{
	"id": "87e22e70-fd13-465e-aaf3-ba2090ca9610",
	"created_at": "2026-04-06T00:19:02.196039Z",
	"updated_at": "2026-04-10T03:37:01.089353Z",
	"deleted_at": null,
	"sha1_hash": "8b39444ef3586d5aa8ebb7e0681fe3f02e6ebfc1",
	"title": "Rewterz Threat Alert – China-Linked Earth Krahang APT Breached 70 Organizations in 23 Nations – Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 192989,
	"plain_text": "Rewterz Threat Alert – China-Linked Earth Krahang APT\r\nBreached 70 Organizations in 23 Nations – Active IOCs - Rewterz\r\nPublished: 2024-03-19 · Archived: 2026-04-05 17:50:38 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nAn advanced cyber campaign targeting at least 116 organizations in 45 countries has compromised 70, and it is\r\nbelieved to be the work of the Chinese advanced persistent threat (APT) group known as “Earth Krahang.” The\r\ncampaign has been ongoing since at least 2022 and it mainly targets government organizations.\r\nIn particular, 48 federal agencies—ten of which are ministries of foreign affairs—have been infiltrated by the\r\nthreat actors, who have also targeted 49 other government institutions. The attackers utilize spear-phishing emails\r\nand weak internet-facing servers to install custom backdoors and conduct cyber espionage. Earth Krahang creates\r\nVPN servers on infected systems, employs brute force to break passwords for important email accounts, and\r\nexploits its presence on exploited government infrastructure to attack other governments.\r\nCybersecurity analysts said, “One of the infection vectors used involves the scanning of public-facing\r\nservers. Earth Krahang heavily employs open-source scanning tools that perform recursive searches of\r\nfolders such as .git or .idea.”\r\nThe threat actors use open-source tools to search public-facing servers for specific vulnerabilities like CVE-2022-21587 (Control Web Panel) and CVE-2023-32315 (Openfire). They use web shells to get unauthorized access and\r\npersist on victim networks by taking advantage of these security flaws. Alternatively, they employ spear-phishing\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-china-linked-earth-krahang-apt-breached-70-organizations-in-23-nations-active-iocs\r\nPage 1 of 4\n\nfor initial access, luring the recipients into opening the attachments or clicking on the links with communications\r\ncentered on geopolitical themes.\r\nAfter gaining access to the network, Earth Krahang hosts malicious payloads, engages in proxy attacks, and sends\r\nspear-phishing emails to its associates or other governments using compromised government email accounts.\r\nNotably, Earth Krahang fetches hundreds of email addresses from their targets in the reconnaissance phase. In one\r\ninstance, the actor sent a malicious attachment to 796 email addresses associated with the same government\r\nagency via a compromised mailbox.\r\nTo propagate the infection and achieve redundancy in the event of detection and cleanup, these emails contain\r\nmalicious attachments that open backdoors on the machines of the victims. According to the researchers, the\r\nattackers employ hacked Outlook accounts to try and guess Exchange credentials, and they have also discovered\r\nPython scripts designed to extract emails from Zimbra servers.\r\nThe APT group also uses SoftEtherVPN to create VPN servers on infected public-facing servers to gain access to\r\ntheir victims’ private networks and increase their capacity to move laterally within such networks. After being\r\nestablished on the network, Earth Krahang uses tools and malware that can execute commands and gather data,\r\nlike Cobalt Strike, RESHELL, and XDealer. The more advanced and intricate of the two backdoors, XDealer, can\r\nintercept clipboard data, record keystrokes, grab screenshots, and work with both Windows and Linux.\r\nBased on command and control (C2) overlaps, the security researchers claim to have first discovered connections\r\nbetween Earth Krahang and another China-linked actor, Earth Lusca, although they have now concluded that this is a\r\ndistinct cluster. These threat groups probably function as a specialized task force for cyber espionage against\r\ngovernment institutions, working under the Chinese corporation I-Soon.\r\nFurthermore, XDealer and RESHELL were formerly connected to the ‘Luoyu’ threat actors and the ‘Gallium’\r\norganization respectively. The analysis, however, indicates that these instruments are probably distributed among\r\nthe threat actors, each of whom uses a different encryption key.