{
	"id": "2032507e-3d46-4ece-8ba2-fab34dd688d0",
	"created_at": "2026-04-06T00:07:42.040788Z",
	"updated_at": "2026-04-10T03:36:33.989405Z",
	"deleted_at": null,
	"sha1_hash": "c3f99bbc2c63b32eb9f5007406ab819545daf499",
	"title": "Earth Preta Updated Stealthy Strategies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1883706,
	"plain_text": "Earth Preta Updated Stealthy Strategies\r\nBy By: Vickie Su, Nick Dai, Sunny Lu Mar 23, 2023 Read time: 20 min (5505 words)\r\nPublished: 2023-03-23 · Archived: 2026-04-05 18:18:51 UTC\r\nIn our previous research, we disclosed and analyzed a new campaign initiated by the threat actor group Earth Preta\r\n(aka Mustang Panda). In a more recent campaign we’ve been tracking, we discovered Earth Preta delivering lure\r\narchives via spear-phishing emails and Google Drive links. After months of investigation, we found that several\r\nundisclosed malware and interesting tools used for exfiltration purposes were used in this campaign. We also\r\nobserved that the threat actors were actively changing their tools, tactics, and procedures (TTPs) to bypass security\r\nsolutions. In this blog entry, we will introduce and analyze the other tools and malware used by Earth Preta.\r\nInfection chain\r\nAs we previously mentioned in our past blog entry, the entire attack begins with a spear-phishing email. After a\r\nlong-term investigation into the attack routine, we’ve determined that the full infection chain works as follows:\r\nWe categorize the different TTPs into six stages: arrival vectors, discovery, privilege escalation, lateral movement,\r\ncommand and control (C\u0026C) and exfiltration, respectively. In our previous research, we covered most of the new\r\nTTPs and malware during the first stage, arrival vectors. However, we observed that some of TTPs have been\r\nchanged. In the following sections, we focus on the updated arrival vectors and their succeeding stages.\r\nArrival vectors\r\nWe previously summarized the arrival vectors used by Earth Preta by categorizing them into three types (DLL\r\nsideloading, shortcut links, and fake file extensions). 
Starting in October and November 2022, we observed that the threat actors began changing their TTPs to deploy the TONEINS, TONESHELL, and PUBLOAD malware. We believe that the threat actors are employing these new techniques to avoid detection.\r\nBased on our earlier observation, the TONEINS and TONESHELL malware were downloaded from a Google Drive link embedded in the body of an email. To bypass email-scanning services and email gateway solutions, the Google Drive link is now embedded in a lure document instead. The document lures users into downloading a password-protected malicious archive via the embedded link; the archive can then be extracted with the password provided in the document. Because scanners cannot open the password-protected archive, the attacker successfully bypasses them.\r\nhttps://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html\r\nPage 1 of 23\r\nFigure 2. A lure document (allegedly concerning the government-related Myanmar Sustainable Development Plan) embedded with a Google Drive link and a password\r\nFor the new arrival vector, the whole infection flow has been changed to the procedure shown in Figure 3.\r\nFile name | Detection name | Description\r\nLetter Head.docx | - | Decoy document with Google Drive link\r\nList of terrorist personnel at the border.rar | - | Password-protected archive (all entries below are part of this archive)\r\nList of terrorist personnel at the border.exe | - | First-stage legitimate executable for DLL sideloading\r\nlibcef.dll | Trojan.Win32.TONEINS | First-stage malware\r\n~$Evidence information.docx | - | Second-stage legitimate executable for DLL sideloading\r\n~$List of terrorist personnel at the border.docx | Backdoor.Win32.TONESHELL | Second-stage malware\r\nInternal Letter.docx | - | Decoy document\r\nLetter Head.docx | - | Decoy document\r\nTable 1. Files in the new arrival vector\r\n
After analyzing the downloaded archive, we discovered it to be a malicious RAR file containing the TONEINS malware libcef.dll and the TONESHELL malware ~$List of terrorist personnel at the border.docx. The infection flow is similar to arrival vector type C in our previous report, with the only difference being that the fake .docx files now have XOR-encrypted content to prevent detection. For example, ~$Evidence information.docx is a file disguising itself as an Office Open XML document. As such, it seems harmless and can even be opened with decompression software such as 7-Zip.\r\nWe found that the threat actors have hidden a PE file in one of the archive’s ZIPFILERECORD structures. The TONEINS malware, libcef.dll, decrypts this file with a single-byte XOR, finds the PE header, and drops the payload to the specified path.\r\nFigure 4. A PE file is revealed after decrypting the frData member in the last ZIPFILERECORD structure.\r\nThe succeeding behaviors of the infection flow are generally the same as those in our previous analysis, where we provide more details.\r\nIn more recent cases, the malware PUBLOAD was also delivered through Google Drive links embedded in decoy documents.\r\nFigure 6. The lure document Invitation letter from the US embassy.docx\r\nSince October 2022, we have been observing a new variant of PUBLOAD that uses a spoofed HTTP header to transfer its data, as LAC’s report also discusses. In contrast to the previous PUBLOAD variant, it prepends an HTTP header with a legitimate-looking host name to its packets. We believe that the threat actors are trying to conceal malicious data among normal traffic. 
The data in the HTTP body is the same as in the past variant: the same magic bytes 17 03 03 followed by the encrypted victim information. We were able to retrieve the payload from a live C\u0026C server and were therefore able to continue our analysis.\r\nOnce the payload is received, the malware checks that the first three bytes are the magic bytes 17 03 03 and that the following two bytes match the size of the payload. It then decrypts the encrypted payload with the predefined RC4 key 78 5A 12 4D 75 14 14 11 6C 02 71 15 5A 73 05 08 70 14 65 3B 64 42 22 23 20 00 00 00 00 00 00 00, which is the same key used by the PUBLOAD loader.\r\nFigure 8. The first payload retrieved from the PUBLOAD HTTP variant\r\nAfter decryption, it checks that the first byte of the decrypted payload is 0x06. The decrypted payload contains another payload that is XOR-encrypted with the bytes 23 BE 84 E1 6C D6 AE 52 90.\r\nFigure 9. The second payload retrieved from the PUBLOAD HTTP variant\r\nAfter this layer is decrypted, the final backdoor payload emerges; it supports data upload and command execution.\r\nCommand | Internal string\r\n0x03 | -\r\n0x01 | -\r\n0x1B | UploadBegin error : %d!\r\n0x1D | UploadData error : %d!\r\n0x1A | -\r\n0x1E | CmdStart error : %d!\r\n0x1F | CmdWrite error : %d!\r\n0x30 | CmdWrite error : %d\r\n0x20 | -\r\nTable 2. Command codes in the PUBLOAD HTTP variant\r\nIn addition, we found some interesting debug strings and event names among the PUBLOAD samples.\r\nIn summary, we think that the new TONESHELL and PUBLOAD archives have been evolving and now have something in common. 
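Added example (not code from the report or from the PUBLOAD authors): a Python decoder for the two-layer payload format just described. The 17 03 03 magic, the 32-byte RC4 key, the 0x06 marker byte and the 9-byte XOR key are the values from the analysis above. The big-endian length field, the assumption that it counts only the RC4-encrypted body, the assumption that the C\u0026C response also carries an HTTP header to strip, and the sample response itself are constructed for this example; encode_pubload_http exists only to build that sample.

```python
# Added example (not code from the report): decoder for the two-layer PUBLOAD
# HTTP-variant payload. Magic bytes, RC4 key, 0x06 marker and 9-byte XOR key are
# from the analysis; the big-endian length field, the assumption that it counts
# only the RC4 body, and the sample response below are assumptions/constructed.
RC4_KEY = bytes.fromhex('785A124D751414116C0271155A730508'
                        '7014653B644222232000000000000000')
XOR_KEY = bytes.fromhex('23BE84E16CD6AE5290')
MAGIC = bytes.fromhex('170303')   # same prefix as a TLS 1.2 application-data record
CRLF = bytes.fromhex('0d0a')


def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 (KSA + PRGA); symmetric, so this both encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_repeat(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def strip_http_header(raw: bytes) -> bytes:
    # The variant hides its traffic behind a legitimate-looking HTTP header; the
    # C2 data starts after the first blank line. Assumed to hold for responses too.
    idx = raw.find(CRLF + CRLF)
    return raw[idx + 4:] if idx >= 0 else raw


def decode_pubload_http(body: bytes) -> bytes:
    if body[:3] != MAGIC:
        raise ValueError('missing 17 03 03 magic')
    size = int.from_bytes(body[3:5], 'big')   # assumption: big-endian, RC4 body only
    enc = body[5:5 + size]
    if len(enc) != size:
        raise ValueError('truncated payload')
    layer1 = rc4(RC4_KEY, enc)
    if not layer1 or layer1[0] != 0x06:
        raise ValueError('first decrypted byte is not 0x06')
    return xor_repeat(layer1[1:], XOR_KEY)      # second layer: 9-byte repeating XOR


def encode_pubload_http(payload: bytes) -> bytes:
    # Inverse of decode_pubload_http; used here only to build the sample below.
    layer1 = bytes([0x06]) + xor_repeat(payload, XOR_KEY)
    enc = rc4(RC4_KEY, layer1)
    return MAGIC + len(enc).to_bytes(2, 'big') + enc


# Constructed sample response (not a real capture): a harmless stand-in for the
# final backdoor stage, wrapped exactly as the decoder expects.
STAGE3_STUB = b'CmdStart placeholder stage-3 bytes'
SAMPLE_RESPONSE = (b'HTTP/1.1 200 OK' + CRLF
                   + b'Content-Type: application/octet-stream' + CRLF
                   + CRLF + encode_pubload_http(STAGE3_STUB))

if __name__ == '__main__':
    print(decode_pubload_http(strip_http_header(SAMPLE_RESPONSE)))
```

On a real sample, feed the HTTP body (after strip_http_header) to decode_pubload_http; a ValueError on the magic or on the 0x06 marker means the data is not this variant or the keys have changed.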
For example, both are now delivered via links (such as Google Drive links) placed in decoy documents in order to bypass antivirus scanning.\r\nDiscovery\r\nOnce the threat actors obtain access to the victim’s environment, they start inspecting it with the following commands:\r\nnet user\r\nnet user \u003cusername\u003e\r\nnet user \u003cusername\u003e /DOMAIN\r\nPrivilege escalation\r\nIn this campaign, we discovered several tools used to bypass UAC in Windows 10. We go into detail on each of them.\r\nHackTool.Win32.ABPASS is a tool used to bypass UAC in Windows 10. Based on our analysis, it reuses code from the function ucmShellRegModMethod3 of the well-known open-source project UACME. A Sophos news article introduces this tool.\r\nThis tool accepts one argument, and the following data is written into the registry:\r\nRegistry key | Name | Value\r\nHKEY_USERS\\\u003cSID\u003e-1001_Classes\\aaabbb32\\shell\\open\\command | (Default) | argv[1]\r\nHKEY_USERS\\\u003cSID\u003e-1001_Classes\\ms-settings\\CurVer | (Default) | aaabbb32\r\nTable 3. Registry keys changed by ABPASS\r\nThis changes how Windows handles the ms-settings protocol. The string ms-settings is a Programmatic Identifier (ProgID). If the CurVer key is set under a ProgID, it is used for versioning and maps the current ProgID (ms-settings) to the one named in CurVer’s default value. The behavior of ms-settings is therefore redirected to the custom ProgID aaabbb32, which the tool also creates together with its shell open command. Finally, fodhelper.exe or computerDefaults.exe is executed to trigger the ms-settings protocol, so that the command in argv[1] is launched from an auto-elevated process without a UAC prompt.\r\nHackTool.Win32.CCPASS is another tool for Windows 10 UAC bypass; it similarly reuses code from the function ucmMsStoreProtocolMethod in UACME.\r\nFigure 14. Code similarities in CCPASS and ucmMsStoreProtocolMethod\r\nIt works in a similar way to ABPASS but hijacks the ms-windows-store protocol instead. CCPASS works as follows:\r\n1. It disables the application association toasts for the protocol ms-windows-store.\r\n2. It creates a new shell command entry in the registry.\r\n3. It invokes the undocumented API UserAssocSet to update the file association.\r\n4. It executes WSReset.exe to trigger the protocol.\r\nIn Windows 10 and above, the system shows a toast dialog for selecting the application that opens the selected file type. To hide this window, the tool explicitly adds entries under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationAssociationToasts to disable all toasts related to the protocol ms-windows-store.\r\nOnce this is done, the tool alters the shell command of ms-windows-store and finally triggers it using WSReset.exe.\r\nWindows 10 also ships a built-in scheduled task called “SilentCleanup” that is configured to run with the highest privileges, which can be abused for UAC bypass. Normally, this task runs %windir%\\system32\\cleanmgr.exe. However, the environment variable %windir% can be hijacked and changed to any path to achieve privilege escalation.\r\nWe observed that the threat actors used this technique to execute c:\\users\\public\\1.exe.\r\nLateral movement\r\nIn this stage, we observed malware such as HIUPAN and ACNSHELL (initially introduced and analyzed by Mandiant and Sophos) being used to install itself on removable disks and create a reverse shell.\r\nWe found a pair of malware, a USB worm and a reverse shell (detected as Worm.Win32.HIUPAN and Backdoor.Win32.ACNSHELL, respectively), being used to spread over removable drives.\r\nFigure 18 shows the infection chain for both.\r\nThe USB Driver.exe program first sideloads u2ec.dll, which then loads the payload file usb.ini. They have the following PDB strings, respectively:\r\nG:\\project\\APT\\U盘劫持\\new\\u2ec\\Release\\u2ec.pdb\r\nG:\\project\\APT\\U盘劫持\\new\\shellcode\\Release\\shellcode.pdb\r\nThe string U盘劫持 means “U disk hijacking,” where “U disk” refers to removable drives.\r\nUSB Driver.exe then checks whether it is properly installed. If it is, it starts infecting more removable disks, copying its files into a folder named autorun.inf. If it is not installed, it installs itself to %programdata% and then sets a registry run key for persistence.\r\nFinally, the ACNSHELL malware rzlog4cpp.dll is sideloaded. It then creates a reverse shell via ncat.exe to the server closed[.]theworkpc[.]com.\r\nCommand and Control (C\u0026C) stage\r\nEarth Preta employed several tools and commands for the C\u0026C stage. For example, the group used certutil.exe to download the legitimate WinRAR binary as rar1.exe from the server 103[.]159[.]132[.]91.\r\nWe also observed that the threat actors used PowerShell to download multiple malware and archives from the server 103[.]159[.]132[.]181 for later use.\r\nIn certain instances, they even leveraged the WinRAR binary installed on the victim hosts to decompress all the malware.\r\nAlthough we found several logs involving multiple pieces of dropped malware, we only managed to retrieve a few of them. Among all our collected samples, we introduce the most noteworthy ones.\r\nThe file name of the backdoor CLEXEC is SensorAware.dll. This is a simple backdoor that is capable of executing commands and clearing event logs.\r\nThe backdoor COOLCLIENT was first introduced in a Sophos report; the sample mentioned there was compiled in 2021. In our case, the COOLCLIENT sample we analyzed had a more recent compilation time in 2022. It provides the same functionalities but adds the capability to open a decoy document (work.pdf) when the current process name carries a “.pdf” or “.jpg” extension, and it contains fewer OutputDebugString calls. Meanwhile, loader.ja is used under two processes: one is googleupdate.exe, used for the first sideloading; the second is winver.exe, into which the backdoor is injected to carry out its behaviors. Furthermore, COOLCLIENT applies obfuscation techniques that we discuss in later sections.\r\nFigure 24 shows the whole execution flow of COOLCLIENT.\r\nThe arguments of COOLCLIENT provide the following capabilities:\r\ninstall. There are several ways to install COOLCLIENT, detailed here:\r\n1. It installs itself by creating a service called InstallSvc, which triggers “googleupdate.exe work”.\r\n2. It sets up a run key for the command C:\\ProgramData\\GoogleUpdate\\googleupdate.exe work for persistence.\r\nwork. The malware reads and decrypts goopdate.ja and injects it into winver.exe as the next-stage payload (COOLCLIENT), which contains the malicious behaviors.\r\npassuac. The malware checks whether the process avp.exe exists. If avp.exe does not exist, UAC bypass is executed via the CMSTPLUA COM interface. If avp.exe exists, UAC bypass is executed via the AppInfo RPC service.\r\nAccording to our analysis, it reads the encrypted configuration file time.sig. It is also able to communicate over different network protocols, such as UDP (User Datagram Protocol) and TCP (Transmission Control Protocol). Based on some internal strings and the APIs used, the functionalities of this backdoor can be inferred as follows:\r\nSend portmap\r\nBuild connection\r\nRead file\r\nDelete file\r\nKeystrokes and windows monitoring\r\nThe backdoor TROCLIENT, which was also first disclosed in Sophos’s report, is similar to COOLCLIENT. However, this backdoor has an anti-debugging technique that checks whether any running process name contains the strings dbg.exe or olly.\r\nFigure 28 shows the whole execution flow of TROCLIENT.\r\nThe arguments of TROCLIENT provide the following capabilities:\r\ninstall. There are two ways TROCLIENT installs itself, detailed here:\r\n1. It installs itself by creating a service called InstallSvc, which triggers “C:\\programdata\\netsky\\netsky.exe online”.\r\n2. It sets up a run key for the command C:\\programdata\\netsky\\netsky.exe online for persistence.\r\nonline: It reads the next-stage payloads, free.plg and main.plg, and injects them into dllhost.exe.\r\npassuac: The malware checks whether the process avp.exe exists. If it does not, UAC bypass is executed via the CMSTPLUA COM interface. If avp.exe exists, UAC bypass is executed via token manipulation.\r\nThis backdoor provides the following capabilities:\r\nRead file\r\nDelete file\r\nMonitor keystrokes and windows\r\nThere are several similarities and differences between COOLCLIENT and TROCLIENT, as Table 3 shows.\r\nArgument/Behavior | COOLCLIENT | TROCLIENT\r\ninstall: Creates a service named InstallSvc | ✓ | ✓\r\ninstall: Executes itself with passuac | ✓ | ✓\r\ninstall: Sets Run key with “work/online” | ✓ | ✓\r\npassuac: AppInfo RPC | ✓ | -\r\npassuac: CMSTPLUA COM | ✓ | ✓\r\npassuac: Token manipulation | - | ✓\r\nwork/online: Send portmap | ✓ | -\r\nwork/online: Connect to C\u0026C | ✓ | ✓\r\nwork/online: File operations | ✓ | ✓\r\nwork/online: Keylogging | ✓ | ✓\r\nTable 3. Comparison of COOLCLIENT and TROCLIENT\r\nIn addition to the aforementioned malware, we also found several shellcode loaders for PlugX. Since it is a known malware family, we will not expand on its details in this blog entry.\r\nExfiltration\r\nBased on our telemetry, we found that Earth Preta used multiple approaches to exfiltrate sensitive data from the victims. For example, in some cases, we observed that WinRAR and curl (or cURL) were leveraged to collect and transfer data to the threat actor’s server. After further investigation, we even found some previously unseen pieces of malware that were used to collect data in a custom-made file format. In the following sections, we share the details of the unique exfiltration toolsets developed by Earth Preta.\r\nAccording to some of our monitoring logs, the threat actors abused the installed WinRAR binary and an uploaded curl executable to exfiltrate the files (Figure 30 shows the executed command). Note that the executable log.log is a legitimate curl binary. All the exfiltrated data was collected and sent back to the threat actor-controlled FTP (File Transfer Protocol) server.\r\nIn some cases, we accidentally stumbled on the account and password of the FTP server. Upon checking the FTP server, we learned that the threat actors focused on sensitive and confidential documents, most of which were compressed and protected with a password. Based on our observations, the documents were organized by the victim’s host name and disk drive.\r\nApart from well-known legitimate tools, the threat actors also crafted highly customized tools for exfiltration. We named this malware “NUPAKAGE,” a name derived from its unique PDB string, D:\\Project\\NEW_PACKAGE_FILE\\Release\\NEW_PACKAGE_FILE.pdb.\r\nThe NUPAKAGE malware needs a unique passcode to execute, and it wraps the exfiltrated data in a custom file format. It seems that the threat actors are continuously updating this tool to provide more flexibility and lower the possibility of detection, including adding more command-line arguments and obfuscation mechanisms. By default, it only collects documents with the following extensions:\r\n.doc\r\n.docx\r\n.xls\r\n.xlsx\r\n.ppt\r\n.pptx\r\n.pdf\r\nIt avoids collecting documents with file names starting with “$” or “~” since these are usually either temporary files generated by the system or PE files pretending to be decoy documents (as we discussed in the arrival vectors section).\r\nThe usage of this tool is as follows:\r\nmalware.exe passcode start end chunk -s extension_A extension_B …\r\nArgument name | Format | Example value | Description\r\npasscode | String | comeon | A unique code required to execute the tool\r\nstart | String | 2022-01-01 | The start of the range for the exfiltrated files’ modification timestamps\r\nend | String | 2022-12-31 | The end of the range for the exfiltrated files’ modification timestamps\r\nchunk | Integer | 4096 | Splits the generated data into chunks of the specified size (MB)\r\n-s | String | - | File extensions to be collected; optional\r\nTable 5. Arguments of the NUPAKAGE malware\r\nEvery NUPAKAGE sample needs a unique passcode as its first argument to continue execution. As Figure 32 shows, it first checks whether the expected passcode was supplied. If not, execution terminates. In our collection, we observed several different passcodes across the samples.\r\nSHA256 | Passcode\r\n634977a24e8fb2e3e82a0cddfe8d007375d387415eb131cce74ca03e0e93565f | notebook\r\nc835577f1ddf66a957dd0f92599f45cb67e7f3ea4e073a98df962fc3d9a3fbe0 | comeon\r\n2937580b16e70f82e27cfbc3524c2661340b8814794cc15cb0d534f5312db0e0 | update\r\nc2f5a12ebaeb39d4861e4c3b35253e68e6d5dc78f8598d74bc85db21aeb504e8 | comeon\r\nTable 4. Passcodes in NUPAKAGE\r\nAfter execution, NUPAKAGE drops two files, xxx.zip and xxx.z. The file xxx.zip is a logging file with a fake ZIP header prepended at offset 0x0 and taking up the first 0x100 bytes. Starting from offset 0x100, the logging strings are XOR-encrypted with a single byte, as shown in Figure 33.\r\nFigure 33. The original logging file (top), with plain text revealed in the decrypted logging file (bottom)\r\nTaking one of the execution results as an example, much information about the exfiltrated data is saved, including the original file path, the original file size, and the compressed file size. We believe that the threat actors use it to track which files have been processed. For security researchers, this logging file also helps reveal how much data was exfiltrated and provides information on the impact scope.\r\n[+] Program ready!\r\n[+] FILE ORIGINAL PATH: C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf\r\n[+] FILE PATH SIZE: 198\r\n[+] FILE ORIGINAL SIZE: 186837\r\n[+] FILE COMPRESSED SIZE: 183734\r\n[+] FILE ORIGINAL PATH: C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\Click on ‘Change’ to select default PDF handler.pdf\r\n[+] FILE PATH SIZE: 210\r\n[+] FILE ORIGINAL SIZE: 186837\r\n[+] FILE COMPRESSED SIZE: 183734\r\n...\r\n\u003comitted\u003e\r\n...\r\n[*] File or folder access denied!\r\n[*] File or folder access denied!\r\n[+] All completed!\r\nThe file with the .z extension is a blob of exfiltrated data in a self-defined file format. The NUPAKAGE malware first generates a random key blob, with the key being encrypted with a custom algorithm. It then stores the encrypted key blob in the first 0x80 bytes of the .z file. 
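Added example (not code from the report): the one-byte XOR used by two artifacts on this page can be recovered from known plaintext, so one Python helper serves both the fake .docx from the arrival vectors section (a PE hidden in the frData of the last ZIPFILERECORD, which TONEINS decrypts and drops after finding the PE header) and the NUPAKAGE xxx.zip log described just above (a fake ZIP header in the first 0x100 bytes, XOR-encoded log text after it). The fake .docx, the PE stub, the log text and the two keys (0x5A and 0x37) are constructed here; summarize_log is an added convenience for sizing the impact from a recovered log.

```python
# Added example (not code from the report): recover the one-byte XOR key used by
# two Earth Preta artifacts from known plaintext:
#  - the PE hidden in the last ZIPFILERECORD of a fake .docx (TONEINS drops it
#    after finding the PE header), and
#  - the NUPAKAGE xxx.zip log, whose XOR-encoded log text starts at 0x100.
# Both samples below are constructed; the keys 0x5A and 0x37 are arbitrary.
import io
import zipfile

LOG_DATA_OFFSET = 0x100        # from the analysis: fake ZIP header fills 0x0-0xFF
PE_SIG = b'PE' + bytes(2)      # PE signature: P, E, 0, 0
BS = chr(92)                   # a single backslash, for the sample paths


def xor1(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_pe_in_xored(blob: bytes):
    # Brute-force the key over the whole file (no ZIP parsing needed); accept a hit
    # only when MZ is followed by an e_lfanew that really points at the PE signature.
    for key in range(256):
        dec = xor1(blob, key)
        pos = dec.find(b'MZ')
        while pos >= 0:
            if pos + 0x40 <= len(dec):
                e_lfanew = int.from_bytes(dec[pos + 0x3C:pos + 0x40], 'little')
                if dec[pos + e_lfanew:pos + e_lfanew + 4] == PE_SIG:
                    return key, pos, dec[pos:]
            pos = dec.find(b'MZ', pos + 1)
    return None


def decrypt_nupakage_log(blob: bytes, marker: bytes = b'[+] '):
    # The log opens with the '[+] Program ready!' banner, so the marker pins the key.
    body = blob[LOG_DATA_OFFSET:]
    for key in range(256):
        dec = xor1(body, key)
        if dec.startswith(marker):
            return key, dec.decode('latin-1')
    return None


def summarize_log(text: str) -> dict:
    # Tally what the log says was processed: file count and original/compressed bytes.
    files = orig = comp = 0
    for line in text.splitlines():
        if line.startswith('[+] FILE ORIGINAL PATH:'):
            files += 1
        elif line.startswith('[+] FILE ORIGINAL SIZE:'):
            orig += int(line.rsplit(':', 1)[1])
        elif line.startswith('[+] FILE COMPRESSED SIZE:'):
            comp += int(line.rsplit(':', 1)[1])
    return {'files': files, 'original_bytes': orig, 'compressed_bytes': comp}


# --- constructed samples -----------------------------------------------------
# Minimal PE-shaped stub: 64-byte DOS header with e_lfanew = 0x40, then the signature.
FAKE_PE = b'MZ' + bytes(0x3A) + (0x40).to_bytes(4, 'little') + PE_SIG + b'fake-section-data'


def build_fake_docx(payload: bytes, key: int) -> bytes:
    # Looks like Office Open XML (opens in 7-Zip); the XOR-encoded PE is the last record.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_STORED) as zf:
        zf.writestr('[Content_Types].xml', '<Types/>')
        zf.writestr('word/document.xml', '<document/>')
        zf.writestr('word/media/image1.png', xor1(payload, key))
    return buf.getvalue()


LOG_TEXT = chr(10).join([
    '[+] Program ready!',
    '[+] FILE ORIGINAL PATH: C:' + BS + 'Users' + BS + 'victim' + BS + 'Documents' + BS + 'plan.docx',
    '[+] FILE PATH SIZE: 35',
    '[+] FILE ORIGINAL SIZE: 186837',
    '[+] FILE COMPRESSED SIZE: 183734',
    '[+] FILE ORIGINAL PATH: C:' + BS + 'Users' + BS + 'victim' + BS + 'Desktop' + BS + 'budget.xlsx',
    '[+] FILE PATH SIZE: 35',
    '[+] FILE ORIGINAL SIZE: 52341',
    '[+] FILE COMPRESSED SIZE: 40210',
    '[*] File or folder access denied!',
    '[+] All completed!',
])
# Fake ZIP local-header magic, zero padding to 0x100, then the XOR-encoded log.
FAKE_LOG = bytes.fromhex('504b0304') + bytes(LOG_DATA_OFFSET - 4) + xor1(LOG_TEXT.encode(), 0x37)

if __name__ == '__main__':
    print(find_pe_in_xored(build_fake_docx(FAKE_PE, 0x5A))[:2])
    key, text = decrypt_nupakage_log(FAKE_LOG)
    print(hex(key), summarize_log(text))
```

Because the key is confirmed against known plaintext rather than guessed, a coincidental MZ under a wrong key is rejected by the e_lfanew check, and the log decoder returns None instead of garbage when the marker is absent.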
Starting from offset 0x80, there is a long array of all the exfiltrated data.\r\nMuch of the information from the exfiltrated files is saved, such as the MD5 hash, the length of the file name, the compressed file size, the original file size, the file name, and the file’s content. To separate the file blobs, it puts a unique byte sequence at the end of each: 55 55 55 55 AA AA AA AA FF FF FF FF 99 99 99 99.\r\nFigure 34. Self-defined format in the file with the .z extension generated by NUPAKAGE\r\nTable 5. Self-defined format description in the file with the .z extension generated by NUPAKAGE\r\nIt is also worth mentioning that the more recent versions of NUPAKAGE adopt an increasing number of obfuscations to thwart static analysis.\r\nZPAKAGE is another example of custom malware used for packing files; it works similarly to NUPAKAGE. It also needs a passcode to ensure that it is being used as intended. In the example shown in Figure 36, the passcode is “start”.\r\nZPAKAGE also supports command-line arguments, but it has fewer functions than NUPAKAGE. The usage of this tool is as follows:\r\nmalware.exe passcode time\r\nArgument name | Format | Example value | Description\r\npasscode | String | start | A unique code required to execute the tool\r\ntime | String | 20221221 | The start date\r\nTable 6. Arguments supported by ZPAKAGE\r\nZPAKAGE also shows behaviors similar to NUPAKAGE. For instance, it also avoids files with names starting with “$” or “~”. In addition, it generates two files, one with a .z extension and another with a .zip extension. 
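Added example (not code from the report): a Python model of the per-file encoding ZPAKAGE applies inside its .z blob as described in this section: zlib compression is kept only when it shrinks the file (type = 1) and the original bytes are stored otherwise (type = 0), and in both cases the stored bytes are XORed with the repeating string qwerasdf. The entry framing used here (one type byte, two 4-byte little-endian sizes, a 2-byte name length, the name, then the encoded content) is an assumption for this example; ZPAKAGE’s real field layout is in the report’s Table 7, an image not reproduced on this page. The sample files are constructed; a pseudo-random one is included to exercise the type = 0 path.

```python
# Added example (not code from the report): ZPAKAGE-style entry encoding.
# From the analysis: zlib-compress, keep the compressed form only if smaller
# (type = 1) else store the original (type = 0), then XOR with 'qwerasdf'.
# The framing (type byte, sizes, name length, name, content) is assumed.
import hashlib
import zlib

XOR_STRING = b'qwerasdf'


def xor_repeat(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_entry(name: str, content: bytes) -> bytes:
    compressed = zlib.compress(content)
    if len(compressed) < len(content):
        stored, typ = compressed, 1     # compression paid off
    else:
        stored, typ = content, 0        # incompressible: keep the original bytes
    name_b = name.encode('utf-8')
    return (bytes([typ])
            + len(content).to_bytes(4, 'little')
            + len(stored).to_bytes(4, 'little')
            + len(name_b).to_bytes(2, 'little')
            + name_b
            + xor_repeat(stored, XOR_STRING))


def unpack_entry(blob: bytes, offset: int = 0):
    # Returns (name, content, type, next_offset); raises on truncation or a bad key.
    typ = blob[offset]
    orig_len = int.from_bytes(blob[offset + 1:offset + 5], 'little')
    stored_len = int.from_bytes(blob[offset + 5:offset + 9], 'little')
    name_len = int.from_bytes(blob[offset + 9:offset + 11], 'little')
    p = offset + 11
    name = blob[p:p + name_len].decode('utf-8')
    p += name_len
    stored = xor_repeat(blob[p:p + stored_len], XOR_STRING)
    if len(stored) != stored_len:
        raise ValueError('truncated entry')
    content = zlib.decompress(stored) if typ == 1 else stored
    if len(content) != orig_len:
        raise ValueError('size mismatch: corrupted entry or wrong XOR string')
    return name, content, typ, p + stored_len


def unpack_all(blob: bytes) -> list:
    entries, off = [], 0
    while off < len(blob):
        name, content, typ, off = unpack_entry(blob, off)
        entries.append((name, content, typ))
    return entries


def pseudo_random(n: int, seed: bytes = b'zpakage-sample') -> bytes:
    # Deterministic, effectively incompressible bytes (SHA-256 chain) for the sample.
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample: a highly compressible document and an incompressible file.
COMPRESSIBLE = b'quarterly budget line ' * 300
INCOMPRESSIBLE = pseudo_random(2048)
SAMPLE_FILES = [('report.docx', COMPRESSIBLE), ('photo.jpg', INCOMPRESSIBLE)]
SAMPLE_BLOB = b''.join(pack_entry(n, c) for n, c in SAMPLE_FILES)

if __name__ == '__main__':
    for name, content, typ in unpack_all(SAMPLE_BLOB):
        print(name, len(content), 'type', typ)
```

unpack_entry raises when the XOR string or the framing is wrong, because a bad key makes the zlib stream invalid or the recovered length disagree with the stored original size; that is the check to keep before trusting files recovered from an unknown .z blob.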
The\r\nfile with a .z extension is the exfiltrated data blob and the file with a .zip extension is the logging file.\r\nIn the generated file with a .z extension, the exfiltrated files will be compressed by the zlib algorithm to minimize\r\nthe file size. It also defines a Boolean field “type” for storage, whether a file is compressed or not. If a file is\r\ncompressed and its file size is less than the original one, the type will be 1. Otherwise, the type will be set to 0,\r\nand the original file content will be chosen instead of the compressed one. Regardless of whether the file content\r\nis compressed or not, it will be encrypted in XOR operations with a specific string, qwerasdf.\r\nopen on a new tab\r\nFigure 37. Self-defined format in the file with .z extension generated by ZPAKAGE\r\nhttps://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html\r\nPage 16 of 23\n\nopen on a new tab\r\nTable 7. Self-defined format description in the file with the .z extension generated by ZPAKAGE\r\nThreat hunting\r\nSince October 2022, the threat actors have changed their TTPs and have started using password-protected\r\narchives. For example, we found a TONEINS sample (SHA256:\r\n8b98e8669d1ba49b66c07199638ae6012adf7d5d93c1ca3bf31d6329506da58a) on VirusTotal that can’t be linked\r\nto any other file in the “Relations” tab. However, we observed two files that have been opened in the “Behaviors”\r\ntab with the file names ~$Evidence information.docx and ~$List of terrorist personnel at the border.docx. As\r\nmentioned in the arrival vectors section, the next stage payloads are normally embedded in the fake document\r\nfiles. \r\nFigure 39 shows the search results for the query “List of terrorist personnel at the border” on VirusTotal. 
The first\r\nfile is the TONEINS DLL sample that we mentioned earlier in this section, while the second file is a benign\r\nexecutable file originally named adobe_licensing_wf_helper.exe, which was apparently uploaded to VirusTotal\r\nwith the file name List of terrorist personnel at the border.exe.\r\nopen on a new tab\r\nFigure 39. Search result for the string List of terrorist personnel at the border on VirusTotal\r\nhttps://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html\r\nPage 17 of 23\n\nThe third file is a password-protected archive, which has the exact same file name, List of terrorist personnel at\r\nthe border[1].rar. Unfortunately, we didn’t have the password, so we were unable to decompress it. But it has an\r\ninteresting execution parent in the “Relations” tab, which is a document file named Letter Head.docx.\r\nopen on a new tab\r\nFigure 41. Execution parent of List of terrorist personnel at the border[1].rar\r\nInside the document Letter Head.docx, there is a Google Drive link and a password. The content itself is related to\r\nthe Government of the Republic of the Union of Myanmar, and is written in Burmese.\r\nUpon checking the download link, we discovered that it was the same password-protected archive file that we\r\nfound on VirusTotal earlier.\r\nThe new arrival vector flow is similar to the one we introduced in the arrival vector section: Victims will receive\r\nand interact with a decoy document containing a Google Drive link and a corresponding password instead of an\r\narchive download link embedded in the email.\r\nAs for why the password-protected archive has the execution parent, upon checking the sandbox execution\r\nbehaviors of Letter Head.docx on VirusTotal, we discovered that the VirusTotal sandbox will select any link\r\nembedded in the document. 
This leads to the opening of an Internet Explorer window with the file download\r\nprompt.\r\nhttps://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html\r\nPage 18 of 23\n\nopen on a new tab\r\nFigure 44. Sandbox screenshot of the file Letter Head.docx on VirusTotal\r\nWhen the download prompt is shown, Internet Explorer will silently download this file in the background even\r\nbefore the user selects the “Save” button.\r\nAs a result, the file will be saved to the cache folder named “INetCache,” after which we see a dropped RAR file:\r\nC:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\I\r\nNetCache\\IE\\R0IAZP7Z\\List%20of%20terrorist\r\n%20personnel%20at%20the%20border[1].rar.\r\nSince the RAR file is downloaded automatically by Internet Explorer, Letter Head.docx will be treated as its\r\nexecution parent. This sample can then be used for hunting this campaign.\r\nTo find additional password-protected archives and documents embedded with a Google Drive link, we tried to\r\nuse the following query:\r\ntag:rar tag:encrypted name:INetCache size:500kb+\r\nThe query finds any encrypted RAR archive with a large enough file size containing the folder name “INetCache”\r\nin its path. Fortunately, we found another RAR file with the document execution parent “Notic(20221010)\r\n(final).docx” that turned out to be a TONESHELL archive.\r\nhttps://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html\r\nPage 19 of 23\n\nIt’s interesting to note that the threat actors use date and time strings written in the same format (DD-MM-YYYY)\r\nas the extracting passwords in all the cases we’ve collected so far.\r\nConnecting the dots\r\nDuring our investigation, we observed some data points that connect to the same personnel. For example, we\r\nfound a specific name “TaoZongjie” among the different malware samples we collected. 
In addition, the GitHub\r\nrepository named “YanNaingOo0072022,” mentioned in Avast’s December 2022 report, hosted multiple pieces of\r\nmalware, including TONESHELL. We also observed that the obfuscation methods have similarities among the\r\ndifferent malwares.\r\nWe found some samples sharing the same special string/name “TaoZongjie,” including the Cobalt Strike malware,\r\na Windows user on a TONESHELL C\u0026C server, and the displayed message in the pop-up dialog box of\r\nTONESHELL.\r\nOur investigation started with the TONESHELL C\u0026C server 38[.]54[.]33[.]228 that had the remote desktop\r\nservice enabled. Here, we found that one of the Windows users was called “TaoZongjie.”\r\nWhile hunting samples related to this campaign, we came across a tweet about Cobalt Strike posted in April 2021.\r\nAt first glance, Cobalt Strike was used in a manner similar to this campaign, including the use of DLL\r\nsideloading, the use of a Google Drive link for delivery, and the creation of a schedule task.\r\nThe infection flow is as follows: The archive file is delivered through a Google Drive link, which contains a\r\nlegitimate EXE file, a malicious DLL file, and a decoy document written in Burmese. Once the malicious DLL is\r\nsideloaded, it will drop the legitimate EXE file and the malicious DLL file, which are embedded in the resource\r\nsection of the DLL file. In this sample, the string By:Taozongjie is being used as the event name.\r\nIn one TONEINS sample (SHA256:\r\n7436f75911561434153d899100916d3888500b1737ca6036e41e0f65a8a68707), we also observed the string\r\ntaozongjie, which was being used for an event name.\r\nIn another TONESHELL sample (SHA256:\r\nd950d7d9402dcf014d6e77d30ddd81f994b70f7b0c6931ff1e705abe122a481a), there are some insignificant export\r\nfunctions, which will appear via message boxes, with the strings Tao or zhang!. 
Even though these two strings are not spelled exactly the same way as taozongjie, their spellings are still similar.\r\nBased on what we found among the different samples, we assume that taozongjie could be one of the flags used by the threat actors.\r\nThe GitHub user “YanNaingOo0072022” was mentioned in both an Avast and an ESET report. The user’s repositories host various malware, including the latest versions of TONEINS, TONESHELL, and a new tool, QMAGENT, which ESET named “MQsTTang.” At the time of writing, this GitHub space was still accessible, with five repositories: “View2015,” “View2016,” “1226,” “ee,” and “14.” Among these, “View2015” and “View2016” were empty.\r\nThe archive files in this repository are all the same but have different file names. We believe that these files were meant for different victims.\r\nUpon unarchiving the compressed file, we found two files with the fake extension “.doc” containing one-byte XOR encrypted sections. Both share the same file structure (a PE payload hidden in a DOCX file) as the one we referred to in the arrival vectors section. These files ended up being the TONEINS and TONESHELL malware.\r\nThe file Documents members of delegation diplomatic from Germany.Exe, found in the Documents.rar archive, is a novel malware that communicates over the MQTT protocol. In March 2023, ESET published a detailed technical report on this backdoor, which it named “MQsTTang.”\r\nBeginning in January, we discovered that MQsTTang was being used as the new arrival vector in some of the incidents we encountered, specifically in campaigns targeting individuals involved with government entities. This backdoor is unique because it communicates to its C\u0026C servers over the MQTT protocol, which is commonly used in internet-of-things (IoT) devices. 
Malicious actors using this technique can effectively hide the real C\u0026C server behind the protocol.\r\nThe file CVs Amb Office PASSPORT Ministry Of Foreign Affairs.exe, which is the malware QMAGENT, can be found in the CVs Amb.rar archive.\r\nConclusion\r\nOver the past year, security researchers have been discovering and analyzing Earth Preta’s campaigns and toolsets. We were able to attribute some of these to Earth Preta based on similarities among the TTPs, the malware being used, and the timeline of the campaigns. Starting in October 2022, the threat actors changed the arrival vector of the TONEINS, TONESHELL, and PUBLOAD malware. Instead of attaching malicious archives or Google Drive links to an email, they now embed the download link in another decoy document and add a password to the archive.\r\nBased on our observations, Earth Preta tends to hide malicious payloads in fake files, disguising them as legitimate ones — a technique that has been proven effective for avoiding detection. As for privilege escalation, the threat actors tend to reuse code copied from open-source repositories. 
Meanwhile, they developed customized toolsets designed to collect confidential documents in the exfiltration stage.\r\nOverall, we believe that Earth Preta is a capable and organized threat actor that is continuously honing its TTPs, strengthening its development capabilities, and building a versatile arsenal of tools and malware.\r\nTo help prevent potential threats such as the one posed by advanced persistent threat (APT) groups, we suggest that organizations conduct phishing awareness training for their employees and partners to stress the importance of caution when opening emails, particularly those messages from unfamiliar senders or with unknown subjects.\r\nTo assist organizations in protecting themselves against sophisticated threats, we recommend adopting a comprehensive security strategy that employs advanced technologies capable of identifying and halting such threats across multiple channels, including endpoints, servers, networks, and email communications.\r\nIndicators of Compromise (IOCs)\r\nThe full list of IOCs can be found here.\r\nMITRE ATT\u0026CK\r\nTactic | ID | Name\r\nResource Development | T1583.004 | Acquire Infrastructure: Server\r\nResource Development | T1587.001 | Develop Capabilities: Malware\r\nResource Development | T1585.002 | Establish Accounts: Email Accounts\r\nResource Development | T1588.002 | Obtain Capabilities: Tool\r\nResource Development | T1608.001 | Stage Capabilities: Upload Malware\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link\r\nExecution | T1204.001 | User Execution: Malicious Link\r\nExecution | T1204.002 | User Execution: Malicious File\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nPersistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task\r\nPrivilege Escalation | T1068 | Exploitation for Privilege Escalation\r\nPrivilege Escalation | T1134 | Access Token Manipulation\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location\r\nLateral Movement | T1091 | Replication Through Removable Media\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography\r\nCommand and Control | T1104 | Multi-Stage Channels\r\nCommand and Control | T1095 | Non-Application Layer Protocol\r\nExfiltration | T1048 | Exfiltration Over Alternative Protocol\r\nSource: https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html\r\nMuch of the information from the exfiltrated files is saved, such as the MD5 hash, the length of the file name, the compressed file size, the original file size, the file name, and the file’s content. To separate the file blobs, it puts a unique byte sequence at the end of each: 55 55 55 55 AA AA AA AA FF FF FF FF 99 99 99 99.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html"
	],
	"report_names": [
		"earth-preta-updated-stealthy-strategies.html"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434062,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3f99bbc2c63b32eb9f5007406ab819545daf499.pdf",
		"text": "https://archive.orkl.eu/c3f99bbc2c63b32eb9f5007406ab819545daf499.txt",
		"img": "https://archive.orkl.eu/c3f99bbc2c63b32eb9f5007406ab819545daf499.jpg"
	}
}