{
	"id": "917de6ce-db8e-4c47-bd64-6b1d09a57c38",
	"created_at": "2026-04-06T00:14:36.847956Z",
	"updated_at": "2026-04-10T03:33:45.637242Z",
	"deleted_at": null,
	"sha1_hash": "a881afecdff063680e3cef8aa5dd29175614a4ca",
	"title": "Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6826859,
	"plain_text": "Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024\r\nBy: Hara Hiroaki Nov 26, 2024 Read time: 11 min (3056 words)\r\nPublished: 2024-11-26 · Archived: 2026-04-05 14:04:58 UTC\r\nAPT \u0026 Targeted Attacks\r\nTrend Micro has identified a spear-phishing campaign active in Japan since June 2024. Evidence about the malware used by this campaign suggests this was part of a new operation by Earth Kasha.\r\nThis blog is a part of a blog series about Earth Kasha. Kindly refer to our blog about the previous campaigns, where we discussed the tactics and targets of Earth Kasha in detail, for a deeper understanding.\r\nIntroduction\r\nAccording to research by Trend Micro, a new spear-phishing campaign targeting individuals and organizations in Japan has been underway since around June 2024. An interesting aspect of this campaign is the comeback of a backdoor dubbed ANEL, which was used in campaigns targeting Japan by APT10 until around 2018 and had not been observed since then. Additionally, NOOPDOOR, known to be used by Earth Kasha, has been confirmed to be used in the same campaign. Based on these findings, we assess this campaign as part of a new operation by Earth Kasha.\r\nCampaign Details\r\nThe campaign, observed around June 2024 and attributed to Earth Kasha, employed spear-phishing emails for Initial Access. Specific targets include individuals affiliated with political organizations, research institutions, think tanks, and organizations related to international relations. In 2023, Earth Kasha primarily attempted to exploit vulnerabilities in edge devices for intrusion, but this new campaign reveals that they have once again changed their TTPs. This shift appears to be driven by a target change, moving from enterprises to individuals. Additionally, an analysis of the victim profiles and the names of the distributed lure files suggests that the adversaries are particularly interested in topics related to Japan’s national security and international relations.\r\nhttps://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html\r\nPage 1 of 19\r\nFigure 1. Brief timeline of Earth Kasha’s campaigns\r\nThe spear-phishing emails used in this campaign were sent either from free email accounts or from compromised accounts. The emails contained a URL link to OneDrive. They included a message in Japanese encouraging the recipient to download a ZIP file. Here are some of the email subjects that were observed, likely crafted to attract the interest of the targeted recipients:\r\n取材申請書 (Interview Request Form)\r\n米中の現状から考える日本の経済安全保障 (Japan's Economic Security in Light of Current US-China Relations)\r\n[官公庁・公的機関一覧] ([List of Government and Public Institutions])\r\nThe files in the ZIP file, which works as the infection vector, vary depending on the period and the target.\r\nCase 1: Macro-Enabled Document\r\nThe simplest case involves a document with embedded macros. The infection begins when the document is opened and the user enables the macros. This document file is a malicious dropper that we have named ROAMINGMOUSE. As explained later, ROAMINGMOUSE can extract and execute embedded ANEL-related components (a legitimate EXE, ANELLDR, and encrypted ANEL). Two patterns are observed in this process: one involves dropping a ZIP file and then extracting it, while the other consists of directly dropping the components.\r\nFigure 2. Execution flow of Case 1\r\nCase 2: Shortcut + SFX + Macro-Enabled Template Document\r\nIn other cases, the ZIP file did not directly contain ROAMINGMOUSE. Instead, it included a shortcut file and an SFX (self-extracting) file disguised as a document by changing its icon and extension.\r\nFigure 3. Execution flow of Case 2\r\nWhen the shortcut file is opened, it executes the SFX file in the same directory, which is disguised as a .docx file.