targeting Taiwan and Japan that\r\ncan be attributed to Earth Kasha. We detected campaign activity in March 2025, and found that it uses spear-phishing to deliver a new version of the ANEL backdoor.\r\nEarth Kasha, believed to be a part of the larger APT10 umbrella, has been conducting espionage campaigns since\r\nat least 2017 and is known to shift its techniques, tactics and toolsets frequently. 
Prior activity from the group\r\nwas recorded in 2024, where they targeted individuals affiliated with political organizations, research institutions,\r\nthink tanks, and organizations related to international relations in Japan via spear-phishing. It appears that the\r\ngroup is expanding its targets in this year’s spear-phishing campaign to include government agencies and\r\npublic institutions in Taiwan and Japan.\r\nWe assume that the motivation behind this campaign is espionage and information theft based on the victimology\r\nand post-exploitation TTPs. Considering that Earth Kasha’s origin is believed to be China, a potential espionage\r\ncampaign targeting Taiwan and Japan has significant geopolitical implications.\r\nIn this blog, we will discuss the TTPs and malware observed in Earth Kasha’s latest campaign.\r\nhttps://www.trendmicro.com/en_us/research/25/d/earth-kasha-updates-ttps.html\r\nPage 1 of 9\n\nFigure 1. The observed infection chain of Earth Kasha’s latest campaign in March 2025.\r\nInitial Access\r\nThe attack begins with a spear-phishing email: we have observed cases where the malicious emails were sent from\r\na legitimate account, suggesting that compromised accounts could have been abused to deliver the malicious\r\nemails. The email embeds a OneDrive URL link that downloads a ZIP file which contains a malicious Excel file.\r\nThe Excel filename and email subject are designed to capture the target’s interest. 
Some of the file names and email\r\nsubjects used in this campaign are listed below:\r\n\u003cREDACTED\u003e_修正済み履歴書 (Japanese translated to English: \u003cREDACTED\u003e_Revised Resume)\r\n臺日道路交通合作與調研相關公務出國報告 (Taiwanese translated to English: Report on Official\r\nBusiness Trips Abroad Related to Taiwan-Japan Road Transportation Cooperation and Research)\r\n應徵研究助理-\u003cREDACTED\u003e (Taiwanese translated to English: Research Assistant Application-\r\n\u003cREDACTED\u003e)\r\nDropper\r\nThe malicious Excel file is a macro-enabled dropper that we call ROAMINGMOUSE. Since Earth Kasha’s\r\n2024 campaign, ROAMINGMOUSE has been used as an initial dropper to drop the ANEL components by\r\nimplementing a simple sandbox evasion technique requiring user manipulation to trigger the malicious routine.\r\nFigure 2. The malicious Excel file requires user manipulation to drop the ANEL components.\r\nThe use of a malicious Excel file is different from Earth Kasha’s 2024 campaign where they used a malicious\r\nWord file. Apart from the change in file type, the malicious routine trigger was also switched from a mousemove\r\nevent to the click event.\r\nROAMINGMOUSE then decodes the embedded ZIP file by using Base64, drops the ZIP to disk, and expands\r\nits components. 
In this campaign, ROAMINGMOUSE dropped the following components:\r\nJSLNTOOL.exe, JSTIEE.exe, or JSVWMNG.exe: A legitimate application signed by 株式会社ジャストシステム (JustSystems Inc.)\r\nJSFC.dll: A malicious loader, dubbed ANELLDR\r\n\u003cRANDOM\u003e: An encrypted ANEL payload\r\nMSVCR100.dll: A legitimate DLL, a dependency of the EXE\r\nThe components were dropped onto the following file paths:\r\n%LOCALAPPDATA%\\Microsoft\\Windows\\\u003cRANDOM\u003e\r\n%LOCALAPPDATA%\\Microsoft\\Media Player\\Transcoded Files Cache\\\u003cRANDOM\u003e\r\nAfter dropping the components, ROAMINGMOUSE launches the legitimate EXE as an argument of explorer.exe\r\nvia WMI. The EXE then loads a malicious DLL, JSFC.dll, in the same directory via DLL sideloading.\r\nFigure 3. ROAMINGMOUSE launches the legitimate EXE as an argument of explorer.exe via\r\nWMI.\r\nA notable observation from our investigation is that if ROAMINGMOUSE detects an installation of a McAfee\r\napplication, it changes its execution method to create a batch file in the startup folder that executes the legitimate\r\nEXE as an argument of explorer.exe without WMI.\r\nFirst stage backdoor: ANEL\r\nJSFC.dll, a malicious loader dubbed ANELLDR, was observed in this campaign. It mostly has the same\r\ncapabilities as the loader used in Earth Kasha’s previous campaign. It decrypts an encrypted ANEL blob file in the\r\nsame directory by using AES-256-CBC and LZO, and executes the ANEL in memory.\r\nThe ANEL file is known to embed its version number, which can help to understand how it evolves. However,\r\nsince Earth Kasha’s previous campaign in 2024, the ANEL file has been observed to have its version number\r\nencrypted. The ANEL file we observed in this new campaign also encrypted its version number.\r\nFigure 4. 
