{
	"id": "16e98df7-3955-48bb-81f5-6dc9360dcd55",
	"created_at": "2026-04-06T00:12:46.572246Z",
	"updated_at": "2026-04-10T13:11:58.87316Z",
	"deleted_at": null,
	"sha1_hash": "6560a3543bfc7741219ecf18acbb6b05c7e6d995",
	"title": "Operation Earth Kitsune - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50054,
	"plain_text": "Operation Earth Kitsune - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 22:22:08 UTC\r\nAPT group: Operation Earth Kitsune\r\nNames: Operation Earth Kitsune (Trend Micro)\r\nCountry: North Korea\r\nMotivation: Information theft and espionage\r\nFirst seen: 2019\r\nDescription:\r\n(Trend Micro) We previously wrote about the SLUB malware in 2019, noting that it\r\nabused (among others) Slack and GitHub as part of its routine. Its previous\r\ncampaigns used watering hole tactics as an infection vector, using websites that\r\ndiscussed topics related to North Korea. Our continuous monitoring of this threat\r\ncampaign shows that the threat actor behind SLUB didn’t stop their attacks even\r\nduring the pandemic. In 2020, we found multiple instances of their attacks in March,\r\nMay, and September, delivering a new variant of the malware — this time\r\nincorporating new techniques and capabilities.\r\nIn addition, we found two unknown malware variants delivered along with SLUB\r\nduring the latest attack at the end of September. Besides the CVEs already\r\nmentioned in the previous SLUB blog, we also found new exploits for the\r\nvulnerabilities CVE-2016-0189, CVE-2019-1458, CVE-2020-0674, and\r\nCVE-2019-5782, chained with another Chrome bug that does not have an associated CVE.\r\nThe campaign is very diversified, deploying numerous samples to the victim\r\nmachines and using multiple command-and-control (C\u0026C) servers during this\r\noperation. In total, we found the campaign using five C\u0026C servers, seven samples,\r\nand exploits for four N-day bugs. The scale of the attack and the samples’ custom\r\ndesign suggest that there is a group behind this operation. We dubbed the campaign\r\nas Operation Earth Kitsune.\r\nObserved Countries: Worldwide except South Korea.\r\nTools used: agfSpy, dneSpy, SLUB, WhiskerSpy.\r\nOperations performed:\r\nLate 2022: Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering\r\nHole Attack\r\n\u003chttps://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html\u003e\r\nInformation:\r\n\u003chttps://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf\u003e\r\nLast change to this card: 25 April 2023\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=877ff46d-bf14-444e-aa77-5a0a88c8b8c2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=877ff46d-bf14-444e-aa77-5a0a88c8b8c2"
	],
	"report_names": [
		"showcard.cgi?u=877ff46d-bf14-444e-aa77-5a0a88c8b8c2"
	],
	"threat_actors": [
		{
			"id": "6158a31d-091c-4a5a-a82b-938e3d0b0e87",
			"created_at": "2023-11-17T02:00:07.61151Z",
			"updated_at": "2026-04-10T02:00:03.459947Z",
			"deleted_at": null,
			"main_name": "Earth Kitsune",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Kitsune",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3f6650a3-9f50-47c4-bd7a-008b63bde191",
			"created_at": "2022-10-25T16:07:23.949232Z",
			"updated_at": "2026-04-10T02:00:04.803815Z",
			"deleted_at": null,
			"main_name": "Operation Earth Kitsune",
			"aliases": [],
			"source_name": "ETDA:Operation Earth Kitsune",
			"tools": [
				"SLUB",
				"WhiskerSpy",
				"agfSpy",
				"dneSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434366,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6560a3543bfc7741219ecf18acbb6b05c7e6d995.pdf",
		"text": "https://archive.orkl.eu/6560a3543bfc7741219ecf18acbb6b05c7e6d995.txt",
		"img": "https://archive.orkl.eu/6560a3543bfc7741219ecf18acbb6b05c7e6d995.jpg"
	}
}