{
	"id": "81ab3a17-6e98-41d4-92e8-799560d8a0d6",
	"created_at": "2026-04-06T00:14:17.977184Z",
	"updated_at": "2026-04-10T03:36:48.115248Z",
	"deleted_at": null,
	"sha1_hash": "73cb5e24f764de563ef1349ecd4db2ffaed1546d",
	"title": "Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1237939,
	"plain_text": "Earth Lusca Uses KTLVdoor Backdoor for Multiplatform\r\nIntrusion\r\nBy By: Cedric Pernet, Jaromir Horejsi Sep 04, 2024 Read time: 6 min (1736 words)\r\nPublished: 2024-09-04 · Archived: 2026-04-05 16:07:23 UTC\r\nMalware\r\nWhile monitoring Earth Lusca, we discovered the threat group’s use of KTLVdoor, a highly obfuscated\r\nmultiplatform backdoor, as part of a large-scale attack campaign.\r\nSummary\r\nDuring our monitoring of the Chinese-speaking threat actor Earth Lusca, we discovered a new\r\nmultiplatform backdoor written in Golang, named KTLVdoor, which has both Microsoft Windows and\r\nLinux versions.\r\nKTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing\r\nattackers to carry out a variety of tasks including file manipulation, command execution, and remote port\r\nscanning.\r\nThe malware's configuration and communication involve sophisticated encryption and obfuscation\r\ntechniques to hinder malware analysis.\r\nThe scale of the attack campaign is significant, with over 50 C\u0026C servers found hosted at a China-based\r\ncompany; it remains unclear whether the entire infrastructure is exclusive to Earth Lusca or shared with\r\nother threat actors.\r\nWe discovered a new multiplatform backdoor written in Golang that we named KTLVdoor while monitoring Earth\r\nLusca, a Chinese-speaking threat actor we had previously covered. Our investigation also uncovered both\r\nMicrosoft Windows and Linux versions of this new malware family.\r\nThis previously unreported malware is more complex than the usual tools used by the threat actor. It is highly\r\nobfuscated and is being spread in the wild impersonating various system utilities names or similar tools, such as\r\nsshd, java, sqlite, bash, edr-agent, and more. The backdoor (agent) is usually distributed as a dynamic library\r\n(DLL, SO).  
The malware's features give the attackers full control of the environment: running commands, manipulating files, collecting system and network information, using proxies, downloading and uploading files, scanning remote ports, and more.\r\nThe scale of the attack campaign is surprising, as we were able to find more than 50 C\u0026C servers, all hosted at Alibaba in China, communicating with variants of the malware family. While some of those malware samples are tied to Earth Lusca with high confidence, we cannot be sure that the whole infrastructure is used solely by this threat actor. The infrastructure might be shared with other Chinese-speaking threat actors.\r\nhttps://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html\r\nPage 1 of 10\n\nWe could only find one target of the operation for the moment, a trading company based in China. It is not the first time a Chinese-speaking threat actor has targeted a Chinese company; groups like Iron Tiger and Void Arachne have likewise used tools aimed specifically at Chinese-language speakers.\r\nKTLVdoor malware analysis\r\nHighly obfuscated\r\nMost of the samples discovered in this campaign are obfuscated: embedded strings are not directly readable, symbols are stripped, and most of the functions and packages were renamed to random Base64-like strings, in an obvious effort by the developers to slow down malware analysis (Figure 1).\r\nFigure 1. Obfuscated function names as shown in decompiler\r\nConfiguration\r\nThe first step is the initialization of the agent’s configuration parameters. The initialization values are XOR-encrypted and Base64-encoded in the agent’s binary (Figure 2).\r\nFigure 2. Example of the decrypted configuration\r\nThe configuration’s file format is a custom TLV-like (length-type-length-value) format. 
The “KTLV” marker is usually preceded by the four-byte length of the structure and serves as a marker of the beginning of the structure. Then a list of parameters and their values follows. In Figure 3, you can see a “proto” parameter, which is five bytes long: 05, followed by the string proto, followed by type 02 (= string), followed by length 04 (= 4 bytes), followed by the string http, which is the value of the protocol parameter.\r\nFigure 3. Parameter proto, type string (02), value http, as stored in configuration file\r\nFigure 4. Parameter sleep, type long long (08), value 0x7530 = 30 000 milliseconds = 30 seconds, as stored in configuration file\r\nThe supported type formats are shown in Table 1:\r\nValue Type\r\n01 structure/iteration (followed by KTLV marker)\r\n02 string\r\n03 boolean (1 byte)\r\n08 long long (8 bytes)\r\n09 integer (4 bytes)\r\n0B byte (1 byte)\r\nTable 1. Supported value type formats\r\nThe configuration file may contain the following parameters, as shown in Table 2:\r\nParameter name Type Description/comment\r\nlisten string active mode (default) / passive mode\r\nconnect string Encrypted C\u0026C servers\r\nduplex boolean Simplex or duplex delivery\r\nconn_timeout long long\r\nmax_read_limit long long\r\nconn_max_retry long long\r\nproxy string\r\nproto string http, tcp, dns, icmp\r\ndomain string\r\nhost string\r\nsecret string To decrypt value(s) of “connect”\r\ntls boolean Enabled or disabled\r\nstls boolean Enabled or disabled\r\nsleep long long\r\njitter long long Sleep time variation\r\nsilent boolean\r\nlong_connection_boundary long long\r\nshort_connection_wait_time long long\r\nclient_id string Hardcoded GUID of target\r\nexternal_channel_enabled boolean Should get external IP or not\r\nexternal_type string\r\nauth_param struct Contains “http_header” and “uri”\r\nhttp_header string\r\nuri string 
Request’s URL path\r\ndebug boolean Enabled or disabled\r\nTable 2. Supported configuration parameters\r\nThe configuration is processed, and the internal configuration structure (Config) is updated. Part of the Config structure is the HostInfo structure, which also contains additional parameters about the currently infected machine (Table 3). These structures are updated based on the current machine environment.\r\nParameter name Type Description/comment\r\nSession string Randomly generated GUID during each run\r\nRealIP string Obtained from ipconfig / ifconfig\r\nUsername string\r\nHostname string\r\nProcessName string\r\nExecutable string\r\nPID uint32 Process ID\r\nParentProcessName string\r\nPPID uint32 Parent process ID\r\nArch string 32 or 64 bit\r\nOS string OS name\r\nPlatform string OS name + version\r\nDisks string List of available disks\r\nDiskDetails string List of available disks + their sizes\r\nUptime string\r\nFeature string MachineGuid from HKLM\\SOFTWARE\\Microsoft\\Cryptography\r\nProtocol string Value from the config\r\nProxy string Value from the config\r\nDomain string Value from the config\r\nHost string Value from the config\r\nTLSEnable boolean Value from the config\r\nSTLSEnable boolean Value from the config\r\nExternalIP string External IP address obtained via http://myip.ipip.net; only if external_channel_enabled is set\r\nSleepTime uint64 Value from the config\r\nJitter uint64 Value from the config\r\nReConnectTime uint64 Value from the config\r\nEnv string Environment variables\r\nClientID string Value from the config\r\nIsAdmin boolean True or false\r\nMode string Active or passive\r\nTable 3. HostInfo parameters\r\nConnection settings\r\nThe C\u0026C server(s) are stored in the “connect” value. 
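The KTLV configuration format described above (Figures 3 and 4, Tables 1 and 2), as a parser written for this page in Go, the language the backdoor itself is written in. This is an added example, not code from the report or from the malware. It walks one KTLV block, checks every length before indexing, and resolves each typed value, recursing into type-01 nested structures such as auth_param. The layout details the page does not state are assumptions here: the 4-byte length counts the marker plus the parameters, integers are little-endian, every type carries a 1-byte value length, and a type-01 value is a complete nested block. The sample configuration is constructed for the example, not taken from a real sample.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Type codes from Table 1 of the report; fixedWidth records the byte sizes it gives.
const (
	typeStruct, typeString, typeBool byte = 0x01, 0x02, 0x03
	typeInt64, typeInt32, typeByte   byte = 0x08, 0x09, 0x0B
)

var ktlvMagic = []byte("KTLV")
var fixedWidth = map[byte]int{typeBool: 1, typeByte: 1, typeInt32: 4, typeInt64: 8}

// ParseKTLV decodes [uint32 len]["KTLV"][param...], each param laid out as
// [nameLen:1][name][type:1][valLen:1][value], matching the report's
// "05 proto 02 04 http" example. Assumed, because the page does not say: the
// 4-byte length covers marker plus parameters, integers are little-endian,
// every type carries the 1-byte value length, and type 01 holds a nested block.
func ParseKTLV(buf []byte) (map[string]interface{}, error) {
	if len(buf) < 8 || !bytes.Equal(buf[4:8], ktlvMagic) {
		return nil, errors.New("missing KTLV marker")
	}
	end := 4 + int(binary.LittleEndian.Uint32(buf))
	if end < 8 || end > len(buf) {
		return nil, fmt.Errorf("structure length %d does not fit buffer", end-4)
	}
	body, params := buf[8:end], map[string]interface{}{}
	for len(body) > 0 {
		n := int(body[0])
		// Short-circuit keeps body[2+n] in range before it is read.
		if len(body) < 3+n || len(body) < 3+n+int(body[2+n]) {
			return nil, errors.New("truncated parameter")
		}
		name, typ, vl := string(body[1:1+n]), body[1+n], int(body[2+n])
		if w := fixedWidth[typ]; w != 0 && w != vl {
			return nil, fmt.Errorf("%q: type 0x%02x needs %d bytes, got %d", name, typ, w, vl)
		}
		val := body[3+n : 3+n+vl]
		switch typ {
		case typeString: params[name] = string(val)
		case typeBool: params[name] = val[0] != 0
		case typeByte: params[name] = val[0]
		case typeInt32: params[name] = binary.LittleEndian.Uint32(val)
		case typeInt64: params[name] = binary.LittleEndian.Uint64(val)
		case typeStruct:
			sub, err := ParseKTLV(val)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", name, err)
			}
			params[name] = sub
		default:
			return nil, fmt.Errorf("%q: unknown type 0x%02x", name, typ)
		}
		body = body[3+n+vl:]
	}
	return params, nil
}

// param and encodeKTLV build the constructed sample under the same layout;
// the report does not describe the attackers' own config builder.
func param(name string, typ byte, val []byte) []byte {
	p := append([]byte{byte(len(name))}, name...)
	return append(append(p, typ, byte(len(val))), val...)
}

func encodeKTLV(params ...[]byte) []byte {
	body := bytes.Join(append([][]byte{ktlvMagic}, params...), nil)
	out := make([]byte, 4, 4+len(body))
	binary.LittleEndian.PutUint32(out, uint32(len(body)))
	return append(out, body...)
}

// SampleConfig is a constructed configuration, not a real KTLVdoor sample;
// the values mirror Figures 3 and 4 plus one boolean and one nested struct.
func SampleConfig() []byte {
	return encodeKTLV(
		param("proto", typeString, []byte("http")),
		param("sleep", typeInt64, []byte{0x30, 0x75, 0, 0, 0, 0, 0, 0}), // 0x7530 = 30 000 ms
		param("tls", typeBool, []byte{1}),
		param("auth_param", typeStruct, encodeKTLV(param("uri", typeString, []byte("/api/v1")))),
	)
}

func main() {
	cfg, err := ParseKTLV(SampleConfig())
	if err != nil {
		panic(err)
	}
	for k, v := range cfg {
		fmt.Printf("%-11s %v\n", k, v)
	}
}
```

The length checks are the part worth copying into a real config extractor: a hand-rolled TLV reader that trusts the embedded lengths will panic or over-read on a truncated or deliberately malformed blob, and configuration blobs pulled from memory dumps are frequently truncated.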
The “connect” value is AES-GCM-encrypted and Base64-encoded. The AES-GCM method uses a standard prepended 12-byte nonce and an appended 16-byte tag. The AES-GCM key is derived from the “secret” value by computing its MD5 hash and padding the key (extending the key size) to 32 bytes by appending 16 zero bytes (0x00) to it. Because the padding is constant, only the first 16 bytes of the 32-byte key depend on the secret.\r\nKTLVdoor malware communication\r\nAfter the initialization steps are completed, the agent starts a communication loop with the C\u0026C server. The communication is done by sending and receiving messages, which are GZIP-compressed and AES-GCM-encrypted. Based on the configuration settings, the message delivery can be either in simplex mode (one device on the channel can only send, the other device on the channel can only receive) or in duplex mode (both devices can simultaneously send and receive messages).\r\nEach message contains a message header followed by the message data (msg).\r\nField name Field type Field value\r\nsender String Session ID or admin\r\nreceiver String Session ID or admin\r\ntoken String\r\nroute String\r\ntask_id uint64\r\ntask_status uint8\r\ntask_type uint64\r\nsub_task_type uint64\r\nTable 4. Message header fields\r\nFigure 5. Message with OS info sent to the C\u0026C server\r\nNotice that the sender of this outgoing message (from the infected machine to the C\u0026C server) has the session ID of the currently infected machine. The receiver is “admin”, which is the C\u0026C server. In the case of an incoming message (from the C\u0026C server to the infected machine), the “sender” is “admin” and the “receiver” is the session ID. 
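The “connect” decryption and the GZIP-then-AES-GCM message framing described above, as an added Go example that is not part of the report: KeyFromSecret reproduces the MD5-plus-zero-padding key derivation, DecryptConnect decodes a Base64 value laid out as 12-byte nonce, ciphertext, 16-byte tag, and OpenMessage reverses the message pipeline. The secret, the C\u0026C address and the message body are constructed for the example. Two things are assumptions rather than statements from the page: that messages use the same secret-derived key as the connect value, and that they use the same nonce || ciphertext || tag layout.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// KeyFromSecret derives the AES-GCM key as the report describes: MD5 of the
// "secret" value, padded to 32 bytes with 16 zero bytes. Only 128 bits of the
// resulting AES-256 key depend on the secret.
func KeyFromSecret(secret string) []byte {
	sum := md5.Sum([]byte(secret))
	return append(sum[:], make([]byte, 16)...)
}

func gcmFor(secret string) cipher.AEAD {
	block, _ := aes.NewCipher(KeyFromSecret(secret)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)                   // 12-byte nonce, 16-byte tag
	return gcm
}

// openBlob splits nonce || ciphertext || tag and authenticates before returning.
func openBlob(secret string, blob []byte) ([]byte, error) {
	gcm := gcmFor(secret)
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short for nonce and tag")
	}
	plain, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return nil, fmt.Errorf("wrong secret or tampered data: %w", err)
	}
	return plain, nil
}

// sealBlob is the inverse with a fresh random nonce; used here only to build
// the constructed samples, since no real config or capture is on the page.
func sealBlob(secret string, plain []byte) ([]byte, error) {
	gcm := gcmFor(secret)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// DecryptConnect recovers the C&C address(es) from the Base64 "connect" value.
func DecryptConnect(secret, encoded string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	plain, err := openBlob(secret, blob)
	return string(plain), err
}

// OpenMessage reverses the message pipeline: AES-GCM, then GZIP. The page does
// not say which key protects messages; reusing the secret-derived key is an
// assumption of this example, as is the nonce || ciphertext || tag layout.
func OpenMessage(secret string, blob []byte) ([]byte, error) {
	compressed, err := openBlob(secret, blob)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(io.LimitReader(zr, 1<<20)) // bound the decompressed size
}

// SealMessage is the agent-side direction under the same assumptions: GZIP, then AES-GCM.
func SealMessage(secret string, msg []byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(msg); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return sealBlob(secret, buf.Bytes())
}

func main() {
	// Constructed values for illustration; not taken from a real sample.
	const secret = "example-secret"
	blob, _ := sealBlob(secret, []byte("http://192.0.2.10:8080"))
	fmt.Println(DecryptConnect(secret, base64.StdEncoding.EncodeToString(blob)))
	msg, _ := SealMessage(secret, []byte("HostInfo body (KTLV-encoded in the real agent)"))
	body, err := OpenMessage(secret, msg)
	fmt.Printf("%q %v\n", body, err)
	_, err = OpenMessage("wrong-secret", msg)
	fmt.Println("wrong secret:", err)
}
```

Two details matter for anyone writing a decoder or a detection around this. First, GCM authenticates before it returns plaintext, so a wrong secret or a corrupted value fails cleanly rather than yielding garbage; a decoder should treat an Open error as "wrong key", not retry with padding variants. Second, because the key is MD5 of the secret with a fixed zero pad, the effective key space is the secret's, and the secret sits in the same configuration blob as the connect value, so recovering one config yields the C\u0026C list without any brute force.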
When the HostInfo message is sent to the C\u0026C server, notice the parameter name “msg” (containing the message content) followed by the “KTLV” marker (Figure 5); the structure that follows contains all the fields of the HostInfo structure (Table 3).\r\nReceiving task\r\nThe agent implements several handlers for processing tasks received from the C\u0026C server (Table 5).\r\nHandler | Subtasks | Parameters | Description\r\nBreakchain | - | shell, flag, cmd, abs_path | Start terminal; run command; wait three seconds; kill terminal (SIGKILL)\r\nExit | - | - | Exit process\r\nFileDownload | - | file_path, section_size | Read file; upload it to C\u0026C\r\nFileMD5 | - | file_path | Read file; compute MD5 hash\r\nFileManager | 01 list all files; 02 create dir; 03 create file; 04 delete file; 05 copy file; 06 rename; 07 write file; 08 read file; 09 change access permissions | dirName, or file_path, or dst_path and src_path, or file_path and file_content, or mode | File and directory operations\r\nFileUpload | - | file_path, file_contents, position | Write data from server to file on victim machine\r\nGC | - | - | Run garbage collection\r\nInteractiveShell | - | send and data, or start, or stop, or recv | -\r\nNetStat | 01 list connections | - | -\r\nPortScan | - | gateway, ips, ports | -\r\nProcess | 01 list; 02 kill | pid | -\r\nRefreshHostInfo | - | - | -\r\nRun | - | cmd | Run command\r\nSleep | - | sleep_time, jitter | -\r\nTimeStomp | - | src_path, dst_path, time | -\r\nTaskCache | 01 list of tasks; 02 delete task; 03 clear task cache | task_id | -\r\nSoInject | 04 inject to library | plugin_task_type, tmp_payload_cache, params | Run shellcode, Linux platform\r\nReflectDllInject | - | - | Run shellcode, Windows platform\r\nSocks | 01 start handler; 02 get task; 04 data via TCP; 05 close TCP; 06 data via UDP; 08 connect to address via UDP | seq, addr, username, password, or task_id, or seq and data | Socks proxy\r\nTable 5. Handlers for processing tasks from C\u0026C server\r\nPortScan implements many scanning methods, including:\r\nScanTCP\r\nScanRDP\r\nScanWinRM\r\nScanSmb2\r\nRdpWithNTLM\r\nDialTLS\r\nDialTCP\r\nScanPing\r\nScanMssql\r\nScanBanner\r\nScanWeb\r\nConclusion\r\nWe have been able to tie samples of KTLVdoor to the threat actor Earth Lusca with high confidence. However, we were not able to tie several other samples of this malware family to this threat actor. In addition, the size of the infrastructure we have been able to discover is very unusual. Seeing that all C\u0026C servers were on IP addresses from the China-based provider Alibaba, we wonder whether the appearance of this new malware and its C\u0026C servers might be an early stage of testing new tooling.\r\nThis new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors. 
While a lot of details on this campaign are not yet known, we will keep monitoring this activity and possibly give updates about it at a later time.\r\nTrend solutions\r\nOrganizations looking to defend themselves from sophisticated attacks can consider powerful security technologies such as Trend Vision One™, which allows security teams to continuously identify attack surfaces, including both known and unknown, plus managed and unmanaged cyber assets. Vision One™ offers multilayered protection and behavior detection, helping block malicious tools and services before they can inflict damage on user machines and systems.\r\nIndicators of Compromise (IOCs)\r\nThe full list of IOCs can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html"
	],
	"report_names": [
		"earth-lusca-ktlvdoor.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434457,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73cb5e24f764de563ef1349ecd4db2ffaed1546d.pdf",
		"text": "https://archive.orkl.eu/73cb5e24f764de563ef1349ecd4db2ffaed1546d.txt",
		"img": "https://archive.orkl.eu/73cb5e24f764de563ef1349ecd4db2ffaed1546d.jpg"
	}
}