{
	"id": "54b07c2c-4426-4184-bf68-e2428cede7b4",
	"created_at": "2026-04-06T00:22:11.897693Z",
	"updated_at": "2026-04-10T03:32:21.323729Z",
	"deleted_at": null,
	"sha1_hash": "a7fdecc7d32357ab7b2b5f345a5c7b34c8252b68",
	"title": "Earth Baku Returns: Uncovering the Upgraded Toolset Behind the APT Group’s New Cyberespionage Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1281642,
	"plain_text": "Earth Baku Returns: Uncovering the Upgraded Toolset Behind the APT Group’s New Cyberespionage Campaign\r\nArchived: 2026-04-05 14:29:02 UTC\r\nDownload Earth Baku: An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor\r\nLast year, we began studying new malware tools that surfaced as part of a cyberespionage campaign, which Earth Baku — a notorious advanced persistent threat (APT) group, better known as APT41 — had carried out against organizations in the Indo-Pacific region. While we have yet to determine the exact motives behind Earth Baku’s operations, we share our key findings from our analysis with a view to encouraging further research into this active campaign.\r\nVictim profile\r\nFor this campaign, Earth Baku has leveled its attacks against entities in the airline, computer hardware, automotive, infrastructure, publishing, media, and IT industries. According to our detections, these organizations are located in the Indo-Pacific region. So far, we have registered hits in India, Indonesia, Malaysia, the Philippines, Taiwan, and Vietnam.\r\nFigure 1. Countries affected by Earth Baku’s campaign, all in the Indo-Pacific region\r\nSource: Trend Micro™ Smart Protection Network™ infrastructure\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns\r\nPage 1 of 6\n\nNew tools\r\nOur analysis indicates that Earth Baku employs previously unidentified pieces of malware in this campaign: two shellcode loaders, which we have named StealthVector and StealthMutant, and a backdoor, which we have dubbed ScrambleCross.\r\nThe loaders: StealthVector and StealthMutant\r\nStealthVector, a shellcode loader written in C/C++, has various configurable features that malicious actors can easily implement without changing its source code. 
It can be configured to uninstall itself, run its payload in a specific location, avoid detection by disabling Event Tracing for Windows (ETW), and perform username checking for context awareness. StealthVector’s configuration is difficult to decrypt because the loader is encrypted with the ChaCha20 routine and a fixed custom initial counter.\r\nFigure 2. The locations of StealthVector’s encrypted configuration and ChaCha20 key information\r\nStealthMutant, a C# implementation of StealthVector, executes its payload by performing process hollowing, a technique widely used by both malicious actors and red teams. Like StealthVector, StealthMutant can disable ETW and go undetected by Windows’ built-in logging system. Most of the StealthMutant samples we have observed use AES-256-ECB to decrypt their payloads, but we have also found older versions of this loader that use XOR instead.\r\nFigure 3. A StealthMutant sample that uses AES-256-ECB for decryption\r\nFigure 4. A sample of an older StealthMutant version that uses XOR for decryption\r\nThe payloads: ScrambleCross and Cobalt Strike beacon\r\nA shellcode-based backdoor, ScrambleCross is one of the two kinds of payloads found in StealthMutant and StealthVector samples, the other being the Cobalt Strike beacon. ScrambleCross fields backdoor commands to and from its command-and-control (C\u0026C) server, enabling it to receive and then manipulate plug-ins. 
Because we have yet to retrieve any plug-ins from its C\u0026C server, we have not ascertained the full extent of ScrambleCross’ plug-in manipulation capabilities.\r\nAttack vectors\r\nThis campaign uses different means to enter and infect a target system:\r\nInjection of an SQL script into the system’s Microsoft SQL Server to upload a malicious file\r\nExploitation of the Microsoft Exchange Server ProxyLogon vulnerability CVE-2021-26855 to upload a malicious web shell\r\nPossible distribution through emails containing malicious attachments\r\nUse of the installer application InstallUtil.exe in a scheduled task\r\nAttribution\r\nThis campaign is tied to one of Earth Baku’s earlier cyberespionage campaigns, which the group is perpetrating under the alias APT41. This older campaign has been ongoing since November 2018 and uses a different shellcode loader, which we have named LavagokLdr, but these two campaigns are alike in many ways.\r\nFigure 5. A timeline of Earth Baku’s previous campaign and its new campaign\r\nWe have attributed this new campaign to Earth Baku on the basis of its code similarities to the other campaign:\r\nBoth campaigns use the installer script called install.bat.\r\nTheir shellcode loaders have the same kind of dynamic link library (DLL), Storesyncsvc.dll, and similar procedures for loading APIs.\r\nTheir payloads perform similar processes for signature checking and decoding their main functions.\r\nSkilled actors, upgraded tools\r\nOur analysis of StealthMutant, StealthVector, and ScrambleCross demonstrates that Earth Baku has improved its malware tools since its last campaign. This suggests that the group’s members specialize in different areas, including low-level programming, software development, and techniques used by red teams. 
While we have yet to ascertain Earth Baku’s motives behind this campaign, the group has designed these sophisticated new tools to be easily modified and to avoid detection more efficiently when infiltrating a targeted network.\r\nOur research paper “Earth Baku: An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor” sheds more light on Earth Baku’s operations in general and the capabilities of its new pieces of malware in particular. It also provides security recommendations that can help organizations protect their networks from campaigns like Earth Baku’s.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns"
	],
	"report_names": [
		"earth-baku-returns"
	],
	"threat_actors": [
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434931,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7fdecc7d32357ab7b2b5f345a5c7b34c8252b68.pdf",
		"text": "https://archive.orkl.eu/a7fdecc7d32357ab7b2b5f345a5c7b34c8252b68.txt",
		"img": "https://archive.orkl.eu/a7fdecc7d32357ab7b2b5f345a5c7b34c8252b68.jpg"
	}
}