{
	"id": "120c7c55-d091-4ecc-a782-3b10bf9abd14",
	"created_at": "2026-04-06T03:36:37.184275Z",
	"updated_at": "2026-04-10T03:36:33.839764Z",
	"deleted_at": null,
	"sha1_hash": "3147b2bafa116a04f17fc5819854a115fed4a96d",
	"title": "Earth Preta’s Cyberespionage Campaign Hits Over 200",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59029,
	"plain_text": "Earth Preta’s Cyberespionage Campaign Hits Over 200\r\nBy Trend Micro\r\nPublished: 2023-03-27 · Archived: 2026-04-06 03:09:20 UTC\r\nWe used a qualitative approach to identify the collection requirements, methods, and objectives of the operational\r\ngroups and their respective places in the organization. We established links between the operational threat groups\r\nby grouping overlaps in victimology and identifying core indicators, such as implants or payloads.\r\nCase studies\r\nOverlaps\r\nThroughout our investigation, we observed several instances where victims were compromised by two groups\r\nsimultaneously, indicating possible overlaps in collection requirements between these groups. While there are no\r\nindications of overlaps in individual devices, there are strong indications of targets intersecting, suggesting these\r\ngroups are pursuing similar objectives. Additionally, the overlaps among victims indicate a lack of targeting\r\ncoordination and/or planning within the overall groups' leadership or management.\r\nThese targeting overlaps have been observed in multiple groups, such as Groups 724, 1358, and 5171. Since these\r\ngroups operate across a variety of sectors, it is likely that the overlap in collection requirements is the result of\r\nsimilar objectives rather than coordination between the toolset and collected materials. However, we have not\r\nbeen able to identify any evidence of coordination between these groups or a shared toolset.\r\nInfection and exfiltration vectors\r\nGroup 5171's exfiltration methods are sophisticated and designed to avoid detection. Several victims in key\r\ncountries, such as Singapore, Vietnam, Netherlands, Ghana, and Myanmar, have indications of files exfiltrated via\r\na dedicated USB mass storage device. 
For instance, in January 2023, a device from Vietnam loaded the Adobe\r\nCEF Helper under the path \u003cC:\\Users\\XXX\\AAM UpdatesXXX\\AAM Updates.exe\u003e and exfiltrated documents to\r\ndrive F:. The same device also carried out another collection in December 2022, where data was copied from\r\nfolder \u003cC\\:$RECYCLE.BIN\\S-XXXXX$XXXH.pdf\u003e, indicating that the user deleted the collected data.\r\nRoaming endpoint attacks\r\nIn contrast to Group 5171, Group 1358 uses malicious USB mass storage devices as its primary method of\r\ncompromise. Our analysis indicated that toward the end of 2022 and early 2023, all documented intrusions from\r\nGroup 1358 used USB mass storage devices. In addition, there were multiple instances where initial compromise\r\noccurred while the assets of the target were roaming abroad through a technique known as the “traveling laptop\r\nattack.” \r\nThis mix of traditional intelligence tradecraft and cyber techniques could mean that these groups have access to\r\nadvanced resources and support from nation states, since such techniques are not typically available to\r\nhttps://www.trendmicro.com/en_us/research/23/c/earth-preta-cyberespionage-campaign-hits-over-200.html\r\nPage 1 of 4\n\nindependent hackers. Moreover, this approach could signify the growing convergence of cyber- and physical\r\nsecurity as cyberattacks continue to move beyond digital systems and into the physical world.\r\nOperation groups\r\nWhile this is not a comprehensive list, we summarize and attribute the operational functions to specific groups as\r\ncontributing units to Earth Preta’s cyberespionage activities and deployments. As we continue following this\r\ncampaign and track its activities, these group names will be updated accordingly once analyses and attribution are\r\nconfirmed.\r\nGroup 724\r\nGroup 724 is possibly related to Earth Preta. 
The group utilizes sideloading with Adobe CEF Helper to establish a\r\npersistent foothold in the user's home directory, employing a naming convention with one of the following\r\npatterns:\r\nAcroRD32XXX\r\nAAM UpdatesXXX\r\nAcrobatXXX\r\nEset Malware ProtectionXXX\r\n\"XXX\" denotes three random letters. The group uses a USB drive as an entry point into a target's system,\r\nindicating its preference for leveraging physical vectors for intrusion. This group is considered one of the most\r\ndangerous in the Southeast Asian region and has been known to target a myriad of organizations.\r\nGroup 724 also appears to be focused on compromising targets in specific industries and countries. The group has\r\nbeen observed targeting sectors such as finance, government, manufacturing, fabrication, construction, energy,\r\ntransportation, air traffic, and food production. This targeted approach indicates that the group has developed a\r\nclear understanding of the vulnerabilities and high-value assets present in these industries. The significant level of\r\nproliferation suggests that it is well-funded and includes a large team of skilled individuals, likely enabling it to\r\ncarry out attacks on multiple targets simultaneously.\r\nThe group uses customized USB storage devices tailored to individual targets as part of its intrusion tactics.\r\nThese customized devices appear to be carefully crafted to bypass security measures and appear legitimate to the\r\ntarget. With this preference for a physical entry vector, the group can increase the chances of a successful intrusion\r\nand maintain its covert operations. This technique highlights the level of sophistication and planning that goes into\r\nGroup 724's attacks.\r\nGroup 1358\r\nGroup 1358 is a highly sophisticated threat actor that employs advanced tactics and techniques to infiltrate and\r\ncompromise a wide range of targets worldwide. 
