{
	"id": "bf7387c2-9c16-40f8-95b1-b4455d3949b0",
	"created_at": "2026-04-06T00:07:57.396101Z",
	"updated_at": "2026-04-10T03:36:13.971193Z",
	"deleted_at": null,
	"sha1_hash": "aac3f85bef8083fa7ef88e174324c3c28b856e8a",
	"title": "Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3330180,
	"plain_text": "Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions\r\nPublished: 2024-11-25 · Archived: 2026-04-05 16:14:33 UTC\r\nAPT & Targeted Attacks\r\nSince 2023, APT group Earth Estries has aggressively targeted key industries globally with sophisticated techniques and new backdoors, like GHOSTSPIDER and MASOL RAT, for prolonged espionage operations.\r\nBy: Leon M Chang, Theo Chen, Lenart Bermejo, Ted Lee Nov 25, 2024 Read time: 14 min (3744 words)\r\nSummary\r\nEarth Estries, a Chinese APT group, has primarily targeted critical sectors like telecommunications and government entities across the US, Asia-Pacific, Middle East, and South Africa since 2023.\r\nThe group employs advanced attack techniques and multiple backdoors, such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, affecting several Southeast Asian telecommunications companies and government entities.\r\nEarth Estries exploits public-facing server vulnerabilities to establish initial access and uses living-off-the-land binaries for lateral movement within networks to deploy malware and conduct long-term espionage.\r\nThe group has compromised over 20 organizations, targeting various sectors including telecommunications, technology, consulting, chemical, and transportation industries, as well as government agencies and NGOs in numerous countries.\r\nEarth Estries uses a complex C&C infrastructure managed by different teams, and their operations often overlap with TTPs of other known Chinese APT groups, indicating possible use of shared tools from malware-as-a-service providers.\r\nSince 2023, Earth Estries (aka Salt Typhoon, FamousSparrow, GhostEmperor and UNC2286) has emerged as one of the most aggressive Chinese advanced persistent threat (APT) groups, primarily targeting critical industries such as telecommunications and government entities in the US, the Asia-Pacific region, the Middle East, and South Africa. In this blog entry, we will highlight their evolving attack techniques and analyze the motivation behind their operations, providing insights into their long-term targeted attacks.\r\nA key finding from our recent investigation is the discovery of a new backdoor, GHOSTSPIDER, identified during attacks on Southeast Asian telecommunications companies. We will explore the technical details of GHOSTSPIDER, its impact across multiple countries, and interesting findings when we were tracking its command-and-control (C&C) infrastructure. We have also uncovered the group’s use of the modular backdoor SNAPPYBEE (aka Deed RAT), another tool shared among Chinese APT groups.\r\nhttps://www.trendmicro.com/en_us/research/24/k/earth-estries.html\r\nPage 1 of 19\r\nFurthermore, we discovered that Earth Estries uses another cross-platform backdoor, which we initially identified during our investigation of Southeast Asian government incidents in 2020. We named it MASOL RAT based on its PDB string. We couldn’t link MASOL RAT to any known threat group at the time due to limited information. However, this year we observed that Earth Estries has been deploying MASOL RAT on Linux devices targeting Southeast Asian government networks. More details about MASOL RAT will be provided in this blog entry.\r\nRecently, we also noticed that Microsoft has tracked the APT groups FamousSparrow and GhostEmperor under the name Salt Typhoon. However, we don’t have sufficient evidence that Earth Estries is related to the recent news of a Salt Typhoon cyberattack, as we have not seen a more detailed report on Salt Typhoon. Currently, we can only confirm that some of Earth Estries’ tactics, techniques, and procedures (TTPs) overlap with those of FamousSparrow and GhostEmperor.\r\nMotivation\r\nWe have observed that Earth Estries has been conducting prolonged attacks targeting governments and internet service providers since 2020. In mid-2022, we noticed that the attackers also started targeting service providers for governments and telecommunications companies. For example, we found that in 2023, the attackers had also targeted consulting firms and NGOs that work with the U.S. federal government and military. The attackers use this approach to gather intelligence more efficiently and to attack their primary targets more quickly.