{
	"id": "7509c8e3-ec58-4549-89e1-31c10d33b6c3",
	"created_at": "2026-04-06T00:18:41.425677Z",
	"updated_at": "2026-04-10T03:36:47.942488Z",
	"deleted_at": null,
	"sha1_hash": "b5dbcf77e13cf178285a017f956282e61ad937b6",
	"title": "Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2392930,
	"plain_text": "Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks\r\nBy: Joseph C Chen, Daniel Lunghi Mar 18, 2024 Read time: 12 min (3285 words)\r\nPublished: 2024-03-18 · Archived: 2026-04-05 13:33:50 UTC\r\nIntroduction\r\nSince early 2022, we have been monitoring an APT campaign that targets several government entities worldwide, with a strong focus on Southeast Asia, but also seen targeting Europe, America, and Africa. The threat actor exploits public-facing servers and sends spear-phishing emails to deliver previously unseen backdoors.\r\nOur research allowed us to identify the campaign’s multiple connections with a China-nexus threat actor we track as Earth Lusca. However, since the campaign employs independent infrastructure and unique backdoors, we believe it to be a separate intrusion set that we named Earth Krahang. We will examine these connections, as well as potential links to a Chinese company named I-Soon, in a separate section.\r\nOne of the threat actor’s favorite tactics involves using its malicious access to government infrastructure to attack other government entities, abusing the infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts. Earth Krahang also uses other tactics, such as building VPN servers on compromised public-facing servers to establish access into the private network of victims and performing brute-force attacks to obtain email credentials. These credentials are then used to exfiltrate victim emails, with the group’s ultimate goal being cyberespionage.\r\nDue to mistakes on the attacker’s side, we managed to retrieve multiple files from Earth Krahang’s servers, including samples, configuration files, and log files from its attack tools. 
Combining this information with our telemetry helped us understand the Earth Krahang operation and build a clear view of the threat actor’s victimology and interests. In addition, we will also share their preferred malware families and post-exploitation tools in this report.\r\nReconnaissance and initial access\r\nhttps://www.trendmicro.com/en_us/research/24/c/earth-krahang.html\r\nPage 1 of 12\n\nFigure 1. Infection chain of an Earth Krahang spear-phishing attack (see the MITRE ATT\u0026CK section for the details of each technique ID)\r\nOne of the infection vectors used involves the scanning of public-facing servers. Earth Krahang heavily employs open-source scanning tools that perform recursive searches for folders such as .git or .idea. The threat actor also resorts to simply brute-forcing directories to help identify files that may contain sensitive information such as file paths or passwords on the victim’s servers. They also tend to examine the subdomains of their targets to find interesting and possibly unmaintained servers. Earth Krahang also conducts vulnerability scanning with tools like sqlmap, nuclei, xray, vscan, pocsuite, and wordpressscan to find web server vulnerabilities that will allow them to access the server, drop web shells, and install backdoors.\r\nThe threat actor abused the following vulnerabilities multiple times:\r\nCVE-2023-32315: command execution on OpenFire\r\nCVE-2022-21587: command execution on Oracle Web Applications Desktop Integrator\r\nEarth Krahang also makes use of spear-phishing emails to attack its targets. Like most spear-phishing attacks, the emails are intended to trick their targets into opening attachments or embedded URL links that ultimately lead to the execution of a prepared backdoor file on the victim’s machine. 