\r\nFigure 4. Shortcut file to execute another file\r\nThe SFX file places two document files into the %APPDATA%\\Microsoft\\Templates folder. One of these files is a harmless decoy document, while the other, named \"normal_.dotm,\" contains a macro called ROAMINGMOUSE. When the decoy document is opened, ROAMINGMOUSE is automatically loaded as a Word template file. The behavior of ROAMINGMOUSE after execution is identical to that observed in Case 1.\r\nCase 3: Shortcut + CAB + Macro-Enabled Template Document\r\nA similar case to Case 2 has also been observed, where the shortcut file executes PowerShell, which then drops an embedded CAB file.\r\nFigure 5. Execution flow of Case 3\r\nThe shortcut file contained a PowerShell one-liner in this case, as shown in the figure below. This script dropped and extracted a CAB file embedded at a specific offset within the shortcut file and executed a decoy file. The decoy file then automatically loaded ROAMINGMOUSE as a template file, following the same process as in Case 2.\r\nFigure 6. PowerShell one-liner in the shortcut file\r\nFigure 7. CAB file embedded in the shortcut file\r\nMalware on Initial Access\r\nROAMINGMOUSE\r\nThe macro-enabled document used for initial access in this campaign is what we call \"ROAMINGMOUSE.\" This document acts as a dropper for components related to ANEL. The primary role of ROAMINGMOUSE is to execute the subsequent ANEL payload while minimizing the chances of detection. To achieve this, it implements various evasion techniques.\r\n(Basic) Sandbox Evasion\r\nThe ROAMINGMOUSE variant introduced in Case 1 requires the user to enable macros. This variant includes a feature that initiates malicious activity only after specific mouse movements by the user. This functionality is achieved by implementing a function that responds to the \"MouseMove\" event, triggered when the mouse hovers over a user form embedded within the document.\r\nFigure 8. Malicious routine will be triggered when moving a mouse properly.\r\nThis feature ensures that malicious activities do not begin unless specific user interactions occur, which is likely implemented as a sandbox evasion technique. However, it should be noted that many commercial and open-source sandboxes have addressed such sandbox evasion techniques in recent years, making them less effective.\r\nCustom Base64-encoded Payloads\r\nThe classification of this as an evasion technique is up for debate; however, it is undeniably one of the distinctive functions of ROAMINGMOUSE. This technique was employed in Pattern 1 of Case 1. ROAMINGMOUSE embeds the ZIP file containing the ANEL-related components by encoding it in Base64 and splitting it into three parts, with one part encoded using a custom Base64 encoding table. The files within the ZIP file are then extracted to a specific path.\r\nFigure 9. Partially custom Base64-encoded data embedded in ROAMINGMOUSE\r\nThis technique may slow down analysis, but it may also be an evasion technique against modern tools that automatically decode Base64 embedded in VBA. Such tools have become more common recently, making this a potential countermeasure.\r\nHEX-encoded Payloads\r\nIn some instances, such as Pattern 2 of Case 1, we observed cases where the ANEL-related components were directly dropped without being processed through a Base64-encoded ZIP file. In these cases, each component was embedded in the VBA code as HEX-encoded strings.\r\nFigure 10. HEX-encoded payloads embedded in ROAMINGMOUSE\r\nExecution Through WMI\r\nThe dropped files include the following ANEL-related components:\r\n1. ScnCfg32.Exe: A legitimate application that loads the DLL in the same directory via DLL sideloading.\r\n2. vsodscpl.dll: The ANELLDR loader.\r\n3. \u003cRANDOM\u003e: The encrypted ANEL.\r\nROAMINGMOUSE executes ANEL by running the legitimate application \"ScnCfg32.exe,\" which loads the malicious DLL \"vsodscpl.dll\" through DLL sideloading. It uses WMI to execute \"explorer.exe\" with \"ScnCfg32.Exe\" as an argument during this process.\r\nFigure 11. Program execution through WMI\r\nThis approach aims to avoid detection by security products, which are more likely to flag processes like \"cmd.exe\" when executed directly from a document file, such as a Word document. By bypassing \"cmd.exe\" and running the program through WMI, they attempt to evade these detection mechanisms.