{
	"id": "26f2b35f-318d-4c9c-9225-e47b33ef3474",
	"created_at": "2026-04-06T00:17:33.170762Z",
	"updated_at": "2026-04-10T03:36:34.018932Z",
	"deleted_at": null,
	"sha1_hash": "4e05ba5c588a654d3049bdb58ac763ec077de1b6",
	"title": "Behind the Scenes Unveiling the Hidden Workings of Earth Preta",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3073619,
	"plain_text": "Behind the Scenes Unveiling the Hidden Workings of Earth Preta\r\nBy By: Sunny Lu, Vickie Su, Nick Dai Jun 14, 2023 Read time: 12 min (3283 words)\r\nPublished: 2023-06-14 · Archived: 2026-04-05 14:19:21 UTC\r\nIntroduction\r\nIn November 2022, we disclosed a large-scale phishing campaign initiated by the advanced persistent threat\r\n(APT) group Earth Preta, also known as Mustang Panda. The campaign targeted various countries around the\r\nAsia-Pacific (APAC) region via spear-phishing emails. Based on our previous research, government entities are\r\none of the threat actor’s primary targets.\r\nSince the start of 2023, we’ve observed new arrival vectors being used by the group, such as MIROGO and\r\nQMAGENT. Furthermore, we discovered a new dropper named TONEDROP that drops the TONEINS and\r\nTONESHELL pieces of malware, which we introduced in previous blog entries. Based on our observations, the\r\ngroup is expanding its targets to different regions, such as Eastern Europe and Western Asia, including several\r\ncountries around the APAC region like Taiwan, Myanmar, and Japan.\r\nWe analyzed the malware and the download sites we found to determine the tools and techniques the threat actors\r\nused to bypass different security solutions. For instance, we collected the scripts deployed on the malicious\r\ndownload sites, which enabled us to figure out how they work. We also observed that Earth Preta delivers different\r\npayloads to different victims.\r\nIn this entry, we’ll share more technical details on the most recent tools, techniques, and procedures (TTPs)\r\nleveraged by the group. In addition, we will share how we were able to correlate different indicators connected to\r\nthe threat actor. 
Part of this research was previously shared at Botconf 2023 and first disclosed\r\nin the Camaro Dragon report from Check Point Research.\r\nVictimology\r\nBeginning January 2023, we observed several waves of spear-phishing emails targeting individuals across\r\ndifferent regions. Using data from Trend Micro™ Smart Protection Network™, we noticed that the regions being\r\ntargeted were expanding to include Western Asia and Eastern Europe.\r\nWe were also able to classify the victims based on the targeted industries. As Figure 2 shows, most of the targeted\r\nindividuals were working in or involved in some capacity with government-related entities. A significant number\r\nof targets also came from the telecommunications industry.\r\nhttps://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html\r\nPage 1 of 22\n\nFigure 2. The industry distribution for the spear-phishing email recipients\r\n2023 arrival vectors\r\nIn 2023, we observed Earth Preta using several new arrival vectors, including MIROGO, QMAGENT, and the\r\nnew TONESHELL dropper called TONEDROP. Likewise, the infection chains of these arrival vectors have also\r\nchanged. For example, in addition to deploying legitimate Google Drive download links, the actors also used other\r\ndownload sites that resembled but were not actually Google Drive pages. In the following sections, we will\r\nintroduce these new malware families and TTPs.\r\nFigure 3. Timeline of incidents in 2023\r\nBackdoor.Win32.QMAGENT\r\nAround January 2023, we found the QMAGENT malware being delivered via spear-phishing emails to target\r\nindividuals involved with government organizations and entities. 