Our telemetry data and some of the group’s backdoors uploaded on VirusTotal revealed that the backdoor filenames are usually related to geopolitical topics, indicating their preferred type of lure:\r\n\"Plan of Action (POA) - TH-VN - TH_Counterdraft_as of Feb 2022.doc.exe\"\r\nคำบอกกล่าวคำฟ้อง.rar (translated as “Notice of complaint.rar”)\r\n“ร่างสถานะ ครม. รว. ไทย-โรมาเนีย as of 25 Feb 2022.doc.exe” (translated as “Draft Cabinet status of Thailand-Romania as of 25 Feb 2022.doc.exe”)\r\n“Malaysian defense minister visits Hungary.Malaysian defense minister visits Hungary.exe”\r\n“ICJ public hearings- Guyana vs. Venezuela.ICJ public hearings- Guyana vs. Venezuela.exe”\r\n“On the visit of Paraguayan Foreign Minister to Turkmenistan.exe”\r\n“pay-slip run persal payslip.pay-slip run persal payslip.docx.exe”\r\nWe noticed that Earth Krahang retrieves hundreds of email addresses from their targets during the reconnaissance phase. In one case, the actor used a compromised mailbox from a government entity to send a malicious attachment to 796 email addresses belonging to the same entity. The malicious attachment was a RAR archive containing an LNK file that deployed the XDealer malware (which we will discuss in the Delivered malware families section) and opened a decoy document (available online) related to the governmental entity. It is likely that the actor discovered the weak credentials of the compromised mailbox using brute-forcing tools.\r\nEarth Krahang abuses the trust between governments to conduct their attacks. We found that the group frequently uses compromised government web servers to host their backdoors and send download links to other government entities via spear-phishing emails. 
Since the malicious link uses a legitimate government domain of the compromised server, it will appear less suspicious to targets and may even bypass some domain blacklists.\r\nIn addition, the actor used a compromised government email account to send emails to other governments. We noticed the following email subjects being used for spear-phishing emails:\r\nsalary\r\nMalaysian Ministry of Defense Circular\r\nMalaysian defense minister visits Hungary\r\nICJ public hearings- Guyana vs. Venezuela\r\nAbout Guyana Procurement Proposal for Taiwan \u003credacted\u003e\r\nFigure 2. The Python script used by Earth Krahang to send spear-phishing emails to other governments via a stolen government account (redacted)\r\nOur telemetry also showed that the threat actor compromised a government web server and leveraged it to scan for vulnerabilities in other government targets.\r\nPost-exploitation TTPs\r\nThe threat actor installs SoftEther VPN on compromised public-facing servers, using certutil commands to download and install the SoftEther VPN server. The SoftEther server executable is renamed to either taskllst.exe, tasklist.exe, or tasklist_32.exe for the Windows executable and curl for the Linux executable to make it look like a legitimate file on the installed system. 
With the VPN server installed, the actor can then connect to the victim’s network to conduct their post-exploitation movements.\r\nAdditional post-exploitation movements include:\r\nMaintaining backdoor persistence with task scheduling\r\nEnabling Remote Desktop connections by modifying the Windows Registry value “fDenyTSConnections”\r\nAccessing credentials by dumping Local Security Authority Subsystem Service (LSASS) memory with Mimikatz or ProcDump\r\nAccessing credentials by dumping the SAM database (HKLM/sam) from the Windows Registry\r\nScanning the network using Fscan\r\nLateral code execution via WMIC\r\nUsing tools such as BadPotato, SweetPotato, GodPotato, or PrinterNotifyPotato for privilege escalation on Windows systems\r\nExploiting CVE-2021-4034, CVE-2021-22555, and CVE-2016-5195 for privilege escalation on Linux systems\r\nEmail exfiltration\r\nWe observed Earth Krahang conducting brute-force attacks on the Exchange servers of its victims via their Outlook on the web (formerly known as Outlook Web Access, or OWA) portals. The threat actor uses a list of common passwords to test the email accounts on the target’s email server. We have observed the group using a custom Python script targeting the ActiveSync service on the OWA server to perform their brute-force attack.\r\nWe also found the threat actor using the open-source tool ruler to brute force email accounts and passwords. Email accounts using weak passwords can be identified by the attacker, who can then perform email exfiltration or abuse the compromised account to send spear-phishing emails (as we discussed earlier).\r\nWe also identified another Python script that the actor used to exfiltrate emails from a Zimbra mail server. The script can package the victim’s mailbox via the mail server API using an authenticated cookie stolen by the threat actor. 
