{
	"id": "ef65db28-e97c-40c2-9fd6-d036b902f4fd",
	"created_at": "2026-04-06T00:08:31.659134Z",
	"updated_at": "2026-04-10T03:30:16.058071Z",
	"deleted_at": null,
	"sha1_hash": "0e3607b07bb2810588082a1e0437deec0b9d0b79",
	"title": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42101,
	"plain_text": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/ea\r\nbaxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt\r\nArchived: 2026-04-05 16:54:45 UTC\r\nEarth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC\r\nSHA256 Hashes Detection\r\n916f3f4b895c8948b504cbf1beccb601ff7cc6e982d2ed375447bce6ecb41534 Trojan.VBS.RIPCOY.ZTLI\r\n4edc77c3586ccc255460f047bd337b2d09e2339e3b0b0c92d68cddedf2ac1e54 Trojan.VBS.RIPCOY.ZTLI\r\n6be4dd9af27712f5ef6dc7d684e5ea07fa675b8cbed3094612a6696a40c664ce Trojan.VBS.RIPCOY.ZBLI\r\n1e6c661d6981c0fa56c011c29536e57d21545fd11205eddf9218269ddf53d448 Trojan.VBS.RIPCOY.ZCLI\r\n4ad078a52abeced860ceb28ae99dda47424d362a90e1101d45c43e8e35dfd325 Trojan.VBS.RIPCOY.ZTLI\r\n04b336c3bcfe027436f36dfc73a173c37c66288c7160651b11561b39ce2cd25e Trojan.VBS.RIPCOY.ZTLI\r\nc78a02fa928ed8f83bda56d4b269152074f512c2cb73d59b2029bfc50ac2b8bc Trojan.Win64.DULLDOWN.ZTLH.component\r\n1c13e6b1f57de9aa10441f63f076b7b6bd6e73d180e70e6148b3e551260e31ee TrojanSpy.SH.DULL.ZTLH\r\n9b50e888aaec0e4d105a6f06db168a8a2dcf9ab1f9deeff4b7862463299ab1ca Trojan.Win64.SWORDLDR.ZTLH\r\nd23dd576f7a44df0d44fca6652897e4de751fdb0becc6b14b754ac9aafc9081c Trojan.Win64.SWORDLDR.ZTLH\r\nd3c1ada67f9fe46dfb11f72c1754667d2ccd0026d48d37b61192e3d0ef369b84 Trojan.Win64.SWORDLDR.ZYLH\r\ne9854ab68dad0a744925118bfae4ec6ce9c4b7727e2ad6763aa50b923991de95 Backdoor.Win64.COBEACON.ZTLH.enc\r\nb3b8efcaf6b9491c00049292cdff8f53772438fde968073e73d767d51218d189 Backdoor.Win64.EAGLEDOOR.ZTLH\r\ncef0d2834613a3da4befa2f56ef91afc9ab82b1e6c510d2a619ed0c1364032b8 Backdoor.Win64.EAGLEDOOR.ZTLH\r\n061bcd5b34c7412c46a3acd100167336685a467d2cbcd1c67d183b90d0bf8de7 Backdoor.Win64.EAGLEDOOR.ZTLH\r\n1c26d79a841fdca70e50af712f4072fea2de7faf5875390a2ad6d29a43480458 Backdoor.Win64.COBEACON.ZTLH.enc\r\nDomains Description\r\nrecordar-simmco.s3.sa-east-1.amazonaws[.]com Decoy download site\r\nwordpresss-data.s3.me-south-1.amazonaws[.]com Decoy download site\r\necgglass-arq.s3.sa-east-1.amazonaws[.]com Decoy download site\r\nsouzacambos.s3.sa-east-1.amazonaws[.]com Decoy download site\r\ncooltours.s3.sa-east-1.amazonaws[.]com Decoy download site\r\nxiiltrionsoledadprod.s3.sa-east-1.amazonaws[.]com Decoy download site\r\napp-dimensiona.s3.sa-east-1.amazonaws[.]com Decoy download site\r\nbjj-files-production.s3.sa-east-1.amazonaws[.]com Decoy download site\r\nfootracker-statics.s3.sa-east-1.amazonaws[.]com Decoy download site\r\nproradead.s3.sa-east-1.amazonaws[.]com Decoy download site\r\ns3-contemp.s3.sa-east-1.amazonaws[.]com Decoy download site\r\nhomologacao-sisp.s3.sa-east-1.amazonaws[.]com Decoy download site\r\ndoare-assets.s3.sa-east-1.amazonaws[.]com Decoy download site\r\nkcalmoments.s3.me-south-1.amazonaws[.]com Decoy download site\r\nspeedshare.oss-cn-hongkong.aliyuncs[.]com The next decoy download site\r\n360photo.oss-cn-hongkong.aliyuncs[.]com The next decoy download site\r\nbobs8.oss-cn-hongkong.aliyuncs[.]com The next decoy download site\r\nstatus.s3cloud-azure[.]com The final decoy download site\r\napi.s2cloud-amazon[.]com The final decoy download site\r\nvisualstudio-microsoft[.]com COBEACON C\u0026C\r\nus2.s3bucket-azure[.]online COBEACON C\u0026C\r\nstatic.trendmicrotech[.]com COBEACON C\u0026C\r\nrocean.oca[.]pics COBEACON C\u0026C\r\nhttps://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-\r\n%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt\r\nPage 1 of 2\n\nstatic.krislab[.]site COBEACON C\u0026C\r\nms1.hinet[.]lat COBEACON C\u0026C\r\nmsa.hinet[.]ink EAGLEDOOR C\u0026C\r\nIPs Description\r\n167.172.89[.]142 EAGLEDOOR C\u0026C\r\n167.172.84[.]142 EAGLEDOOR C\u0026C\r\n152.42.243[.]170 Download site\r\n188.166.252[.]85 Download site\r\nSource: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/\r\nIOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt\r\nhttps://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-\r\n%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt"
	],
	"report_names": [
		"IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt"
	],
	"threat_actors": [
		{
			"id": "f45af9e4-5037-4a5a-82c1-4627845eea49",
			"created_at": "2024-09-26T02:00:04.286721Z",
			"updated_at": "2026-04-10T02:00:03.707415Z",
			"deleted_at": null,
			"main_name": "Earth Baxia",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Baxia",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b7f4f69-7c56-4691-9071-9365884a7f30",
			"created_at": "2024-10-25T02:02:07.672671Z",
			"updated_at": "2026-04-10T02:00:04.660715Z",
			"deleted_at": null,
			"main_name": "Earth Baxia",
			"aliases": [],
			"source_name": "ETDA:Earth Baxia",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"EAGLEDOOR",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434111,
	"ts_updated_at": 1775791816,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e3607b07bb2810588082a1e0437deec0b9d0b79.pdf",
		"text": "https://archive.orkl.eu/0e3607b07bb2810588082a1e0437deec0b9d0b79.txt",
		"img": "https://archive.orkl.eu/0e3607b07bb2810588082a1e0437deec0b9d0b79.jpg"
	}
}