\r\nANELLDR\r\nWe have been tracking the unique loader used to execute ANEL in memory, which we have named ANELLDR. ANELLDR has been observed as early as 2018. In terms of its functionality, the version used in this campaign is identical to the one used in 2018. Beyond its core functionality, ANELLDR is known for using anti-analysis techniques such as junk code insertion, Control Flow Flattening (CFF), and Mixed Boolean Arithmetic (MBA). The ANELLDR observed in this campaign also implemented the same techniques.\r\nFigure 12. Repeatedly inserted junk code\r\nFigure 13. Obfuscated function by CFF\r\nFigure 14. Simple XOR instruction converted into complex instructions by MBA.\r\nAlthough there is some publicly available information about ANELLDR, a thorough description of its behavior has not yet been provided. We will give a detailed explanation of the loader's functionality.\r\nANELLDR is activated via DLL sideloading from a legitimate application to begin its malicious activities. Once executed, it enumerates files in the current directory to search for encrypted payload files. Notably, the decryption logic of ANELLDR differs between the initial and subsequent executions.\r\nDuring the initial execution, ANELLDR calculates the Adler-32 checksum of the data up to the file size minus 0x34 bytes and compares it with the checksum stored in the last four bytes of the target file (the 0x34 bytes account for the 0x30 bytes of AES material and the 0x4 bytes of checksum, explained later). This comparison checks whether the target file is the expected encrypted file. If a directory exists at the same level, it recursively processes the files within that directory.\r\nOnce the file passes verification, the decryption process begins. For this, the last 0x30 bytes of the file are divided into two parts: the first 0x20 bytes are used as the AES key, while the remaining 0x10 bytes are used as the AES IV. ANELLDR then decrypts the encrypted data (up to the file size minus 0x34 bytes) using AES-256-CBC and executes the payload in memory.\r\nFigure 15. Execution flow of ANELLDR\r\nOnce ANELLDR successfully decrypts the encrypted payload, it updates the key and IV, re-encrypts the payload using AES-256-CBC, and overwrites the original encrypted payload file with the newly encrypted data. The AES key and IV used in this process are generated based on the file path of the executing file and a hardcoded string. This involves utilizing a custom Base64 encoding, the Blowfish encryption algorithm, and XOR operations, which ensures that the key and IV are unique to the running environment. Since the AES key and IV used for encryption are not embedded in the file, you must know the exact file path where the payload was initially stored to decrypt an encrypted payload file obtained from an infected environment.\r\nFigure 16. File structure of the re-encrypted payload blob\r\nThe 2nd-stage shellcode\r\nThe decrypted data is shellcode and is executed in memory. This 2nd-stage shellcode is responsible for loading and executing the final payload, a DLL, in memory. First, the 2nd-stage shellcode attempts to evade being debugged by calling the ZwSetInformationThread API with the second argument set to ThreadHideFromDebugger (0x11). Next, it retrieves the address of the encrypted data. To do this, it calls a unique function filled with NOP instructions to obtain the current address in memory. After obtaining this address, it calculates the location of the encrypted payload-related data, which is located immediately after this function.\r\nFigure 17. Unique function filled with NOP instructions\r\nThe encrypted data section is structured in the following format:\r\nFigure 18. Structure of the encrypted data section\r\nANELLDR decodes the subsequent encrypted data using a 16-byte XOR key. A distinctive feature of this process is that each byte of the encrypted data is XORed with the entire 16-byte key. In other words, the algorithm applies XOR to each data byte 16 times, using a different key byte for each operation.