Initially disclosed in a report from ESET, QMAGENT — also known as MQsTTang — is noteworthy because it leverages the MQTT\r\nprotocol, which is commonly used in internet-of-things (IoT) devices to tunnel data and commands.\r\nSince the said report thoroughly describes the technical details of the malware, we will not expand on them here.\r\nHowever, we think that the protocol used deserves further investigation, and we will tackle it in the following\r\nsections.\r\nBackdoor.Win32.MIROGO\r\nIn February 2023, we discovered another backdoor written in Golang named MIROGO, first reported as the\r\nTinyNote malware by Check Point Research. We noted that it was delivered through a phishing\r\nemail embedded with a Google Drive link, which then downloaded an archive named Note-2.7z. The archive is\r\npassword-protected, with the password provided in the email’s body. After extraction, we found a single\r\nexecutable disguised as being addressed to an East Asian government.\r\nFigure 4. MIROGO infection flow\r\nTrojan.Win32.TONEDROP\r\nIn March 2023, we discovered a new dropper named TONEDROP that drops the TONEINS and TONESHELL\r\npieces of malware. Its infection chain is similar to the one we introduced in our previous report and involves fake\r\ndocument files hiding XOR-ed malicious binaries.\r\nIn the following months, we found the group still using this dropper. During our investigation, we uncovered a\r\nnew variant of the TONESHELL backdoor, the technical details of which we will share in the following sections.\r\nFigure 5. 
Infection flow of the dropper\r\nFile name Detection name Description\r\nDocument.rar   Decoy archive file\r\nN/A Trojan.Win32.TONEDROP Dropper found inside the archive\r\nWaveeditNero.exe   Legitimate executable\r\nwaveedit.dll Trojan.Win32.TONEINS  \r\nlast.pdf    \r\nupdate.pdf Backdoor.Win32.TONESHELL.ZTKD.enc  \r\nWinDbg(X64).exe   Legitimate executable\r\nlibvlc.dll Backdoor.Win32.TONESHELL  \r\nTable 1. Files in TONEDROP\r\nBefore dropping and installing the files, TONEDROP will check the existence of the folder\r\nC:\\ProgramData\\LuaJIT to determine if the environment has already been compromised. It will also check whether the\r\nrunning processes and windows are related to malware analysis tools. If so, it will not proceed with its\r\nroutine.\r\nFigure 6. Checking the running processes and windows\r\nIf all conditions are fulfilled, it will begin the installation procedure and drop several files. These files are\r\nembedded in the dropper and are decrypted with XOR keys.\r\nDropped file XOR key\r\nC:\\users\\public\\update.pdf update_key\r\nC:\\users\\public\\last.pdf  last_key\r\nC:\\users\\public\\waveedit.dll  waveedit_key\r\nC:\\users\\public\\WaveeditNero.exe  WaveeditNero_key\r\nTable 2. 
The dropped files and the XOR keys used to decrypt them\r\nAfter being dropped, WaveeditNero.exe will sideload waveedit.dll and decrypt the other two fake PDF files:\r\nIt decrypts C:\\users\\public\\last.pdf with XOR key 0x36 and writes it to\r\nC:\\users\\public\\documents\\WinDbg(X64).exe.\r\nIt decrypts C:\\users\\public\\update.pdf with XOR key 0x2D and writes it to\r\nC:\\users\\public\\documents\\libvlc.dll.\r\nTONEDROP will set up a scheduled task for the process C:\\users\\public\\documents\\WinDbg(X64).exe, which will\r\nsideload C:\\users\\public\\documents\\libvlc.dll. Next, it will construct the malicious payload and run it in memory\r\nby calling the API EnumDisplayMonitors, which has a callback function.\r\nThe C\u0026C protocol of TONESHELL variant D\r\nWe discovered a new variant of TONESHELL that has a command-and-control (C\u0026C) protocol request packet\r\nformat as follows:\r\nField name Size Data\r\nmagic 0x3 17 03 03\r\nsize 0x2 The payload size\r\npayload size Payload\r\nTable 3. Contents of the sent data after encryption\r\nThe C\u0026C protocol is similar to the ones used by PUBLOAD and other TONESHELL variants. We classified it as\r\nTONESHELL variant D because it also uses CoCreateGuid to generate a unique victim ID, which is akin to the\r\nolder variants.\r\nIn the first handshake, the payload should be a 0x221-byte-long buffer carrying the encryption key and the unique\r\nvictim ID. Table 4 shows the structure of the payload. 