\r\nImpact\r\nCyber Espionage\r\nUnauthorized Access\r\nSensitive Data Theft\r\nIndicators of Compromise\r\nMD5\r\nac805ddb262214cc50b1e7ae45551e3e\r\nd524867c321910ab6ea584019e74c99b\r\naac4141dba6328f3529b38a28f8dbb92\r\n87fb1af534b0913bb23fe923afd34064\r\n8d403b49e57dbec1de505bb244b6dbe6\r\nc667cae395fd34323e7acecbed584db8\r\n5b7ce4a1328f3e9fff4f678999a9dbe8\r\nbd824d170b9422375b3c9931f746f1f2\r\n6c52c837ba6ebe6615d18bfb15f26dce\r\n8138f1af1dc51cde924aa2360f12d650\r\n6c23ce5827c541f6a713ea991fc35a17\r\nSHA-256\r\n10b2a7c9329b232e4eef81bac6ba26323e3683ac1f8a99d3a9f8965da5036b6f\r\n18f4f14857e9b7e3aa1f6f21f21396abd5f421342b7f4d00402a4aff5a538fa1\r\n1e278cfe8098f3badedd5e497f36753d46d96d81edd1c5bee4fc7bc6380c26b3\r\n2e3645c8441f2be4182869db5ae320da00c513e0cb643142c70a833f529f28aa\r\n8218c23361e9f1b25ee1a93796ef471ca8ca5ac672b7db69ad05f42eb90b0b8d\r\n2e850cb2a1d06d2665601cefd88802ff99905de8bc4ea348ea051d4886e780ee\r\n521b3add2ab6cee5a5cfd53b78e08ef2214946393d2a156c674606528b05763a\r\n01b09cb97a58ea0f9bf2b98b38b83f0cfc9f97f39f7bfd73a990c9b00bcdb66c\r\nacfcf97ee4ff5cc7f5ecdc6f92ea132e29c48400ab6244de64f9b9de4368deb2\r\n15412d1a6b7f79fad45bcd32cf82f9d651d9ccca082f98a0cca3ad5335284e45\r\n1d3d460b22f70cc26252673e12dfd85da988f69046d6b94602576270df590b2c\r\nSHA-1\r\n9da6d0356582c17d9abeceb81bc4474eaba01e5c\r\nbfe73dfed7863ff9dbf26390bec2b004f7f1bb4f\r\ne5bde7ae2fde36edcab5885cb5fbc52a905e06ea\r\n8d4770c418ae0e99fb4d5e3c70d3cbe15e45602c\r\nc905ebe27704ef84d78d193dd36b59cf1c682ec7\r\n44cf84693216f7a4b44c89bdbffa10e72fbfffdd\r\n8a2382101c784c683d3e649861b991e2f307ed44\r\n5eb6c7b72120fbdacc41c4abcf676af7b58daf69\r\nced4d0919179210c0fdbd5db440de17c65a7a4e1\r\n74b1da190d670fa4c207afb0fbca4d7df701538a\r\nc747544c6a42afd337351c096a0baa97e1343c85\r\nDomain Name\r\ngtldgtld.store\r\ntfirstdaily.store\r\nRemediation\r\nBlock all threat indicators at your respective controls.\r\nSearch for indicators of compromise (IOCs) in your environment utilizing your respective security controls.\r\nNever trust or open links and attachments received from unknown sources/senders.\r\nIdentify and isolate compromised systems or hosts that are confirmed to be affected by the malware.\r\nDisconnect them from the network to prevent further communication with command-and-control servers.\r\nRegularly update and patch software and systems to mitigate vulnerabilities.\r\nConduct regular security audits and penetration testing to identify and address weaknesses.\r\nReview and reset user account passwords, especially those with elevated privileges, to prevent\r\nunauthorized access. Disable or remove any compromised accounts.\r\nEnsure secure storage of backups and sensitive information with access restricted to authorized personnel\r\nonly.\r\nImplement strict access controls and the principle of least privilege (PoLP) to restrict user and system\r\naccess rights. This reduces the attack surface.\r\nContinuously monitor command-and-control (C2) traffic patterns and communications to identify\r\nanomalies and block malicious C2 activity.\r\nTrain employees and staff on cybersecurity best practices and how to recognize phishing attempts and\r\nsocial engineering tactics.\r\nDevelop a robust incident response plan that outlines steps to take in the event of a breach. This should\r\ninclude procedures for containment, investigation, and notification of affected parties.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-china-linked-earth-krahang-apt-breached-70-organizations-in-23-nations-active-iocs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-china-linked-earth-krahang-apt-breached-70-organizations-in-23-nations-active-iocs"
	],
	"report_names": [
		"rewterz-threat-alert-china-linked-earth-krahang-apt-breached-70-organizations-in-23-nations-active-iocs"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5451198-ac6b-40af-b8ef-1afb549c2dc8",
			"created_at": "2024-03-21T02:00:04.728286Z",
			"updated_at": "2026-04-10T02:00:03.60345Z",
			"deleted_at": null,
			"main_name": "Earth Krahang",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Krahang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f86ac24d-0aef-425c-8087-c0dd270060b9",
			"created_at": "2024-04-24T02:02:07.638437Z",
			"updated_at": "2026-04-10T02:00:04.663683Z",
			"deleted_at": null,
			"main_name": "Earth Krahang",
			"aliases": [],
			"source_name": "ETDA:Earth Krahang",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"DinodasRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG.SHADOW",
				"PlugX",
				"RedDelta",
				"Reshell",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XDealer",
				"XShellGhost",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b72c2616-cc7c-4c47-a83d-6b7866b94746",
			"created_at": "2023-01-06T13:46:39.425297Z",
			"updated_at": "2026-04-10T02:00:03.323082Z",
			"deleted_at": null,
			"main_name": "Red Nue",
			"aliases": [
				"LuoYu"
			],
			"source_name": "MISPGALAXY:Red Nue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434742,
	"ts_updated_at": 1775792221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b39444ef3586d5aa8ebb7e0681fe3f02e6ebfc1.pdf",
		"text": "https://archive.orkl.eu/8b39444ef3586d5aa8ebb7e0681fe3f02e6ebfc1.txt",
		"img": "https://archive.orkl.eu/8b39444ef3586d5aa8ebb7e0681fe3f02e6ebfc1.jpg"
	}
}