{
	"id": "e704fafb-af60-49db-82ad-515f55cf893f",
	"created_at": "2026-04-06T00:21:40.70347Z",
	"updated_at": "2026-04-10T03:32:24.904544Z",
	"deleted_at": null,
	"sha1_hash": "b28d40918ab3d08a093ce53ce6526f8f0d73a53c",
	"title": "The Espionage Toolkit of Earth Alux A Closer Look at its Advanced Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2329479,
	"plain_text": "The Espionage Toolkit of Earth Alux: A Closer Look at its\r\nAdvanced Techniques\r\nBy: Lenart Bermejo, Ted Lee, Theo Chen Mar 31, 2025 Read time: 13 min (3480 words)\r\nPublished: 2025-03-31 · Archived: 2026-04-02 10:36:00 UTC\r\nKey takeaways:\r\nTrend Research’s consistent monitoring and investigation efforts have uncovered Earth Alux’s stealthy\r\nactivities and advanced techniques. One of the tools in the arsenal of this advanced persistent threat group\r\n(APT) is its primary backdoor, VARGEIT.\r\nLeft undetected, the attack can maintain a foothold in the system and carry out cyberespionage. The long-term collection and exfiltration of data could lead to far-reaching consequences, such as disrupted\r\noperations and financial losses.\r\nThe attacks are targeted toward the Asia-Pacific (APAC) and Latin American regions, hitting key sectors\r\nsuch as government, technology, logistics, manufacturing, telecommunications, IT services, and retail.\r\nRegular patching and updating, vigilant monitoring for any signs of compromise, and proactive protection\r\ncan help prevent such threats from infiltrating organizations’ systems.\r\nThe Earth Alux APT group’s schemes and tactics have been uncloaked through our relentless monitoring and\r\ninvestigation efforts. The China-linked intrusion set is actively launching cyberespionage attacks against the\r\ngovernment, technology, logistics, manufacturing, telecommunications, IT services, and retail sectors.\r\nThe first sighting of its activity was in the second quarter of 2023; back then, it was predominantly observed in the\r\nAPAC region. Around the middle of 2024, it was also spotted in Latin America.\r\nEarth Alux has also been observed to conduct regular tests for some of its toolsets to ensure stealth and longevity\r\nin the target environment.\r\nOverview of an Earth Alux attack\r\nTo gain entry into the system, Earth Alux mostly exploits vulnerable services in exposed servers. 
It then implants\r\nweb shells such as GODZILLA to facilitate the delivery of its backdoors.\r\nIt has mainly utilized VARGEIT as its primary backdoor and control tool, along with COBEACON. VARGEIT is\r\nused as a first, second, and/or later-stage backdoor, while COBEACON is employed as a first-stage backdoor.\r\nThis is distinguishable in the way VARGEIT is loaded: the first stage utilizes loading via a debugger script using\r\ncdb.exe, while later stages use DLL sideloading, which can include execution guardrails and timestomping\r\ntechniques via the RAILLOAD (loader component) and RAILSETTER (installation and\r\ntimestomping tool).\r\nhttps://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html\r\nPage 1 of 21\n\nVARGEIT is also the chief method through which Earth Alux operates supplemental tools for various tasks, such\r\nas lateral movement and network discovery in a fileless manner.\r\nAmong its various backdoor functions is the ability to load tools directly from its command-and-control (C\u0026C)\r\nserver to a spawned process of mspaint. As such, several mspaint processes can be observed performing tasks for\r\nthe backdoor, including network reconnaissance, collection, and exfiltration.\r\nFigure 1. 
Overview of Earth Alux\r\nEarth Alux TTPs\r\nEarth Alux employs a variety of advanced tactics, techniques, and procedures (TTPs) to facilitate its scheme.\r\nBelow is a detailed view of each phase of the attack:\r\nInitial access\r\nEarth Alux primarily utilizes vulnerable services in exposed servers for gaining initial access and for implanting\r\nweb shells such as GODZILLA to allow delivery of its first-stage backdoors.\r\nExecution, persistence, and defense evasion\r\nUpon gaining control via the implanted webshell, Earth Alux installs a first-stage backdoor (either COBEACON\r\nor VARGEIT) via different loading methods.\r\nCOBEACON\r\nPopular among many threat actors, COBEACON is also among the tools used by Earth Alux. It is primarily used\r\nas a first-stage backdoor and loaded as an encrypted payload of the DLL side-loaded MASQLOADER, or as a\r\nshellcode using RSBINJECT.\r\nCOBEACON loader – MASQLOADER\r\nThe first observed loading method used to execute COBEACON payloads is via MASQLOADER, a DLL side-loaded loader. This loader component decrypts its payload using a substitution cipher, where the encrypted\r\npayload contains 1- to 3-character strings that each have a hex value equivalent based on MASQLOADER’s substitution\r\ntable.\r\nFigure 2. MASQLOADER loading sequence\r\nFigure 3. Encrypted payload\r\nFigure 4. Substitution cipher array\r\nLater MASQLOADER versions also added an anti-API hooking technique. 
