{
	"id": "d3ba1aec-95d3-4ab3-b034-3556c0956ba6",
	"created_at": "2026-04-06T00:17:59.045051Z",
	"updated_at": "2026-04-10T03:36:33.610074Z",
	"deleted_at": null,
	"sha1_hash": "21ce0b996b27bd40f94971faee43958135aefcd1",
	"title": "Earth Preta Spear-Phishing Governments Worldwide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2877799,
	"plain_text": "Earth Preta Spear-Phishing Governments Worldwide\r\nBy: Nick Dai, Vickie Su, Sunny Lu Nov 18, 2022 Read time: 16 min (4199 words)\r\nPublished: 2022-11-18 · Archived: 2026-04-05 13:23:33 UTC\r\nWe have been monitoring a wave of spear-phishing attacks targeting the government, academic, foundation, and research sectors around the world. Based on the lure documents we observed in the wild, this is a large-scale cyberespionage campaign that began around March. After months of tracking, the seemingly wide outbreak of targeted attacks includes but is not limited to Myanmar, Australia, the Philippines, Japan and Taiwan. We analyzed the malware families used in this campaign and attributed the incidents to a notorious advanced persistent threat (APT) group called Earth Preta (also known as Mustang Panda and Bronze President).\r\nIn our observation of the campaigns, we noted that Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as rar/zip/jar) and distributed through Google Drive links. Users are then lured into downloading and triggering the malware to execute: TONEINS, TONESHELL, and PUBLOAD. PUBLOAD has been previously reported, but we add new technical insights in this entry that tie it to TONEINS and TONESHELL, newly discovered malware families used by the group for its campaigns.\r\nIn addition, the actors leverage different techniques for evading detection and analysis, like code obfuscation and custom exception handlers. We also found that the senders of the spear-phishing emails and the owners of Google Drive links are the same. 
Based on the sample documents that were used for luring the victims, we also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts.\r\nIn this blog entry, we discuss Earth Preta’s new campaign and its tactics, techniques, and procedures (TTPs), including new installers and backdoors. Last, we share how security practitioners can track malware threats similar to those that we have identified.\r\nInitial compromise and targets\r\nBased on our monitoring of this threat, the decoy documents are written in Burmese, and the contents are \"လျှို့ဝှက်ချက်\" (“Internal-only”). Most of the topics in the documents are controversial issues between countries and contain words like \"Secret\" or “Confidential.” These could indicate that the attackers are targeting Myanmar government entities as their first entry point. This could also mean that the attackers have already compromised specific political entities prior to the attack, something that Talos Intelligence had also previously noted.\r\nThe attackers use the stolen documents as decoys to trick the targeted organizations working with Myanmar government offices into downloading and executing the malicious files. The victimology covers a broad range of organizations and verticals worldwide, with a higher concentration in the Asia Pacific region. Apart from the government offices with collaborative work in Myanmar, subsequent victims included the education and research industries, among others. 
In addition to decoy topics covering ongoing international events concerning specific organizations, the attackers also lure individuals with subject headings pertaining to pornographic materials.\r\nhttps://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html\r\nPage 1 of 27\n\nFigure 2. Distribution of Earth Preta’s targeted industries\r\nFigure 3. Earth Preta attack campaign routine from March to October 2022\r\nEarth Preta uses spear-phishing emails as its first step for intrusion. As mentioned above, some of the emails’ subjects and contents discuss geopolitical topics, while others might contain sensational subjects. We observed that all the emails we analyzed had Google Drive links embedded in them, which points to how users might be tricked into downloading the malicious archives. The file types of the archives include compressed files such as .rar, .zip, and .jar, to name a few. Upon accessing the links, we learned that the archives contain the TONEINS, TONESHELL, and PUBLOAD malware families.\r\nFigure 4. Email document sample of meeting minutes, likely stolen from a prior compromise\r\nSpear-phishing emails\r\nWe analyzed the contents of the emails and observed that a Google Drive link is used as a lure for victims. The email's subject might be empty or might have the same name as the malicious archive. Rather than add the victims’ addresses to the email’s “To” header, the threat actors used fake emails. Meanwhile, the real victims' addresses were written in the \"CC\" header, likely to evade security analysis and slow down investigations. 