Note that the fields type, victim_id, and xor_key_seed are\r\nencrypted with xor_key before the buffer is sent.\r\nField name Size (hex) Description\r\nxor_key 0x200 Key used to encrypt the traffic; this key is generated from xor_key_seed\r\ntype 0x1 0x08, a fixed value\r\nvictim_id 0x10 A unique victim ID generated by CoCreateGuid\r\nxor_key_seed 0x10 A random seed generated by GetTickCount\r\nTable 4. Content of the sent data\r\nWe found that the malware saves the value of the victim_id to the file\r\n%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Web.Facebook.config.\r\nFigure 7. The payload in the first handshake\r\nThe C\u0026C communication protocol works as follows:\r\n1. The handshake containing the xor_key and victim_id is sent to the C\u0026C server.\r\n2. A 5-byte-sized data packet that is composed of magic and has a size of 0x02 is received.\r\n3. A 2-byte-sized data packet decrypted with the xor_key and that must have a first byte of 0x08 is received.\r\n4. Data that is composed of magic and the next payload size is received.\r\n5. Data is received and decrypted using xor_key. The first byte is the command code, and the following data\r\nis the extra information.\r\nFigure 8. C\u0026C communication\r\nCommand code Description\r\n1 Not implemented\r\n2 Not implemented\r\n3 Write files\r\n4 Not implemented\r\n5 Execute commands\r\n6 Delete files\r\n7 Terminate conhost.exe\r\n9 Delete files\r\n10 Collect victim information\r\nTable 5. 
Command codes\r\nFake Google Drive sites\r\nIn April 2023, we monitored a download site that distributes malware types such as QMAGENT and\r\nTONEDROP. While we were requesting the URL https://rewards[.]roshan[.]af/aspnet_client/View.htm, it\r\ndownloaded an archive file called Documents.rar, which contained a file that turned out to be a QMAGENT\r\nsample.\r\nFigure 9. Screenshot of the download site\r\nAlthough the page looks like a Google Drive download page, it is actually a picture file (gdrive.jpg) trying to\r\nmasquerade itself as a normal website. In the source code, it runs the script file\r\nhttps://myanmarfreedomwork[.]org/Js/jQuery.min.js, which will download the file Document.rar.\r\nFigure 10. The malicious script embedded in the download site\r\nIn May 2023, Earth Preta continued to distribute the same download site with different paths to deploy\r\nTONESHELL, such as https://rewards[.]roshan[.]af/aspnet_client/acv[.]htm. In this version, the threat actor\r\nobfuscated the malicious URL script with another piece of JavaScript, as shown in Figure 11.\r\nFigure 11. Source code of the page\r\nFigure 12. The decoded URL of the malicious script\r\nFinally, the script jQuery.min.js will download the archive file from\r\nhttps://rewards.roshan[.]af/aspnet_client/Note-1[.]rar.\r\nFigure 13. The script body of “jQuery.min.js”\r\nFollowing the trails\r\nDuring the investigation, we tried several methods to trace the incidents and connect all the indicators together.\r\nOur findings can be summarized into three aspects: code similarities, C\u0026C connections, and bad operational\r\nsecurity.\r\nCode similarities\r\nWe observed some similarities between the MIROGO and QMAGENT pieces of malware. 
