{ "id": "0a55d169-7534-47e6-8402-a93ae8d63a68", "created_at": "2026-04-06T00:12:51.169509Z", "updated_at": "2026-04-10T13:13:08.832091Z", "deleted_at": null, "sha1_hash": "35fb137004267556c5204aecf9368b0b8c1fd84b", "title": "Earth Kurma - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51361, "plain_text": "Earth Kurma - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-02 12:15:24 UTC\r\n APT group: Earth Kurma\r\nNames Earth Kurma (Trend Micro)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2020\r\nDescription\r\n(Trend Micro) Trend Research uncovered a sophisticated APT campaign targeting government\r\nand telecommunications sectors in Southeast Asia. Named Earth Kurma, the attackers use\r\nadvanced custom malware, rootkits, and cloud storage services for data exfiltration. Earth\r\nKurma demonstrates adaptive malware toolsets, strategic infrastructure abuse, and complex\r\nevasion techniques.\r\nThis campaign poses a high business risk due to targeted espionage, credential theft, persistent\r\nfoothold established through kernel-level rootkits, and data exfiltration via trusted cloud\r\nplatforms.\r\nOrganizations primarily in government and telecommunications sectors in Southeast Asia\r\n(particularly the Philippines, Vietnam, Thailand, Malaysia) are affected. Organizations face\r\npotential compromise of sensitive government and telecommunications data, with attackers\r\nmaintaining prolonged, undetected access to their networks.\r\nMay be related to Operation TunnelSnake or ToddyCat.\r\nObserved\r\nSectors: Government, Telecommunications.\r\nCountries: Malaysia, Philippines, Thailand, Vietnam.\r\nTools used\r\nCobalt Strike, DMLOADER, DUNLOADER, KRNRAT, Moriya, ODRIZ, SIMPOBOXSPY,\r\nTESDAT.\r\nInformation \u003chttps://www.trendmicro.com/en_us/research/25/d/earth-kurma-apt-campaign.html\u003e\r\nLast change to this card: 27 June 2025\r\nDownload this actor card in PDF or JSON format\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2a7be61b-1aab-49b6-a853-40174fa5838f\r\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2a7be61b-1aab-49b6-a853-40174fa5838f\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2a7be61b-1aab-49b6-a853-40174fa5838f\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2a7be61b-1aab-49b6-a853-40174fa5838f" ], "report_names": [ "showcard.cgi?u=2a7be61b-1aab-49b6-a853-40174fa5838f" ], "threat_actors": [ { "id": "7c390b96-8206-4194-81d8-ebbabb9910ff", "created_at": "2023-12-03T02:00:05.147496Z", "updated_at": "2026-04-10T02:00:03.486417Z", "deleted_at": null, "main_name": "TunnelSnake", "aliases": [], "source_name": "MISPGALAXY:TunnelSnake", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4b48e4b6-09b0-4f4d-a78c-6b455d122e67", "created_at": "2022-10-25T16:07:24.020115Z", "updated_at": "2026-04-10T02:00:04.84333Z", "deleted_at": null, "main_name": "Operation TunnelSnake", "aliases": [], "source_name": "ETDA:Operation TunnelSnake", "tools": [ "Moriya" ], "source_id": "ETDA", "reports": null }, { "id": "222835b0-22fb-406e-8fd5-f36dae694212", "created_at": "2025-06-29T02:01:56.985922Z", "updated_at": "2026-04-10T02:00:04.666399Z", "deleted_at": null, "main_name": "Earth Kurma", "aliases": [], "source_name": "ETDA:Earth Kurma", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "DMLOADER", "DUNLOADER", "KRNRAT", "Moriya", "ODRIZ", "SIMPOBOXSPY", "TESDAT", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "d67df52c-a901-4d55-b287-321818500789", "created_at": "2024-04-24T02:00:49.591518Z", "updated_at": "2026-04-10T02:00:05.314272Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "ToddyCat" ], "source_name": "MITRE:ToddyCat", "tools": [ "Cobalt Strike", "LoFiSe", "China Chopper", "netstat", "Pcexter", "Samurai" ], "source_id": "MITRE", "reports": null }, { "id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5", "created_at": "2022-10-25T16:07:24.329539Z", "updated_at": "2026-04-10T02:00:04.939013Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "Operation Stayin’ Alive", "Storm-0247" ], "source_name": "ETDA:ToddyCat", "tools": [ "CHINACHOPPER", "China Chopper", "Cuthead", "FRP", "Fast Reverse Proxy", "Impacket", "Krong", "LoFiSe", "Ngrok", "PcExter", "PsExec", "SIMPOBOXSPY", "Samurai", "SinoChopper", "SoftEther VPN", "TomBerBil", "WAExp" ], "source_id": "ETDA", "reports": null }, { "id": "f161dc2b-a18e-43b9-9786-2285bc745a10", "created_at": "2025-05-29T02:00:03.214326Z", "updated_at": "2026-04-10T02:00:03.867482Z", "deleted_at": null, "main_name": "Earth Kurma", "aliases": [], "source_name": "MISPGALAXY:Earth Kurma", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "60d96824-1767-4b97-a6c7-7e9527458007", "created_at": "2023-01-06T13:46:39.378701Z", "updated_at": "2026-04-10T02:00:03.307846Z", "deleted_at": null, "main_name": "ToddyCat", "aliases": [ "Websiic" ], "source_name": "MISPGALAXY:ToddyCat", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434371, "ts_updated_at": 1775826788, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/35fb137004267556c5204aecf9368b0b8c1fd84b.pdf", "text": "https://archive.orkl.eu/35fb137004267556c5204aecf9368b0b8c1fd84b.txt", "img": "https://archive.orkl.eu/35fb137004267556c5204aecf9368b0b8c1fd84b.jpg" } }