{
	"id": "e336cc22-a2e1-4285-92d0-cee36fe4749b",
	"created_at": "2026-04-06T00:08:44.611883Z",
	"updated_at": "2026-04-10T03:36:48.17577Z",
	"deleted_at": null,
	"sha1_hash": "1ebd01e16b288909131a7586aba88f4f63b15680",
	"title": "Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 322451,
	"plain_text": "Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections\r\nBy Cedric Pernet, Jaromir Horejsi\r\nPublished: 2024-02-26 · Archived: 2026-04-05 22:02:36 UTC\r\nIntroduction\r\nTrend Micro previously published a number of entries discussing the operations of a China-linked threat actor we\r\ntrack as Earth Lusca. The group, which has been active since at least 2020 and has regularly changed its modus\r\noperandi, has been known to launch several different campaigns at the same time.\r\nDuring our monitoring of this threat actor, we noticed a new campaign that used Chinese-Taiwanese relations as a\r\nsocial engineering lure to infect selected targets. We attribute this campaign to Earth Lusca with high confidence\r\nbased on the tools, techniques, and procedures (TTPs) we observed in previous research.\r\nThe attack campaign discussed in this report has likely been active between December 2023 and January 2024,\r\nwith a file that contained a lure document discussing Chinese-Taiwanese geopolitical issues. This file was created\r\njust two days before the Taiwanese national elections and the document seems to be a legitimate document stolen\r\nfrom a geopolitical expert from Taiwan.\r\nNote that a recent leak of private documents provides a new attribution path to a Chinese company\r\ncalled I-Soon. We discuss these connections in a separate section in this entry. There is significant overlap\r\nbetween the victims, malware used, and probable location of Earth Lusca and I-Soon. This suggests, at the very\r\nleast, a significant connection between these groups. 
Our research is continuing at this time.\r\nEarth Lusca attack chain\r\nhttps://www.trendmicro.com/en_us/research/24/b/earth-lusca-uses-geopolitical-lure-to-target-taiwan.html\r\nPage 1 of 7\n\nInitial access via spear phishing\r\nAlthough we were not able to determine the initial method Earth Lusca used to deliver infection files to its targets,\r\nwe found the initial infection file, an archive (.7z) named China_s gray zone warfare against Taiwan.7z. Based on\r\nthe threat actor’s previous activities, we suspect this file was sent to the targets via email, either embedded as an\r\nattachment or as a link.\r\nThe archive consists of a folder named “China’s gray zone warfare against Taiwan” that contains two different\r\nWindows shortcut files (.LNK) and a subfolder named “__MACOS”.\r\nThe __MACOS subfolder name resembles the legitimate __MACOSX folder name created by macOS, which is\r\nhidden by default and is used to store each folder’s various settings. In the case we analyzed, the __MACOS\r\nfolder does not contain any metadata but instead hides another stage of the malicious payload.\r\nThe __MACOS subfolder contains two files named “_params.cat.js” and “_params2.cat.js”.\r\nAll the files show metadata indicating that the files were last modified on Jan. 
11, 2024.\r\nFirst stage: Shortcut (LNK) file with hidden target attribute\r\nThe LNK files, once selected, execute the JavaScript code stored in the __MACOS folder.\r\nIf users attempt to right-click on the malicious LNK file and display its “target” parameter, they are presented only\r\nwith an explorer.exe file name followed by space characters, as can be seen in Figures 3 and 4.\r\nThe threat actor inserted 255 space characters in the “arguments” attribute before including the actual path to the\r\nmalicious script to ensure that users don’t notice anything is amiss.\r\nTools such as an LNK parser reveal the entire content of the “arguments” field:\r\nSecond stage: Obfuscated JavaScript file\r\nThe second stage is obfuscated with Dean Edwards’ JavaScript Packer, a tool designed to obfuscate JavaScript\r\ncode to hinder analysis and detections.\r\nThird stage: Deobfuscated JavaScript file and dropper\r\nThe third stage drops a text file containing hexadecimal data to the %APPDATA%\\Roaming directory.\r\nThis text file contains a magic signature, 4d534346, which is the Microsoft Cabinet File (MSCF) signature of a\r\ncabinet archive. The JavaScript then uses a living-off-the-land technique and calls a few LOLBins to decode the\r\nhexadecimal string to a binary file (certutil.exe) and unpack the cabinet archive (expand.exe).\r\nThe extracted cabinet archive contains a decoy file, a signed legitimate executable file, and a malicious DLL\r\nlibrary.\r\nIn the cases we observed, we found the decoy files to be either Microsoft Word documents, Microsoft PowerPoint\r\ndocuments, or PDF documents. 
