{
	"id": "fc3d4d5e-c516-4878-b02b-bd59c8b05225",
	"created_at": "2026-04-06T00:14:47.332501Z",
	"updated_at": "2026-04-10T03:36:48.167616Z",
	"deleted_at": null,
	"sha1_hash": "53389e84e1cd2170d8725eb6aa8d42cf4f84300e",
	"title": "A Dive into Earth Baku’s Latest Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63302,
	"plain_text": "A Dive into Earth Baku’s Latest Campaign\r\nBy: Ted Lee, Theo Chen Aug 09, 2024 Read time: 6 min (1512 words)\r\nPublished: 2024-08-09 · Archived: 2026-04-05 17:51:01 UTC\r\nBased on our investigation, the targeted sectors included the following:\r\nGovernment\r\nMedia and Communications\r\nTelecom\r\nTechnology\r\nHealthcare\r\nEducation\r\nInfection Vector\r\nIn the group’s recent operations, Earth Baku exploited public-facing applications, specifically IIS servers, as the entry point. Once the perpetrators gain access, they deploy the Godzilla webshell, which allows them to maintain control over the compromised server. Through Godzilla, Earth Baku is then able to deploy the shellcode loader StealthVector and its backdoor components: Cobalt Strike and a new backdoor named SneakCross.\r\nDuring the post-exploitation stage, Earth Baku attempts to build reverse tunnels to maintain control access using publicly available reverse tunneling tools. In addition, we observed the MEGAcmd tool being deployed into the victim’s environment, likely for data exfiltration.\r\nTechnical Analysis\r\nStealthVector is a customized backdoor loader used to launch Earth Baku’s backdoor components in stealth mode. This year, we observed Earth Baku adding two new loaders to launch its backdoor components, Cobalt Strike and SneakCross (aka MoonWalk).\r\nThe new StealthVector is very similar to the one found in 2021. Although it has changed little in terms of configuration structure, it now uses AES as its encryption algorithm instead of a customized ChaCha20. In some variants, we also observed a code virtualizer being used for code obfuscation, making the malware more difficult to analyze. 
It also inherited other defense evasion techniques to make sure the backdoor components were executed stealthily:\r\nETW and CFG Disable: Disabling Event Tracing for Windows (ETW) and Control Flow Guard (CFG) to reduce the loader’s footprint and avoid detection.\r\nDLL Hollowing: StealthVector loads a legitimate DLL from the System32 folder and injects malicious code into a section of the mapped DLL, so the payload runs from a module that appears legitimate.\r\nhttps://www.trendmicro.com/en_us/research/24/h/earth-baku-latest-campaign.html\r\nPage 1 of 4\r\nStealthReacher (aka DodgeBox) can be considered an enhanced variant of StealthVector, featuring code obfuscation techniques such as FNV-1a hashing and other defense evasion mechanisms. Compared to the older StealthVector, it uses AES for encryption and MD5 hashing for checksums. Based on our observations, StealthReacher is the dedicated loader for the new modular backdoor, SneakCross.\r\nIt’s worth noting that both StealthVector and StealthReacher re-encrypt their payload after the first run, using XOR with the victim’s computer name as the key. From a digital forensics perspective, this makes the collected payload challenging to decrypt and analyze even when the loader and payload were collected together, because the key depends on the host rather than on anything inside the samples.\r\nSneakCross is a new modular backdoor that uses Google services for its command-and-control (C\u0026C) communication. It employs Windows Fibers to evade detection by network protection products and EDR solutions. We believe it to be the successor to their previous modular backdoor, ScrambleCross, which was mentioned in our previous report. 
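Returning to the loaders’ XOR re-encryption described above, the following Python is an added forensic example, not code from the Trend Micro report or from the malware itself. It reverses a payload that a StealthVector/StealthReacher-style loader re-encrypted with XOR keyed on the victim’s computer name, given that name from the host’s evidence. The report only states that the key is the computer name; the repeating-key XOR, the ANSI/UTF-16LE and case variants tried, the PE-magic plausibility check, the host name SRV-FILE01 and the sample payload are all assumptions constructed for this example.

```python
# Added example, not code from the Trend Micro report or from the malware:
# reversing a StealthVector/StealthReacher-style post-launch XOR re-encryption
# whose key is the victim computer name. Everything beyond 'XOR keyed on the
# computer name' (repeating key, name variants, PE check, sample) is assumed.
from itertools import cycle

PE_MAGIC = bytes((0x50, 0x45, 0x00, 0x00))   # the four PE signature bytes


def xor_repeating(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR is symmetric: one routine encrypts and decrypts.
    if not key:
        raise ValueError('empty key')
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    # Cheap plausibility check on a decryption attempt: DOS magic at offset 0
    # and e_lfanew (offset 0x3C) pointing at the PE signature.
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], 'little')
    return blob[e_lfanew:e_lfanew + 4] == PE_MAGIC


def key_candidates(computer_name: str):
    # Assumption: the loader may have read the name as ANSI or UTF-16LE and in
    # any case form, so try each distinct encoding once.
    seen = set()
    for name in (computer_name, computer_name.upper(), computer_name.lower()):
        for key in (name.encode('utf-8'), name.encode('utf-16-le')):
            if key not in seen:
                seen.add(key)
                yield key


def recover_payload(encrypted: bytes, computer_name: str):
    # Returns (key, plaintext) for the first candidate that yields a PE image,
    # or None if the supplied host name does not fit this sample.
    for key in key_candidates(computer_name):
        plain = xor_repeating(encrypted, key)
        if looks_like_pe(plain):
            return key, plain
    return None


def derive_key_fragment(encrypted: bytes, known_prefix: bytes = b'MZ') -> bytes:
    # Known-plaintext angle for when the host name was never recorded: the
    # header bytes XOR the ciphertext leak the first key bytes, which usually
    # exposes the naming convention (e.g. a UTF-16LE name shows as letter, 0).
    return xor_repeating(encrypted[:len(known_prefix)], known_prefix)


def build_fake_pe(size: int = 512) -> bytes:
    # Constructed stand-in for a dumped payload: valid magics, filler elsewhere.
    dos = bytearray(b'MZ') + bytearray(0x3C - 2) + (0x40).to_bytes(4, 'little')
    filler = bytes(i % 251 for i in range(size - 0x44))
    return bytes(dos) + PE_MAGIC + filler


if __name__ == '__main__':
    victim = 'SRV-FILE01'                                   # assumed host name
    sample = xor_repeating(build_fake_pe(), victim.encode('utf-16-le'))
    hit = recover_payload(sample, victim.lower())
    print('recovered with key:', hit[0] if hit else None)
    print('key bytes leaked by the MZ header:', derive_key_fragment(sample))
```

The practical consequence for collection is the one the report hints at: grab the computer name (registry, event logs, or the acquisition metadata) at the same time as the loader and payload, otherwise the only way back in is the known-plaintext route in derive_key_fragment, which recovers as many key bytes as there is predictable header, enough to recognise a naming scheme but not always the whole name.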
SneakCross’s modular design allows attackers to easily update its capabilities, modify its behavior, and customize functionality for different scenarios.\r\nGoogle Cloud’s report notes that they found at least 15 plugins that support various backdoor functions, including:\r\nShell Operations\r\nFile System Operations\r\nProcess Operations\r\nNetwork Probing\r\nNetwork Store Interface Operations\r\nScreen Operations\r\nSystem Information Discovery\r\nFile Manipulation Operations\r\nKeylogger\r\nActive Directory Operations\r\nFile Uploader\r\nRDP\r\nDNS Operations\r\nDNS Cache Operations\r\nRegistry Operations\r\nPost-Exploitation Routine\r\nDuring the post-exploitation stage, Earth Baku deploys various tools in the victim’s environment for persistence, privilege escalation, discovery and exfiltration. In this section, we’ll examine the most noteworthy of these tools.\r\nPersistence: reverse-tunnel\r\nWe found the threat actors attempting to build reverse tunnels with the following tools for persistent control access to compromised machines:\r\nCustomized iox tool\r\nThe perpetrators built their own iox tunneling tool based on its public source code. Changes include simplified required arguments (local IP/Port) and an additional special argument, -ggg. The tool must be launched with this argument; only then does it work properly, so a copy run in a sandbox without it will not behave as the real tool does.\r\nRakshasa\r\nRakshasa is a proxy tool written in Go, designed for multi-level proxying and internal network penetration.\r\nTailscale\r\nTailscale is a Virtual Private Network (VPN) service created to enable secure connectivity between devices within a unified virtual network. Recently, we have identified threat actors attempting to incorporate compromised systems into their virtual networks using the Tailscale platform. 
Additionally, these threat actors have been using legitimate Tailscale servers as intermediaries, significantly complicating the process of tracing the origins of their activities.\r\nExfiltration\r\nWithin the victim’s environment, we found multiple copies of MEGAcmd dropped onto infected machines. MEGAcmd is a command-line tool for interacting with the MEGA cloud storage service. We infer that the threat actors attempted to use this tool to exfiltrate stolen data to MEGA, capitalizing on its ability to efficiently upload large volumes of data. The same procedure was also observed with an associated group, Earth Lusca.\r\nConclusion\r\nEarth Baku has significantly expanded its reach from the Indo-Pacific to Europe and MEA since late 2022. Its recent operations showcase advanced techniques, including the use of public-facing applications like IIS servers for initial access and the deployment of the Godzilla webshell for control. The group has employed new loaders such as StealthVector and StealthReacher to stealthily launch backdoor components, and added SneakCross as its latest modular backdoor. Earth Baku also used several tools during post-exploitation, including a customized iox tool, Rakshasa and Tailscale for persistence, and MEGAcmd for efficient data exfiltration. 
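The following Python is added here as a hunting example and is not taken from the Trend Micro report. It turns two of the observations above into rules over process-creation telemetry: the IIS worker (w3wp.exe) spawning an interpreter, which is how an in-process webshell such as Godzilla executes commands, and the post-exploitation tooling (the customized iox with its -ggg argument, Rakshasa, Tailscale, MEGAcmd). The event field names, the sample events, the binary names and the sanctioned-host list are constructed assumptions; a renamed binary is only caught by the command-line rule.

```python
# Added example, not code from the Trend Micro report: process-creation hunting
# rules for the IIS webshell foothold and the post-exploitation tooling
# described above. Field names, sample events, binary names and the
# sanctioned-host list are constructed assumptions for this example.
import ntpath
from dataclasses import dataclass

# Interpreters an IIS worker process should never spawn directly.
SHELL_CHILDREN = {'cmd.exe', 'powershell.exe', 'pwsh.exe', 'cscript.exe',
                  'wscript.exe', 'mshta.exe', 'rundll32.exe', 'certutil.exe'}
# Name-based indicators for the tunnelling tools named in the report (weak:
# the actor rebuilt iox from source and can rename any of these).
TUNNEL_TOOLS = {'iox.exe', 'rakshasa.exe', 'tailscale.exe', 'tailscaled.exe'}
# MEGAcmd client binaries (assumed names); presence alone is worth a look.
EXFIL_TOOLS = {'megacmdserver.exe', 'megacmdshell.exe', 'megaclient.exe'}
# Assumption: hosts where Tailscale is an approved deployment.
SANCTIONED_TAILSCALE_HOSTS = {'vpn-gw01'}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    image: str
    cmdline: str


def _basename(path: str) -> str:
    # Sysmon/EDR image fields usually carry full paths; compare on the name.
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list:
    findings = []
    host = ev.get('host', '?')
    image = _basename(ev.get('image', ''))
    parent = _basename(ev.get('parent_image', ''))
    cmdline = ev.get('cmdline', '')
    args = cmdline.split()
    # Rule 1: webshell execution. An ASPX webshell runs inside w3wp.exe, so the
    # shell it launches appears as a direct child of the IIS worker.
    if parent == 'w3wp.exe' and image in SHELL_CHILDREN:
        findings.append(Finding('iis_worker_spawned_shell', host, image, cmdline))
    # Rule 2: the custom iox build only works when launched with -ggg, so the
    # argument survives renaming of the binary.
    if '-ggg' in args:
        findings.append(Finding('iox_custom_gate_argument', host, image, cmdline))
    # Rule 3: known tunnelling binaries, with Tailscale allowlisted per host.
    if image in TUNNEL_TOOLS:
        tailscale_ok = image.startswith('tailscale') and host in SANCTIONED_TAILSCALE_HOSTS
        if not tailscale_ok:
            findings.append(Finding('reverse_tunnel_tool', host, image, cmdline))
    # Rule 4: MEGAcmd on a server that has no business talking to MEGA.
    if image in EXFIL_TOOLS or 'mega-put' in cmdline.lower():
        findings.append(Finding('megacmd_exfil_tool', host, image, cmdline))
    return findings


def hunt(events) -> list:
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample telemetry (not real logs); two benign controls included.
SAMPLE_EVENTS = [
    {'host': 'web01', 'parent_image': 'w3wp.exe', 'image': 'cmd.exe',
     'cmdline': 'cmd.exe /c whoami'},
    {'host': 'web01', 'parent_image': 'w3wp.exe', 'image': 'csc.exe',   # routine ASP.NET compile
     'cmdline': 'csc.exe /t:library /out:App_Web_x1.dll'},
    {'host': 'web01', 'parent_image': 'cmd.exe', 'image': 'svchost_update.exe',   # renamed iox
     'cmdline': 'svchost_update.exe -ggg 10.0.0.5 4444'},
    {'host': 'db02', 'parent_image': 'explorer.exe', 'image': 'rakshasa.exe',
     'cmdline': 'rakshasa.exe -p 8080'},
    {'host': 'vpn-gw01', 'parent_image': 'services.exe', 'image': 'tailscaled.exe',   # sanctioned
     'cmdline': 'tailscaled.exe'},
    {'host': 'fs03', 'parent_image': 'cmd.exe', 'image': 'tailscale.exe',
     'cmdline': 'tailscale.exe up --authkey tskey-REDACTED'},
    {'host': 'fs03', 'parent_image': 'cmd.exe', 'image': 'MEGAclient.exe',
     'cmdline': 'MEGAclient.exe put D:/staging/archive.7z /backup'},
]


if __name__ == '__main__':
    for f in hunt(SAMPLE_EVENTS):
        print(f'{f.rule:28} {f.host:10} {f.image:20} {f.cmdline}')
```

Two design points worth keeping when porting this to a real SIEM: the benign controls matter (w3wp.exe spawning csc.exe is routine ASP.NET compilation and Tailscale on an approved gateway is expected, so the rule set allowlists rather than bans a legitimate product), and the -ggg rule catches the renamed iox copy that the name-based rule misses, which is why a behavioural argument beats a file name once an actor recompiles public tooling.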
These developments underscore Earth Baku’s evolving and increasingly sophisticated threat profile, which can pose significant challenges for cybersecurity defenses.\r\nRecommendations\r\nTo defend against cyberespionage tactics and minimize the risk of compromise, both individual users and organizations should implement the following best practices:\r\nImplementing the principle of least privilege: Restricting access to sensitive data and closely monitoring user permissions makes it more challenging for attackers to move laterally within a corporate network.\r\nAddressing security gaps: Regularly updating systems and applications and enforcing strict patch management policies allows organizations to close security gaps in their systems. Furthermore, employing virtual patching can help secure legacy systems for which patches are unavailable.\r\nDeveloping a proactive incident response strategy: Deploying defensive measures designed to identify and mitigate threats in the event of a breach, and conducting regular security drills, improves the effectiveness of an organization’s incident response plan.\r\nAdopting the 3-2-1 backup rule: Maintaining at least three copies of corporate data in two different formats, with one air-gapped copy stored off-site, ensures that data remains intact even in the event of a successful attack. 
Regularly updating and testing these backups helps ensure the integrity of the data.\r\nTrend solutions\r\nOrganizations looking to defend themselves from sophisticated attacks can consider security technologies such as Trend Vision One™ products, which allow security teams to continuously identify attack surfaces, including both known and unknown, managed and unmanaged cyber assets.\r\nIt assists organizations in prioritizing and addressing potential risks and vulnerabilities by evaluating critical factors, such as the likelihood and impact of possible attacks, and provides a comprehensive set of prevention, detection, and response capabilities, all supported by advanced threat research, intelligence, and AI. Vision One enhances an organization’s overall security posture and effectiveness, offering robust protection against a broad range of attacks.\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/24/h/earth-baku-latest-campaign.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/h/earth-baku-latest-campaign.html"
	],
	"report_names": [
		"earth-baku-latest-campaign.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434487,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53389e84e1cd2170d8725eb6aa8d42cf4f84300e.pdf",
		"text": "https://archive.orkl.eu/53389e84e1cd2170d8725eb6aa8d42cf4f84300e.txt",
		"img": "https://archive.orkl.eu/53389e84e1cd2170d8725eb6aa8d42cf4f84300e.jpg"
	}
}