Because of the limited\r\nhit count from our telemetry data, we believe that both are tools privately owned by Earth Preta rather than shared\r\nones. It’s also interesting to note that the group implemented similar C\u0026C protocols in two different programming\r\nlanguages.\r\nFeatures QMAGENT (MQsTTang) MIROGO\r\nDelivered via Spear-phishing emails Spear-phishing emails\r\nFirst seen Jan 2023 Feb 2023\r\nC\u0026C protocol MQTT HTTP\r\nC\u0026C traffic encoding key b'nasa' b'NASA'\r\nC\u0026C traffic encryption Base64 + XOR + Base64 XOR + Base64\r\nC\u0026C response body\r\n{\r\n  \"msg\": \"\u003cpayload\u003e\"\r\n}\r\n{\r\n  \"msg\": \"\u003cpayload\u003e\"\r\n}\r\nTable 6. Similarities and differences between QMAGENT and MIROGO\r\nC\u0026C connections\r\nThe malware QMAGENT uses the MQTT protocol to transfer data. After analysis, we realized that the employed\r\nMQTT protocol was not encrypted and did not need any authorization. Because of the unique “feature” in the\r\nMQTT protocol (one publishes a message and all others receive it), we decided to monitor all the messages. We\r\ncrafted a QMAGENT client and saw how many victims were targeted. After long-term monitoring, we developed\r\nthe following statistical chart:\r\nFigure 14. QMAGENT victim connections\r\nThe topic name iot/server0 is used to detect the analysis or debugging environments, so it has the lowest victim\r\ncount. March had the highest spike because the ESET report was published on March 2, and this spike involved\r\nthe activation of automation systems (sandboxes and other analysis systems). As a result, we decided to break the\r\nspike down into smaller ranges.\r\nFigure 15. 
QMAGENT victim connections (March 2 to March 3, 2023)\r\nThe report was published around 12 p.m., and after three to six hours, we saw an increase in the number of\r\nconnections. We believe that this might be the common delay time for other analysis systems.\r\nThe C\u0026C request JSON body from the QMAGENT malware contains an Alive key, which is the malware’s\r\nuptime in minutes. We gathered all of them and listed the top 10 alive times.\r\nAlive (seconds) Count\r\n473.4 32\r\n200.4 28\r\n474.0 20\r\n173.4 13\r\n111.0 11\r\n170.4 11\r\n174.0 11\r\n172.8 8\r\n172.2 7\r\n50 6\r\nTable 7. Top 10 alive minutes from QMAGENT victims\r\nWe classified the top 10 alive times into three clusters: 473 seconds, 200 seconds, and 170 seconds. Since many\r\nanalysis systems are involved, we think that these times are some of the more common timeout settings for\r\ndifferent sandboxes. For example, the default timeout setting in the CAPEv2 sandbox is exactly 200 seconds.\r\nUnfortunately, we could not confirm what the other alive times are for.\r\nFigure 16. The default timeout setting in CAPEv2\r\nBad operational security\r\nDuring our investigation, we collected several download links for malicious archive files. We noticed that the\r\nthreat actors distributed not only Google Drive links but also other IP addresses hosted by different cloud\r\nproviders. 
Here are some download links that we recently observed:\r\nIP/Domain Path\r\nhttp://80[.]85[.]156[.]232 /fav/tw1\r\nhttp://80[.]85[.]156[.]240\r\n/fav/sWjp\r\n/fav/hKjp\r\n/fav/sNjp\r\n/fav/gTjp\r\n/fav/aMjp\r\n/fav/128tr\r\n/fav/128tw\r\n/fav/yMjp\r\nhttp://80[.]85[.]156[.]151 /fav/eeAll\r\nhttp://103[.]159[.]132[.]91\r\n/fav/trteamC\r\n/fav/trA\r\n/fav/trHatip\r\n/file/tr\r\n/file/lv\r\nhttps://sa2il[.]johnsimde[.]xyz /f/LV\r\nhttps://iot[.]johnsimde[.]xyz /f/TR\r\nhttps://em2in[.]johnsimde[.]xyz /f/LV\r\nhttps://rewards[.]roshan[.]af /aspnet_client/gdrive.htm\r\n/aspnet_client/View.htm\r\n/aspnet_client/acv.htm\r\nTable 8. Download sites\r\nIt’s obvious that the paths in the URLs follow several patterns such as /fav/xxxx or /f/xx. While checking the\r\nURLs, we also found that the xx patterns are related to the victims (these patterns being their country codes). For\r\nexample, the first path /fav/tw1 is used to target victims in Taiwan, and so on.\r\nWhile investigating the download site 80[.]85[.]156[.]151 (hosted by Python’s SimpleHTTPServer), we found\r\nthat it had an open directory on port 8000 that hosted a large amount of data and scripts.\r\nFigure 17. The open directory vulnerability\r\nThe important files in the download site are listed as follows:\r\nFile/folder Modified date Description\r\nstatic/*   Logging files\r\ntemplates/*   Front-end template files\r\napp.py 2023-01-17 The main web server script file\r\nblacklist.txt 2023-01-22 Block list for incoming IP addresses\r\nclient.py 2023-03-30 The messaging script over WebSocket\r\nfw.sh 2023-01-03 Script to block incoming connections via iptables\r\nrequirements.txt 2023-01-09 Python requirements file\r\nwhitelist.txt 2023-01-11 A list of unknown IP addresses\r\nTable 9. 
