{
	"id": "65444da8-e208-408f-a70b-232cf4d3df88",
	"created_at": "2026-04-06T00:15:31.494476Z",
	"updated_at": "2026-04-10T03:30:42.657195Z",
	"deleted_at": null,
	"sha1_hash": "4a9e38702e7d19a626509b99eb087dbf92dc8a65",
	"title": "Tracking Earth Aughisky’s Malware and Changes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 457564,
	"plain_text": "Tracking Earth Aughisky’s Malware and Changes\r\nBy By: CH Lei Oct 04, 2022 Read time: 3 min (872 words)\r\nPublished: 2022-10-04 · Archived: 2026-04-05 12:41:06 UTC\r\nAPT \u0026 Targeted Attacks\r\nFor over 10 years, security researchers have been observing and keeping tabs of APT group Earth Aughisky’s\r\nmalware families and the connections, including previously documented malware that have yet to be attributed.\r\n \r\nFor security researchers and analysts monitoring advanced persistent threat (APT) groups’ attacks and tools, Earth\r\nAughisky (also known as Taidoor) is among the more active units that consistently make security teams vigilant.\r\nOver the last decade, the group has continued to make adjustments in the tools and malware deployments on\r\nspecific targets located in Taiwan and, more recently, Japan.\r\nOur research paper, “The Rise of Earth Aughisky: Tracking the Campaigns Taidoor Started,” lists all the malware\r\nattributed to the group, the connections of these malware families and tools with other APT groups, and the latest\r\nupdates in illicit activities potentially connected to real-world changes. Our research also covers recommendations\r\nand potential opportunities from the changes this APT group appears to be undergoing.\r\nMalware families attributed\r\nThis blog post summarizes and highlights some of the malware families and tools with components that have yet\r\nto be identified, reported, or attributed to the group. For a full list of all the malware families and tools we\r\nattribute to Earth Aughisky, download our research here.\r\nRoudan (also known as Taidoor)\r\nWhile the name Taidoor has been interchangeably used to refer to the group and the malware, we analyzed that the\r\nthreat actors named this malware family Roudan while looking at both the backdoor and backdoor builder. This\r\nclassic Earth Aughisky malware, which was first disclosed over 10 years ago, has been observed for the different\r\nformats the group employed for callback traffic as it contains an encoded MAC address and data.\r\nhttps://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html\r\nPage 1 of 6\n\nFigure 1. Some of the builders taken from different samples of Roudan\r\nFigure 2. Roudan network traffic with encoded MAC addresses\r\nLuckDLL\r\nStill unreported, LuckDLL is a relatively new backdoor observed to be active after 2020. The public key is\r\nembedded inside the malware configuration and subsequently communicates with the C\u0026C server. LuckDLL then\r\nproceeds to generate a random session key and initialization vector (IV) to encrypt the traffic.\r\nThe public key encrypts the session key and IV during initial communication, and shared with the C\u0026C. \r\nhttps://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html\r\nPage 2 of 6\n\nFigure 3. Public key (top) and session key (bottom)\r\nGrubbyRAT\r\nFollowing our sensors’ observations, GrubbyRAT is deployed only when Earth Aughisky is interested in important\r\ntargets that follow certain criteria. Still unreported, the configuration file is sometimes installed under an existing\r\napplication or general system folder and uses the same file name as the component. This suggests that this RAT is\r\ninstalled manually and after the threat actor has gained administrative privileges and control in the infected\r\nsystem.\r\nFigure 4. Decrypted GrubbyRAT configuration\r\nTaikite (also known as SVCMONDR)\r\nWhile previously reported as SVCMONDR, this malware has yet to be attributed to Earth Aughisky. Previously\r\nidentified with a 2015 report identifying a vulnerability, some samples of this dropped file observed in Taiwan had\r\na .pdb similar to the APT group’s other malware families and tools. The C\u0026C callback traffic is encoded in\r\nBase64 and showed a detailed feedback data structure and behavior analysis.\r\nhttps://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html\r\nPage 3 of 6\n\nFigure 5. The Taikite .pdb string\r\nFigure 6. Taikite traffic\r\nSiyBot\r\nThis backdoor has yet to be reported, likely because we observed this tool as being deployed less and only in few\r\nattack incidences. SiyBot abuses earlier versions of public services such as Gubb and 30 Boxes to perform C\u0026C\r\ncommunication, wherein the necessary credential or token can be found in the malware configuration. We\r\nobserved this backdoor to support only a few functions based on the commands we found.