Using the open-source intelligence (OSINT) tool GHunt to probe those Gmail addresses in the “To” section, we found that these fake accounts had little information in them.\r\nMoreover, we observed that some of the senders might be compromised email accounts from a specific organization. Victims might be convinced that these mails were sent from trusted partners, increasing the chances that recipients will select the malicious links.\r\nDecoy documents\r\nWe also found some decoy documents linked to the organizations related to or working with Myanmar government entities. The first decoy's file name is Assistance and Recovery(china).exe, while another decoy .PDF document (“ပြည်ထောင်စုသမ္မတမြန်မာနိုင်ငံတော်သံရုံး.pdf”, meaning “Embassy of the Republic of Myanmar”) was observed in a compressed file named Assistance and Recovery(china).rar. Allegedly, this is a document containing the ambassador’s report on rough meeting schedules between the embassies of Myanmar and China.\r\nAnother document is related to the Japan Society for the Promotion of Science (JSPS), an initiative that provides researchers opportunities to conduct and undergo research exchanges in Japan. Notably, the documents in the compressed file attachment(EN).rar are mostly image files. The malicious DLL and the executable, which are used for the next layer of sideloading, are also included among them.\r\nFigure 5. 
Sample decoy documents relating to government meetings (left) and overseas research exchange (right)\r\nThere are also other decoy documents with diverse content themes, including regional affairs and pornography. However, when the victim opens the fake document file in this folder, no corresponding content appears.\r\nArrival vectors\r\nWe observed at least three types of arrival vectors as the intrusions' entry points, including over 30 lure archives around the world distributed via Google Drive links, Dropbox links, or other IP addresses hosting the files. In most of the archives we collected, there are legitimate executables, as well as the sideloaded DLL. The names of the archives and the decoy documents vary in each case. In the following sections, we take some of them as examples and share the TTPs of each.\r\nType A: DLL sideloading\r\nIn this case, there are three files in the archive: \"~\", Increasingly confident US is baiting China.exe, and libcef.dll. Notably, the names of the lure documents and executables can be different, as detailed in the next sections.\r\nArchive: 220509 - (Cabinet Meeting 2022).zip\r\nFilename | Detection | Description\r\n~ | - | Lure document\r\nIncreasingly confident US is baiting China.exe | - | Legitimate executable for DLL sideloading\r\nlibcef.dll | Trojan.Win32.PUBLOAD | Malicious DLL\r\nTable 1. Files in the archive of Type A\r\nFigure 6. An example of a decoy document from the PUBLOAD archives\r\nInside the archive, the \"~\" file is a lure document. 
The executable Increasingly confident US is baiting China.exe is a legitimate executable (originally named adobe_licensing_wf_helper.exe, which is the Adobe Licensing WF Helper). This executable will sideload the malicious libcef.dll and trigger the export function cef_api_hash.\r\nWhen executed for the first time, the executable tries to install the malware by copying the .exe file and moving libcef.dll (detected by Trend Micro as Trojan.Win32.PUBLOAD) to \u003c%PUBLIC%\u003e. Both .exe and .dll files will be renamed C:\\Users\\Public\\Pictures\\adobe_wf.exe and C:\\Users\\Public\\Pictures\\libcef.dll, respectively. Additionally, \"~\" is renamed as 05-09-2022.docx and dropped to the Desktop.\r\nFigure 7. Type A’s malicious routine\r\nType B: Shortcut links\r\nThe malicious archive contains three files: New Word Document.lnk, putty.exe, and CefBrowser.dll. In particular, the DLL and executable files are placed in multiple layers of folders named “_”.\r\nArchive: Desktop.rar\r\nFilename | Detection | Description\r\nNew Word Document.lnk | - | Installer\r\n_\\_\\_\\_\\_\\_\\putty.exe | - | Legitimate executable for DLL sideloading\r\n_\\_\\_\\_\\_\\_\\CefBrowser.dll | Backdoor.Win32.TONESHELL | Malicious DLL\r\nTable 2. Files in the archive of Type B\r\nThe threat actor utilizes the .lnk file to install the malicious files by decompressing the archive file with WinRAR. The full command line is as follows.\r\n%ComSpec% /c \"_\\_\\_\\_\\_\\_\\putty.exe||(forfiles /P %APPDATA%\\..\\..\\ /S /M Desktop.rar /C \"cmd /c (c:\\progra~1\\winrar\\winrar.exe x -inul -o+ @path||c:\\progra~2\\winrar\\winrar.exe x -inul -o+ @path)\u0026\u0026_\\_\\_\\_\\_\\_\\putty.exe\")\"\r\nPutty.exe is masquerading as a normal executable; its original file name is AppXUpdate.exe. 