\r\nFigure 19. Unique algorithm using XOR 16 times\r\nAfter the XOR operation, the data is decompressed using the Lempel–Ziv–Oberhumer (LZO) compression algorithm. Additionally, the first 4 bytes and the Adler-32 checksum of the payload DLL are calculated and compared to verify whether the data has been correctly decoded and decompressed. If the integrity check passes, the DLL is dynamically initialized in memory, and the hardcoded export function is called to execute the payload.\r\nANEL\r\nANEL is a 32-bit HTTP-based backdoor that has been observed since around 2017 and was known as one of the primary backdoors used by APT10 until around 2018. ANEL was actively developed during that time, and the last version publicly observed in 2018 was “5.5.0 rev1.” However, through this new campaign in 2024, versions “5.5.4 rev1,” “5.5.5 rev1,” “5.5.6 rev1,” and “5.5.7 rev1” have been observed, along with a newly identified version where the version information has been obfuscated.\r\nVersion: 5.5.0 rev1 | 5.5.4 rev1 | 5.5.5 rev1 | 5.5.6 rev1 | 5.5.7 rev1 | unknown\r\nC\u0026C Comm Encryption (GET), all versions: Custom ChaCha20 + random-byte XOR + Base64\r\nC\u0026C Comm Encryption (POST), all versions: Custom ChaCha20 + LZO\r\nChaCha20 Key Generation, all versions: Selected from the hardcoded key based on the C\u0026C URL\r\nBackdoor Commands, 5.5.0 rev1 / 5.5.4 rev1 / 5.5.5 rev1: 0x97A168D9697D40DD (download), 0x7CF812296CCC68D5 (upload), 0x652CB1CEFF1C0A00 (in-memory PE exec), 0x27595F1F74B55278 (download and exec), 0xD290626C85FB1CE3 (sleep), 0x409C7A89CFF0A727 (get screenshot); else: execute command\r\nBackdoor Commands, 5.5.6 rev1 / 5.5.7 rev1 / unknown: 0x97A168D9697D40DD (download), 0x7CF812296CCC68D5 (upload), 0x652CB1CEFF1C0A00 (in-memory PE exec), 0x27595F1F74B55278 (download and exec), 0xD290626C85FB1CE3 (sleep), 0x409C7A89CFF0A727 (get screenshot), 0x596813980E83DAE6 (UAC bypass); else: execute command\r\nFrom here, we'll take a closer look at the specific updates and changes in each version.\r\n5.5.4 rev1\r\nThis version of ANEL did not introduce any major changes, but a few minor fixes and updates were implemented. One notable change was the removal of the feature that stored an error code in the HTTP Cookie header and sent it to the C\u0026C server, which had been present up to version “5.5.0 rev1.” This feature was previously identified as a detection point for ANEL, so its removal might have been intended to evade detection. Another update involved the version information sent to the C\u0026C server. It now includes information about the OS architecture of the execution environment. Although ANEL is a 32-bit application, when running on a 64-bit OS, the string “wow64” is appended to the version information before being sent to the C\u0026C server.\r\nFigure 20. OS architecture included\r\n5.5.5 rev1\r\nVersion “5.5.5 rev1” did not include significant changes either. One notable update was the addition of code to renew the local IP address during the initial access to the C\u0026C server.\r\nFigure 21. Renew the local IP address by Windows API.\r\n5.5.6 rev1 / 5.5.7 rev1\r\nIn version “5.5.6 rev1,” a new backdoor command was added. ANEL processes the command string received from the C\u0026C server by converting it to uppercase and hashing it with xxHash, then comparing it to a hardcoded hash value to determine the command. In this version, a new command corresponding to the hash value “0x596813980E83DAE6” was implemented.\r\nFigure 22. New backdoor command introduced in 5.5.6 rev1\r\nThis command provides the functionality to execute a specified program with elevated privileges (High integrity) by abusing the CMSTPLUA COM interface, a known UAC bypass technique.\r\nFigure 23. Abusing CMSTPLUA COM interface\r\nOn the other hand, in “5.5.7 rev1”, no additional notable functionality was observed.\r\nUnknown version\r\nAfter observing version “5.5.7 rev1,” an ANEL variant was detected with obfuscated version information. In this instance, the version information field contained a Base64-encoded string, which resulted in the data “A1 5E 99 00 E7 DE 2B F5 AD A1 E8 D1 55 D5 0A 22” after decoding. This data was concatenated with “wow64” and sent to the C\u0026C server. This change has made it more difficult to track versions and compare functionality.