{
	"id": "24475fdd-f3ec-45d0-86ef-d9c40a78c1ce",
	"created_at": "2026-04-06T00:18:26.649844Z",
	"updated_at": "2026-04-10T03:30:42.663075Z",
	"deleted_at": null,
	"sha1_hash": "6c434c66201cc3fd3085391ac3048395ba1142b6",
	"title": "Connecting Taidoor’s Dots: Earth Aughisky Over The Last 10 Years",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 718332,
	"plain_text": "Connecting Taidoor’s Dots: Earth Aughisky Over The Last 10 Years\r\nArchived: 2026-04-05 18:06:28 UTC\r\nDownload: The Rise of Earth Aughisky: Tracking the Campaigns Taidoor Started\r\nTrend Micro uses Earth Aughisky to refer to the APT group, while Taidoor is used to refer to one of the malware families deployed by the group for campaigns.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/connecting-taidoors-dots-earth-aughisky-over-the-last-10-years\r\nPage 1 of 11\r\n\r\nSince its first documented activity in 2011, advanced persistent threat (APT) group Earth Aughisky’s campaigns have continued to plague organizations’ operations and disrupt everyday activities. Trend Micro’s monitoring of the group over the last decade yielded significant patterns for attribution, connections, and even changes. This cyberespionage group expends effort on evading detection once inside targets’ systems by abusing legitimate accounts, software, applications, and other potential weaknesses in the network design and infrastructure. Tracking this APT group’s history and continuous activities has allowed researchers and cybersecurity practitioners to learn its movements, technical developments, and potential relationships with other cybercriminal and cyberespionage groups.\r\n\r\nTargeting background\r\nEarth Aughisky’s campaign deployments were observed to focus primarily on organizations in Taiwan, with the group consistently updating its arsenal to circumvent developments in security solutions. Over the last decade, our analyses have observed the malware families’ and tools’ increasing sophistication, until more recent changes in their routines indicated potential changes in the APT’s organization.\r\nWe observed that the cyberespionage group began expanding its targets to Japan towards the end of 2017, potentially suggestive of changes in the sponsor’s objectives and real-world organizational structures. This is also evident in the other changes security analysts have tracked in recent years, such as malware arsenal use and infrastructure.\r\n\r\nMalware connections\r\nIn the research paper “The Rise of Earth Aughisky: Tracking the Campaigns Taidoor Started,” researchers listed the analysis of all the malware families previously attributed to the group. These studies on the routines and tools documented from previous samples and incidents revealed similarities with a number of malware families and tools that have yet to be attributed to Earth Aughisky or that have been seen used by other cyberespionage groups.\r\nHere is a summary of the malware families and tools attributed to Earth Aughisky, how each is connected, and brief technical and historical descriptions of each.\r\nRelationship types shown in the infographic: IP/Domain/Passive DNS overlap; Host on same repository; Same function (logging/proxy); Payload and downloader; Special string (marker/class name); Same incident; Same loader/Dropper; Same campaign code/Password.\r\n\r\nKuangdao (also known as KD)\r\nYear tracked: 2007\r\nThis malware’s name was based on the .pdb string observed and matched in multiple backdoor configurations, and it shared similarities with a number of Earth Aughisky’s malware families.\r\nSpecas\r\nYear tracked: 2008\r\nSpecas was previously identified as Roudan or Taleret; behavior analysis showed that its functions differ from both malware families.\r\nGOORAT\r\nYear tracked: 2009\r\nA backdoor preceding Taleret and no longer in use, samples of GOORAT were configured to retrieve data from Google groups or blogs.\r\nTWTRAT\r\nYear first documented: 2010\r\nAn old backdoor used for a short period, TWTRAT abused direct messages on the social media platform Twitter for C\u0026C communication.\r\nASRWEC Downloader\r\nYear first documented: 2011\r\nA downloader capable of searching for payloads — either Roudan or SiyBot, or both — in blogs and other repositories.\r\nSiyBot\r\nYear first documented: 2011\r\nA backdoor not yet documented and rarely observed, seen in only a few attack incidents, it abused legitimate applications such as Gubb or 30 Boxes for C\u0026C communication.\r\nRoudan\r\nYear first documented: 2011\r\nThe malware first attributed to Earth Aughisky, using different callback traffic techniques.\r\nK4RAT\r\nYear first documented: 2012\r\nActive from 2012 to 2016, this backdoor contained basic functions for collecting system information from targets.\r\nComeon Downloader\r\nYear first documented: 2012\r\nA downloader used to deliver Roudan malware from private servers and repositories.\r\nIllitat Downloader\r\nYear first documented: 2012\r\nThis downloader collected system information, used the local environment to call back to the C\u0026C server, and downloaded Roudan malware.