When it is executed, it sideloads CefBrowser.dll and executes the main routine in its export function, CCefInterface::SubProcessMain. It also abuses schtasks for persistence.\r\nFigure 8. Type B's malicious routine\r\nType C: Fake file extensions\r\nIn this case, China VS Taiwan.rar contains several files, including:\r\nFilename | Detection | Description\r\nChina VS Taiwan.exe | - | First-stage legitimate executable for DLL sideloading\r\nlibcef.dll | Trojan.Win32.TONEINS | First-stage malware\r\n~$20220817.docx | - | Second-stage legitimate executable for DLL sideloading\r\n~$20220617(1).docx | Backdoor.Win32.TONESHELL | Second-stage malware\r\n15-8-2022.docx | - | Decoy document\r\nChina VS Taiwan(1).docx | - | Decoy document\r\nTable 3. Files in the archive of Type C\r\nlibcef.dll (detected by Trend Micro as Trojan.Win32.TONEINS) is an installer for the next-stage malware. It copies two files with names starting with \"~\", in this case ~$20220817.docx and ~$20220617(1).docx, to \u003c%USERPROFILE%\\Pictures\u003e. Both files have fake file extensions and masquerade as the temporary files generated while opening Microsoft Office software.\r\nFigure 9. Type C’s malicious routine\r\nMalware\r\nIn this campaign, we identified the following malware: PUBLOAD, TONEINS, and TONESHELL.\r\nTrojan.Win32.PUBLOAD\r\nPUBLOAD is a stager that can download the next-stage payload from its command-and-control (C\u0026C) server. This malware was first disclosed by Cisco Talos in May 2022.\r\nOnce the .dll is executed, it first checks if the same process is already running by calling OpenEventA. 
According to the tweet posted by Barberousse, some noteworthy event names are identified as usernames of other cybersecurity researchers on Twitter, such as \"moto_sato\", \"xaacrazyman_armyCIAx\", and \"JohnHammondTeam\". It is important to note that these researchers have nothing to do with PUBLOAD but were simply and intentionally mentioned by the threat actors in the binaries.\r\nFigure 10. An example of the special event name in PUBLOAD\r\nPersistence\r\nPUBLOAD creates a directory in \u003cC:\\Users\\Public\\Libraries\\\u003e and drops all the malware, including the malicious DLL and the legitimate executable, into the directory. It then tries to establish persistence in one of the following ways:\r\n1. Adding a registry run key\r\ncmd.exe /C reg add HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v Graphics /t REG_SZ /d \\\"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \\\"C:\\\\Users\\\\Public\\\\Libraries\\\\Graphics\\\\AdobeLicensing.exe\\\"\\\" /f\r\n2. Creating a scheduled task\r\nschtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR C:\\\\Users\\\\Public\\\\Libraries\\\\Graphics\\\\AdobeLicensing.exe\r\nAnti-Antivirus: API with callback\r\nPUBLOAD decrypts the AES-encrypted shellcode in memory. The shellcode is invoked by creating a thread or by using different APIs. These APIs accept a callback function as an argument, which works as an alternative way to trigger the shellcode. We observed several such APIs being leveraged, including GrayStringW, EnumDateFormatsA, and LineDDA; this can be considered a technique to bypass antivirus monitoring and detection.\r\nFigure 11. An example of shellcode callback in PUBLOAD\r\nFigure 12. 