\r\nFigure 7. Embedded 30 Boxes credential in the malware\r\nConnections\r\nWe feature some of the overlaps and connections we found with Earth Aughisky’s malware and tools.\r\nRoudan and SiyBot\r\nhttps://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html\r\nPage 4 of 6\n\nWe found the same website being used to host Roudan and SiyBot, as well as ASRWEC downloader (a tool we\r\nalso attribute to Earth Aughisky) payload in the same repository.\r\nFigure 8. Roudan (left) and SiyBot (right) payload in the same repository\r\nRoudan, Taleret, and Taikite\r\nTaleret is another malware family that has been identified or suspected with Earth Aughisky for years. We found\r\noverlaps in the C\u0026C servers being used by these malware families, as well as the same hashes, logging\r\nmechanisms, and blog hosts between Taleret and earlier versions of Roudan payload.\r\nFigure 9. Taleret’s special log file (left) compared with Roudan’s earlier version (right)\r\nhttps://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html\r\nPage 5 of 6\n\nFigure 10. Taleret configuration (left) and Comeon downloader payload (Roudan, right) on the same\r\nblog\r\nInsights\r\nAs Earth Aughisky is one of the few APT groups that has exercised longevity in cyberespionage, security analysts\r\nand teams have collected and continue to gather data to evaluate the group’s skills, developments, relations with\r\nother APT groups, and their activities. Samples of their malware families and tools allow security teams to gain an\r\nunderstanding of the level of sophistication – or lack of it – of the group’s operations, connection, and even\r\nchanges possibly affecting them from the real-world complexities such as politics and geographic objectives.\r\nTo find the complete details of our malware analyses, insights, and attribution connections, download our research\r\npaper, “The Rise of Earth Aughisky: Tracking the Campaigns Taidoor Started.”\r\nIndicators of Compromise (IOCs)\r\nFor a full list of the IOCs, find them here.\r\nTags\r\nSource: https://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html\r\nhttps://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html"
	],
	"report_names": [
		"tracking-earth-aughiskys-malware-and-changes.html"
	],
	"threat_actors": [
		{
			"id": "71b19e59-b5f7-4bc6-816d-194be0f02af0",
			"created_at": "2022-10-25T16:07:24.301036Z",
			"updated_at": "2026-04-10T02:00:04.928222Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Budminer",
				"Earth Aughisky",
				"G0015"
			],
			"source_name": "ETDA:Taidoor",
			"tools": [
				"Dripion",
				"Masson",
				"Taidoor",
				"simbot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2608db3e-7f7a-42c0-922b-4c9cb22c7ce9",
			"created_at": "2023-01-06T13:46:38.278691Z",
			"updated_at": "2026-04-10T02:00:02.90849Z",
			"deleted_at": null,
			"main_name": "APT16",
			"aliases": [
				"SVCMONDR",
				"G0023"
			],
			"source_name": "MISPGALAXY:APT16",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50bd4a6c-7542-4bdd-8b37-ab468fc428ef",
			"created_at": "2023-01-06T13:46:38.998658Z",
			"updated_at": "2026-04-10T02:00:03.176186Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"G0015",
				"Earth Aughisky"
			],
			"source_name": "MISPGALAXY:Taidoor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "478e9b27-39b9-49e4-a3c5-81569a767275",
			"created_at": "2022-10-25T15:50:23.417339Z",
			"updated_at": "2026-04-10T02:00:05.41593Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Taidoor"
			],
			"source_name": "MITRE:Taidoor",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6301aade-ca8b-431c-b5e4-1b6ddd497ffc",
			"created_at": "2022-10-25T16:07:23.328033Z",
			"updated_at": "2026-04-10T02:00:04.544144Z",
			"deleted_at": null,
			"main_name": "APT 16",
			"aliases": [
				"APT 16",
				"G0023",
				"SVCMONDR"
			],
			"source_name": "ETDA:APT 16",
			"tools": [
				"ELMER",
				"Elmost",
				"IRONHALO",
				"SVCMONDR"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434531,
	"ts_updated_at": 1775791842,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a9e38702e7d19a626509b99eb087dbf92dc8a65.pdf",
		"text": "https://archive.orkl.eu/4a9e38702e7d19a626509b99eb087dbf92dc8a65.txt",
		"img": "https://archive.orkl.eu/4a9e38702e7d19a626509b99eb087dbf92dc8a65.jpg"
	}
}