It does this by overwriting the code\r\nsection of ntdll.dll in its memory space with the code section of ntdll.dll taken directly from the file, effectively\r\noverwriting any API hooks inserted by monitoring tools and security tools with the original code.\r\nThis feature allows MASQLOADER and the injected payload to evade detections based on intercepted API calls\r\nfrom security software.\r\nFigure 5. Anti-API hooking of MASQLOADER\r\nOur telemetry suggests MASQLOADER is also being used by other groups besides Earth Alux. Additionally, the\r\ndifference in MASQLOADER’s code structure compared to other tools such as RAILSETTER and RAILLOAD\r\nsuggests that MASQLOADER’s development is separate from those toolsets.\r\nCOBEACON loader – RSBINJECT\r\nAnother tool used by Earth Alux to load COBEACON is RSBINJECT, a Rust-based command line shellcode\r\nloader.\r\nIt does not have decryption routines and loads the shellcodes directly. Instead, it has other features that help test\r\nthe shellcode using optional flags and subcommands.\r\nFigure 6. RSBINJECT flags and subcommands\r\nWhile RSBINJECT has been observed in attacks, its functionality suggests that it also doubles as a testing tool for\r\nshellcodes. Like MASQLOADER, this tool is likely not exclusive to Earth Alux.\r\nFirst stage VARGEIT execution – CDB\r\nFirst stage VARGEIT is executed via shellcode injection using a debugger script. This method uses cdb.exe\r\n(renamed as fontdrvhost.exe when dropped by the webshell) as the debugger and the host, running the script based\r\non the LOLBAS method.\r\nThe debugger script config.ini contains both a loader shellcode and the code for VARGEIT. 
This produces the\r\nfollowing command line:\r\nC:\\programdata\\fontdrvhost.exe -cf c:\\programdata\\config.ini -o c:\\programdata\\fontdrvhost.exe\r\nThis loading method is commonly used as the first-stage backdoor installation, delivered via the initial access\r\nmethods typically involving exploitation of externally exposed servers, and is often observed to install second and\r\nlater-stage VARGEIT.\r\nA variation of this loading method uses a shellcode, which loads an encrypted VARGEIT payload from a separate\r\nfile component.\r\nSecond stage VARGEIT execution – DLL side-loading\r\nSecond stage VARGEIT is executed via DLL side-loading involving the RAILLOAD loader tool. This method is\r\noften used for second or later-stage installations and can have execution guardrails implemented via the said tool,\r\nas well as evasive measures via RAILSETTER.\r\nRAILLOAD as second stage VARGEIT loader\r\nRAILLOAD is a loader tool executed via DLL side-loading and is used for second-stage loading.\r\nFigure 7. RAILLOAD loading sequence\r\nThis tool comes with its own configuration and has been seen to have a variety of payload components from either\r\nan encrypted file or a registry location.\r\nThe RAILLOAD configuration is base64-encoded and contains information separated by “||”:\r\nFile-based Configuration\r\n\u003cpath and filename of encrypted payload\u003e||\u003cAES Key\u003e||\u003chost path and filename\u003e\r\nRegistry-based Configuration\r\n\u003cRegistry Key\u003e||\u003cRegistry Data\u003e||\u003cAES Key\u003e||\u003cspecific host path and filename\u003e\r\nRAILLOAD decryption and execution guardrails\r\nRAILLOAD’s decryption routine uses base64 decoding followed by AES-128 CBC mode decryption. 