The ANEL blob file now has its version number encrypted.\r\nAs for capabilities, it should be noted that there are no significant changes in the command and control (C\u0026C)\r\ncommunication protocol: this campaign continues to use a combination of custom ChaCha20, XOR, and LZO.\r\nHowever, we found that the ANEL file from the 2025 campaign implemented a new command to support the\r\nexecution of a BOF (Beacon Object File) in memory. Table 1 summarizes the changes of supported commands on\r\neach ANEL file version.\r\nTable 1. A summary of the changes of supported commands on each ANEL file version\r\nANEL backdoor post-exploitation\r\nAfter installing the ANEL file, actors behind Earth Kasha obtained screenshots using a backdoor command and\r\nexamined the victim’s environment. To do this, we observed that the following commands were used:\r\ntasklist /v\r\nnet localgroup administrators\r\nnet user\r\nThe adversary appears to investigate the victim by looking through screenshots, running process lists, and domain\r\ninformation. We assume this is to find out whether they have infiltrated an intended target, as there are several\r\ncases where the threat actors did not proceed with the second stage backdoor. In the cases that they did proceed\r\nwith the second stage backdoor, we observed that they downloaded NOOPDOOR components onto the\r\nC:\\ProgramData folder using a backdoor command and executed it using the following command:\r\ncmd /c C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe C:\\ProgramData\\ctac.xml\r\nWe also observed that Earth Kasha in this latest campaign potentially leveraged SharpHide for persistence: to\r\nlaunch NOOPDOOR through Hidden Start (hstart64.exe), and to hide the UI of MSBuild on autorun. It possibly
It possibly\r\nhttps://www.trendmicro.com/en_us/research/25/d/earth-kasha-updates-ttps.html\r\nPage 5 of 9\n\ninjects SharpHide in the legitimate application process since the “msiexec.exe” was verified as legitimate, as can\r\nbe observed in the following command:\r\nC:\\WINDOWS\\system32\\msiexec.exe action=create keyvalue=\"C:\\ProgramData\\hstart64.exe\"\r\narguments=\"/NOCONSOLE \\\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe\r\nC:\\ProgramData\\ctac.xml\\\"\"\r\nEarth Kasha then removed the ANEL working directories by using following commands:\r\nrd /s /q \"C:\\Users\\\u003cREDUCTED\u003e\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\\r\n\u003cRANDOM\u003e\"\r\nrd /s /q \"C:\\Users\\\u003cREDUCTED\u003e\\AppData\\Local\\Microsoft\\Windows\\\u003cRANDOM\u003e\"\r\nSecond stage backdoor: NOOPDOOR\r\nWe also observed that the adversary installed NOOPDOOR as its second-stage backdoor; NOOPDOOR is the\r\nsophisticated backdoor exclusively used by Earth Kasha since at least 2021. NOOPDOOR has been observed to\r\ncontinuously evolve by adding or removing minor features. An interesting update observed in NOOPDOOR\r\nduring this campaign is that it supports to use DNS over HTTPS (DoH).\r\nDoH is a relatively new technology to secure the user’s privacy by resolving IP address over HTTPS, instead of\r\nDNS that doesn’t support encryption. The new version of NOOPDOOR is designed to hide its IP lookup using the\r\nDoH protocol during C\u0026C. NOOPDOOR embeds public DNS servers supporting DoH, such as Google and\r\nCloudflare.\r\nFigure 5. NOOPDOOR hides its IP lookup by using DNS over HTTPS (DoH).\r\nNOOPDOOR generates a C\u0026C domain through Domain Generation Algorithm (DGA) based on the current\r\ndatetime as we have described in our previous blog, and then tries to resolve IP over DoH to hide suspicious\r\ndomain name resolutions. Figure 6 illustrates how DoH works to get an IP. 