\r\nNotably, we observed that attackers targeted not only critical services (like database servers and cloud servers) used by the telecommunications company, but also their vendor network. We found that they implanted the DEMODEX rootkit on vendor machines. This vendor is a primary contractor for the region’s main telecommunications provider, and we believe that attackers use this approach to facilitate access to more targets.\r\nVictimology\r\nWe found that Earth Estries successfully compromised more than 20 organizations in areas that include the telecommunications, technology, consulting, chemical, and transportation industries, government agencies, and non-profit organizations (NGOs). Victims also came from numerous countries, including:\r\nAfghanistan\r\nBrazil\r\nEswatini\r\nIndia\r\nIndonesia\r\nMalaysia\r\nPakistan\r\nThe Philippines\r\nSouth Africa\r\nTaiwan\r\nThailand\r\nUS\r\nVietnam\r\nFigure 1. Victimology map of Earth Estries\r\nInitial access\r\nEarth Estries is aggressively targeting the public-facing servers of victims. We have observed them exploiting server-based N-day vulnerabilities, including the following:\r\nTable 1. The list of vulnerabilities exploited by Earth Estries\r\nAfter gaining control of the vulnerable server, we observed that the attackers leveraged living-off-the-land binaries (LOLBINs) like WMIC.exe and PSEXEC.exe for lateral movement, and deployed customized malware such as SNAPPYBEE, DEMODEX, and GHOSTSPIDER to conduct long-term espionage activities against their targets.\r\nCampaign overview\r\nOur analysis suggests that Earth Estries is a well-organized group with a clear division of labor. Based on observations from multiple campaigns, we speculate that attacks targeting different regions and industries are launched by different actors. Additionally, the C&C infrastructure used by various backdoors seems to be managed by different infrastructure teams, further highlighting the complexity of the group's operations.\r\nCampaign Alpha\r\nFigure 2. Campaign Alpha overview\r\nIn the attacks we observed last October targeting the Taiwanese government and a chemical company, we found that the attackers downloaded malicious tools from their C&C server (23.81.41[.]166). While investigating the download site (23.81.41[.]166), we found more interesting samples on the C&C server, which had an open directory on port 80.\r\nFigure 3. The C&C with open directory vulnerability\r\nThe notable samples are listed in Table 2 below, based on our monitoring from October 2023 to April 2024.\r\nFile | Description\r\nsql.toml | frpc config (C&C server: 165.154.227[.]192)\r\nonedrived.zip | Contains the PowerShell script onedrived.ps1.\r\nNsc.exe, 123.zip/WINMM.dll, NortonLog.txt | The first SNAPPYBEE sample set (SNAPPYBEE C&C domain: api.solveblemten[.]com)\r\n0202/* | Another SNAPPYBEE sample set (imfsbSvc.exe, imfsbDll.dll, DgApi.dll, and dbindex.dat). (SNAPPYBEE C&C domain: esh.hoovernamosong[.]com)\r\nOthers | Open-source hacktools like frpc, NeoReGeorg tunnel, and fscan.\r\nTable 2. Notable samples\r\nHere is a summary of notable findings:\r\nThe frpc C&C 165.154.227[.]192 could be linked to an SSL certificate (SHA256: 2b5e7b17fc6e684ff026df3241af4a651fc2b55ca62f8f1f7e34ac8303db9a31) previously used by ShadowPad, which is another shared tool among several Chinese APT groups. In addition, the C&C IP address was also mentioned in a Fortinet report and indicators of compromise related to the Ivanti exploit.\r\nWe observed that the TTPs used by onedrived.ps1 are similar to those of GhostEmperor’s first-stage PowerShell dropper. The only difference is that the strings are encoded using the base64 algorithm in this new variant.\r\nBased on our analysis, although the two sets of samples used different DLL hijacking combinations and decoding algorithms to decrypt the payload, we found that the backdoor characteristics matched those of the previous SNAPPYBEE. (We identified that the decrypted shellcode module header signature is 0xDEED4554 and the Main/Root module ID is still 0x20, as can be seen in Figure 4.)\r\nFigure 4. The analysis screenshot of SNAPPYBEE\r\nDEMODEX rootkit infection chain\r\nFigure 5. The infection chain of DEMODEX rootkit\r\nThere are two requirements to analyze the DEMODEX rootkit:\r\n1. The first-stage PowerShell script requires a decryption key as an argument.\r\n2. The second-stage service loader uses the computer name as the AES decryption key.\r\nBased on our telemetry, we discovered that the attacker used PSEXEC.exe to execute the following command to install the DEMODEX rootkit:\r\nPowershell.exe -ex bypass c:\\windows\\assembly\\onedrived.ps1 password@123\r\nNotably, we discovered that all components related to the DEMODEX rootkit use control flow flattening techniques to increase the difficulty of analysis (Figure 6).