This can\r\nhave execution guardrails in some variants.\r\nFor example, if the config does not contain an AES key (can be left blank), RAILLOAD uses information from\r\nthe infected machine’s registry as a decryption key.\r\nIn older variants, the first 16 bytes of HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid are used,\r\nwhile on newer variants, the first 16 bytes of HKLM\\Software\\Microsoft\\Windows\r\nNT\\CurrentVersion\\ProductID are applied instead.\r\nRAILSETTER for persistence and timestomping\r\nRAILSETTER is a persistence installer component designed to work with RAILLOAD. Its main functions\r\ninclude:\r\nCopying and renaming RAILLOAD’s intended host from c:\\windows\\system32 to the intended target\r\ndirectory\r\nTimestomping RAILLOAD and its host’s create, access, and modify time\r\nCreating a scheduled task for persistence.\r\nRAILSETTER also has a base64-encoded configuration, which contains the information needed to perform its\r\nfunctions. The configuration is structured as follows:\r\n||\u003ctarget host from system\u003e||\u003ctimestomping date\u003e||\u003chost destination and new filename\u003e||\u003cRAILLOAD file\u003e||\r\n\u003cScheduled task\u003e||\u003cscheduled task description\u003e||\u003cScheduled Task Trigger Time\u003e||\r\nThe component’s execution flow is illustrated below:\r\nFigure 8. RAILSETTER execution flow\r\nRAILSETTER has been designed to be loaded via regsvr32.exe. RAILSETTER’s host is also deployed similarly\r\nto how RAILLOAD’s host is a relocated and renamed copy of an already existing file in the system. 
In later\r\nincidents involving Earth Alux, RAILSETTER no longer lands as a file but is instead executed via VARGEIT’s\r\nmspaint injection method.\r\nBackdoor and Command \u0026 Control\r\nThe majority of Earth Alux’s activities for these stages are handled using VARGEIT’s features, with one of them\r\nbringing in miscellaneous tools.\r\nAs a multi-channel configurable backdoor, the following are its available channels, which are mostly for\r\ncommunication and can be set in the configuration:\r\nID Channel\r\n0x00 HTTP\r\n0x01 Reverse TCP\r\n0x02 Reverse UDP\r\n0x03 Bind TCP\r\n0x04 Bind HTTP\r\n0x05 Outlook\r\n0x06 ICMP\r\n0x07 DNS\r\n0x08 Web\r\n0x09 Bind SMB\r\nTable 1. VARGEIT channels\r\nThe Outlook channel, which utilizes Graph API, is predominantly used in all observed attacks. Later variants also\r\ninclude versions where the Outlook channel is the only option.\r\nGraph API enables authorized access to a user's Outlook mail data, allowing email-related operations such as\r\nreading, sending, and managing emails, as well as accessing calendar events and contacts from primary and shared\r\nmailboxes.\r\nVARGEIT’s configuration can also vary depending on the channel used. 
The Outlook channel type configuration\r\ncontains the following information:\r\nOffset Size Value\r\n0x00 ~(up to 0x1388) Refresh token for MS Auth\r\n0x1388 ~(up to 0xC8) URL for backup refresh token\r\n0x1450 0x10 GUID used as registry data where (auth) token is stored\r\n0x1478 0x02 Unknown ID added to communication message + 0x2B\r\n0x147a 0x04 Unknown DW value\r\n0x147e 0x01 Channel byte; decides which communication channel will be used\r\n0x147f 0x10 AES-128 key used for message decryption/Encryption\r\n0x148f 0x01 Flag to get external IP or not\r\n0x1490 0x01 Unknown byte\r\n0x1491 0x01 Exit byte\r\n0x1492 0x04 Unknown DW value\r\nTable 2. VARGEIT Outlook channel type configuration\r\nIn later versions of the backdoor, the URL for the backup refresh token and the GUID used as registry data for auth\r\ntoken storage have been removed from the configuration, adjusting the offset location for the rest of the\r\ninformation.\r\nUsing Graph API, the Outlook communication channel utilizes the draft folder for message exchanges between\r\nthe backdoor and the controller. Backdoor messages are prepended with p_, while messages from the controller\r\nare prepended with r_.\r\nMessages processed by the backdoor are also deleted to remove tracks, and based on observation, the controller is\r\nalso likely to have the same functionality:\r\nFigure 9. VARGEIT and controller interaction\r\nServer message\r\nThe message from the C\u0026C server is prepended with r_. 
