{
	"id": "30ba869d-85ea-422a-80d2-3df52fb3b51b",
	"created_at": "2026-04-06T01:32:20.349515Z",
	"updated_at": "2026-04-10T03:32:20.727192Z",
	"deleted_at": null,
	"sha1_hash": "ae57acad1ee53001654051a8870c307dc0b40ab2",
	"title": "APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 614996,
	"plain_text": "APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign\r\nBy Ted Lee\r\nPublished: 2021-08-24 · Archived: 2026-04-06 00:52:39 UTC\r\nWe have uncovered a cyberespionage campaign being perpetrated by Earth Baku, an advanced persistent threat (APT) group with a known history of carrying out cyberattacks under the alias APT41. This is not the group’s first foray into cyberespionage, and its long list of past cybercrimes also includes ransomware and cryptocurrency mining attacks.\r\nEarth Baku deploys its ongoing campaign, which can be traced to as far back as July 2020, through multiple attack vectors that are designed based on different exploits or the infrastructure of its targeted victim's environment:\r\n• SQL injection to upload a malicious file\r\n• Installment through InstallUtil.exe in a scheduled task\r\n• Possibly a malicious link (LNK) file sent as an email attachment\r\n• Exploitation of the ProxyLogon vulnerability CVE-2021-26855 to upload a China Chopper web shell\r\nThis campaign uses previously unidentified shellcode loaders, which we have named StealthVector and StealthMutant, and a backdoor, which we have dubbed ScrambleCross. Earth Baku has developed these new malware tools to facilitate targeted attacks on public and private entities alike in specific industries that are located in the Indo-Pacific region. Thus far, the affected countries include India, Indonesia, Malaysia, the Philippines, Taiwan, and Vietnam.\r\nhttps://www.trendmicro.com/en_us/research/21/h/apt41-resurfaces-as-earth-baku-with-new-cyberespionage-campaign.html\r\nPage 1 of 4\r\nFigure 1. Countries affected by Earth Baku’s new campaign\r\nSource: Trend Micro™ Smart Protection Network™ infrastructure\r\nStealthVector\r\nWe initially observed StealthVector, a shellcode loader written in C/C++, in October 2020. StealthVector is designed with various configurable features that make it easy for malicious actors to modify and tailor it to their needs, including a feature that disables Event Tracing for Windows (ETW), allowing the malware to run in stealth mode. This loader can stealthily run its payload in various ways, such as using the CreateThread function, bypassing Microsoft’s Control Flow Guard (CFG), module stomping, and phantom dynamic link library (DLL) hollowing.\r\nStealthMutant\r\nLike StealthVector, StealthMutant, which supports both 32-bit and 64-bit operating systems, can disable ETW. This loader, written in C#, has been used by malicious actors since July 2020. Many of the StealthMutant samples we have analyzed use AES-256-ECB for decryption; alternatively, an earlier variant of the loader uses XOR. After its payload is decrypted, StealthMutant performs process hollowing to execute its payload in a remote process.\r\nScrambleCross\r\nBoth StealthMutant and StealthVector contain a payload of either the Cobalt Strike beacon or ScrambleCross, a newly discovered backdoor. ScrambleCross receives instructions from its command-and-control (C\u0026C) server that allow it to receive and manipulate plug-ins. However, we have yet to retrieve and study one of these plug-ins. It has many of the same capabilities as another backdoor, Crosswalk, which has also been used by Earth Baku. For example, both calculate the hash of the code section as an anti-debugging technique, both are designed as fully position-independent code, and both support various kinds of network communication protocols.\r\nConnections to other campaigns\r\nEarth Baku’s recent activities are related to another campaign that has been active since at least November 2018, as reported by FireEye and Positive Technologies. While the older campaign uses a different shellcode loader, which we have named LavagokLdr, we have observed similar code and procedures between LavagokLdr and StealthVector. In the same vein, we have observed that LavagokLdr’s payload, Crosswalk, and one of StealthVector’s payloads, ScrambleCross, perform similar techniques for decryption and signature checking. But because Earth Baku has updated its toolset with StealthVector, StealthMutant, and ScrambleCross for this new campaign, we have identified it as its own separate operation.\r\nFigure 2. A timeline of Earth Baku’s previous campaign as APT41 and its new campaign\r\nHow Earth Baku creates its malware tools\r\nEarth Baku is known for its use of self-developed tools. To continue doing so, it appears to be filling its ranks with malicious actors who are pooling their diverse skills. Interestingly, the new malware tools involved in Earth Baku’s new campaign indicate that the APT group has likely recruited members who specialize in low-level programming, software development, and red-team techniques.\r\nFor more details about Earth Baku’s new campaign, read our research paper \"Earth Baku: An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor.\"\r\nSource: https://www.trendmicro.com/en_us/research/21/h/apt41-resurfaces-as-earth-baku-with-new-cyberespionage-campaign.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/h/apt41-resurfaces-as-earth-baku-with-new-cyberespionage-campaign.html"
	],
	"report_names": [
		"apt41-resurfaces-as-earth-baku-with-new-cyberespionage-campaign.html"
	],
	"threat_actors": [
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439140,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae57acad1ee53001654051a8870c307dc0b40ab2.pdf",
		"text": "https://archive.orkl.eu/ae57acad1ee53001654051a8870c307dc0b40ab2.txt",
		"img": "https://archive.orkl.eu/ae57acad1ee53001654051a8870c307dc0b40ab2.jpg"
	}
}