\r\nFigure 6. DEMODEX anti-analysis techniques (control flow flattening)\r\nFigure 7. Core-implant malware configuration (C&C: 103.91.64[.]214)\r\nC&C infrastructure activities\r\nWhile tracking the C&C infrastructure of the aforementioned backdoor, we found the following notable findings:\r\n1. We found that one of the SNAPPYBEE C&C domains, api.solveblemten[.]com, has WHOIS registration information that overlaps with some indicators of compromise (IOCs) mentioned in Mandiant's UNC4841 report. Based on our research, we believe that these related C&C domains were likely registered by the same provider and shared in different operations. However, we don't have sufficient evidence to consider UNC4841 as one of the subgroups related to Earth Estries.\r\n2. Another SNAPPYBEE C&C domain (esh.hoovernamosong[.]com) resolved to a C&C IP address (158.247.222[.]165), which could be linked to a SoftEther domain (vpn114240349.softether[.]net). Therefore, we believe the threat actor also used SoftEther VPN to establish their operational networks, making it more difficult to track their activities.\r\n3. Notably, we discovered and downloaded victim data from the SNAPPYBEE C&C (158.247.222[.]165) with an open directory on port 8000 this February. Based on our analysis, we believe the victim data was exfiltrated from a US NGO. Most of the victim data is composed of financial, human resources, and business-related documents. It's worth noting that the attacker also collected data related to multiple military units and federal government entities.\r\nPost-exploitation findings\r\nIn this campaign, we observed that the attackers primarily used the following LOLbin tools to gather endpoint information and perform lateral movement to gain access to more compromised machines.\r\nTools | Description\r\nfrpc related |\r\n  WMIC.exe /node:<REDACTED> /user:<REDACTED> /password:<REDACTED> process call create \"cmd.exe /c expand c:/windows/debug/1.zip c:/windows/debug/notepadup.exe\r\n  cmd.exe /c ping 165.154.227.192 -n 1 > c:\\Windows\\debug\\info.\r\n  cmd.exe /c c:/windows/debug/win32up.exe -c c:/windows/debug/sql.toml\r\n  cmd.exe /c wevtutil qe security /format:text /q:\\\"Event[System[(EventID=4624)]\\\" > c:\\windows\\debug\\info.log\r\nps.exe (PSEXEC.exe) |\r\n  C:\\Windows\\assembly\\ps.exe /accepteula \\\\<REDACTED> -u <REDACTED> -p <REDACTED> -s cmd /c c:\\Windows\\assembly\\1.bat\r\n  WMIC.exe /node:<REDACTED> /user:<REDACTED> /password:<REDACTED> process call create \"cmd.exe /c c:\\Windows\\debug\\1.bat\"\"\r\nTable 3. LOLbin tools used to gather endpoint information and perform lateral movement\r\nCampaign Beta\r\nFigure 8. Campaign Beta overview\r\nIn this section, we will introduce Earth Estries’ long-term attacks on telecommunications companies and government entities. According to our research, most of the victims have been compromised for several years. We believe that in the early stages, the attackers successfully obtained credentials and controlled target machines through web vulnerabilities and the Microsoft Exchange ProxyLogon exploit chain. We observed that for these long-term targets, the attackers primarily used the DEMODEX rootkit to remain hidden within the victims' networks.\r\nNotably, in a recent investigation into attacks on telecommunications companies in Southeast Asia, we discovered a previously undisclosed backdoor; we have named it GHOSTSPIDER.\r\nGHOSTSPIDER’s technique analysis\r\nGHOSTSPIDER is a sophisticated multi-modular backdoor designed with several layers to load different modules based on specific purposes. This backdoor communicates with its C&C server using a custom protocol protected by Transport Layer Security (TLS), ensuring secure communication.\r\nFigure 9. The GHOSTSPIDER infection flow\r\nInitial infection and stager deployment\r\nBased on our telemetry, we observed that the threat actor installs the first-stage stager via regsvr32.exe, which is used to install a DLL (with export names such as core.dll or spider.dll) as a service. The stager is designed to check for a specific hostname hard-coded in the DLL, ensuring that it only runs on the targeted machine. Once the stager is executed, it connects to the stager's C&C server to register a new connection and subsequently receives a module (DLL export name: login.dll) to load and execute in memory. This login module collects basic information about the infected endpoint and sends it back to the stager's C&C server. After this initial phase, the stager enters a polling mode, waiting for the threat actor's next payload.