However, our investigation was unable to determine how the authenticated tokens were stolen from the victim’s server.\r\nFigure 3. The Python script used by Earth Krahang to exfiltrate the victim’s mailbox\r\nDelivered malware families\r\nEarth Krahang delivers backdoors to establish access to victim machines. Cobalt Strike and two custom backdoors, RESHELL and XDealer, were employed during the initial stage of attack. We found that these backdoors were delivered either through spear-phishing emails or deployed via web shell on compromised servers.\r\nWe found the RESHELL backdoor being used several times in attacks during 2022. Palo Alto mentioned it being used in a targeted attack against a Southeast Asian government in a previous research report. RESHELL is a simple .NET backdoor that possesses the basic capabilities of collecting information, dropping files, or executing system commands. Its binaries are packed with ConfuserEX and its command-and-control (C\u0026C) communication is encrypted with the AES algorithm.\r\nSince 2023, Earth Krahang has shifted to another backdoor (named XDealer by TeamT5 and DinodasRAT by ESET). Compared to RESHELL, XDealer provides more comprehensive backdoor capabilities. In addition, we found that the threat actor employed both Windows and Linux versions of XDealer to target different systems.\r\nEach XDealer sample embeds a mark string that represents the backdoor’s version. 
We observed the following marks:\r\nMark | First seen | Platform\r\nWin_%s_%s_%u_V10 | 2023-09 | Windows\r\nDin_%s_%s_%u_V12 | 2023-04 | Windows\r\nDin_%s_%s_%u_V10 | 2023-04 | Windows\r\nLinux_%s_%s_%u_V10 | 2023-01 | Linux\r\nWin_%s_%s_%u_V6 | 2022-10 | Windows\r\nDin_%s_%s_%u_V1 | 2022-09 | Windows\r\nRin_%s_%s_%u_V6 | 2021-04 | Windows\r\nTable 1. The list of the identified marks embedded in XDealer samples\r\nThis finding indicates that the backdoor may have been used in the wild for some time now and is still under active development.\r\nIt's worth noting that many early XDealer samples were developed as a DLL file packaged with an installer, a stealer module DLL, a text file containing an ID string, and an LNK file. The LNK file executes the installer, which then installs the XDealer DLL and the stealer module DLL on the victim’s machine. The stealer module can take screenshots, steal clipboard data, and log keystrokes.\r\nIn one case, we found that the LNK file was replaced with another executable, which is an installer loader (it’s likely that Earth Krahang employed a different execution scheme instead of a standalone executable).\r\nFurthermore, we found that some of the XDealer DLL loaders were signed with valid code signing certificates issued by GlobalSign to two Chinese companies. According to public information available on the internet, one is a human resource company, while the other is a game development company. It’s likely that their certificates were stolen and abused to sign malicious executables.\r\nPackage name | Installer | XDealer DLL | Screenshot module DLL | ID file | LNK/Loader\r\nGoogleVaS | RuntimeInit.exe | 1.dll | 2.dll | id.data | RuntimeInit.lnk\r\nGoogleUps | GoogleUpdate.exe | 1.dll | 2.dll | Id.data | GoogleUpdate.lnk\r\nGoogleInc | GoogleUpdate.exe | twain_64.dll | advapi64.dll | - | svrhost.exe\r\nTable 2. 
The list of packages delivering the XDealer DLL and other files\r\nCertificate hash | Certificate\r\nbe9de0d818b4096d80ce7d88110917b2a4e8273f | 上海笑聘网络科技有限公司\r\nbe31e841820586e9106407d78ae190915f2c012d | 上海指聚网络科技有限公司\r\nTable 3. The list of certificates abused to sign the XDealer loader\r\nCobalt Strike was also frequently used during the initial stage of an attack. Interestingly, we found that instead of the typical Cobalt Strike usage, Earth Krahang adds additional protection to their C\u0026C server through the adoption of the open-source project RedGuard, which is basically a proxy that helps red teams hinder the discovery of their Cobalt Strike C\u0026C profile.\r\nThe threat actor abused RedGuard to prevent its C\u0026C servers from being identified by blue team Cobalt Strike C\u0026C scanners or search engine web crawlers. It also helps the group monitor who is collecting their C\u0026C profiles. We found that Earth Krahang’s C\u0026C server redirected invalid C\u0026C requests to security vendor websites due to RedGuard’s protections.\r\nThe Cobalt Strike payload is loaded through DLL side-loading. In one case we analyzed, the threat actor dropped three files, fontsets.exe, faultrep.dll, and faultrep.dat. The file fontsets.exe (SHA256: 97c668912c29b8203a7c3bd7d5d690d5c4e5da53) is a legitimate executable that was abused to side-load the DLL file faultrep.dll (SHA256: a94d0e51df6abbc4a7cfe84e36eb8f38bc011f46).\r\nThe faultrep.dll file is a custom shellcode loader that decodes the encoded shellcode — which is Cobalt Strike — stored inside faultrep.dat. 