A message ID allows the controller to keep track of the\r\nbackdoor instance being controlled and enables the backdoor’s instance to identify which message it should read.\r\nThe message ID is generated per backdoor instance using the fnv-1a x64 hash of a randomly generated GUID.\r\nThe decimal equivalent of the fnv-1a x64 hash is used in the message title, while the hex equivalent is also\r\nembedded in the communication packet.\r\nThe server message body contains the actual communication data, which is encrypted using AES-128 CBC mode\r\nand compressed using zlib. It is then stored as a base64-encoded string within the message body.\r\nFigure 10. Server message example\r\nFigure 11. Decoded message from the C\u0026C server\r\nThe base64-decoded layer has a header structure, and the actual encrypted data starts at offset 0x2a:\r\nOffset Size Value\r\n0x00 0x1e (First unboxed sequence) Randomly generated padding bytes\r\n0x1e 0x04 (Boxed in red) Size of the ByteArray\r\n0x22 0x08 (Boxed in yellow) messageID in hex\r\n0x2a ~ (Boxed in black) Start of encrypted data\r\nTable 3. Communication header structure\r\nAfter decryption and decompression of the encrypted data, the message follows a specific structure:\r\nFigure 12. Decrypted data from C\u0026C\r\nOffset Size Data\r\n0x00 0x04 (First unboxed sequence) Size of the uncompressed message\r\n0x04 0x04\r\n(Boxed in red) Size of the remaining data passed as a parameter for the corresponding\r\ncommand’s function call\r\n0x08 0x01 (Boxed in yellow) Command ID\r\n0x09 0x08 (Boxed in black) Unknown\r\n0x11 ~ (Boxed in white) Start of additional arguments (varies with command ID)\r\nTable 4. Decrypted communication data structure\r\nFigure 13. VARGEIT backdoor message example\r\nFigure 14. 
Decoded message from the backdoor\r\nIt shares a similar structure with the server message, with some additional data in the message header block:\r\nOffset Size Data\r\n0x00 0x1e Randomly generated padding bytes\r\n0x1e 0x04 Total size of the bytearray\r\n0x22 0x01\r\nUnknown communication flag\r\n     A message with empty content has a value of 0x00\r\n     A message in response to collect message id has a value of 0x01 \r\n0x23 0x08 messageID in hex\r\n0x2b 0x08 ID from config+0x1478\r\nThe ID from the config only has the size of a WORD, but when sending communication to\r\nthe server, the allocated size for this ID is a QWORD\r\n0x33 ~ Start of the encrypted data to be sent\r\nTable 5. Decoded communication header structure\r\nThe encrypted data has a structure that varies based on what command the backdoor is responding to.\r\nFigure 15. Decrypted data from the backdoor\r\nThe example in the image above is a response to the system info collection command, and it shows information\r\nsuch as the username, computer name, external IP address, internal IP address, OS version, user admin flag, host\r\nprocess name, and host process ID.\r\nVARGEIT capabilities\r\nVARGEIT’s backdoor capabilities are as follows:\r\nCollect system information\r\nCommunicate using different channels\r\nInteract with Windows Defender Firewall\r\nCollect drive information\r\nCollect running processes information\r\nGet, set, search, create, and delete directories\r\nRead and write to file\r\nExecute command lines\r\nInject misc tools to a controlled mspaint or conhost instance\r\nAttackers use the mspaint injection to directly execute additional tools from the C\u0026C server to the target machine\r\nwithout file landing. 
VARGEIT opens an instance of mspaint where a shellcode from the C\u0026C server is to be\r\ninjected.\r\nCode injection and execution use RtlCreateUserThread, VirtualAllocEx, and WriteProcessMemory. For\r\ncommand line tools, VARGEIT creates a pipe where the output can be read and sent back to the controller. For\r\ninjected tools that require interaction, the backdoor uses the named pipe.\r\nFigure 16. Method 1: Executing the remote code\r\nFigure 17. Method 2: Reading the output of the tool via an anonymous pipe\r\nFigure 18. Method 3: Interacting with the injected process via named pipe\r\nDiscovery, collection, and exfiltration\r\nIt is also worth noting that VARGEIT can launch multiple instances of MSPaint to host tools. Various activities\r\ncan be performed in the stages of the attack:\r\nInstallation\r\nIn more recent attacks, Earth Alux has changed the deployment method of RAILSETTER, one of its persistence\r\ninstallation tools. 