\r\nBeacon loader deployment\r\nOn the infected endpoint, the threat actor deploys a legitimate executable file alongside a malicious DLL file for DLL search order hijacking. This malicious DLL, another GHOSTSPIDER module known as the beacon loader (DLL export name: loader.dll), is used to launch the beacon payload in memory. A scheduled task is created to launch the executable. The beacon loader contains an encrypted .NET DLL payload (DLL export name: client.dll), which is decrypted and executed in memory.\r\nCommunication protocol\r\nThe communication requests that are used by the GHOSTSPIDER stager follow a common format. A connection ID is placed in the HTTP header's cookie as “phpsessid”. The connection ID is calculated using CRC32 or CRC64 with UUID4 values. Figure 10 shows an example of a stager's first request to the C&C server.\r\nFigure 10. Example of a stager's first request to the C&C server\r\nHere is an example of a decrypted response:\r\n=|did=96A52F5C1F2C2C67|wid=13CF3E8E0E5580EB|act=2|tt=41003562|<f\r\nThe data is separated by “|” with the following items:\r\nAn unknown prefix\r\ndid: the connection ID calculated from the infected machine\r\nwid: the remote ID for a specific connection\r\nact: an action code\r\ntt: tick count\r\nAn unknown suffix\r\nBeacon communication and command codes\r\nLike the stager, the GHOSTSPIDER beacon uses an almost identical format to communicate with the beacon C&C server to receive command codes. Table 4 outlines the command codes supported by the GHOSTSPIDER beacon.\r\nCode | Action | Description\r\n1 | upload | Load and invoke delegate from received buffer, with 3 methods from delegate: Open / Close / Write\r\n2 | create | Call the Open method from the loaded delegate\r\n3 | normal | Call the Write method from the loaded delegate\r\n4 | close | Unload and remove the delegate\r\n5 | heartbeat | Heartbeat, no action.\r\n6 | update | Update interval value (idle time)\r\nTable 4. Command codes supported by the GHOSTSPIDER beacon\r\nThe GHOSTSPIDER beacon is segmented into distinct delegates, each tailored to specific functions. These modules are retrieved from the C&C server and are reflectively loaded into memory as dictated by specific command codes.\r\nThis modular design significantly enhances the backdoor's flexibility and adaptability, as individual components can be deployed or updated independently based on the attacker’s evolving needs. Additionally, it complicates detection and analysis, as analysts are forced to piece together a fragmented view of the malware’s full functionality. By isolating different capabilities across separate modules, GHOSTSPIDER not only reduces its footprint, but also makes it challenging to construct a comprehensive understanding of its operation and overall objectives.\r\nThe new DEMODEX infection flow\r\nThis year, we observed that the attackers used another variant of DEMODEX. In this new installation flow, the attackers no longer use a first-stage PowerShell script to deploy the additional needed payload. Instead, the required registry data (the encrypted configuration and the shellcode payload) for installation is bundled in a CAB file. The CAB bundle is deleted after installation is finished. This approach ensures that, even after we collected the first-stage PowerShell script, the analysis cannot proceed due to the lack of additional information. We found a report published by another vendor that mentions findings consistent with our observations.\r\nFigure 11. New DEMODEX infection flow\r\nFigure 12. The DEMODEX rootkit installation flow observed in Trend Vision One™\r\nAdditional C&C infrastructure analysis\r\nDeploying the MASOL backdoor (aka Backdr-NQ) on a Linux server\r\nWhile investigating the C&C infrastructure related to Campaign Alpha, we tracked the associated C&C IP (103.159.133[.]251) to a Linux backdoor (name: dash_board, SHA256: 44ea2e85ea6cffba66f5928768c1ee401f3a6d6cd2a04e0d681d695f93cc5a1f). Our analysis confirmed that this sample is linked to the MASOL RAT, which we identified in 2020 and observed being used to target Southeast Asian government entities (Figure 13). Based on the backdoor's PDB string (E:\\Masol_https190228\\x64\\Release\\Masol.pdb), we believe the backdoor may have been developed as early as 2019. We observed the new Linux variant of MASOL in the wild after 2021. However, we haven’t seen the Windows variant of MASOL after 2021. Currently, we have moderate to high confidence that Earth Estries has used MASOL RAT to target Linux servers within Southeast Asian governments in recent years.