We also found another DLL loader with a similar decoding routine, but with different byte values for decoding, that loads shellcode from a different filename (conf.data).\r\nUsing our telemetry data, we found that the threat actor also dropped PlugX and ShadowPad samples in victim environments. The PlugX sample, named fualtrep.dll, is likely used for side-loading, similar to the Cobalt Strike routine mentioned above. The ShadowPad samples had the exact same characteristics as seen in our previous Earth Lusca report.\r\nVictimology\r\nWe found approximately 70 different victims (organizations that were confirmed to be compromised) spread across 23 different countries. Since we had access to some of Earth Krahang’s logs, we were also able to identify 116 different targets (including those that were not confirmed to be compromised) in 35 countries.\r\nIn total, the threat actor was able to compromise or target victims in 45 different countries spread across different regions, most of them in Asia and America, but also in Europe and Africa.\r\nFigure 4. The map of victims targeted by Earth Krahang (countries in red are those with at least one entity compromised, while countries in yellow are those with at least one entity targeted)\r\nGovernment organizations seem to be Earth Krahang’s primary targets. As an example, in the case of one country, we found that the threat actor compromised a diverse range of organizations belonging to 11 different government ministries.\r\nWe found that at least 48 government organizations were compromised, with a further 49 other government entities being targeted. Foreign Affairs ministries and departments were a top target, with 10 such organizations compromised and five others targeted.\r\nEducation is another sector of interest to the threat actor. 
We found at least two different victims and 12 targets belonging to this sector. The communications industry was also targeted; we found multiple compromised telecommunications providers. Other target organizations and entities include post offices (targeted in at least three different countries), logistics platforms, and job services.\r\nThere were other industries targeted, but on a smaller scale, including the following:\r\nFinance/Insurance\r\nFoundations/NGOs/Think tanks\r\nHealthcare\r\nIT\r\nManufacturing\r\nMedia\r\nMilitary\r\nReal estate\r\nRetail\r\nSports\r\nTourism\r\nAttribution\r\nInitially, we had no attribution for this campaign since we found no infrastructure overlaps, and had never seen the RESHELL malware family before. Palo Alto published a report that attributes, with moderate confidence, a particular cluster using RESHELL malware to GALLIUM. However, the assessment is based on a toolset that is shared among many different threat actors, and we were hesitant to use this link for proper attribution. We also considered the possibility that RESHELL is a shared malware family.\r\nEarth Krahang switched to the XDealer malware family in later campaigns. In a research paper presented by TeamT5, XDealer was shown to be associated with Luoyu, a threat actor with Chinese origins that used the WinDealer and ReverseWindow malware families. Our colleague, who was previously involved in the research of Luoyu, shared with us the insights on this association, particularly the sharing of an encryption key between an old XDealer sample and a SpyDealer sample — suggesting a connection between both malware families. ESET, which named this malware DinodasRAT, wrote an extensive report on its features. 