\r\nFigure 24. Encrypted version information\r\nPost-Exploitation Activities\r\nTracking the adversary’s activities after installing ANEL revealed that they collected information from the infected environment, such as taking screenshots and executing commands like arp and dir to gather network and file system details. In some cases, additional malware, specifically NOOPDOOR, was also installed.\r\nNOOPDOOR, observed since at least 2021, is a modular backdoor with more advanced capabilities. It appears to work as a further payload Earth Kasha uses, particularly for high-value targets. In this campaign, we believe NOOPDOOR was deployed against targets of special interest to the adversary.\r\nAttribution and Insights\r\nBased on the analysis of the ongoing campaign, Trend Micro assesses that the spear-phishing campaign using ANEL, observed since June 2024, is part of a new operation conducted by Earth Kasha.\r\nFigure 25. Diamond Model of the new campaign in 2024\r\nThe attribution to Earth Kasha is based on the following reasons:\r\nUntil early 2023, Earth Kasha had been conducting campaigns targeting individuals and organizations in Japan via spear-phishing emails as the primary intrusion vector. There are no significant inconsistencies in terms of TTPs or victim profiles.\r\nNOOPDOOR, believed to be used exclusively by Earth Kasha, was also deployed in this campaign.\r\nAs previously mentioned, there are code similarities between ANELLDR and NOOPDOOR, suggesting the involvement of the same developer or someone with access to both source codes. Therefore, the reuse of ANEL in this campaign is unsurprising and further supports the connection between the former APT10 and the current Earth Kasha.\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can proactively protect their environments, mitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nGuess Who’s Back? The Return of ANEL in the Recent Spear-phishing Campaign by Earth Kasha in 2024\r\nTrend Micro Vision One Threat Insights App\r\nThreat Actors: Earth Kasha\r\nEmerging Threats: Guess Who’s Back? The Return of ANEL in the Recent Spear-phishing Campaign by Earth Kasha in 2024\r\nHunting Queries\r\nTrend Micro Vision One Search App\r\nTrend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\nMalware detection associated with the spear-phishing campaign by Earth Kasha\r\n(malName:*ANEL* OR malName:*ROAMINGMOUSE*) AND eventName: MALWARE_DETECTION\r\nMalicious IPs used by ANEL in spear-phishing campaign 2024\r\neventId:3 AND (dst:\"139.84.131.62\" OR dst:\"139.84.136.105\" OR dst:\"45.32.116.146\" OR dst:\"45.77.252.85\" OR dst:\"208.85.18.4\" OR src:\"139.84.131.62\" OR src:\"139.84.136.105\" OR src:\"45.32.116.146\" OR src:\"45.77.252.85\" OR src:\"208.85.18.4\")\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nYARA rule\r\nThis YARA rule may be used to find Earth Kasha activity.\r\nConclusion\r\nEarth Kasha's campaigns are expected to continue evolving, with updates to their tools and TTPs. Many of the targets are individuals, such as researchers, who may have different levels of security measures in place compared to enterprise organizations, making these attacks more difficult to detect. It is essential to maintain basic countermeasures, such as avoiding opening files attached to suspicious emails. Additionally, it is important to gather threat intelligence and ensure that relevant parties are informed. As this campaign is believed to be ongoing as of October 2024, continued vigilance is necessary.\r\nIndicators of Compromise\r\nThe full list of IoCs may be found here.\r\nSource: https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html"
	],
	"report_names": [
		"return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434476,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a881afecdff063680e3cef8aa5dd29175614a4ca.pdf",
		"text": "https://archive.orkl.eu/a881afecdff063680e3cef8aa5dd29175614a4ca.txt",
		"img": "https://archive.orkl.eu/a881afecdff063680e3cef8aa5dd29175614a4ca.jpg"
	}
}