{
	"id": "7861ae85-3e9b-4b81-8cb5-59b4beff3c99",
	"created_at": "2026-04-06T00:22:26.350689Z",
	"updated_at": "2026-04-10T03:36:48.120551Z",
	"deleted_at": null,
	"sha1_hash": "f439c5efd5f813750cc727cd5baf10cffae285b0",
	"title": "MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 725098,
	"plain_text": "MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks\r\nBy: Joseph C Chen, Daniel Lunghi. Dec 05, 2024. Read time: 14 min (3756 words)\r\nPublished: 2024-12-05 · Archived: 2026-04-05 19:52:10 UTC\r\nTrend Micro’s monitoring of the MOONSHINE exploit kit revealed how the threat actor Earth Minotaur uses it to exploit Android instant messaging apps and install the DarkNimbus backdoor for surveillance.\r\nSummary\r\nTrend Micro researchers investigated a group named Earth Minotaur that used the MOONSHINE exploit kit in the wild. MOONSHINE, with at least 55 servers identified as of 2024, has been updated with more exploits and functions compared to the version reported in 2019.\r\nThe MOONSHINE exploit kit targets vulnerabilities in instant messaging apps on Android devices, primarily affecting Tibetan and Uyghur communities.\r\nThe researchers also discovered a previously unreported Android backdoor, DarkNimbus, used by Earth Minotaur. The backdoor also has a Windows version.\r\nEarth Minotaur uses MOONSHINE to deliver DarkNimbus to Android devices through WeChat; the Windows build shows that DarkNimbus is a cross-platform backdoor.\r\nMOONSHINE exploits multiple known vulnerabilities in Chromium-based browsers and the apps that embed them, so keeping those apps updated is the main defense.\r\nWe have been continuously monitoring the MOONSHINE exploit kit’s activity since 2019. 
During our research, we discovered a MOONSHINE exploit kit server with poor operational security: it exposed MOONSHINE’s toolkits and operation logs, which revealed information about possible victims and the attack tactics of a threat actor we have named Earth Minotaur.\r\nMOONSHINE was first discovered as part of malicious activities against the Tibetan community, and is believed to also be associated with previous malicious activities against Uyghurs. It’s designed to implant a backdoor by exploiting vulnerabilities in instant messaging apps on Android devices. We have since discovered an upgraded version of this toolkit, which includes newer vulnerabilities and more protections to deter analysis by security researchers. By 2024, we had identified at least 55 MOONSHINE exploit kit servers in the wild. It’s still actively used by threat actors.\r\nEarth Minotaur, who mainly targets people from the Tibetan and Uyghur communities, used the MOONSHINE exploit kit to compromise victims’ Android devices and infect them with an undisclosed Android backdoor we named DarkNimbus. We also found a Windows version of DarkNimbus, proving that it’s a cross-platform backdoor. In this blog entry, we explain the entire attack chain, including the tactics employed by Earth Minotaur to conduct social engineering attacks, the details of the upgraded MOONSHINE exploit kit, and a complete analysis of the DarkNimbus backdoor.\r\nhttps://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html\r\nPage 1 of 15\n\nAttack vectors\r\nEarth Minotaur sends carefully crafted messages via instant messaging apps to entice victims to click an embedded malicious link. The attackers pose as different personas in chats to increase the success of their social engineering. 
The malicious links lead victims to MOONSHINE exploit kit servers, which install backdoors on the victims’ devices (Figure 1).\r\nFigure 1. Attack chain of Earth Minotaur\r\nThe attack links generated from the MOONSHINE exploit kit can masquerade as legitimate links. Once the attack is done, the MOONSHINE server redirects the victim to the legitimate link so that the victim does not notice the attack (see the Exploitation section). Based on the exposed operation logs, the attack links delivered in China mainly pretended to be:\r\nGovernment announcements\r\nChinese news related to COVID-19\r\nChinese news related to religions, Tibetans, or Uyghurs\r\nChinese travel information\r\nThese links were mostly accessed from IP addresses geolocated in China. We also observed another set of attack links in which the client IP addresses came not only from China but from other countries as well (Figure 2). These attack links all redirected to online videos of Tibetan or Uyghur music and dances. Because the logs show that the attack links were accessed from multiple countries at about the same time, we suspect these links were sent to group chats involving multiple people rather than to a single individual.\r\nFigure 2. Countries affected by Earth Minotaur’s attacks\r\nExploitation (MOONSHINE exploit kit)\r\nBefore conducting an attack, the threat actors must generate an attack link on their MOONSHINE exploit kit server. In MOONSHINE’s upgraded version, every generated link carries pre-configured information: a masqueraded legitimate link, a timestamp, and a tag. This information is Base64-encoded and embedded in the query string of the attack link. 
Below is an example of an attack link’s structure (each field is enclosed by the same ten-character marker on both sides):\r\nhttp://{Hostname}/api/v1/things/web?going=wPol3ljdKj{Base64 encoded legitimate link}wPol3ljdKjW5qTvAdmgs{Base64 encoded timestamp and hash}W5qTvAdmgsLo8UTetjNl{Tag}Lo8UTetjNl\r\nWhen a victim clicks on an attack link and reaches the exploit kit server, the server reacts based on the embedded settings (Figure 3). Once the attack is over, the server redirects the victim to the masqueraded legitimate link to keep the victim from noticing any unusual activity. The timestamp records the lifetime set for the link; once it is exceeded, the server stops returning any attack code, to hinder later analysis by researchers. Each timestamp is appended with a salted hash computed over the timestamp, which prevents the lifetime from being extended by editing the link. Lastly, the tag is used by the server to record and manage the attack on the backend.\r\nFigure 3. Validation flow of the MOONSHINE exploit kit\r\nBefore returning the exploit code, the MOONSHINE exploit kit also verifies the information in the HTTP request headers. It returns the corresponding exploit code only when the victim is using one of the targeted apps with a vulnerable browser engine version. If the browser or app version is not targeted, the server delivers no malicious code and simply redirects the victim to the configured legitimate link.\r\nMOONSHINE uses multiple Chromium exploits to attack instant messaging apps on Android. Many instant messaging apps embed Chromium as the engine of their built-in browser, which becomes exploitable when the app ships an outdated Chromium and does not enable the sandbox. 
This gives attackers an opportunity to exploit these vulnerabilities and install their backdoors. We found that the MOONSHINE exploit kit can attack multiple versions of Chromium and of Tencent Browsing Service (TBS), another Chromium-based browser engine.\r\nVulnerability | Targeted version\r\nCVE-2016-1646 | Chrome 39~49\r\nCVE-2016-5198 | Chrome 50\r\nCVE-2017-5030 | Chrome 51~55\r\nCVE-2017-5070 | Chrome 56~58\r\nCVE-2018-6065 | Chrome 62~63\r\nCVE-2018-17463 | Chrome 68~69\r\nCVE-2018-17480 | Chrome 70~73, TBS 44605\r\nCVE-2020-6418 | Chrome 74~80, TBS 45114, 45116, 45118, 45120, 45122, 45124, 45126, 45128, 45130, 45132, 45134, 45136\r\nTable 1. Vulnerabilities and browser versions targeted by the MOONSHINE exploit kit\r\nIt’s worth noting that many of these vulnerabilities were already covered in the first report by Citizen Lab back in 2019. CVE-2020-6418 is the only newer vulnerability included in the version of the MOONSHINE exploit kit we observed.\r\nCisco Talos Intelligence Group recently published details on CVE-2023-3420, a vulnerability that targets WeChat. 
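\r\nAs an added example (not code from the original post, and not the kit’s own code), the following Python script reproduces the link layout and the validation flow described in the Exploitation section above: it builds a going= value with the three marker-wrapped fields, decodes one back, checks the expiry stamp and its hash, and then selects the exploit from Table 1 based on the client’s engine version. The salted hash (HMAC-SHA256 with an example secret), the User-Agent formats (Chrome/NN and TBS/0NNNNN), the host name and the sample URLs are assumptions; the page does not disclose the real hash algorithm or the exact header check.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Field markers seen in generated links; each field sits between two copies of its marker.
MARK_LINK = 'wPol3ljdKj'
MARK_TIME = 'W5qTvAdmgs'
MARK_TAG = 'Lo8UTetjNl'

# Assumption: the kit's salted hash is undisclosed; HMAC-SHA256 over the expiry
# with a server-side secret stands in for it here.
SERVER_SALT = b'example-server-secret'
HASH_LEN = 16

# Table 1 as (CVE, lowest, highest) Chrome major-version ranges.
CHROME_EXPLOITS = (
    ('CVE-2016-1646', 39, 49), ('CVE-2016-5198', 50, 50),
    ('CVE-2017-5030', 51, 55), ('CVE-2017-5070', 56, 58),
    ('CVE-2018-6065', 62, 63), ('CVE-2018-17463', 68, 69),
    ('CVE-2018-17480', 70, 73), ('CVE-2020-6418', 74, 80),
)
# Table 1 TBS builds: 44605, then the even builds 45114 through 45136.
TBS_EXPLOITS = {44605: 'CVE-2018-17480'}
TBS_EXPLOITS.update({b: 'CVE-2020-6418' for b in range(45114, 45137, 2)})

def _wrap(marker, value):
    return marker + value + marker

def _unwrap(marker, blob):
    # Markers are alphanumeric, so they are safe to use in the pattern unescaped.
    m = re.search(marker + '(.*?)' + marker, blob)
    return m.group(1) if m else None

def _stamp_hash(expires):
    digest = hmac.new(SERVER_SALT, str(expires).encode(), hashlib.sha256)
    return digest.hexdigest()[:HASH_LEN]

def make_link(host, legit_url, now, lifetime_s, tag):
    # Operator side: lay out the going= value as the kit does.
    expires = now + lifetime_s
    link_b64 = base64.urlsafe_b64encode(legit_url.encode()).decode()
    stamp = str(expires) + ':' + _stamp_hash(expires)
    stamp_b64 = base64.urlsafe_b64encode(stamp.encode()).decode()
    going = _wrap(MARK_LINK, link_b64) + _wrap(MARK_TIME, stamp_b64) + _wrap(MARK_TAG, tag)
    return 'http://' + host + '/api/v1/things/web?going=' + going

def parse_link(url):
    # Analyst side: recover decoy URL, expiry, hash and tag; None if the layout is absent.
    query = urlparse(url).query
    if 'going=' not in query:
        return None
    going = query.split('going=', 1)[1].split('&', 1)[0]
    parts = [_unwrap(MARK_LINK, going), _unwrap(MARK_TIME, going), _unwrap(MARK_TAG, going)]
    if None in parts:
        return None
    legit = base64.urlsafe_b64decode(parts[0]).decode()
    stamp = base64.urlsafe_b64decode(parts[1]).decode()
    exp_str, _, digest = stamp.partition(':')
    return {'legit_url': legit, 'expires': int(exp_str), 'hash': digest, 'tag': parts[2]}

def stamp_ok(fields, now):
    # The hash binds the expiry, so editing the timestamp alone does not revive a link.
    genuine = hmac.compare_digest(_stamp_hash(fields['expires']), fields['hash'])
    return genuine and now <= fields['expires']

def engine_from_user_agent(ua):
    # Assumed header formats: TBS advertises TBS/0NNNNN, plain Chrome Chrome/NN.x.y.z.
    m = re.search('TBS/([0-9]+)', ua)
    if m:
        return 'tbs', int(m.group(1))
    m = re.search('Chrome/([0-9]+)[.]', ua)
    if m:
        return 'chrome', int(m.group(1))
    return None, None

def exploit_for(ua):
    kind, version = engine_from_user_agent(ua)
    if kind == 'tbs':
        return TBS_EXPLOITS.get(version)
    if kind == 'chrome':
        for cve, low, high in CHROME_EXPLOITS:
            if low <= version <= high:
                return cve
    return None

def serve(url, ua, now):
    # Figure 3 in code: malformed link -> nothing; stale or tampered stamp, or an
    # engine outside Table 1 -> decoy redirect only; otherwise exploit, then redirect.
    fields = parse_link(url)
    if fields is None:
        return {'action': 'none'}
    if not stamp_ok(fields, now):
        return {'action': 'redirect', 'to': fields['legit_url'], 'why': 'stale-or-tampered'}
    cve = exploit_for(ua)
    if cve is None:
        return {'action': 'redirect', 'to': fields['legit_url'], 'why': 'not-vulnerable'}
    return {'action': 'exploit', 'cve': cve, 'then': fields['legit_url'], 'tag': fields['tag']}

if __name__ == '__main__':
    link = make_link('kit.example', 'https://news.example/notice', 1700000000, 3600, 'grp-1')
    ua = 'Mozilla/5.0 (Linux; Android 8.0) Chrome/57.0.2987.132 Mobile Safari/537.36 MicroMessenger/7.0'
    print(parse_link(link))
    print(serve(link, ua, 1700000100))
```

For triage, parse_link recovers the decoy URL, the tag and the expiry from a captured link, and exploit_for tells you from a proxy log’s User-Agent whether a given client fell inside the kit’s target window.\r\n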
We believe the related exploit is part of the MOONSHINE framework.\r\nAlthough we only saw the threat actor leveraging WeChat to successfully compromise a target, the MOONSHINE framework has code to target multiple Android applications that embed their own version of Chrome or TBS.\r\nApplication name | Description | Targeted component(s)\r\nChrome | Browser | Chrome\r\nFacebook | Social network application | Chrome\r\nLazada | E-commerce application popular in South East Asia | Chrome\r\nLine | Instant messaging application mainly popular in Indonesia, Taiwan and Thailand | Chrome\r\nMessenger | Instant messaging application | Chrome\r\nNaver | Search engine/web portal popular in South Korea | Chrome\r\nQQ | Instant messaging application popular in China | Chrome, TBS\r\nWeChat | Instant messaging application popular in China | Chrome, TBS\r\nZalo | Instant messaging application popular in Vietnam | Chrome\r\nTable 2. Apps targeted by the MOONSHINE exploit kit\r\nWe also found that the MOONSHINE exploit kit supports a phishing technique meant to downgrade an app’s browser engine: when the server detects a TBS version that is not vulnerable to any exploit in MOONSHINE, it does not deliver exploit code. Instead, it returns a phishing page telling the victim that the app’s browser engine is outdated and must be upgraded via a provided download link (Figure 4). The engine offered for download is in fact an older, vulnerable build. MOONSHINE uses this technique to downgrade the built-in browser engine and then launches the attack again.\r\nFigure 4. A Chinese phishing page of the MOONSHINE exploit kit (Translation: “The version of WeChat Viewer is too old, please update it to view. 
Version update.”)\r\nLanding approach\r\nWhen an exploit succeeds, the malicious code runs a prepared shellcode to implant the backdoor on the targeted device. The landing approach differs from the previously discovered attack chain, which leveraged an ELF loader. The shellcode we discovered (Figure 5) instead directly implants a trojanized XWalk browser core in place of the original one inside WeChat (XWalk is a closed-source WeChat component likely extended from the Crosswalk framework). Multiple versions of the XWalk APK, all with the backdoor implanted, are staged on the attacker’s server; the shellcode embedded in each exploit downloads the trojanized APK matching the target and replaces the original XWalk in WeChat. The shellcode:\r\nDownloads the trojanized XWalk APK from the remote server and saves it as “base_bk.apk”\r\nReplaces the original “base.apk” with the downloaded “base_bk.apk”\r\nEmpties the “filelist.config” and “reslist.config” files, which hold the MD5 hashes of the original files used to verify file integrity\r\nModifies the permissions of the “app_xwalkconfig” folder\r\nDownloads an empty file to overwrite “base_bk.apk”\r\nFigure 5. Decoded shellcode executed after exploitation\r\nIn the replaced XWalk core, the function “startBrowserProcess” has been modified to add the backdoor’s entry point (Figure 6). Before the backdoor runs, a function called “stuber” prepares the environment for it (Figure 7). The initialization steps are:\r\n1. Clearing the “filelist.config” file\r\n2. Downloading “libwcdb.so” from a remote server for the backdoor to use (WCDB is a lightweight mobile database)\r\n3. Checking whether the MD5 hash of the XWalk APK matches the trojanized version; if not, downloading and replacing it again\r\n4. Executing the main backdoor function\r\nFigure 6. The function “startBrowserProcess” modified to run the backdoor\r\nFigure 7. The “stuber” function that initializes and executes the backdoor\r\nBackdoor (DarkNimbus)\r\nAndroid platform\r\nThe main backdoor implanted in XWalk is a comprehensive Android surveillance tool. We found a standalone version of the backdoor and determined that it has been developed and actively updated since 2018. In some versions, the backdoor uses the string “DKNS” in its function names, which is why we named it DarkNimbus.\r\nDarkNimbus uses the XMPP protocol to communicate with its C\u0026C server; the XMPP handlers are implemented with the open-source “Smack” library. It also communicates with a second server over HTTPS, used mainly for file transfers.\r\nDarkNimbus collects basic information about the infected device, installed apps, and GPS geolocation. It steals personal information including the contact list, phone call records, SMS, clipboard content, browser bookmarks, and conversations from multiple instant messaging apps. It also supports call recording, taking photos, screenshots, file operations, and command execution. 
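\r\nThe XWalk replacement described under Landing approach above leaves artifacts that can be checked offline. The following Python script is an added example, not code from the original post: given a copy of WeChat’s XWalk core directory, it reports empty filelist.config and reslist.config files, a leftover base_bk.apk, a base.apk whose MD5 is not referenced by the integrity lists, a world-writable app_xwalkconfig folder, and optionally a base.apk hash found in a known-bad list. The directory layout, the config file format and the known_bad list are assumptions; the trees built by build_sample are constructed data, not real WeChat files.

```python
import hashlib
import os
import stat
import tempfile

# Names taken from the shellcode and stuber analysis above.
CORE_APK = 'base.apk'
STAGED_APK = 'base_bk.apk'
CONFIG_FILES = ('filelist.config', 'reslist.config')
CONFIG_DIR = 'app_xwalkconfig'

def md5_of(path):
    h = hashlib.md5()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()

def audit_xwalk(root, known_bad=()):
    # root: an offline copy of the WeChat XWalk core directory. Assumption: base.apk,
    # the two config files and app_xwalkconfig sit directly under root; adjust the
    # layout for the WeChat build under review. Returns a list of finding strings.
    findings = []
    configs = {}
    for name in CONFIG_FILES:
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            findings.append('missing ' + name)
            continue
        with open(path, 'rb') as fh:
            configs[name] = fh.read()
        if not configs[name].strip():
            findings.append(name + ' is empty (integrity list wiped)')
    staged = os.path.join(root, STAGED_APK)
    if os.path.exists(staged):
        findings.append('%s present (%d bytes)' % (STAGED_APK, os.path.getsize(staged)))
    core = os.path.join(root, CORE_APK)
    if os.path.isfile(core):
        digest = md5_of(core)
        if digest in known_bad:
            findings.append(CORE_APK + ' matches a known trojanized XWalk hash')
        # Format-agnostic check: a legitimate list should mention the current hash.
        if not any(digest.encode() in data for data in configs.values()):
            findings.append('%s md5 %s is not listed in any config file' % (CORE_APK, digest))
    else:
        findings.append('missing ' + CORE_APK)
    cfg = os.path.join(root, CONFIG_DIR)
    if os.path.isdir(cfg) and os.stat(cfg).st_mode & stat.S_IWOTH:
        findings.append(CONFIG_DIR + ' is world-writable')
    return findings

def build_sample(tampered):
    # Constructed fixture: the clean tree lists base.apk in both config files
    # (assumed one-line format); the tampered tree mirrors the shellcode's side effects.
    root = tempfile.mkdtemp(prefix='xwalk_')
    core = os.path.join(root, CORE_APK)
    with open(core, 'wb') as fh:
        fh.write(b'trojanized xwalk core' if tampered else b'original xwalk core')
    listed = b'' if tampered else (md5_of(core) + ' ' + CORE_APK).encode() + bytes([10])
    for name in CONFIG_FILES:
        with open(os.path.join(root, name), 'wb') as fh:
            fh.write(listed)
    cfg = os.path.join(root, CONFIG_DIR)
    os.mkdir(cfg)
    os.chmod(cfg, 0o777 if tampered else 0o755)
    if tampered:
        open(os.path.join(root, STAGED_APK), 'wb').close()  # zero-byte overwrite
    return root

if __name__ == '__main__':
    for flag in (False, True):
        print('tampered=%s -> %s' % (flag, audit_xwalk(build_sample(flag))))
```

On a live device the directory has to be pulled first (for example with adb from a rooted handset); the hash-in-list check deliberately avoids parsing the config format, since the page only states that the files carry the MD5 hashes of the originals.\r\n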
Each supported backdoor feature is represented by a command ID with the “cmd” prefix followed by five digits.\r\nCommand ID | Function\r\ncmd_10001 | Collect mobile device information (including IMEI, IMSI, serial number, device brand, device model, OS version, memory size, SD card size, power, MAC address, WIFI MAC address, root permission, IP address, accessibility enabled, device manager enabled, NET type, client version, camera enabled, Bluetooth MAC address, camera information, plugin version, phone number, OS ID, microphone enabled)\r\ncmd_10002 | Collect installed app information (including app name, package name, version, install time, install path, size, system app or not)\r\ncmd_10003 | Collect contacts information\r\ncmd_10004 | Collect content of SMS (Short Message Service)\r\ncmd_10005 | Record phone call\r\ncmd_10006 | Take a picture with the front-facing camera\r\ncmd_10008 | Collect geolocation information from GPS and CDMA\r\ncmd_10009 | Collect phone call history\r\ncmd_10010 | Collect WIFI information (from local settings or by WIFI scanner)\r\ncmd_10011 | Collect directory information (including SD card, Pictures, DCIM, Downloads folders)\r\ncmd_10012 | Collect directory information from a specified folder\r\ncmd_10013 | Collect a file’s content from the device\r\ncmd_10014 | Collect browser bookmarks\r\ncmd_10015 | Collect a specified app database\r\ncmd_10016 | Collect WeChat’s resource information\r\ncmd_10018 | Take a screenshot\r\ncmd_10019 | Record at a scheduled time\r\ncmd_10021 | A collective execution of cmd_10005, cmd_10006, cmd_10008, cmd_10011, cmd_10015, cmd_10016, and cmd_10018\r\ncmd_10024 | Collect clipboard data\r\ncmd_10025 | Collect input method information\r\ncmd_10026 | Collect messages from WeChat via Accessibility\r\ncmd_10027 | Collect messages from QQ via Accessibility\r\ncmd_10028 | Archive a file or a folder\r\ncmd_10029 | Collect messages from Skype via Accessibility\r\ncmd_10030 | Collect messages from WhatsApp via Accessibility\r\ncmd_10031 | Collect messages from DingTalk via Accessibility\r\ncmd_10037 | Collect messages from MOMO via Accessibility\r\ncmd_10038 | Collect messages from TalkBox via Accessibility\r\ncmd_10039 | Collect messages from Voxer via Accessibility\r\ncmd_10043 | Collect a specified app’s resource information\r\ncmd_10044 | Collect messages from Telegram via Accessibility\r\ncmd_20001 | Download a URL\r\ncmd_20002 | Record phone call\r\ncmd_20003 | Collect WeChat’s resource information\r\ncmd_20004 | Execute a shell command\r\ncmd_20005 | Collect messages from WeChat via the local database “EnMicroMsg.db”\r\ncmd_99999 | Uninstall backdoor\r\nTable 3. List of DarkNimbus commands (Android version)\r\nDarkNimbus abuses Android’s Accessibility Service, originally designed to assist individuals with disabilities, to monitor and steal conversations from instant messaging apps. When a targeted app is in the foreground, it uses the Accessibility Service to read the text shown on screen and capture the conversation. The targeted instant messaging apps include:\r\nDingTalk\r\nMOMO\r\nQQ\r\nSkype\r\nTalkBox\r\nTelegram\r\nVoxer\r\nWeChat\r\nWhatsApp\r\nHowever, the DarkNimbus version delivered via the MOONSHINE exploit kit only targets WeChat; the implementations for the other instant messaging apps are removed in that version.\r\nWindows platform\r\nWe found a version of this malware designed to run on Windows. Based on a hardcoded string and the compilation timestamp, it appears to have been developed between July and October 2019. 
However, it was probably used in December 2020, based on our telemetry and on another hardcoded string in the binary.\r\nTwo strings in the sample suggest version numbers for this malware family: the string “..Start.. 0.0.9a” written to the log file, and the JSON key “mm_version” with the hardcoded value “2.0.1” sent along with information about the compromised host in the cmd_10001 command, as shown in Table 4.\r\nWe found multiple samples using two different C\u0026C communication protocols:\r\nA “standard” connection to the IP address 117.175.185[.]81 on port 8001 to post the retrieved data and wait for commands\r\nA second protocol in which the malware sends “DKGETMMHOST” to the Cloudflare IP address 1.1.1.1 on port 8005 and searches the answer for the strings DKMMHOST and DKFESN to set the final C\u0026C IP address. We don’t believe the threat actor compromised Cloudflare; it is more likely that this second variant depends on a man-in-the-middle (MitM) capability to answer those requests and direct the malware to the proper C\u0026C.\r\nFeatures\r\nThe malware is written in C++ and launches threads to perform its features. The naming convention of those features matches the Android version, while the implementation is specific to Windows. The results of the commands are sent to the C\u0026C server in JSON format, using CJsonObject, a light C++ JSON implementation.\r\nCommand ID | Function\r\ncmd_10001 | Collect host information: OS, computer name, username, CPU, memory size, disk serial number, manufacturer, volumes and partitions, MAC address, WiFi, IP address, network gateway, camera, microphone, and “mm_version” (hardcoded to “2.0.1” in our sample)\r\ncmd_10002 | Collect the list of installed applications by parsing the registry key 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall'\r\ncmd_10011 | Collect list of files and directories\r\ncmd_10013 | Read and upload file content\r\ncmd_10014 | Collect browsing history\r\ncmd_10018 | Take a screenshot\r\ncmd_10021 | Set policy\r\ncmd_10026 | Collect keystrokes\r\ncmd_10050 | Collect clipboard data\r\ncmd_10051 | Execute a shell command\r\ncmd_10052 | Collect browser saved credentials\r\ncmd_99999 | Uninstall backdoor\r\nTable 4. List of DarkNimbus commands (Windows version)\r\nMost of the threads create files into which they copy the content to be sent to the server, encoded in Base64. 
The filename is the MD5 of a hardcoded string.\r\nFile | Description | Content\r\neb3816e69e6c007b96a09e2ecee968e5 | MD5 of “winhook-clientLog” | Logs of the malware execution\r\na461f0e556eafe386219599323c3bc7c | MD5 of “register.json” | C\u0026C configuration details\r\n38b2c93bc282cfda172f89148d576f1a | MD5 of “BrowseHistory::BrowseHistory” | A JSON file with some IDs related to the victim’s browsing history\r\nbf8b3f43b18d02f7c15b3c6d4d2feb36 | MD5 of “UserAccHistory::UserAccHistory” | A JSON file with some IDs related to the browser credentials stolen from the victim\r\n98ce6a50def985ec0b91bcb66d3673f1 | MD5 of “CSoftInfo::CSoftInfo” | A JSON file with some IDs related to the installed applications\r\n880103ad832e14aa4bd6fb2be3591694 | MD5 of “task_config.json” | A JSON file with IDs of tasks to be executed by the malware\r\na3de05ec828ee0077b81ade538005443 | MD5 of “do_scanfs_config” | Configuration of the file browsing feature\r\n8ff32fac8af1e67e2be678bdad1ebce8 | MD5 of “policypush.json” | Should contain the policy for file submission\r\nTable 5. Examples of created files with copied content\r\nAttribution\r\nWe believe that Earth Minotaur is an intrusion set that hasn’t been publicly reported. In the first report on the MOONSHINE exploit kit in 2019, the threat actor using the toolkit was named POISON CARP. While both used the MOONSHINE exploit kit and had similar targets, we did not find further connections between Earth Minotaur and POISON CARP. The DarkNimbus backdoor had been developed in 2018 but was not found in any of POISON CARP’s previous activity. 
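\r\nBecause the Windows build names its staging files after the MD5 of fixed strings (Table 5 above), those names are stable host indicators. The following Python script is an added example, not code from the original post: it derives the expected filenames from the seed strings, keeps the digests printed in Table 5 beside them so that any transcription mismatch is reported instead of silently trusted, sweeps a directory for files carrying either name, and Base64-decodes what it finds. The directory scanned and the files written by build_sample are constructed for the example; the page does not give the real location of these files on disk.

```python
import base64
import hashlib
import json
import os
import tempfile

# Hardcoded strings the Windows build hashes to name its staging files (Table 5).
FILE_SEEDS = {
    'winhook-clientLog': 'execution log',
    'register.json': 'C2 configuration',
    'BrowseHistory::BrowseHistory': 'browsing history IDs',
    'UserAccHistory::UserAccHistory': 'stolen browser credential IDs',
    'CSoftInfo::CSoftInfo': 'installed application IDs',
    'task_config.json': 'task IDs',
    'do_scanfs_config': 'file browsing configuration',
    'policypush.json': 'file submission policy',
}
# Digests as printed in Table 5, kept apart from the computed ones.
PUBLISHED = {
    'eb3816e69e6c007b96a09e2ecee968e5': 'winhook-clientLog',
    'a461f0e556eafe386219599323c3bc7c': 'register.json',
    '38b2c93bc282cfda172f89148d576f1a': 'BrowseHistory::BrowseHistory',
    'bf8b3f43b18d02f7c15b3c6d4d2feb36': 'UserAccHistory::UserAccHistory',
    '98ce6a50def985ec0b91bcb66d3673f1': 'CSoftInfo::CSoftInfo',
    '880103ad832e14aa4bd6fb2be3591694': 'task_config.json',
    'a3de05ec828ee0077b81ade538005443': 'do_scanfs_config',
    '8ff32fac8af1e67e2be678bdad1ebce8': 'policypush.json',
}

def md5_name(seed):
    return hashlib.md5(seed.encode()).hexdigest()

def name_table():
    # Union of published and freshly computed names, each mapped to its seed string.
    table = dict(PUBLISHED)
    for seed in FILE_SEEDS:
        table[md5_name(seed)] = seed
    return table

def table_mismatches():
    # Seeds whose computed MD5 differs from the digest printed in Table 5.
    computed = {seed: md5_name(seed) for seed in FILE_SEEDS}
    return sorted(seed for digest, seed in PUBLISHED.items() if computed[seed] != digest)

def decode_payload(raw):
    # Staging files hold Base64; most of them wrap JSON.
    try:
        data = base64.b64decode(raw, validate=True)
    except (ValueError, TypeError):
        return {'encoding': 'not-base64', 'size': len(raw)}
    try:
        return {'encoding': 'base64+json', 'json': json.loads(data.decode())}
    except ValueError:
        return {'encoding': 'base64', 'size': len(data)}

def scan_dir(root):
    # Flag files whose basename (extension ignored) is one of the derived names.
    names = name_table()
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            stem = fname.lower().split('.', 1)[0]
            if stem in names:
                path = os.path.join(dirpath, fname)
                with open(path, 'rb') as fh:
                    raw = fh.read()
                hits.append({'path': path, 'seed': names[stem],
                             'role': FILE_SEEDS[names[stem]], 'content': decode_payload(raw)})
    return sorted(hits, key=lambda h: h['path'])

def build_sample():
    # Constructed fixture: one file under the Table 5 name for register.json, one
    # under the computed name for policypush.json, plus an unrelated file.
    root = tempfile.mkdtemp(prefix='dknimbus_')
    cfg = json.dumps({'host': '203.0.113.7', 'port': 8001}).encode()
    with open(os.path.join(root, 'a461f0e556eafe386219599323c3bc7c'), 'wb') as fh:
        fh.write(base64.b64encode(cfg))
    with open(os.path.join(root, md5_name('policypush.json')), 'wb') as fh:
        fh.write(base64.b64encode(b'not json at all'))
    with open(os.path.join(root, 'readme.txt'), 'wb') as fh:
        fh.write(b'unrelated')
    return root

if __name__ == '__main__':
    print('table mismatches:', table_mismatches())
    for hit in scan_dir(build_sample()):
        print(hit['seed'], hit['role'], hit['content'])
```

Running table_mismatches first tells you whether the printed digests and the seed strings agree; on a real host, point scan_dir at the directories the sample writes to and review the decoded register.json for the C\u0026C configuration.\r\n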
Therefore, we categorize them as two different intrusion sets.\r\nIn 2020, we published a research report about Earth Empusa, which we believed was associated with POISON CARP. Meta released a report that distinguished Earth Empusa as independent from POISON CARP; we found no evidence connecting Earth Minotaur to Earth Empusa, either.\r\nIt's worth mentioning that we noticed a new MOONSHINE exploit kit server activated with the domain info[.]symantke[.]com in November 2023 (Figure 8). Interestingly, the domain symantke[.]com was found to be used by UNC5221 in an Ivanti zero-day attack incident in December 2023. This suggests that UNC5221 is also one of the groups using the MOONSHINE exploit kit. However, we didn’t find any further evidence proving a connection between UNC5221 and Earth Minotaur.\r\nFigure 8. Error page from a MOONSHINE exploit kit server with the “info[.]symantke[.]com” domain\r\nIn October 2020, Dr. Web also published a paper on the similarities between Shadowpad and PlugX, in which they mentioned a Shadowpad sample detected as “Backdoor.Shadowpad.4” that was embedded in an SFX archive containing three files:\r\nTosBtKbd.exe - a legitimate executable signed by Toshiba and vulnerable to DLL side-loading\r\nTosBtKbd.dll - a Shadowpad sample side-loaded by TosBtKbd.exe\r\nTosBtKbdLayer.dll - a DarkNimbus sample loaded by TosBtKbd.dll, detected as “BackDoor.Siggen2.3243”\r\nDr. Web states that they came across the sample while researching Shadowpad and PlugX, and they do not attribute it to any specific threat actor or campaign. This particular DarkNimbus sample seems to have been developed between July and October 2019. Shadowpad was discovered in 2017 and was exclusively used by APT41 at the time. However, since it started being shared among multiple Chinese threat actors in 2019, attribution based solely on the use of Shadowpad would be incorrect.\r\nThe algorithm used to pack the payload here is the same as the one in ESET’s report from January 2020 about Winnti targeting Hong Kong universities (Figure 9).\r\nFigure 9. Shadowpad payload unpacking algorithm for our sample (left) versus ESET’s sample (right)\r\nHowever, the algorithm that decrypts the strings uses a different constant. We found another Shadowpad sample communicating with the same C\u0026C that also uses this string encryption algorithm (Figure 10).\r\nFigure 10. Shadowpad string encryption algorithm for the sample with a similar C\u0026C (left) versus ESET’s sample (right)\r\nOther samples with the same payload packing and string encryption algorithms as our DarkNimbus loader have been listed by SecureWorks as targeting Vietnamese entities, but have not been attributed to a known group.\r\nWe also found an unreported Shadowpad sample from 2019 that shares those characteristics and connects to news[.]tibetonline[.]info as its C\u0026C, suggesting that Tibet is being targeted. This domain has been reported multiple times in campaigns related to China, in 2013, 2015, and 2017.\r\nThese findings are not strong enough for attribution to a known threat actor; however, they highlight the connections between multiple campaigns attributed to Chinese operations and their sharing of malware families. 
It also adds another group to the long list of Chinese threat actors that use Shadowpad.\r\nConclusion\r\nEarth Minotaur is a capable threat actor that leverages an advanced exploit kit, MOONSHINE, to target Tibetans and Uyghurs. Based on our research, we believe that MOONSHINE is a toolkit still under development that has been shared with multiple threat actors, including Earth Minotaur, POISON CARP, UNC5221, and others. We examined how Earth Minotaur customized the exploit kit for its attack chain against the WeChat application, and we shared a detailed analysis of the Android backdoor DarkNimbus that Earth Minotaur implants on victims’ devices as part of long-term surveillance operations.\r\nTo prevent this type of attack, we suggest that people exercise caution when clicking links embedded in suspicious messages, as these may lead to malicious servers such as MOONSHINE’s that compromise their devices. We also recommend regularly updating applications to the latest versions; these updates carry the fixes for the known vulnerabilities this kit relies on.\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nEarth Minotaur Leverages MOONSHINE Exploit kit to Compromised Mobile Devices for Surveillance Operations\r\nTrend Micro Vision One Threat Insights App\r\nThreat Actor: Earth Minotaur\r\nEmerging Threats: Earth Minotaur Leverages MOONSHINE Exploit kit to Compromised Mobile Devices for Surveillance Operations\r\nHunting Queries\r\nTrend Micro Vision One Search App\r\nTrend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post against data in their environment.\r\nDarkNimbus and Shadowpad Connections to C\u0026C IPs\r\neventId:3 AND ((dst:117.175.185.81 AND dpt:8001) OR (dst:125.65.40.163 AND dpt:46991) OR (dst:112.121.178.90 AND dpt:44444) OR (src:117.175.185.81 AND spt:8001) OR (src:125.65.40.163 AND spt:46991) OR (src:112.121.178.90 AND spt:44444))\r\nMore hunting queries are available for Vision One customers with the Threat Insights entitlement enabled.\r\nIndicators of Compromise (IOC)\r\nDownload the list of IOCs from the original post.\r\nAcknowledgment\r\nWe would like to thank Ashley Shen from the Cisco Talos Intelligence Group, who shared Talos’ findings on the MOONSHINE exploit kit with us.\r\nSource: https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html"
	],
	"report_names": [
		"earth-minotaur.html"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe",
			"created_at": "2023-01-06T13:46:39.056888Z",
			"updated_at": "2026-04-10T02:00:03.198866Z",
			"deleted_at": null,
			"main_name": "POISON CARP",
			"aliases": [
				"Evil Eye",
				"Red Dev 16",
				"Earth Empusa"
			],
			"source_name": "MISPGALAXY:POISON CARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dc813ffb-16bd-46f7-9d8f-8e93089f00c1",
			"created_at": "2024-12-28T02:01:54.748213Z",
			"updated_at": "2026-04-10T02:00:04.669444Z",
			"deleted_at": null,
			"main_name": "Earth Minotaur",
			"aliases": [],
			"source_name": "ETDA:Earth Minotaur",
			"tools": [
				"DarkNimbus",
				"MOONSHINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574",
			"created_at": "2022-10-25T16:07:24.064197Z",
			"updated_at": "2026-04-10T02:00:04.856578Z",
			"deleted_at": null,
			"main_name": "Poison Carp",
			"aliases": [
				"Earth Empusa",
				"Evil Eye",
				"EvilBamboo",
				"Poison Carp",
				"Red Dev 16",
				"Sentinel Taurus"
			],
			"source_name": "ETDA:Poison Carp",
			"tools": [
				"ActionSpy",
				"AxeSpy",
				"BADSIGNAL",
				"BADSOLAR",
				"BadBazaar",
				"IRONSQUIRREL",
				"IceCube",
				"MOONSHINE",
				"PoisonCarp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434946,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f439c5efd5f813750cc727cd5baf10cffae285b0.pdf",
		"text": "https://archive.orkl.eu/f439c5efd5f813750cc727cd5baf10cffae285b0.txt",
		"img": "https://archive.orkl.eu/f439c5efd5f813750cc727cd5baf10cffae285b0.jpg"
	}
}