The result of DNS resolution will be\r\nreturned in the HTTPS body.\r\nFigure 6. NOOPDOOR tries to resolve IP over DoH to hide suspicious domain name resolutions.\r\nConclusion and security recommendations\r\nEarth Kasha continues to be an active advanced persistent threat and is now targeting government agencies and\r\npublic institutions in Taiwan and Japan in its latest campaign, which we detected in March 2025. Malicious actors\r\nbehind the group continue to use spear-phishing to target their victims but employ slightly modified TTPs from\r\ntheir previous campaigns. A malicious Excel file now carries ROAMINGMOUSE, where before they used a Word\r\nfile; additionally, the malicious routine trigger was also switched from a mousemove event to the click event.\r\nThe ANEL file we observed in this new campaign encrypts its version number like the ANEL file version from\r\nEarth Kasha’s previous campaign in 2024, but we found that the ANEL file from the 2025 campaign implemented\r\na new command to support the execution of a BOF (Beacon Object File) in memory. This latest campaign also\r\npotentially leveraged SharpHide for persistence: to launch the second stage backdoor NOOPDOOR through\r\nHidden Start (hstart64.exe), and to hide the UI of MSBuild on autorun.\r\nEnterprises and organizations, especially those with high-value assets like sensitive data relating to governance, as\r\nwell as intellectual property, infrastructure data, and access credentials, should continue to be vigilant and\r\nimplement proactive security measures to prevent falling victim to cyberattacks. 
We recommend the following\r\nmeasures so enterprises can help secure against the TTPs discussed in this blog:\r\nEducate users on the risks of selecting and opening external or unrecognized OneDrive links and\r\nimplement a zero-trust policy when interacting with such links and files in unrecognized emails.\r\nMonitor potential abuse of DNS over HTTPS.\r\nDisable macros downloaded from the internet.\r\nMaximize endpoint detection and response tools to detect suspicious activity.\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber\r\nrisk exposure management, security operations, and robust layered protection. This holistic approach helps\r\nenterprises predict and prevent threats, accelerating proactive security outcomes across their respective digital\r\nestate. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and\r\nelevate security into a strategic partner for innovation.\r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and\r\nThreat Insights. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to\r\nprepare for emerging threats by offering comprehensive information on threat actors, their malicious activities,\r\nand their techniques. 
By leveraging this intelligence, customers can take proactive steps to protect their\r\nenvironments, mitigate risks, and effectively respond to threats.\r\nTrend Vision One Intelligence Reports App [IOC Sweeping]\r\nStill in the Game: Earth Kasha's Continued Spear-Phishing Campaign targeting Taiwan and Japan\r\nTrend Vision One Threat Insights App\r\nEmerging Threats: Still in the Game: Earth Kasha's Continued Spear-Phishing Campaign targeting Taiwan and\r\nJapan\r\nThreat Actor: Earth Kasha\r\nHunting Query\r\neventName:MALWARE_DETECTION AND (malName:*ROAMINGMOUSE* OR malName:*ANEL* OR\r\nmalName:*NOOPLDR* OR malName:*NOOPDOOR*)\r\neventSubId: 301 AND (hostName: *.srmbr.net OR hostName: *.kyolpon.com)\r\neventSubId: 204 AND (dst: 172.233.73.249 OR dst: 172.105.62.188 OR dst: 192.46.215.56 OR dst:\r\n139.162.38.102)\r\nIndicators of Compromise (IoC)\r\nDownload the list of IoCs here.\r\nSource: https://www.trendmicro.com/en_us/research/25/d/earth-kasha-updates-ttps.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/d/earth-kasha-updates-ttps.html"
	],
	"report_names": [
		"earth-kasha-updates-ttps.html"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434361,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04a38d070d8c89715e95bff87830842440922c4f.pdf",
		"text": "https://archive.orkl.eu/04a38d070d8c89715e95bff87830842440922c4f.txt",
		"img": "https://archive.orkl.eu/04a38d070d8c89715e95bff87830842440922c4f.jpg"
	}
}