However, they had no particular attribution apart from the possible China-nexus origin.\r\nWhile we believe it could be possible that this campaign has links to LuoYu, we found no traces of other malware families used by this threat actor. Also, the encryption key mentioned above is different from the samples we found in this campaign, meaning that this malware family has multiple builders. This could suggest that either the key was changed at some point in development, or that the tool is shared among different groups.\r\nIn January 2022, we reported on a China-nexus threat actor we called Earth Lusca, following up with updates on their use of a newly discovered backdoor named SprySOCKS and their recent activities capitalizing on the Taiwanese presidential election. During our investigation, we noticed malware being downloaded from IP addresses we attribute to Earth Lusca (45[.]32[.]33[.]17 and 207[.]148[.]75[.]122, for example) at the lateral movement stage of this campaign. This suggests a strong link between this threat actor and Earth Lusca. We also found infrastructure overlaps between some C\u0026C servers that communicated with malware we found during our investigation, and domain names such as googledatas[.]com that we attribute to Earth Lusca.\r\nWhile the infrastructure and the preference of the initial stage backdoors look to be very different between this new campaign and the previously reported activities of Earth Lusca, our speculation is that they are two intrusion sets running independently but targeting a similar range of victims, becoming more intertwined as they approach their goal — possibly even being managed by the same threat group. 
Due to these characteristics, we decided to give the independent name, Earth Krahang, to this intrusion set.\r\nOur previous report suggests Earth Lusca might be the penetration team behind the Chinese company I-Soon, which had their information leaked on GitHub recently. Using this leaked information, we found that the company organized their penetration team into two different subgroups. This could be the possible reason why we saw two independent clusters of activities active in the wild but with limited association. Earth Krahang could be another penetration team under the same company.\r\nConclusion\r\nIn this report, we shared our investigation on a new campaign we named Earth Krahang. Our findings show that this threat actor focuses its efforts on government entities worldwide and abuses compromised government infrastructure to enable its malicious operations.\r\nWe were also able to identify two unique malware families used in Earth Krahang’s attacks while also illustrating the larger picture involving the group’s targets and malicious activities via our telemetry data and the exposed files on their servers.\r\nOur investigation also identified multiple links between Earth Krahang and Earth Lusca. We suspect these two intrusion sets are managed by the same threat actor.\r\nGiven the importance of Earth Krahang’s targets and their preference for using compromised government email accounts, we strongly advise organizations to adhere to security best practices, including educating employees and other individuals involved with the organization on how to avoid social engineering attacks, such as developing a healthy skepticism when it involves potential security issues, and developing habits such as refraining from clicking on links or opening attachments without verification from the sender. 
Given the threat actor’s exploitation of vulnerabilities in its attacks, we also encourage organizations to update their software and systems with the latest security patches to avoid any potential compromise.\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nAcknowledgment\r\nSpecial thanks to Leon M Chang who shared with us insights about the overlap of the TEA encryption key between XDealer and SpyDealer samples.\r\nMITRE ATT\u0026CK\r\nThe listed techniques are a subset of the MITRE ATT\u0026CK list.