\r\nFigure 13. The extracted MASOL RAT malware configuration\r\nBased on the following reasons, we currently only have low confidence that Earth Estries has previously deployed the MASOL RAT through CVE-2022-3236:\r\nSince August of this year, we have observed a new campaign launched by Earth Estries targeting Southeast Asian governments. Our Deep Discovery Inspector (DDI) detected a compromised Linux server communicating with the MASOL RAT C&C. During the same period, we also observed other compromised hosts within the same organization communicating with the C&C infrastructure associated with the sub-domain of the CrowDoor backdoor. We will continue monitoring this ongoing campaign and may provide more details after we have completed our investigation.\r\nWe didn’t find any C&C infrastructure that overlaps between our research and the Sophos report. Although we only observed limited MASOL RAT IOCs in the wild, we cannot rule out the possibility that MASOL RAT is a shared tool among a limited number of Chinese APT threat groups.\r\nAdditional GHOSTSPIDER C&C infrastructure\r\nCurrently, we do not have sufficient evidence to attribute the DEMODEX rootkit and GHOSTSPIDER as proprietary backdoors used by Earth Estries. Therefore, we will only list the C&C infrastructure used by the two campaigns discussed above in the IOC section. However, we discovered some interesting GHOSTSPIDER C&C infrastructure.\r\nIn the certificate used by the GHOSTSPIDER C&C 141.255.164[.]98:2096 (C&C active timeline: August 2, 2024 to August 22, 2024), we found that one of the certificate’s alternative names, “palloaltonetworks[.]com”, was mentioned in a vendor report related to an Inc Ransom attack (Figure 14). Although we haven’t observed any GHOSTSPIDER-related incidents that link it to Inc Ransom, based on these OSINT findings, it is possible that Earth Estries may use ransomware in their operations for espionage or for financial gain.\r\nFigure 14. Certificate used by GHOSTSPIDER\r\nAttribution\r\nFigure 15. Attribution overview (demonstrates a possible joint operation across different units)\r\nIn our first Earth Estries blog entry, we found some TTPs that overlapped between Earth Estries and FamousSparrow. Since then, we have found two campaigns that are related to the DEMODEX rootkit mentioned in the GhostEmperor report. Since we found that the attacker also used SNAPPYBEE, we suspect that the tools used by Earth Estries might come from different malware-as-a-service (MaaS) providers.\r\nWe attribute the two campaigns to Earth Estries with high confidence based on the following shared TTPs:\r\n1. Campaign Alpha and Campaign Beta’s C&C domains shared the same WHOIS registration information.\r\n2. Both campaigns utilized the DEMODEX rootkit and GHOSTSPIDER.\r\n3. We observed that DEMODEX, SparrowDoor, and CrowDoor used the same C&C infrastructure in the past. Additionally, the C&C 27.102.113[.]240 was mentioned in the FamousSparrow and GhostEmperor reports. Therefore, we believe that Earth Estries has used DEMODEX, GHOSTSPIDER, SparrowDoor and CrowDoor. But we’re not sure if these customized backdoors are proprietary tools used by Earth Estries, so some of the C&C infrastructure cannot be attributed to this threat group.\r\nBased on our telemetry, we observed that the Campaign Alpha actors deployed another x86 SNAPPYBEE sample set at %SYSTEMROOT%\\assembly\\imfsbDll.dll (SHA256: 6d64643c044fe534dbb2c1158409138fcded757e550c6f79eada15e69a7865bc) and %SYSTEMROOT%\\assembly\\DgApi.dll (SHA256: 25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b) in their operations on October 10, 2024. We detected the same hashes in two other government entities.\r\nWe also found that one of these government entities had been compromised by Earth Estries since 2020. Notably, SNAPPYBEE was deployed in the ZINGDOOR attack chains on October 13, 2024. This is why we believe Earth Estries used distinct C&C infrastructure for different targets, and that the operations might have been launched by different teams. Some of the TTPs differ significantly, even though the same toolset was shared.\r\nIt's worth noting that we observed the following C&C infrastructure overlapping across multiple victim environments. First, we found DEMODEX and Cobalt Strike beacon samples in the same infected machine. The DEMODEX C&C domain pulseathermakf[.]com is used by the operator of Campaign Beta. The Cobalt Strike beacon C&C cloudlibraries[.]global[.]ssl[.]fastly[.]net (with the sample downloaded from the C&C hxxp://103.159.133[.]205/lib3.cab) and the post-exploitation activity are linked to TrillClient attack chains, which involve the Hemigate, SparrowDoor, and CrowDoor toolsets.