Previously deployed as a DLL file to be loaded via regsvr32.exe, this tool is now executed via the\r\nmspaint method.\r\nThough there is no distinguishable argument in the mspaint process, the installation and timestomping behavior of\r\nRAILSETTER can be observed to come from it.\r\nDiscovery\r\nEarth Alux deploys tools that appear to perform security event log and group policy discovery, as well as\r\nnetwork/LDAP reconnaissance.\r\nAn mspaint process performing a security event log and group policy discovery can show the following command\r\nline arguments:\r\nC:\\Windows\\System32\\mspaint.exe Aslire597 \u003cadditional parameters\u003e\r\nAn mspaint process performing network/LDAP reconnaissance can be seen with the following arguments:\r\nC:\\Windows\\System32\\mspaint.exe sElf98RqkF ldap \u003cIP\u003e \u003cAD Domain\u003e \u003cmachine AD domain\u003e\r\nThe network/LDAP reconnaissance process can also generate files containing network information. These are\r\ncreated inside a folder with the format \u003cdata path\u003e\\\u003cad domain name\u003e_\u003cdate and time of collection\u003e\\ (for\r\nexample, c:\\programdata\\data\\ad.domain.name_20241111062500\\). 
The following files can be created under\r\nthis path:\r\nadcs.txt\r\nadmin.keyword.users.txt\r\nall.dc.host.txt\r\nall.dns.record.txt\r\nall.exchange.host.txt\r\nall.gpo.txt\r\nall.group.user.txt\r\nall.host.txt\r\nall.mssql.host.txt\r\nall.old.host.txt\r\nall.ou.txt\r\nall.spn.txt\r\nall.trusted.domain.txt\r\nall.trusted.txt\r\nall.user.workstations.host.txt\r\nall.users.txt\r\nas-rep_roasting.txt\r\ndelegation.host.txt\r\ndelegation.users.txt\r\ndisabled.users.txt\r\ndomain.admin.groups.txt\r\ndomain.adminsdholder.users.txt\r\nlocked.users.txt\r\nneverexpire.users.txt\r\npassword_policy.txt\r\nunconstrained_delegation.host.txt\r\nunconstrained_delegation.users.txt\r\nThese files are then archived under the data path (c:\\programdata\\data in the example), with the filename\r\nad.domain.name_20241111062500.zip.\r\nCollection\r\nEarth Alux loads a possible custom compression tool to mspaint for collection purposes. The process has the\r\nfollowing arguments and output for a compressed file (with the file extension .tar.gz):\r\nC:\\Windows\\System32\\mspaint.exe \u003ctarget directory for compression\u003e \u003cpath and filename of compressed file\u003e\r\n\u003cunknown argument\u003e\r\nAmong the collected files are ones produced during the discovery stage.\r\nExfiltration\r\nEarth Alux also deploys an exfiltration tool via this method to exfiltrate the compressed file created during the\r\ncollection stage. Here, it displays the following arguments:\r\nC:\\Windows\\System32\\mspaint.exe  gWgGfsq1PcUUoo \u003cregion\u003e \u003cbucket name\u003e \u003cID\u003e \u003csecret\u003e \u003cexpire time\u003e\r\ndm9TTlEwM0NXRkF3TXRkM3RVSHg3SGQ3TDl4YVNRNGY=  \u003cpath of data for exfiltration\u003e\r\nIt is interesting to note that the exfiltrated data is sent to an attacker-controlled cloud storage bucket. 
Based on our\r\ntelemetry, Earth Alux has used the same cloud storage bucket to exfiltrate from different targets.\r\nTesting and development\r\nEarth Alux conducts several tests with RAILLOAD and RAILSETTER. These include detection tests and\r\nattempts to find new hosts for DLL side-loading.\r\nDLL side-loading tests involve ZeroEye, an open source tool popular within the Chinese-speaking community, for scanning EXE files’ import tables for imported DLLs that can be abused for side-loading.\r\nFigure 19. Command line version options\r\nFigure 20. Scan result\r\nFigure 21. Qualified candidate output\r\nEarth Alux pairs ZeroEye with CloneExportTable, a tool used to clone the export table of a specified DLL into the\r\nexport table of the DLL that is used for side-loading. Use of this tool usually involves cloning the desired DLL’s\r\nexport table into RAILLOAD samples.\r\nFigure 22. CloneExportTable command\r\nFigure 23. Example of resulting export table\r\nEarth Alux also used VirTest, another testing tool popular among the Chinese-speaking community, for detection\r\ntesting purposes and to enhance their toolsets’ evasive features.\r\nFigure 24. 