Files in the open directory\r\nIn the following subsections, we will introduce the script files deployed on the server.\r\nThe Firewall: fw.sh\r\nEarth Preta uses the script file fw.sh to block incoming connections from specific IP addresses. The disallowed IP\r\naddresses are listed in the file blacklist.txt. It seems that the group intentionally blocks incoming requests from\r\nsome known crawlers and some known security providers using python-requests, curl, and wget. We believe that\r\nthe group is trying to prevent the site from being scanned and analyzed.\r\nFigure 18. The script body of “fw.sh”\r\nFigure 19. Some of the IP addresses listed in “blacklist.txt”\r\nThe main server: app.py\r\nThe main script file app.py is used to host a web server and wait for connections from the victims. It handles the\r\nfollowing URL paths:\r\nURL Path Behavior\r\n/ Shows a fake message masquerading as a Google testing site\r\n/admin/\u003cusername\u003e Prints out the content of the logging file\r\n/webchat\r\nA chatting system over WebSocket; it allows two users to communicate with each\r\nother on the same page\r\n/\u003cname\u003e/fav.icon\r\n/\u003cname\u003e/logo.png\r\n/\u003cname\u003e/tz.jpg\r\nRedirect to the victim’s organization logo picture; these URLs are usually\r\nembedded in phishing emails as signatures\r\n/fav/\u003cname\u003e\r\n/f/\u003cname\u003e\r\n/file/\u003cname\u003e\r\n/\u003cname\u003e/jquery.min.js\r\nServe different malicious archives based on the request header\r\nTable 10. URL paths of the download site\r\nThe root path / of the download site can be seen in Figure 20. It shows a fake message and pretends to be from\r\nGoogle.\r\nFigure 20. 
The root page of the site\r\nMeanwhile, the webchat function /webchat allows two users to communicate with each other on the same page.\r\nThe login usernames and passwords are hard-coded in the source codes, which are john:john and tom:tom.\r\nFigure 21. The login screen of webchat\r\nOnce logged in, users can submit their text messages via WebSocket, with all the messages they receive being\r\ndisplayed here. Based on the hard-coded usernames, we suppose that “tom” and “john” are accomplices\r\ncooperating with one another. After checking the webchat template file, we found some simplified Chinese\r\ncharacters written inside, so it’s possible that the threat actors might be Chinese-speaking.\r\nFigure 22. The webchat source code\r\nAs mentioned in the previous section, most of the malicious download URLs we collected follow specific patterns\r\nlike /fav/xxxx or /file/xxxx. Based on the source codes, the path /fav/\u003cname\u003e (and so on) will download the\r\npayload Documents.rar if the request’s User-Agent header contains any of the following strings:\r\nWindows NT 10\r\nWindows NT 6\r\nThis archive is hosted on the IP address 80[.]85[.]157[.]3. Users will be redirected to another Google Drive link if\r\nthe specified User-Agent conditions are not satisfied. At the time of writing, we were not able to retrieve the\r\npayloads, so we are unable to definitively determine if they are indeed malicious. We believe that this is a\r\nmechanism to deliver different payloads to different victims.\r\nFigure 23. 