The group has been observed utilizing Avast’s WSC DLL for\r\nsideloading, a technique leveraging the Windows Management Instrumentation (WMI) service to execute\r\nmalicious code. This group is potentially composed of several operating groups utilizing the same tools and\r\ntechniques. Persistence is established at ProgramData\\AvastSvcXXX, where \"XXX\" represents three random\r\nletters. The group uses generic USB mass storage devices as an entry point, suggesting that they prioritize ease of\r\naccess over customization.\r\nThis group’s choice of malware is PlugX, an older and well-known remote access tool. Despite its age, PlugX\r\nremains an effective tool for threat actors due to its flexibility and evasion capabilities. The group's victimology is\r\nextensive, targeting organizations across various sectors globally. However, recent observations suggest that the\r\ngroup has shifted its collection efforts towards maritime-related information since December 2022. Targets have\r\nincluded shipping information, sea vessel movements, border and immigration control, export-related government\r\nagencies, food production, and humanitarian groups. While some of the targets are related to maritime research\r\nand development, most of the information we found as targeted pertains to operational maritime information, even\r\nto the extent of compromising specific vessels or tugboat companies.\r\nExfiltration methods utilized involve the use of USB sticks that are plugged in, enabling the PlugX tool to copy all\r\ncollected data into a previously known and expected USB stick. This technique allows the group to remain\r\nundetected by traditional security measures.\r\nGroup 5171\r\nGroup 5171 is a threat actor that utilizes advanced techniques to infiltrate and compromise targets across the\r\nMiddle East and Europe. 
The group uses DLL sideloading with Adobe CEF Helper and establishes persistence in\r\nthe RECYCLERS.BIN folder. In addition, the group also employs USB-based data exfiltration as part of its\r\ntactics.\r\nGroup 5171 differentiates itself from other threat actors with its use of the traveling laptop attack. This\r\ntechnique involves infecting a laptop with malicious code while it is in transit. Usually, the device will be traveling as part\r\nof routine work travel, and upon return to the origin country, a more elaborate exploitation and lateral movement\r\ncan be initiated. This method allows the group to bypass traditional security measures and gain access to its\r\ntargets undetected.\r\nSectoral targets of Group 5171 are spread out, indicating that the group does not focus on specific sectors but\r\nrather adopts a more opportunistic approach. However, observing victims’ business verticals and sectors indicates\r\nthat Group 5171’s collection efforts show a high level of interest in research and development related to IT\r\nsolutions, materials manufacturing and fabrication, energy production and synthetization, air travel, and space.\r\nConclusion\r\nWe deem that the findings of this research on Earth Preta’s cyberespionage operations have significant implications for\r\ninternational security and intellectual property. There are strong indications of intertwined traditional intelligence\r\ntradecraft and cyber collection efforts, indicative of a highly coordinated and sophisticated cyberespionage\r\noperation. We identified several distinct operational groups, each with unique TTPs and objectives, which reveals\r\na highly specialized and organized cyberespionage operation.\r\nThis study also suggests that Earth Preta’s cyberespionage operations have a broad reach and have the capacity to\r\ntarget high-value targets. 
The shift in collection priorities toward intelligence regarding specific areas also\r\nindicates that Earth Preta is targeting critical infrastructure and key institutions that can affect national and\r\ninternational relations, economies, and securities.\r\nGiven the scale and sophistication of Earth Preta’s cyberespionage operations, the international community needs\r\nto take proactive measures to defend against this significant threat. This includes robust cybersecurity measures,\r\neffective countermeasures against cyberespionage, and increased international cooperation in combating this\r\nthreat. The international community must raise awareness of the threats posed by Earth Preta’s cyberespionage\r\noperations, promote information sharing, and develop effective countermeasures. It is essential to have a\r\ncoordinated response to this threat, with the support of the private sector, academia, and civil society, to ensure the\r\nsafety and security of critical infrastructure and intellectual property.\r\nIndicators of Compromise (IOCs)\r\nFor a list of the IOCs, download the appendix here.\r\nSource: https://www.trendmicro.com/en_us/research/23/c/earth-preta-cyberespionage-campaign-hits-over-200.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/c/earth-preta-cyberespionage-campaign-hits-over-200.html"
	],
	"report_names": [
		"earth-preta-cyberespionage-campaign-hits-over-200.html"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446597,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3147b2bafa116a04f17fc5819854a115fed4a96d.pdf",
		"text": "https://archive.orkl.eu/3147b2bafa116a04f17fc5819854a115fed4a96d.txt",
		"img": "https://archive.orkl.eu/3147b2bafa116a04f17fc5819854a115fed4a96d.jpg"
	}
}