APIs that accept a callback function\r\nC\u0026C protocol\r\nThe decrypted PUBLOAD shellcode collects the computer name and the username as the payload of the first beacon. The payload will then be encrypted with the predefined RC4 (Rivest Cipher 4) key. As of this writing, all the stagers we have seen so far share the same key.\r\nAfter the encryption, the stager uses a specific byte sequence as its packet’s header. It prepends the magic bytes \"17 03 03\" and the payload size before the encrypted data.\r\nFigure 13. The RC4 key used (top) and the packet body in PUBLOAD malware (bottom)\r\nName | Offset | Size | Description\r\nmagic | 0x0 | 0x3 | 17 03 03\r\nsize | 0x3 | 0x2 | Payload size\r\npayload | 0x5 | [size] | Payload\r\nTable 4. Request packet format in PUBLOAD\r\nThe stager also checks if the response packet has the same magic header, “17 03 03”. If so, the downloaded payload in memory will be treated as a piece of shellcode and will be executed directly.\r\nNoteworthy debug strings\r\nIn early 2022, we found some samples of PUBLOAD embedded with debug strings. They are used to distract analysts from the main infection routines.\r\nFigure 14. The distracting debug strings in PUBLOAD\r\nAfter US House Speaker Nancy Pelosi’s visit to Taiwan in August, we found an archive file named \"裴洛西訪台後民意匯總.rar\" (translated as “The public opinion summary of Pelosi's visit to Taiwan”) in Traditional Chinese, but we could only get one of the malicious DLLs inside the archive file. Since the topic indicated in the file name itself is considered a controversial topic, it appears potentially catchy to the targeted recipient. 
The DLL turned out to be a PUBLOAD stager with several output debug strings.\r\nFigure 15. Debug strings in PUBLOAD\r\nTrojan.Win32.TONEINS\r\nTrojan.Win32.TONEINS is the installer for TONESHELL backdoors. The installer drops the TONESHELL malware to the %PUBLIC% folder and establishes the persistence for it. TONEINS malware usually comes in the lure archives, and in most cases, the name of the TONEINS DLL is libcef.dll. The malicious routine is triggered via calling its export function cef_api_hash.\r\nThe TONEINS malware is obfuscated, likely to slow down malware analysis. It contains a lot of junk code in its control flow and has plenty of useless XOR instructions, as if to imply that these are used to decode strings. Upon checking, we found that these obfuscated codes were reused from an open-source repository.\r\nFigure 16. Code obfuscation in TONEINS\r\nThe installer establishes the persistence for TONESHELL backdoors by using the following schtasks command:\r\nschtasks /create /sc minute /mo 2 /tn \"ServiceHub.TestWindowStoreHost\" /tr \"C:\\Users\\Public\\Pictures\\ServiceHub.TestWindowStoreHost.exe\" /f\r\nBased on our observations, the file names for the dropped TONESHELL malware differ in each case, and so do the names of the scheduled tasks. After persistence is established, TONESHELL then copies the legitimate executable and the malicious DLL to the %PUBLIC% folder, wherein both files have names that start with “~” in the lure archive. 
In this sample, ~$20220817.docx is a legitimate executable used for DLL sideloading, and ~$20220617(1).docx is the TONESHELL backdoor DLL to be installed.\r\nFigure 17. Files with fake file extensions\r\nBackdoor.Win32.TONESHELL\r\nThe TONESHELL malware is the main backdoor used in this campaign. It is a shellcode loader that loads and decodes the backdoor shellcode with a 32-byte key in memory. The earlier version of TONESHELL has the capabilities of the TONEINS malware, including establishing persistence and installing backdoors. However, the more recent version of TONESHELL is a standalone backdoor without any installer capabilities (such as the file ~$Talk points.docx). It is also obfuscated in a similar fashion to the TONEINS malware, indicating that the actors continue to update the arsenal and separate the tools in order to bypass detection.\r\nAnti-Analysis: Process name check\r\nIn order to make sure that TONESHELL is installed correctly, Backdoor.Win32.TONESHELL first checks if the process path matches the expected one. If so, the malicious code could be triggered by the custom exception handler.\r\nFigure 18. Process name check in TONESHELL\r\nAnti-Analysis: Custom exception handler in C++\r\nInterestingly, the adversary hides the actual code flow with the implementation of custom exception handlers. Different exception handlers will be invoked based on the result of the process name check, continuing the malicious routine by triggering the exception with the call _CxxThrowException. 