Although these were written by professionals involved in political relations\r\nbetween China and Taiwan, we could not find any of these documents online. We suspect with moderate to high\r\nconfidence that these documents were stolen from these authors or their employers. We have reached out to these\r\nindividuals and organizations and warned them about the possible compromise of their systems.\r\nThe signed legitimate executable file, 360se.exe from Qihoo 360, was renamed to pfexec.exe by Earth Lusca in a\r\ncase of DLL hijacking. Once executed, it launches the DLL contained in the same folder (chrome_elf.dll).\r\nFourth stage: Cobalt Strike stageless client (malicious obfuscated DLL library)\r\nThe last stage of the infection chain is a stageless Cobalt Strike payload. The noteworthy parameters extracted\r\nfrom the embedded configuration are listed here:\r\nC2Server                         - upserver.updateservice.store,/common.html\r\nHttpPostUri                      - /r-arrow\r\nWatermark                        - 100000000\r\nSimilar attacks\r\nDuring the monitoring of this campaign, we received more archives using similar structures and employing\r\ncomparable tricks but having different file names, decoy names, and command-and-control (C\u0026C) servers, among\r\nothers.\r\nOne such noteworthy file, another 7z archive file named “ppt-cih1w4.7z”, contained a folder named “Sino-Africa_relations” as seen in Figure 8:\r\nThe folder also contained an LNK file and a __MACOS folder with payload, this time timestamped Dec. 22,\r\n2023.\r\nSimilar to the previously analyzed archive, several stages lead to this last stage (namely Cobalt Strike), only with\r\ndifferent configurations. The C\u0026C server name abuses the name of the cybersecurity company Cybereason. 
The\r\nmalleable profile is also different this time and uses different URLs, although the watermark remains the same.\r\nC2Server                         - www.cybereason.xyz,/mobile-android\r\nHttpPostUri                      - /RELEASE_NOTES\r\nWatermark                        - 100000000\r\nAttack started shortly before 2024\r\nAs mentioned in the introduction, the campaign exposed in this report was likely active between December 2023\r\nand January 2024, with the lure document created just two days before the Taiwanese national elections.\r\nThe C\u0026C domain used by Earth Lusca (updateservice[.]store) was registered anonymously on Dec. 12, 2023 and\r\na subdomain was used for C\u0026C communications (upserver.updateservice[.]store).\r\nMeanwhile, the other C\u0026C domain used in this attack campaign (Cybereason[.]xyz) was registered anonymously\r\non Oct. 27, 2023.\r\nBoth C\u0026C servers are unavailable as of this writing.\r\nWe also found evidence that Earth Lusca targeted a Taiwan-based private academic think tank dedicated to the\r\nstudy of international political and economic situations.\r\nWhile we could not find other campaign targets at the time of writing, we suspect Earth Lusca might be planning\r\nto attack more politically related entities.\r\nThe I-Soon lead\r\nA recent leak on GitHub exposed sizeable data on a Chinese company called I-Soon that has seemingly been\r\nactive since 2016. The company describes itself on its website as an “APT Defense and Research Laboratory” and\r\nprovides descriptions of its services: offensive and defensive security, antifraud solutions, blockchain forensics\r\nsolutions, security products, and more. The group also notes several law enforcement and government entities\r\nwith which it collaborates. 
As an interesting aside, I-Soon had been the recipient of a few rounds of funding since\r\n2017. One of its investors was the antivirus company Qihoo from China, which, as stated earlier, had an\r\nexecutable file abused for DLL hijacking.\r\nWe found a few indicators in the I-Soon leak that made us believe that some of the Earth Lusca activities are\r\nsimilar to the contents of the leak:\r\n1. There is some victim overlap between Earth Lusca and I-Soon: Some of the names on the victim lists of the\r\nI-Soon leak were also victims of Earth Lusca’s attacks.\r\n2. The malware and tools arsenal used by I-Soon and Earth Lusca has a few strong overlaps. Malware such as\r\nShadowPad, Winnti and a few other tools have been used extensively by Earth Lusca and are\r\nused by I-Soon as well.\r\n3. We also discovered a location overlap between the two. In a blog entry in September 2023, we mentioned\r\nthat Earth Lusca’s source IP addresses are from Chengdu, Sichuan province, where the main office of I-Soon’s penetration teams is also located.\r\nConclusion\r\nEarth Lusca remains an active threat actor that counts cyberespionage among its primary motivations.\r\nOrganizations must remain vigilant against APT groups employing sophisticated TTPs. In particular, government\r\norganizations face potential harm that could affect not only national and economic security but also international\r\nrelations if malicious actors were to succeed in stealing classified information. 
