{
	"id": "9727c7cb-afa7-4797-a24f-ebd9bf0153c9",
	"created_at": "2026-04-06T00:12:12.397654Z",
	"updated_at": "2026-04-10T03:36:48.178121Z",
	"deleted_at": null,
	"sha1_hash": "e7ac6fa4ef2f37b3401816ff8acf5fa5e667af7a",
	"title": "Operation Earth Kitsune: Tracking SLUB’s Current Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 748967,
	"plain_text": "Operation Earth Kitsune: Tracking SLUB’s Current Operations\r\nArchived: 2026-04-05 15:13:51 UTC\r\nWe have already published findings on the SLUB malware’s past campaigns. In our latest research paper, we uncovered a recent watering hole campaign that involves a new variant of the malware. The threat, which we dubbed as such due to its abuse of Slack and GitHub in previous versions, has not abused either of those platforms this time; instead, it employed Mattermost, an open-source online chat service that can easily be deployed on-premise.\r\nIn an official statement regarding the issue, Mattermost denounced illicit and unethical use of their platform, as this is a definite violation of their Conditions of Use policy. They also shared how users can report illicit use of the software.\r\nWe found Operation Earth Kitsune using a total of five C\u0026C servers, seven samples, and four new bugs, aiming to compromise websites to host malware. We initiated our investigation after noticing that the Korean American National Coordinating Council (KANCC) website was redirecting visitors to the Hanseattle website. Users who accessed that site were redirected to a weaponized version of a proof of concept (POC) for the CVE-2019-5782 Google Chrome vulnerability published in the Chromium tracking system. Digging deeper, we discovered that the attack does not only involve a weaponized version of the mentioned Chrome exploit; the exploit was infecting the victim machine with three separate malware samples.\r\nFigure 1. The campaign's infection chain\r\nCVE-2020-0674, a vulnerability in Internet Explorer, was also used to compromise websites. While shellcode was used for the Chrome exploit, a PowerShell loader was used in the Internet Explorer exploit. Both the samples delivered by the shellcode and those delivered by the PowerShell script connect to the same C\u0026C servers.\r\nBesides the aforementioned behavior, the campaign was also seen exploiting other vulnerabilities, such as CVE-2016-0189, CVE-2019-1458, and the vulnerabilities cited in our previous reports on SLUB.\r\nLike the aforementioned affected sites, the compromised servers are using the GNUBoard Content Management System (CMS), some of them on either version 4 or version 5.\r\nBesides SLUB, two new malware variants, which we dubbed dneSpy and agfSpy, are also linked to this campaign. While SLUB's objective in this campaign is to exfiltrate system information, the two other malware variants were deployed to gain additional control of the affected user’s machine. We believe that the operators of SLUB also released these malware variants. We are currently investigating these samples and will share any pertinent findings.\r\nFigure 2. The attack vectors used in the campaign\r\nThe Chrome Attack Vector\r\nFor the Chrome attack vector, the exploit used CVE-2019-5782 and another vulnerability that does not have an assigned CVE. To deploy a weaponized version of this, the attacker reused POC code. It also implemented two customizations: the separation of the shellcode to load from the JavaScript-encoded version, and the inclusion of support for other operating system versions.\r\nThe shellcode requests dropper.dll from the network; after deobfuscation, it loads the DLL payload into the address space of the running process.\r\nDropper.dll checks the system for installed antimalware products by comparing the current processes to a predefined list. If none are detected, the dropper will start downloading three samples, namely “1.jpg,” “2.jpg,” and “3.jpg.”\r\nThe Internet Explorer Attack Vector\r\nFor the infection vector that uses the Internet Explorer exploit CVE-2020-0674, the exploit runs shellcode, which executes a few stages of a PowerShell loader.\r\nSimilar to the shellcode used in the Chrome exploit chain, the PowerShell version checks if the affected system has any antimalware product installed. If none are installed, the PowerShell loader proceeds to download and execute three backdoors. If instructed in the LPE (Local Privilege Escalation) column, the PowerShell loader may also initiate the download and execution of an LPE binary exploiting CVE-2019-1458.\r\nSLUB's Use of Mattermost\r\nThe SLUB variant used in this campaign employs Mattermost to keep track of its deployment by creating a channel for each infected machine. All communication uses HTTP on port 443.\r\nFigure 3. Mattermost server operating on port 443\r\nThe malware’s communication with Mattermost requires an authentication token that can grant permissions for certain functions such as creating channels and sending posts to these channels.\r\nTo learn more about the attacker’s infrastructure, we reviewed Mattermost’s API. Eventually, we were able to collect the following information:\r\nThe list of channels.\r\nThe dump of all posts in each channel.\r\nThe dump of all screenshots in each channel.\r\nThe list of all users associated with the channels.\r\nThe actual list of users showed that the server was first set up on March 10, 2020. It also gave us an insight into the roles each user plays and the kind of permissions they have: “system_admin” for the admin user, and “system_user_access_token” and “system_post_all_public” for regular users.\r\nFigure 4. Mattermost server users’ accounts\r\nAt the time of research, we found 15 users that are classified as follows:\r\nUser type | Count\r\nBot user | 1\r\nRegular user | 13\r\nAdmin user | 1\r\nTable 1. Type and number of users created in the Mattermost server\r\nWe have reached out to Mattermost regarding the abuse of the platform. Here is their official statement:\r\n“Mattermost’s open-source, self-managed collaboration platform is broadly used and co-created by developers and ethical security researchers. As a community, we denounce illicit and unethical use, which is explicitly against Mattermost’s Conditions of Use policy. We are grateful to our friends at Trend Micro for their contributions on this issue. For more information on how to help, see: How do I report illicit use of Mattermost software?”\r\nFor more information and in-depth analysis of the SLUB malware’s recent campaign, read our research paper, “Operation Earth Kitsune: Tracking SLUB’s Current Operations”, which aims to shed light on SLUB's recent activities by analyzing the behavior of this quickly evolving malware.\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-earth-kitsune-tracking-slub-s-current-operations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-earth-kitsune-tracking-slub-s-current-operations/"
	],
	"report_names": [
		"operation-earth-kitsune-tracking-slub-s-current-operations"
	],
	"threat_actors": [
		{
			"id": "6158a31d-091c-4a5a-a82b-938e3d0b0e87",
			"created_at": "2023-11-17T02:00:07.61151Z",
			"updated_at": "2026-04-10T02:00:03.459947Z",
			"deleted_at": null,
			"main_name": "Earth Kitsune",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Kitsune",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3f6650a3-9f50-47c4-bd7a-008b63bde191",
			"created_at": "2022-10-25T16:07:23.949232Z",
			"updated_at": "2026-04-10T02:00:04.803815Z",
			"deleted_at": null,
			"main_name": "Operation Earth Kitsune",
			"aliases": [],
			"source_name": "ETDA:Operation Earth Kitsune",
			"tools": [
				"SLUB",
				"WhiskerSpy",
				"agfSpy",
				"dneSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434332,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7ac6fa4ef2f37b3401816ff8acf5fa5e667af7a.pdf",
		"text": "https://archive.orkl.eu/e7ac6fa4ef2f37b3401816ff8acf5fa5e667af7a.txt",
		"img": "https://archive.orkl.eu/e7ac6fa4ef2f37b3401816ff8acf5fa5e667af7a.jpg"
	}
}