After it is invoked, the C++ runtime will find the corresponding exception handler from the ThrowInfo structure all the way down to the CatchProc member in the _msRttiDscr structure, which contains the real malicious codes. In this sample, the exception handler is located at the offset 0x10005300. This technique not only hides the execution flow but also stops the execution of the analyst's debugger.\r\nFigure 19. Data workflow of exception handling in C++; the CatchProc member in the yellow circle is the malicious exception handler to be invoked\r\nFigure 20. The main malicious routine in the exception handler\r\nAnti-Analysis: ForegroundWindow check\r\nLooking at more recent TONESHELL samples, we noticed that a new anti-sandbox technique was added compared to the earlier versions. The newer versions invoke the GetForegroundWindow API twice and check if there is any window switch. If the environment is a sandbox, both calls will get the same window handle because there is no human interaction involved in most sandboxes, resulting in the foreground window not changing. In addition, as an anti-sandbox and delayed execution technique, the malicious routine can only be triggered if the foreground window has already been switched for the fifth time.\r\nFigure 21. GetForegroundWindow check in newer TONESHELL samples\r\nFigure 22. Malicious routine triggered on the fifth window switch\r\nShellcode decoding\r\nAfter the malicious exception handler is triggered, it starts to decode the next-stage TONESHELL shellcode. To decode the shellcode, it first decodes a 32-byte key by XORing it with 0x7D, and the key will then be used to decode the shellcode body.\r\nFigure 23. 
An example of the 32-byte key (top) and the TONESHELL shellcode before decoding (middle) and after decoding (bottom)\r\nEvolving variants\r\nAfter our analysis and further threat hunting, we found several variants of TONESHELL shellcode:\r\nFirst observed | Variant | Protocol | C\u0026C encryption | Supported functions\r\nMay 2022 | A | Raw TCP | RC4 | File upload, file download, file execution, lateral movement\r\nJul 2022 | B | Raw TCP | 32-byte XOR | File upload, lateral movement\r\nSep 2021 | C | HTTP | RC4 | File upload, file execution\r\nTable 5. Differences between TONESHELL variants\r\nVariant A\r\nTONESHELL supports up to 10 C\u0026C servers by design, but in all the samples we encountered only one C\u0026C server was used. Before connecting to the C\u0026C server, it generates a victim ID (the variable unique_id) with the victim's volume serial and the computer name, or with a randomly generated GUID.\r\nFigure 24. Finding 10 C\u0026C servers supported in TONESHELL\r\nFigure 25. The algorithm used to generate the victim’s ID in TONESHELL variant A\r\nIn the first beacon, it collects the following data from the victim's machine and sends them to the C\u0026C server:\r\n1. Current process ID\r\n2. Volume serial\r\n3. Username\r\n4. Computer name\r\n5. Product name\r\n6. Operating system bit\r\n7. Processes list\r\nTONESHELL communicates over raw TCP, with the request header and the response header starting with the specific magic byte sequence \"17 03 03\". Based on our research, this magic header is used in all TONESHELL TCP variants and the identified PUBLOAD malware. The payload in the packet will be encrypted with the RC4 algorithm. 