Meanwhile, businesses that fall\r\nprey to cyberespionage attacks might face a decline in customer trust and operational disruptions that in turn lead\r\nto financial repercussions.\r\nGiven Earth Lusca's penchant for using email, resorting to social engineering as one of its main avenues of\r\ninfection, and capitalizing on relevant social and political issues as seen in this campaign, we advise individuals\r\nand organizations to adhere to security best practices, such as avoiding clicking on suspicious email and website\r\nlinks and updating software in a timely manner to minimize the chances of falling victim to an Earth Lusca attack.\r\nMITRE ATT\u0026CK techniques\r\nThe techniques listed below are a subset of the MITRE ATT\u0026CK list.\r\nTactic | Technique | ID | Description\r\nInitial Access | Phishing: Spear-phishing Link | T1566.002 | Used to send spear-phishing emails with a malicious attachment in an attempt to gain access to victim systems.\r\nExecution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Used to leverage cmd to execute various commands and payloads.\r\nExecution | Command and Scripting Interpreter: JavaScript | T1059.007 | Used to execute various commands and payloads.\r\nExecution | User Execution: Malicious Link | T1204.001 | An adversary may rely upon a user clicking a malicious link in order to gain execution.\r\nExecution | User Execution: Malicious File | T1204.002 | An adversary may rely upon a user opening a malicious file in order to gain execution.\r\nDefense Evasion | Deobfuscate/Decode Files or Information | T1140 | Used obfuscated files or information to hide artifacts of an intrusion from analysis.\r\nDefense Evasion | Hide Artifacts: Hidden Files and Directories | T1564.001 | Set files and directories to be hidden to evade detection mechanisms.\r\nDefense Evasion | Hijack Execution Flow: DLL Search Order Hijacking | T1574.001 | Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs.\r\nDefense Evasion | Indirect Command Execution | T1202 | Used to abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.\r\nDefense Evasion | Masquerading: Double File Extension | T1036.007 | Used to abuse a double extension in the filename as a means of masquerading the true file type.\r\nDefense Evasion | Obfuscated Files or Information: Software Packing | T1027.002 | Adversaries may perform software packing or virtual machine software protection to conceal their code.\r\nDefense Evasion | Obfuscated Files or Information: Embedded Payloads | T1027.009 | Adversaries may embed payloads within other files to conceal malicious content from defenses.\r\nDefense Evasion | Obfuscated Files or Information: LNK Icon Smuggling | T1027.012 | Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign Windows shortcut files.\r\nDiscovery | File and Directory Discovery | T1083 | Adversaries may enumerate files and directories.\r\nCommand and Control | Data Encoding | T1132 | Adversaries may encode data to make the content of command and control traffic more difficult to detect.\r\nCommand and Control | Data Obfuscation | T1001 | Adversaries may obfuscate command and control traffic to make it more difficult to detect.\r\nCommand and Control | Encrypted Channel | T1573 | Adversaries may employ a known encryption algorithm to conceal command and control traffic.\r\nExfiltration | Exfiltration Over C2 Channel | T1041 | Adversaries may steal data by exfiltrating it over an existing command and control channel.\r\nThe final payload, Cobalt Strike, might use additional techniques listed on the MITRE website.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise for this entry can be found here.\r\nWe’d like to thank Trend's Ian Kenefick and Cyris Tseng for additional intelligence.\r\nSource: https://www.trendmicro.com/en_us/research/24/b/earth-lusca-uses-geopolitical-lure-to-target-taiwan.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/b/earth-lusca-uses-geopolitical-lure-to-target-taiwan.html"
	],
	"report_names": [
		"earth-lusca-uses-geopolitical-lure-to-target-taiwan.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434124,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ebd01e16b288909131a7586aba88f4f63b15680.pdf",
		"text": "https://archive.orkl.eu/1ebd01e16b288909131a7586aba88f4f63b15680.txt",
		"img": "https://archive.orkl.eu/1ebd01e16b288909131a7586aba88f4f63b15680.jpg"
	}
}