\r\nTactic | Technique | ID\r\nReconnaissance | Active Scanning: Scanning IP Blocks | T1595.001\r\nReconnaissance | Active Scanning: Vulnerability Scanning | T1595.002\r\nReconnaissance | Active Scanning: Wordlist Scanning | T1595.003\r\nReconnaissance | Gather Victim Host Information | T1592\r\nReconnaissance | Gather Victim Network Information | T1590\r\nResource Development | Acquire Infrastructure: Domains | T1583.001\r\nResource Development | Acquire Infrastructure: Virtual Private Server | T1583.003\r\nResource Development | Compromise Accounts: Email Account | T1586.002\r\nResource Development | Compromise Infrastructure: Server | T1584.004\r\nResource Development | Obtain Capabilities: Malware | T1588.001\r\nResource Development | Obtain Capabilities: Code Signing Certificates | T1588.003\r\nResource Development | Stage Capabilities: Upload Malware | T1608.001\r\nResource Development | Stage Capabilities: Upload Tool | T1608.002\r\nResource Development | Stage Capabilities: Link Target | T1608.005\r\nInitial Access | Exploit Public-Facing Application | T1190\r\nInitial Access | Phishing: Spearphishing Attachment | T1566.001\r\nInitial Access | Phishing: Spearphishing Link | T1566.002\r\nInitial Access | Trusted Relationship | T1199\r\nInitial Access | Valid Accounts | T1078\r\nExecution | Command and Scripting Interpreter: PowerShell | T1059.001\r\nExecution | Command and Scripting Interpreter: Windows Command Shell | T1059.003\r\nExecution | Command and Scripting Interpreter: Python | T1059.006\r\nExecution | Exploitation for Client Execution | T1203\r\nExecution | System Services: Service Execution | T1569.002\r\n
Execution | User Execution: Malicious File | T1204.002\r\nExecution | Windows Management Instrumentation | T1047\r\nPersistence | Create or Modify System Process: Windows Service | T1543.003\r\nPersistence | External Remote Services | T1133\r\nPersistence | Scheduled Task/Job: Scheduled Task | T1053.005\r\nPersistence | Server Software Component: Web Shell | T1505.003\r\nPrivilege Escalation | Exploitation for Privilege Escalation | T1068\r\nPrivilege Escalation | Valid Accounts: Local Accounts | T1078.003\r\nDefense Evasion | Deobfuscate/Decode Files or Information | T1140\r\nDefense Evasion | Hijack Execution Flow: DLL Side-Loading | T1574.002\r\nDefense Evasion | Impersonation | T1656\r\nDefense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005\r\nDefense Evasion | Masquerading: Double File Extension | T1036.007\r\nDefense Evasion | Modify Registry | T1112\r\nCredential Access | Brute Force: Password Spraying | T1110.003\r\nCredential Access | OS Credential Dumping: LSASS Memory | T1003.001\r\nCredential Access | OS Credential Dumping: Security Account Manager | T1003.002\r\nCredential Access | Steal Web Session Cookie | T1539\r\nDiscovery | Account Discovery: Local Account | T1087.001\r\nDiscovery | Account Discovery: Domain Account | T1087.002\r\nDiscovery | Permission Groups Discovery: Domain Groups | T1069.002\r\nDiscovery | Process Discovery | T1057\r\nDiscovery | System Owner/User Discovery | T1033\r\nDiscovery | System Service Discovery | T1007\r\nLateral Movement | Exploitation of Remote Services | T1210\r\nLateral Movement | Internal Spearphishing | T1534\r\nLateral Movement | Remote Services: Windows Remote Management | T1021.006\r\nCollection | Automated Collection | T1119\r\nCollection | Email Collection | T1114\r\nCommand and Control | Application Layer Protocol: Web Protocols | T1071.001\r\nCommand and Control | Encrypted Channel: Symmetric Cryptography | T1573\r\nCommand and Control | Ingress Tool Transfer | T1105\r\nCommand and Control | Protocol Tunneling | T1572\r\nExfiltration | Automated Exfiltration | T1020\r\nSource: https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html"
	],
	"report_names": [
		"earth-krahang.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5451198-ac6b-40af-b8ef-1afb549c2dc8",
			"created_at": "2024-03-21T02:00:04.728286Z",
			"updated_at": "2026-04-10T02:00:03.60345Z",
			"deleted_at": null,
			"main_name": "Earth Krahang",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Krahang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f86ac24d-0aef-425c-8087-c0dd270060b9",
			"created_at": "2024-04-24T02:02:07.638437Z",
			"updated_at": "2026-04-10T02:00:04.663683Z",
			"deleted_at": null,
			"main_name": "Earth Krahang",
			"aliases": [],
			"source_name": "ETDA:Earth Krahang",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"DinodasRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG.SHADOW",
				"PlugX",
				"RedDelta",
				"Reshell",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XDealer",
				"XShellGhost",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b72c2616-cc7c-4c47-a83d-6b7866b94746",
			"created_at": "2023-01-06T13:46:39.425297Z",
			"updated_at": "2026-04-10T02:00:03.323082Z",
			"deleted_at": null,
			"main_name": "Red Nue",
			"aliases": [
				"LuoYu"
			],
			"source_name": "MISPGALAXY:Red Nue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434721,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5dbcf77e13cf178285a017f956282e61ad937b6.pdf",
		"text": "https://archive.orkl.eu/b5dbcf77e13cf178285a017f956282e61ad937b6.txt",
		"img": "https://archive.orkl.eu/b5dbcf77e13cf178285a017f956282e61ad937b6.jpg"
	}
}