The source code in ”app.py”\r\nIt’s worth noting that every source IP address, request header, and request URL is logged upon each connection.\r\nAll the logging files are then stored in the /static folder.\r\nThe logging files: /static\r\nThe “/static” folder contains a large number of logging files that are seemingly manually rotated by the threat\r\nactors. At the time of writing, the logging files recorded the logs from January 3, 2023, to March 29, 2023. There\r\nwere 40 logging files in the folder at the time we found them.\r\nFigure 24. The list of logging files\r\nFigure 25. An example of the logged requests\r\nWe also tried to parse and analyze the logging files. Since the files contain the access logs from the victims, we\r\nthink that they could be counted for further analysis. The format of a logging record is as follows:\r\n[Source IP] ---- [Connection Date and Time]\r\n[ Headers\r\n// Host:\r\n// User-Agent:\r\n...\r\n]\r\n[Connected URL]\r\nWe also wanted to know which countries the victims were from. Based on app.py, the access logs record two\r\nkinds of URLs:\r\nURL Path Behavior\r\n/\u003cname\u003e/fav.icon\r\n/\u003cname\u003e/logo.png\r\n/\u003cname\u003e/tz.jpg\r\nRedirect to the victim’s organization logo picture; these URLs are usually\r\nembedded in the phishing emails as signatures.\r\n/fav/\u003cname\u003e\r\n/f/\u003cname\u003e\r\n/file/\u003cname\u003e\r\n/\u003cname\u003e/jquery.min.js\r\nServe different malicious archives based on the request header\r\nTable 11. The recorded URLs in the access logs\r\nThese URLs are usually embedded in the email body. The first type of URLs serves as the email signature and the\r\nsecond one as the download link. 
To count the number of victims who received the spear-phishing emails, we only\r\npreserved the logs with the first type of URLs since these signature URLs will be requested when victims open\r\ntheir emails. Based on our data, we determined that their main targets are from Lithuania, Latvia, Estonia, Japan,\r\nand Myanmar.\r\nFigure 26. The number of connections from different countries\r\nWe’d like to emphasize that these connections are only a small portion of this campaign since these logs are only\r\nbased on a single site. It’s also obvious that this site is used to host malicious files targeting victims from the\r\nEuropean region.\r\nWith the help of those logging files, we were able to collect many distributed links in the wild. These links are\r\nattached in the Appendix.\r\nConclusion\r\nIn our previous research published in 2022, we learned that Earth Preta was actively targeting victims in the APAC\r\nregion such as Australia, the Philippines, and Taiwan. This year, we found that the group not only targeted the\r\nAPAC region but also expanded its scope to Europe.\r\nWe suspect that the group used the Google accounts compromised in the previous wave of attacks to continue this\r\ncampaign. After analysis, we were also able to determine that it has been using different techniques to bypass\r\nvarious security solutions. From our monitoring of its used C\u0026C servers, we also observed the group’s tendency\r\nto reuse these servers in subsequent attack waves.\r\nFrom our observations of various Earth Preta campaigns, we’ve noticed that the group tends to build its arsenal\r\nwith similar C\u0026C protocols and capabilities in different programming languages, showing that the actors behind\r\nEarth Preta have likely been enhancing their development skills. 
However, because of their operational security\r\nmistakes, we were able to retrieve the scripts behind the scenes and learn the workflow of their attacks.\r\nIn the past, we have extensively analyzed the threat actor Earth Preta. The group’s evolution in its TTPs shows\r\nthat it is highly active and that it is likely we will see more campaigns by it in the future. As such, we will\r\ncontinue to monitor Earth Preta to keep the public informed of the group’s activities.\r\nMITRE ATT\u0026CK\r\nSource: https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html"
	],
	"report_names": [
		"behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479",
			"created_at": "2023-10-27T02:00:07.764261Z",
			"updated_at": "2026-04-10T02:00:03.378226Z",
			"deleted_at": null,
			"main_name": "Camaro Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Camaro Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434653,
	"ts_updated_at": 1775792194,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e05ba5c588a654d3049bdb58ac763ec077de1b6.pdf",
		"text": "https://archive.orkl.eu/4e05ba5c588a654d3049bdb58ac763ec077de1b6.txt",
		"img": "https://archive.orkl.eu/4e05ba5c588a654d3049bdb58ac763ec077de1b6.jpg"
	}
}