VirTest tool\r\nVirTest allows users to pinpoint the code in their tools that causes file-based detections from security software and\r\nmodify that code to bypass file-based detections.\r\nTarget industries\r\nEarth Alux has predominantly targeted a diverse array of sectors, namely government, technology, logistics,\r\nmanufacturing, telecommunications, IT services, and retail, reflecting its strategic focus on high-value and\r\nsensitive information across different industries.\r\nThe group's activities have primarily been observed in the APAC region, specifically affecting countries such as\r\nThailand, the Philippines, Malaysia, and Taiwan. In mid-2024, Earth Alux extended its operations to Latin\r\nAmerica, with notable incidents reported in Brazil.\r\nConclusion and security recommendations\r\nEarth Alux represents a sophisticated and evolving cyberespionage threat, leveraging a diverse toolkit and\r\nadvanced techniques to infiltrate and compromise a range of sectors, particularly in the APAC region and Latin\r\nAmerica.\r\nIts reliance on the VARGEIT backdoor, along with the use of COBEACON and various loading methods,\r\nhighlights a strategic approach to maintaining stealth and persistence within target environments.\r\nThe group's ongoing testing and development of its tools further indicate a commitment to refining its capabilities\r\nand evading detection.\r\nUnderstanding the operational methods associated with Earth Alux is crucial for developing effective defenses and\r\nmitigating the risks posed by such advanced cyber threats. 
To bolster protection against APT attacks, organizations\r\ncan adopt a proactive security mindset by implementing security best practices such as the following:\r\nPeriodically patch and update systems used, as attackers can take advantage of vulnerabilities to gain initial\r\naccess.\r\nPerform vigilant monitoring to observe any unusual activity such as an uncommonly heavy network\r\nactivity, reduced performance and speed, and so on.\r\nLeverage solutions that help organizations take a proactive security stance and manage security holistically\r\nwith comprehensive prevention, detection, and response capabilities.\r\nAs organizations continue to face the challenges posed by Earth Alux, it is imperative to enhance their\r\ncybersecurity measures, adopt proactive threat detection strategies, and remain vigilant against the evolving tactics\r\nof this persistent adversary.\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber\r\nrisk exposure management, security operations, and robust layered protection. This comprehensive approach helps\r\nyou predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed\r\nby decades of cybersecurity leadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it\r\ndelivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time.\r\nSecurity leaders can benchmark their posture and showcase continuous improvement to stakeholders. 
With Trend\r\nVision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into\r\na strategic partner for innovation.\r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and\r\nThreat Insights. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to\r\nprepare for emerging threats by offering comprehensive information on threat actors, their malicious activities,\r\nand their techniques.\r\nBy leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks,\r\nand effectively respond to threats.\r\nTrend Vision One Intelligence Reports App [IOC Sweeping]\r\nThe Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques\r\nTrend Vision One Threat Insights App\r\nThreat Actor: Earth Alux\r\nEmerging Threat: The Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt for the malicious indicators mentioned in\r\nthis blog post with data in their environment.\r\nEarth Alux Malware\r\nmalName: (*VARGEIT* OR *RAILLOAD* OR *RAILSETTER*) AND eventName:\r\nMALWARE_DETECTION\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights Entitlement\r\nenabled.\r\nIndicators of Compromise (IoC)\r\nThe indicators of compromise for this entry can be found here:\r\nSource: https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html"
	],
	"report_names": [
		"the-espionage-toolkit-of-earth-alux.html"
	],
	"threat_actors": [
		{
			"id": "2f964894-0020-457e-b4e7-65a8c8fe740c",
			"created_at": "2025-05-29T02:00:03.202897Z",
			"updated_at": "2026-04-10T02:00:03.858601Z",
			"deleted_at": null,
			"main_name": "Earth Alux",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Alux",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fdcb30ba-5fef-4ae2-97bd-f8200f4bd2e5",
			"created_at": "2025-04-22T02:01:52.35523Z",
			"updated_at": "2026-04-10T02:00:04.658231Z",
			"deleted_at": null,
			"main_name": "Earth Alux",
			"aliases": [],
			"source_name": "ETDA:Earth Alux",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Godzilla",
				"Godzilla Loader",
				"MASQLOADER",
				"RAILLOAD",
				"RAILSETTER",
				"RSBINJECT",
				"VARGEIT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434900,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b28d40918ab3d08a093ce53ce6526f8f0d73a53c.pdf",
		"text": "https://archive.orkl.eu/b28d40918ab3d08a093ce53ce6526f8f0d73a53c.txt",
		"img": "https://archive.orkl.eu/b28d40918ab3d08a093ce53ce6526f8f0d73a53c.jpg"
	}
}