In this variant, its request packet format is as follows:\r\nName | Offset | Size | Description\r\nmagic | 0x0 | 0x3 | 17 03 03\r\nsize | 0x3 | 0x2 | Payload size\r\ntype | 0x5 | 0x1 | Connection type, 0x0 or 0x1\r\nunique_id | 0x6 | 0x4 | Victim ID\r\npayload | 0x10 | [size] | Payload\r\nTable 6. Request packet format in TONESHELL variant A\r\nFigure 26. Packet header check in TONESHELL (all TCP variants and stagers)\r\nThe backdoor supports various functions, including file upload, file download, file execution, and lateral movement. We also noticed that its internal strings are self-explanatory. In fact, this malware is named TONESHELL after the typo found in its command \"TOnePipeShell\". The following table shows all of its commands:\r\nCode | Internal string | Additional description\r\n0x1 | - | Reset OnePipeShell \u0026 TwoPipeShell\r\n0x7 | - | Reset OnePipeShell \u0026 TwoPipeShell\r\n0x3 | - | Unknown\r\n0x4 | - | Change sleep seconds\r\n0x1A | Upload file begin | -\r\n0x1B | Upload file begin | -\r\n0x1D | Upload file cancel | -\r\n0x1C | Upload file Endup | -\r\n0x10 | Exec file | -\r\n0x21 | Create TOnePipeShell | OnePipeShell: one-way shell over one named pipe (meant for data exchange on intranet)\r\n0x22 | OnePipeShell Close | -\r\n0x1E | TwoPipeShell Create | TwoPipeShell: two-way shell over two named pipes (meant for data exchange on intranet)\r\n0x1F | TwoPipeShell Write File | -\r\n0x20 | TwoPipeShell Close | -\r\n0x18 | Download | -\r\n0x19 | CDownUpLoad | -\r\n0x21 | - | Exit\r\nTable 7. Command codes in TONESHELL variant A\r\nVariant B\r\nTONESHELL variant B is slightly different from variant A in that the victim ID is generated from the tick count, username, and computer name instead.\r\nFigure 27. Different algorithm for the victim ID generation in TONESHELL variant B\r\nThe backdoor's protocol is also different. 
The payload in the packet is encoded with a random 32-byte key, and the key differs from packet to packet. The new key is generated whenever a new request is made.\r\nName | Offset | Size | Description\r\nmagic | 0x0 | 0x3 | 17 03 03\r\nsize | 0x3 | 0x2 | Payload size\r\nkey | 0x5 | 0x20 | 32-byte XOR key\r\npayload | 0x25 | [size] | Payload\r\nTable 8. Request packet format in TONESHELL variant B\r\nFigure 28. In TONESHELL variant B, the payload will be encoded in XOR operations before a request is made.\r\nThe command codes in this variant are as follows:\r\nCode | Internal string | Description\r\n0x9 | - | Reset OnePipeShell\r\n0xA | - | Reset OnePipeShell\r\n0x3 | - | Unknown\r\n0x4 | - | Change sleep seconds\r\n0x4 | Upload file begin | -\r\n0x5 | Upload file write | -\r\n0x7 | Upload file cancel | -\r\n0x6 | Upload file Endup | -\r\n0x3 | Create TOnePipeShell | -\r\nTable 9. Command codes in TONESHELL Variant B\r\nVariant C\r\nDuring our research, we hunted a dumped TONESHELL shellcode from VirusTotal (SHA256: 521662079c1473adb59f2d7134c8c1d76841f2a0f9b9e6e181aa54df25715a09). Our analysis showed it works similarly to the two other variants, but the C\u0026C protocol used is HTTP. It seems to be the earlier version of TONESHELL because the sample was uploaded in September 2021, and it uses the POST method for the first beacon. The following data is collected from the victim's machine:\r\n1. Memory size\r\n2. Username\r\n3. Computer name\r\n4. Disk size\r\n5. Operating system bit\r\n6. Product name\r\nFigure 29. The first HTTP beacon request in TONESHELL Variant C\r\nThe victim's ID (specified by the \"Guid\" header in the first beacon and later used in the \"Cookie\" header) is also generated from a random GUID. 