\r\nNext, we found that the DEMODEX C&C domain pulseathermakf[.]com has been used to target a Southeast Asian government agency for several years. However, on August 28, 2024, we detected a network connection to pulseathermakf[.]com from a compromised server belonging to a Southeast Asian telecommunications company (Campaign Beta). We speculate that the attacker may have made a mistake while deploying the backdoor. Currently, we observe that the attacker primarily uses the DEMODEX C&C domains www[.]infraredsen[.]com and imap[.]dateupdata[.]com to target multiple Southeast Asian telecom companies.\r\nDuring our investigation of Campaign Beta, we discovered the GHOSTSPIDER backdoor. Subsequently, while tracking the C&C infrastructure related to GHOSTSPIDER, we found that the attacker had also tested GHOSTSPIDER on the Campaign Alpha open directory C&C server 23.81.41[.]166.\r\nFigure 16. The certificate (SHA256: b63c82fc37f0e9c586d07b96d70ff802d4b707ffb2d59146cf7d7bb922c52e7e) used by GHOSTSPIDER (Campaign Alpha)\r\nConclusion\r\nEarth Estries is one of the most aggressive Chinese APT groups, primarily targeting critical industries such as telecommunications and government sectors. Their notable TTPs include exploiting known vulnerabilities and using widely available shared tools, such as SNAPPYBEE. Earth Estries conducts stealthy attacks that start from edge devices and extend to cloud environments, making detection challenging. They employ various methods to establish operational networks that effectively conceal their cyber espionage activities, demonstrating a high level of sophistication in their approach to infiltrating and monitoring sensitive targets.\r\nIt is crucial for organizations and their security teams to remain vigilant and proactively strengthen their cybersecurity defenses against cyberespionage campaigns. Through technologies like Trend Vision One™, security practitioners can visualize all organizational components from a single platform, enabling them to monitor and track tools, behaviors, and payloads as they navigate their organization's networks, systems, and infrastructure, while simultaneously detecting and blocking threats as early in the attack or infection process as possible.\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nGame of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions\r\nTrend Micro Vision One Threat Insights App\r\nThreat Actors: Earth Estries\r\nEmerging Threats: Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions\r\nHunting Queries\r\nTrend Micro Vision One Search App\r\nVision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\nHunting DEMODEX Malware\r\nobjectFilePath:\"PsvchostDLL_X64.dll\" OR objectFilePath:\"AesedMemoryBinX64.REG\" OR objectFilePath:\"msmp4dec.dll\" OR objectFilePath:\"wpccfg.dll\" OR objectFilePath:\"dumpfiskfss.sys\" OR objectFilePath:\"SstpCfs.dll\"\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nYara Rules\r\nDownload the YARA rules here.\r\nIndicators of Compromise\r\nDownload the list of IOCs here. This IOC list was last updated on October 31, 2024, during which we observed that some of the IOCs were still used in the ongoing campaigns. This is not a comprehensive list of IOCs, because most of the related components of DEMODEX and GHOSTSPIDER have different file hashes for different endpoints. We will release more IOCs and hunting queries on the Vision One platform.\r\nSource: https://www.trendmicro.com/en_us/research/24/k/earth-estries.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/k/earth-estries.html"
	],
	"report_names": [
		"earth-estries.html"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2c3c22a-b3db-4d4a-9a5a-76bfe6171843",
			"created_at": "2023-11-21T02:00:07.315543Z",
			"updated_at": "2026-04-10T02:00:03.461446Z",
			"deleted_at": null,
			"main_name": "UNC4841",
			"aliases": [
				"SLIME57"
			],
			"source_name": "MISPGALAXY:UNC4841",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "de5630ec-93e0-4ef5-9ac3-fe422789e03d",
			"created_at": "2024-11-01T02:00:52.730802Z",
			"updated_at": "2026-04-10T02:00:05.330644Z",
			"deleted_at": null,
			"main_name": "INC Ransom",
			"aliases": [
				"INC Ransom",
				"GOLD IONIC"
			],
			"source_name": "MITRE:INC Ransom",
			"tools": [
				"PsExec",
				"Nltest",
				"Rclone",
				"AdFind",
				"esentutl",
				"INC Ransomware"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434077,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aac3f85bef8083fa7ef88e174324c3c28b856e8a.pdf",
		"text": "https://archive.orkl.eu/aac3f85bef8083fa7ef88e174324c3c28b856e8a.txt",
		"img": "https://archive.orkl.eu/aac3f85bef8083fa7ef88e174324c3c28b856e8a.jpg"
	}
}