\r\nTaleret (also known as Dalgan)\r\nYear first documented: 2013\r\nMarked to run with different implementations — XXXXX and Artemis — this malware abused public blogs and other repositories to locate the command and control (C\u0026C) configurations.\r\nGrubbyRAT\r\nYear first documented: 2014\r\nThis rarely deployed backdoor was observed in attacks seemingly categorized based on indicators on the targets such as value, criticality, sensitivity, economic stature, and/or industry, among others.\r\nBuxzop/DropNetClient\r\nYear first documented: 2015\r\nWhile DropNetClient has been previously documented, Buxzop is its updated version. This malware uploaded and stole victim information by abusing a DropBox API for C\u0026C communication.\r\nTaikite (also known as SVCMONDR)\r\nYear first documented: 2015\r\nTaikite was first identified with a routine reportedly abusing CVE-2015-2545, but no other reports attribute this malware to Earth Aughisky.\r\nSerkdes (also known as Yalink)\r\nYear first documented: 2018\r\nThis malware was documented to have several conflicting versions and samples, strongly indicating that it was used by more than one APT group. This backdoor was also identified in attacks on Japanese organizations.\r\nLuckDLL\r\nYear first documented: 2021\r\nLuckDLL is a relatively new backdoor, and some samples have been observed containing one of two program database strings in .pdb.\r\n\r\nUpdates and changes\r\nThe longevity of Earth Aughisky in the cyberespionage world allows cybersecurity researchers and analysts to follow patterns, and even notice subtle changes when they occur. For instance, the recent changes in activity frequency, overlaps in malware and tools attributed to other groups, and even the simplification of the code of known and established malware have attracted attention. This subtle series of deviations has prompted researchers to match real-world changes of known sponsors, take a closer look at other groups, and reference potential changes in motivations and structures.\r\n\r\nConclusion and insights\r\nOver the years, the consistent monitoring of APT group Earth Aughisky has enabled cybersecurity researchers to gain insights into the inner workings of other similar cyberespionage groups. The amount of data gathered using various analysis techniques shows an overview of motivations, the maturity of their technical skills, and even the plausible real-world connections of incidents. Groups like Earth Aughisky have sufficient resources at their disposal to allow them the flexibility to match their arsenal to long-term implementations of cyberespionage, and organizations should consider the observed downtime in this group’s attacks as a period for preparation and vigilance for when it becomes active again.\r\nRead our full analysis and recommendations on APT group Earth Aughisky in our research “The Rise of Earth Aughisky: Tracking the Campaigns Taidoor Started.” The full list of indicators of compromise (IOCs) can be downloaded from the original article.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/connecting-taidoors-dots-earth-aughisky-over-the-last-10-years"
	],
	"report_names": [
		"connecting-taidoors-dots-earth-aughisky-over-the-last-10-years"
	],
	"threat_actors": [
		{
			"id": "71b19e59-b5f7-4bc6-816d-194be0f02af0",
			"created_at": "2022-10-25T16:07:24.301036Z",
			"updated_at": "2026-04-10T02:00:04.928222Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Budminer",
				"Earth Aughisky",
				"G0015"
			],
			"source_name": "ETDA:Taidoor",
			"tools": [
				"Dripion",
				"Masson",
				"Taidoor",
				"simbot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2608db3e-7f7a-42c0-922b-4c9cb22c7ce9",
			"created_at": "2023-01-06T13:46:38.278691Z",
			"updated_at": "2026-04-10T02:00:02.90849Z",
			"deleted_at": null,
			"main_name": "APT16",
			"aliases": [
				"SVCMONDR",
				"G0023"
			],
			"source_name": "MISPGALAXY:APT16",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50bd4a6c-7542-4bdd-8b37-ab468fc428ef",
			"created_at": "2023-01-06T13:46:38.998658Z",
			"updated_at": "2026-04-10T02:00:03.176186Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"G0015",
				"Earth Aughisky"
			],
			"source_name": "MISPGALAXY:Taidoor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "478e9b27-39b9-49e4-a3c5-81569a767275",
			"created_at": "2022-10-25T15:50:23.417339Z",
			"updated_at": "2026-04-10T02:00:05.41593Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Taidoor"
			],
			"source_name": "MITRE:Taidoor",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6301aade-ca8b-431c-b5e4-1b6ddd497ffc",
			"created_at": "2022-10-25T16:07:23.328033Z",
			"updated_at": "2026-04-10T02:00:04.544144Z",
			"deleted_at": null,
			"main_name": "APT 16",
			"aliases": [
				"APT 16",
				"G0023",
				"SVCMONDR"
			],
			"source_name": "ETDA:APT 16",
			"tools": [
				"ELMER",
				"Elmost",
				"IRONHALO",
				"SVCMONDR"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434706,
	"ts_updated_at": 1775791842,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c434c66201cc3fd3085391ac3048395ba1142b6.pdf",
		"text": "https://archive.orkl.eu/6c434c66201cc3fd3085391ac3048395ba1142b6.txt",
		"img": "https://archive.orkl.eu/6c434c66201cc3fd3085391ac3048395ba1142b6.jpg"
	}
}