The body is also encrypted in RC4, and the command codes are much like Variant B as follows:\r\nCode | Internal string | Additional description\r\n0x2 | - | Reset OnePipeShell\r\n0x7 | - | Reset OnePipeShell\r\n0x3 | - | Unknown\r\n0x4 | - | Change sleep seconds\r\n0x1A | Upload file begin | -\r\n0x1B | Upload file write | -\r\n0x1D | Upload file cancel | -\r\n0x1C | Upload file Endup | -\r\n0x10 | Exec file | -\r\nTable 10. Command codes in TONESHELL variant C\r\nThreat hunting\r\nWe observed that several TONESHELL and TONEINS malware samples were uploaded to VirusTotal in recent months. With the help of these, we collected several Google Drive links, such as 770d5b60d8dc0f32941a6b530c9598df92a7ec76b60309aa8648f9b3a3f3cca5.\r\nFigure 30. Example of a Google Drive link, found in the wild, containing both TONESHELL and TONEINS\r\nUsually, we see such download links as the first arrival vectors. The Google Drive direct download link is represented in the format https[:]//drive.google.com/uc?id=gdrive_file_id\u0026export=download. The gdrive_file_id is a unique identifier for this specific file. We can switch to the web viewer to check its file contents and its owner by modifying the URL: https[:]//drive.google.com/file/d/gdrive_file_id/view.\r\nIn the details panel, we can find the owner of this file, and by hovering on the icon we can get the email address.\r\nFigure 31. The web viewer of Google Drive\r\nFigure 32. The file owner's name and email address\r\nWe can conduct further research with this specific email account. For example, after our investigation, we know that the actors abused the same email address to store the lure archives in Google Drive, as well as deliver the phishing email. 
If we hunt for this specific email address in the monitoring logs, we might find more distributed malware.\r\nAttribution\r\nThe observed TTPs in this campaign are similar to the campaign mentioned by Secureworks. Both campaigns abused .lnk files to trigger the malware. Compared to the said report’s observations, the archive we found in this campaign shares a similar folder structure.\r\nFigure 33. Similar folder structure of BRONZE PRESIDENT (left) and Earth Preta (right)\r\nBased on the same report, Bronze President was known to be leveraging APIs with a callback function argument to invoke the shellcode, like EnumThreadWindows. Similar techniques are also used in PUBLOAD malware.\r\nIn addition, we also spotted a link between the two campaigns: One of the C\u0026C servers (98[.]142[.]251[.]29) can be correlated to a shortcut file. This shortcut file appears in one lure archive “EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.rar” (SHA256: 09fc8bf9e2980ebec1977a8023e8a2940e6adb5004f48d07ad34b71ebf35b877), which the Secureworks report also mentioned. We used the tool LECmd to parse the shortcut files, wherein we found the specific C\u0026C string inside the metadata of the .lnk file. It seems that the actor used the C\u0026C string as the folder name.\r\nFigure 34. Metadata of the .lnk file (SHA256: a693b9f9ffc5f4900e094b1d1360f7e7b907c9c8680abfeace34e1a8e380f405)\r\nThird, the infection chains mentioned by Cisco Talos also resemble what we have observed recently:\r\n1. Both use schtasks and registry run key for persistence.\r\n2. Both use benign executables for DLL sideloading.\r\n3. 
Both use malicious archives for arrival vectors.\r\nMost importantly, the stager mentioned in the report uses the same magic header (17 03 03) as TONESHELL does in the C\u0026C communication protocol, thereby solidifying these malware families’ link to Earth Preta.\r\nConclusion\r\nEarth Preta is a cyberespionage group known to develop their own loaders in combination with existing tools like PlugX and Cobalt Strike for compromise. Recent research papers show that it is constantly updating its toolsets and indicate that it is further expanding its capabilities.\r\nBased on our analysis, once the group has infiltrated a targeted victim’s systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved. For the group’s objectives, the targeted area appears to be the countries in Asia.\r\nAs part of organizational mitigation plans, we recommend implementing continuous phishing awareness training for partners and employees. We advise always checking the sender and the subject twice before opening an email, especially with an unidentifiable sender or an unknown subject. We also recommend a multi-layered protection solution to detect and block threats as far left in the malware infection chain as possible.\r\nMITRE ATT\u0026CK\r\nMITRE ATT\u0026CK table\r\nSource: https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html"
	],
	"report_names": [
		"earth-preta-spear-phishing-governments-worldwide.html"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434679,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21ce0b996b27bd40f94971faee43958135aefcd1.pdf",
		"text": "https://archive.orkl.eu/21ce0b996b27bd40f94971faee43958135aefcd1.txt",
		"img": "https://archive.orkl.eu/21ce0b996b27bd40f94971faee43958135aefcd1.jpg"
	}
}