{
	"id": "937aefa3-716e-434d-aea2-de9f07af98df",
	"created_at": "2026-04-06T00:08:55.431846Z",
	"updated_at": "2026-04-10T03:37:32.655711Z",
	"deleted_at": null,
	"sha1_hash": "f5a5067d669afa2bc5fc07dbff584aea182e6634",
	"title": "Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2716583,
	"plain_text": "Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns\r\nPublished: 2023-02-16 · Archived: 2026-04-05 17:49:11 UTC\r\nAPT \u0026 Targeted Attacks\r\nWe detail the intrusion set Earth Yako, attributed to the campaign Operation RestyLink or EneLink. This analysis was presented in full at JSAC 2023 in January 2023.\r\nBy: Hara Hiroaki, Yuka Higashi, Masaoki Shoji Feb 16, 2023 Read time: 12 min (3243 words)\r\nIn 2021, we observed several targeted attacks against researchers at academic organizations and think tanks in Japan. We have since been tracking this series of attacks and identified a new intrusion set we have named “Earth Yako”. Our research attributes it to the known campaign “Operation RestyLink” or “Enelink”.\r\nUpon investigating several incidents, we identified previously unknown malware, tactics, techniques and procedures (TTPs), and infrastructure used by Earth Yako for cyberespionage. The intrusion set introduced new tools and malware within a short period of time, frequently changing and expanding its attack targets. Since we observed related attacks as recently as January 2023, we believe that Earth Yako is still active and will keep targeting more organizations. This investigation was presented at JSAC 2023 in Tokyo, Japan.\r\nOverview of The Campaign\r\nSince January 2022, we have been observing Earth Yako as it targets researchers in academia and research think tanks in Japan. We also observed a small number of attacks that appear to have targeted organizations in Taiwan.\r\nFigure 1. Timeline of Earth Yako campaign\r\nWhile consistently targeting researchers, the areas of interest for Earth Yako’s deployment and targeting have varied over time. 
Earlier in 2022, their main targets were stakeholders related to economic security, but the targeting later expanded to other sectors such as the energy and economic industries.\r\nhttps://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html\r\nPage 1 of 19\n\nIn this campaign, Earth Yako uses a spearphishing link for initial access. The URL in the spearphishing mail downloads a compressed (.zip) or disc image (.iso) file containing a malicious shortcut file (.lnk) that downloads the next payload. We observed several spearphishing emails masquerading as invitations to private or public meeting-like events, which lead to the download of the malware onto the target system.\r\nMalware and Tools\r\nHere is a summary of the new malware and tools we observed across the different incidents:\r\nMirrorKey: An in-memory dynamic link library (DLL) loader\r\nTransBox: A backdoor abusing the Dropbox API\r\nPlugBox: A Dropbox API-based backdoor with a small set of capabilities\r\nDulload: A generic loader\r\nPULink: A dropper for ShellBox written in C++/CLR, capable of achieving persistence\r\nShellBox: Another Dropbox API-based stager written in C#\r\nIncident Case Studies\r\nWe observed Earth Yako using spearphishing for entry, with the URL in the email body leading the target to download a .zip or .iso file when clicked. The .lnk file contained in the archive induces the target to download a malicious Word template. There have been other reported instances in which, after opening the URL, the routine infects the target with Cobalt Strike by sideloading a .dll file. In the following sections, we introduce some of the incidents we observed in 2022 in which Earth Yako deployed new malware.\r\nIncident 1\r\nThe first case was observed in March 2022, targeting researchers in a Japanese academic institution. 
After intruding into the target system, the attacker deployed MirrorKey and TransBox in the following flow.\r\nFigure 2. Execution flow of MirrorKey and TransBox in Incident 1\r\nMirrorKey\r\nWe found MirrorKey in the infected system under the file name OCLEAN.DLL. This DLL is loaded by OFFCLN.EXE, a legitimate Microsoft application abused for DLL sideloading: on execution it loads OCLEAN.DLL from its own directory. After loading, MirrorKey looks for DWINTL.DLL in the same directory. DWINTL.DLL is signed by Microsoft and carries no malicious code in its code section, so it appears harmless, but its digital signature has been abused to embed an encrypted payload by way of MS13-098 (CVE-2013-3900). CVE-2013-3900 is a flaw in Authenticode signature verification: Windows did not properly validate the portable executable (PE) file digest, which lets an attacker append arbitrary data inside the certificate table, after the end of a legitimate digital signature, without invalidating that signature. Microsoft shipped the stricter check as an opt-in (the EnableCertPaddingCheck registry value), so on hosts where it is not enabled a signed file carrying such an appendix still validates.\r\nFigure 3. DWINTL.DLL’s legitimate digital signature issued by Microsoft\r\nFigure 4. Embedded data abusing CVE-2013-3900\r\nIn this case, two types of data were embedded: an encrypted payload and data used for decryption. MirrorKey processes the data embedded at the end of the file to generate a decryption key for the payload. Once the key is generated, it is used to decrypt the embedded payload with AES128-ECB.\r\nFigure 5. Key generation logic for payload decryption\r\nTransBox\r\nThe decrypted payload was a DLL internally named FILETRANDLL.dll. 
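Before following the decrypted payload further, here is an added check for the Authenticode trick described above. This is example code written for this page, not Trend Micro’s tooling and not the malware’s own logic: it parses the PE security directory, measures the outer DER SEQUENCE of the PKCS#7 SignedData, and reports any bytes carried inside the WIN_CERTIFICATE beyond that blob and its at-most-7 bytes of zero alignment padding, which is exactly the space an appendix like DWINTL.DLL’s occupies. The sample PE it builds for itself is constructed and carries a stand-in DER blob, not a real signature; point it at a real signed file to use it.

```python
import struct
import sys

SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY; its VirtualAddress is a raw file offset

def der_total_length(buf):
    # Size (tag + length + content) of the DER SEQUENCE starting at buf[0].
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError('certificate table does not start with a DER SEQUENCE')
    first = buf[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    nbytes = first - 0x80                  # long form: number of length octets
    if nbytes == 0 or nbytes > 4 or len(buf) < 2 + nbytes:
        raise ValueError('unsupported DER length encoding')
    return 2 + nbytes + int.from_bytes(buf[2:2 + nbytes], 'big')

def security_directory(pe):
    # Return (file offset, size) of the certificate table from the optional header.
    if pe[:2] != b'MZ':
        raise ValueError('not a PE file')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('bad PE signature')
    opt = e_lfanew + 24                    # optional header follows the 20-byte COFF header
    magic = struct.unpack_from('<H', pe, opt)[0]
    if magic == 0x10B:                     # PE32: NumberOfRvaAndSizes at 92, directories at 96
        count_off, dirs = opt + 92, opt + 96
    elif magic == 0x20B:                   # PE32+: NumberOfRvaAndSizes at 108, directories at 112
        count_off, dirs = opt + 108, opt + 112
    else:
        raise ValueError('unknown optional header magic')
    if struct.unpack_from('<I', pe, count_off)[0] <= SECURITY_DIR_INDEX:
        return (0, 0)                      # too few directories: no certificate table
    return struct.unpack_from('<II', pe, dirs + 8 * SECURITY_DIR_INDEX)

def authenticode_trailing_bytes(pe):
    # Bytes inside the WIN_CERTIFICATE that follow the PKCS#7 blob, excluding legitimate
    # zero alignment padding. Returns 0 for a clean signature and -1 for an unsigned file.
    off, size = security_directory(pe)
    if off == 0 or size == 0:
        return -1
    dw_length, revision, cert_type = struct.unpack_from('<IHH', pe, off)
    if cert_type != 0x0002:                # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError('not a PKCS#7 SignedData entry')
    blob = pe[off + 8:off + dw_length]
    tail = blob[der_total_length(blob):]
    if len(tail) <= 7 and not any(tail):   # only alignment padding: clean
        return 0
    return len(tail)

def build_signed_pe(appended=b''):
    # Constructed sample: a minimal PE32+ image with no sections and a certificate table
    # holding a stand-in DER SEQUENCE (not a real signature), optionally followed by extra
    # bytes the way DWINTL.DLL carries MirrorKey's encrypted payload.
    pkcs7 = bytes([0x30, 0x82]) + (300).to_bytes(2, 'big') + bytes(300)
    body = pkcs7 + appended
    pad = (-len(body)) % 8                 # WIN_CERTIFICATE entries are 8-byte aligned
    win_cert = struct.pack('<IHH', 8 + len(body) + pad, 0x0200, 0x0002) + body + bytes(pad)
    dos = bytearray(64)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack('<HHIIIHH', 0x8664, 0, 0, 0, 0, 240, 0x2022)  # AMD64, 0 sections, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into('<H', opt, 0, 0x20B)  # PE32+
    struct.pack_into('<I', opt, 108, 16)   # NumberOfRvaAndSizes
    cert_offset = 64 + 4 + 20 + 240        # certificate table appended right after the headers
    struct.pack_into('<II', opt, 112 + 8 * SECURITY_DIR_INDEX, cert_offset, len(win_cert))
    return bytes(dos) + b'PE' + bytes(2) + coff + bytes(opt) + win_cert

if __name__ == '__main__':
    # Usage: python check_authenticode_tail.py some_signed.dll (falls back to the constructed sample)
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_signed_pe(bytes(range(1, 101)))
    extra = authenticode_trailing_bytes(data)
    print('unsigned' if extra < 0 else ('clean' if extra == 0 else str(extra) + ' trailing bytes after the PKCS#7 blob'))
```

A non-zero result is not proof of malice on its own (some signing tools leave odd padding), but a tail of hundreds of kilobytes on a file that otherwise validates is the pattern this case shows, and the tail itself is where to look for the encrypted payload and its key material.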
This DLL is dynamically loaded in memory by MirrorKey and begins its malicious activity when the export function Start_ is called.\r\nFigure 6. Original file name embedded in DLL\r\nOur analysis revealed that this DLL is a backdoor that uses the Dropbox API and is designed primarily for file and data theft. No similar malware has been identified in the past.\r\n1.      Check-in\r\nOn execution, TransBox generates a unique ID for the infected user (Victim ID). This is calculated as the product of four elements:\r\nthe CRC32 of the domain name of the infected machine\r\nthe CRC32 of the username\r\nthe CRC32 of the host name, and\r\nthe first 4 bytes (DWORD) of the volume serial number\r\nNext, system information is collected from the infected machine, such as drive-related information, host name, operating system (OS) version, and IP address. The system information is then compressed with zlib, encoded with a 1-byte XOR cipher, and uploaded to the attacker’s Dropbox account. The upload is a request to hxxps://content[.]dropboxapi[.]com/2/files/upload specifying the Dropbox destination path /\u003cVictim ID decimal\u003e/\u003cVictim ID decimal\u003e.jpg.\r\nFigure 7. HTTP request on check-in\r\n2.      Uploading files\r\nTransBox can upload files with specific extensions that exist under specific directories to Dropbox. The target directories and file extensions are as follows:\r\nTarget directories\r\nAll drives (except the A drive and CD-ROM drives)\r\n%USERPROFILE%\\Desktop\r\n%USERPROFILE%\\Documents\r\nTarget extensions\r\n.7z\r\n.doc\r\n.docx\r\n.jsd\r\n.jst\r\n.jtd\r\n.odt\r\n.pdf\r\n.ppt\r\n.pptx\r\n.rar\r\n.rtf\r\n.xls\r\n.xlsx\r\n.zip\r\nThe following directories are excluded, likely for the routine’s efficiency. 
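Before the list of excluded directories, an added example for the check-in format described above. This is illustrative code written for this page, not the malware’s own routine: it mirrors the described pipeline (zlib, then a single-byte XOR) on a constructed sample, and shows how to recover the plaintext of a captured check-in upload without knowing the key by trying all 256 XOR bytes and keeping the one that inflates to a valid zlib stream. The sample system-information string is made up; the real field layout is not given on the page.

```python
import zlib

# Constructed stand-in for the system information TransBox collects.
SAMPLE_SYSINFO = 'host=LAB-PC;user=researcher;os=10.0.19045;ip=10.0.0.5;drives=C:,D:'

def encode_checkin(plaintext, key):
    # Mirror of the described pipeline: zlib-compress, then XOR every byte with one key byte.
    packed = zlib.compress(plaintext.encode('utf-8'))
    return bytes(b ^ key for b in packed)

def likely_keys(blob):
    # Cheap pre-filter for large captures: a zlib stream opens with CMF/FLG bytes whose
    # 16-bit value is a multiple of 31 and whose method nibble is 8 (deflate). Only keys
    # that make the first two bytes look like that are worth a full decompress attempt.
    keys = []
    for key in range(256):
        cmf, flg = blob[0] ^ key, blob[1] ^ key
        if cmf & 0x0F == 8 and (cmf * 256 + flg) % 31 == 0:
            keys.append(key)
    return keys

def decode_checkin(blob):
    # Brute-force the single XOR byte. zlib.decompress validates the header, the deflate
    # stream and the Adler-32 trailer, so a wrong key practically never succeeds.
    # Returns (key, plaintext); raises if no key yields a valid stream.
    for key in likely_keys(blob) or range(256):
        candidate = bytes(b ^ key for b in blob)
        try:
            data = zlib.decompress(candidate)
        except zlib.error:
            continue
        return key, data.decode('utf-8', errors='replace')
    raise ValueError('no single-byte XOR key yields a valid zlib stream')

def dropbox_checkin_path(victim_id):
    # Destination path TransBox specifies on /2/files/upload for the check-in blob.
    return '/' + str(victim_id) + '/' + str(victim_id) + '.jpg'

if __name__ == '__main__':
    blob = encode_checkin(SAMPLE_SYSINFO, 0x5A)          # 0x5A is an arbitrary demo key
    key, text = decode_checkin(blob)
    print('key=0x{:02X} path={} text={}'.format(key, dropbox_checkin_path(1234567890), text))
```

The same decoder applies to any capture of the /2/files/upload body, for example from a TLS-inspecting proxy, since the Dropbox API carries the blob as-is; the Adler-32 check is what makes the brute force reliable with no knowledge of the plaintext format.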
Considering that TransBox’s purpose is to scan for “interesting” documents, the routine was probably designed to ignore these folders:\r\nC:\\Program Files\r\nC:\\Program Files (x86)\r\nC:\\PerfLogs\r\nC:\\Windows\r\nD:\\Program Files\r\nD:\\Program Files (x86)\r\nE:\\Program Files\r\nE:\\Program Files (x86)\r\n%APPDATA%\r\nTransBox implements another feature that records each file’s modification date in an .ini-format file so that a target file is uploaded again when it is updated. This .ini file is created at the path %LOCALAPPDATA%\\sxda\u003cVictim ID % 0x2710\u003e.xso.\r\nFigure 8. .ini file used as database\r\n3.      Receiving commands\r\nTransBox can also receive backdoor commands via the Dropbox API. To receive a command, it sends a request to hxxps://content[.]dropboxapi[.]com/2/files/download specifying the Dropbox path /\u003cVictim ID decimal\u003e/abox_.cxt.\r\nFigure 9. Response format from command and control (C\u0026C) server\r\nTransBox supports the following capabilities, driven by the attacker’s backdoor commands:\r\nChange file upload size limitations and chunk sizes\r\nDownload a DLL and execute it in memory\r\nUpload files related to credentials for browsers such as Chrome or Firefox\r\nAdd extensions to collect\r\nUpload specified files, or upload files with specific extensions under specified directories\r\nList the files and directories under a specified directory\r\nIncident 2\r\nThe next case was observed around June 2022, also targeting researchers at a Japanese academic institution. 
In this case, we observed the use of a variant of the MirrorKey loader introduced in the previous case study, together with the PlugBox malware, which also abuses the Dropbox API. As in the previous case study, the attacker intruded into the targeted system and installed this malware.\r\nFigure 10. Execution flow of MirrorKey and PlugBox in Incident 2\r\nMirrorKey (variant using Tiny Encryption Algorithm)\r\nThe MirrorKey variant observed in this case was found on an infected system with the file name GTN.dll. This DLL is loaded through the same kind of DLL sideloading used in the previous case; this time, the legitimate Google application GoogleToolbarNotifier.exe, located in the same directory, was abused. Like the previous variant of MirrorKey, it searches the same directory for espui.dll, which abuses CVE-2013-3900 to embed the encrypted payload. However, this variant uses the Tiny Encryption Algorithm (TEA) to decrypt the payload instead of AES. Furthermore, much of the code differs from that of the MirrorKey variant observed in March. While it could initially be taken for a different loader, it partially shares TTPs and code with the first observed variant.\r\nPlugBox\r\nThe decrypted payload is a DLL internally named LoadPlgFromRemote.dll. This DLL is dynamically loaded in memory by MirrorKey and starts executing when the export function Run is called.\r\nFigure 11. Original name embedded in DLL\r\nAnalysis revealed that this DLL, like TransBox, is a backdoor based on the Dropbox API.\r\n1.      
Installation\r\nOn execution, it begins an installation process by making copies of the following files:\r\n%windir%\\SysWOW64\\cttune.exe -\u003e %localappdata%\\NVIDIA\\cctune.exe\r\n\u003cCURRENT_FOLDER\u003e\\GTN.dll -\u003e %localappdata%\\NVIDIA\\DWrite.dll\r\n\u003cCURRENT_FOLDER\u003e\\espui.dll -\u003e %localappdata%\\NVIDIA\\espui.dll\r\nIn addition, it copies legitimate DLLs to the current working directory and loads them. This step plays no part in the malicious activity and only serves to make PlugBox look harmless. The legitimate DLLs copied are as follows:\r\n%windir%\\SysWOW64\\migration\\TableTextServiceMig.dll\r\n%windir%\\SysWOW64\\migration\\msctfmig.dll\r\n%windir%\\SysWOW64\\migration\\WMIMigrationPlugin.dll\r\n%windir%\\SysWOW64\\migration\\imjpmig.dll\r\n%windir%\\SysWOW64\\migration\\imkmig.dll\r\n%windir%\\SysWOW64\\migration\\tssysprep.dll\r\n%windir%\\SysWOW64\\migration\\cosetup.dll\r\n2.      Check-in\r\nNext, PlugBox checks in to the attacker’s Dropbox account using hard-coded API credentials. While TransBox embeds an Access Token, PlugBox does not. Instead, it embeds an Auth Token and a Refresh Token and uses these values to obtain an Access Token, which is required to access Dropbox over the API.\r\nFigure 12. Obtaining an Access Token by using Refresh and Auth Tokens\r\nThen it generates a victim ID for each infected user, used to identify them when the user’s data is uploaded to Dropbox, following the steps below:\r\n1. Get the file path of %temp% and replace \"\\\" with \"+\"\r\n2. Get the ProcessorId of the infected machine\r\n3. Get the SerialNumber of the infected machine’s motherboard\r\n4. Concatenate the strings above with \"\\r\\n\" and calculate the SHA256 hash value\r\n5. 
Take the first 32 bytes of the SHA256 hash value as the victim ID\r\nThen, it sends an HTTP POST request to the URL hxxps://content[.]dropboxapi[.]com/2/files/upload with /\u003cVictim ID\u003e/\u003cVictim ID\u003e_\u003cUNIXTIME\u003e{1,3}.dat as the upload destination path.\r\nPlugBox uploads the following user information in plain text:\r\nFile path of %temp% (with \"\\\" replaced by \"+\")\r\nProcessorId of the infected machine\r\nSerialNumber of the infected machine’s motherboard\r\n3.      Receiving commands\r\nTo receive backdoor commands, PlugBox sends an HTTP GET request to the URL hxxps://content[.]dropboxapi[.]com/2/files/download with /\u003cVictim ID\u003e/\u003cVictim ID\u003e.cfg as the file path to download.\r\nThe supported features of PlugBox are the following:\r\nChange the interval at which commands are polled\r\nDownload an encrypted DLL, decrypt it with TEA, and execute it in memory\r\nExecute an arbitrary command\r\nIncident 3\r\nThe next case was observed around June and July 2022, also targeting researchers in a Japanese academic institution. In this case, the dropper PULink and a new malware we call ShellBox were used. During our investigation, we found an ISO file bearing the targeted user's name, suggesting that the attacker attempted to intrude into the system by having the user download the ISO file linked in the email.\r\nFigure 13. List of the files in .iso\r\nThe ISO file contained an EXE file with a double extension, three DLLs (MSVCR100.DLL is harmless), and a decoy document. The EXE file was a legitimate Word application, used to sideload a malicious wwlib.dll placed in the same directory. Once executed, the EXE file initiates the malicious routines.\r\nFigure 14. 
Execution flow of PULink and ShellBox in Incident 3\r\nDulload (Loader)\r\nThe first DLL loaded is wwlib.dll, a simple loader written in C++/CLR that loads Wordcnv.dll from the same directory and invokes its exported method MS_word.release_file.\r\nFigure 15. Invoking the exported method of “Wordcnv.dll”\r\nPULink (Loader)\r\nThe exported method in Wordcnv.dll installs the payloads and components described later in this entry. In this method, PULink decrypts two embedded resources with AES128-CBC and drops them in %APPDATA%\\Microsoft\\Intel under the file names igfxxe.exe and igfx.dll.\r\nFigure 16. Invoked “release_file” method\r\nThe AES key and IV are generated as follows:\r\n1. Calculate the MD5 hash of a hardcoded string\r\n2. Convert it to an uppercase hex string\r\n3. Encode the string from Step 2 in UTF-8 (-\u003e becomes the AES key)\r\n4. Cut out the 16 characters after the 9th character of the string from Step 2 and encode them in UTF-8 (-\u003e becomes the IV)\r\nThen, the loader creates a shortcut file in the Startup folder to achieve persistence. Its command line references the two dropped files:\r\n%appdata%\\Microsoft\\Intel\\igfxxe.exe run %appdata%\\Microsoft\\Intel\\igfx.dll 0 C:\\AppData\\Local\\Intel\\Games\\123;\r\nTo understand how this command line works, we need to look into igfxxe.exe. igfxxe.exe is a renamed copy of the legitimate GfxDownloadWrapper.exe shipped by Intel. Analysis of this EXE revealed that it invokes the export function ApplyRecommendedSettings of the DLL passed as an argument. 
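An added example of the key and IV derivation described for PULink, which ShellBox reuses for the string it pulls from GitHub and for the assembly it fetches from Dropbox. This is example code written for this page, not the malware’s own. The hardcoded seed string is not disclosed on the page, so the seed below is a made-up placeholder; Step 4 is read here as the 16 characters starting right after the 9th character (index 9), and that reading of the off-by-one is an assumption, as is the Base64-then-AES-CBC-with-PKCS#7 handling in the optional decrypt helper. One caveat the derivation makes visible: a 32-character hex string encoded in UTF-8 is 32 bytes, so although the page calls the cipher AES128-CBC, any standard library handed this key as-is would run AES-256. Check which key length the sample’s AES routine actually consumes before trusting a decryption.

```python
import base64
import hashlib

# Placeholder for the hardcoded seed string, which the page does not disclose.
EXAMPLE_SEED = 'placeholder-seed-string'

def derive_key_iv(seed):
    # Steps 1-4 as described for PULink: MD5 -> uppercase hex -> UTF-8 bytes as key,
    # and the 16 characters after the 9th as IV (read as hexstr[9:25]; assumption).
    hexstr = hashlib.md5(seed.encode('utf-8')).hexdigest().upper()
    key = hexstr.encode('utf-8')          # 32 bytes: see key_length_note
    iv = hexstr[9:25].encode('utf-8')     # 16 bytes, the AES block size CBC needs
    return key, iv

def key_length_note(key):
    # A 32-byte key selects AES-256 in every standard library; the page says AES128-CBC.
    # Surface the discrepancy so the analyst checks what the sample's routine consumes.
    return {16: 'AES-128', 24: 'AES-192', 32: 'AES-256'}.get(len(key), 'invalid')

def decrypt_blob(b64_ciphertext, seed):
    # Base64-decode and AES-CBC-decrypt with the derived material, stripping PKCS#7 padding.
    # Needs the optional 'cryptography' package; the derivation above is stdlib only.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    from cryptography.hazmat.primitives import padding
    key, iv = derive_key_iv(seed)
    ciphertext = base64.b64decode(b64_ciphertext)
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()

if __name__ == '__main__':
    key, iv = derive_key_iv(EXAMPLE_SEED)
    print('key={} ({}) iv={}'.format(key.decode(), key_length_note(key), iv.decode()))
```

To apply it to a real sample, replace EXAMPLE_SEED with the string recovered from the loader and feed decrypt_blob the Base64 text extracted from the GitHub README; if the result is not a plausible URL, the first things to revisit are the key length and the IV offset.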
Note that this GfxDownloadWrapper.exe DLL-invocation technique had already been reported by security community researcher bohops in 2020.\r\nFigure 17. Method in igfxxe.exe invoking the specified DLL according to the argument\r\nShellBox\r\n\"igfx.dll\", specified in the command line, is a stager written in C++ that abuses the Dropbox API. ShellBox is completely different from the malware we observed in the previous cases except for its use of the Dropbox API. As one example, ShellBox complicates the process of obtaining a Dropbox API access token, which makes analysis harder. ShellBox holds neither an Access Token nor a Refresh Token; instead it first contacts a specific GitHub repository to obtain the URL where the Dropbox Access Token is hosted. The hardcoded repository is hxxps://github[.]com/lettermaker/topsuggestions/blob/main/README.md.\r\nFigure 18. Attempts to obtain the second stage URL from the hardcoded GitHub repository\r\nAfter downloading the content from the repository, ShellBox extracts the encrypted string with a regular expression and decrypts it using the same AES decryption logic used in PULink. Around November 2022, we confirmed that the string in the following image was embedded in the specified GitHub repository. When decrypted, it yields the URL hxxp://45[.]32[.]13[.]214/readme_v1.1.txt.\r\nFigure 19. File hosted in the GitHub repository (as of November 2022)\r\nUnfortunately, the decrypted second stage URL was already inaccessible during our investigation, so we were unable to retrieve its contents. However, from the ShellBox code we can assume that this URL hosted a Dropbox Access Token encoded with Base64 and encrypted with AES in the same manner.\r\nFigure 20. 
Obtaining an Access Token from the second stage URL\r\nShellBox then downloads an AES-encrypted .NET assembly from Dropbox by specifying /d1/ml as the Dropbox file path, decrypts it using the same logic as before, and executes it in memory using the Assembly.Load method.\r\nFigure 21. Download and execute the AES-encrypted .NET assembly\r\nAbused GitHub account\r\nWe investigated the GitHub account (username “lettermaker”) observed in this case and found that it has been active since approximately June 2022. Since it has only one repository, we believe that it was created specifically for this campaign. An examination of earlier commits to the repository in which the encrypted URL was embedded revealed that the URL path was different as of June.\r\nFigure 22. URL possibly used in June 2022\r\nChecking the commit log of this repository, we found that the attacker was working in a UTC+9 environment. However, it should be noted that this artifact is easy to forge, so it may be a false flag.\r\nFigure 23. Commit log in UTC+9\r\nPossible Attribution\r\nThe following image summarizes the characteristics of Earth Yako as of January 2023.\r\nFigure 24. Diamond model of Earth Yako\r\nTechnical perspectives\r\nBased on its arsenal and TTPs, we believe Earth Yako may be related to a number of existing groups. However, since we could only observe partial technical overlaps between Earth Yako and the following groups, we note that this is not our final attribution. We found overlaps with the following groups:\r\n1.      Darkhotel\r\nDarkhotel (a.k.a. DUBNIUM) is a threat actor observed to frequently target Japanese organizations in the past. 
Earth Yako’s method of initial access is similar to the procedure used by Darkhotel, as confirmed in other reports.\r\n2.      APT10\r\nAPT10 (also known as menuPass, Stone Panda, Potassium, Red Apollo, CVNX, and ChessMaster) is a threat actor that has actively attacked organizations in Japan, especially from 2016 to 2018. Trend Micro's analysis confirmed that Earth Yako’s MirrorKey malware uses the same encryption routine as the APT10 malware families RedLeaves and ChChes used in the past. However, there is no strong evidence that APT10 originally developed this routine; they may simply have reused code from a publicly available library.\r\n3.      APT29\r\nAPT29 (also known as IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, and CozyDuke) is a threat actor known to target Western government organizations. In 2022, APT29 used ISO and LNK files for initial access, similar to the TTPs of Earth Yako. It has also been reported to abuse the Dropbox API as C\u0026C for its malware. However, we confirmed that the code of APT29’s malware differs from that of the Earth Yako-related malware (TransBox, PlugBox, and ShellBox).\r\nOther considerations\r\nIn addition to the technical similarities identified, we also look at the context surrounding the incidents. The attacks on the academic and research sectors in Japan, and the fact that the targeted industries shift with international affairs, are similar to APT10. We observed lures using themes of economic security, energy, the Russia-Ukraine conflict, and other significant events surrounding East Asia. APT10 has been conducting attacks using the LODEINFO malware in recent years. 
In particular, the attacks by Earth Yako and the attacks using LODEINFO are similar, and it has been reported that the organizations Earth Yako targeted were also among the institutions affected by compromises using the LODEINFO malware. However, as with the limitations identified in the \"Technical perspectives\" section, we believe this is insufficient to connect Earth Yako with APT10.\r\nConclusion\r\nSince 2022, Earth Yako has been actively attacking with a new arsenal and new TTPs. Although the targets vary from time to time, it commonly targets the academic and research sectors in Japan, both individuals belonging to these organizations and the institutions as a whole. In November 2022, the National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) issued a warning about these attacks. One characteristic of recent targeted attacks is a shift toward individuals, who are considered to have relatively weak security measures compared to companies and other organizations. This shift from enterprises to individuals is underlined by the abuse of Dropbox, a service that is popular in the region for personal use but not within organizations.\r\nIt should also be noted that Earth Yako has been actively changing its targets and methods based on the significant topics concerning the targeted countries. 
Among targeted attacks, in addition to groups that continuously target specific regions and industries, we have identified several groups, Earth Yako among them, that change their targets and methods according to current circumstances.\r\nTo mitigate the risk and impact of targeted compromise, it is necessary not only to focus on specific methods, malware, and threat actors, but also to collect a wider range of information, implement continuous monitoring and countermeasures, and inspect the organization’s attack surface. We believe that attacks by Earth Yako are still ongoing, and therefore that continued vigilance is necessary.\r\nIndicators of Compromise (IOCs)\r\nSHA256 Detection\r\nf38c367e6e4e7f6e20fa7a3ce0d8501277f5027f93e46761e72c36ec709f4304 Trojan.Win32.MIRRORKEY.ZJJH\r\nbdc15b09b78093a1a5503a1a7bfb487f7ef4ca2cb8b4d1d1bdf9a54cdc87fae4 TrojanSpy.Win32.TRANSBOX.ZJJH.enc\r\nDomains/IP addresses\r\ndriveshoster[.]com\r\ndisknxt[.]com\r\n45[.]32[.]13[.]214\r\nhxxps://github[.]com/lettermaker/topsuggestions/blob/main/README.md\r\nSee the applicable Yara rule here.\r\nSource: https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html"
	],
	"report_names": [
		"invitation-to-secret-event-uncovering-earth-yako-campaigns.html"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "46818902-c96d-445c-afdb-075ef6b4afab",
			"created_at": "2023-02-18T02:04:24.443028Z",
			"updated_at": "2026-04-10T02:00:04.828275Z",
			"deleted_at": null,
			"main_name": "Operation RestyLink",
			"aliases": [
				"Earth Yako",
				"Operation Enelink"
			],
			"source_name": "ETDA:Operation RestyLink",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "65e1eee1-bc35-4093-9554-1a668e1bc30a",
			"created_at": "2024-02-08T02:00:04.320426Z",
			"updated_at": "2026-04-10T02:00:03.583546Z",
			"deleted_at": null,
			"main_name": "Earth Yako",
			"aliases": [
				"Operation RestyLink",
				"Enelink"
			],
			"source_name": "MISPGALAXY:Earth Yako",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434135,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5a5067d669afa2bc5fc07dbff584aea182e6634.pdf",
		"text": "https://archive.orkl.eu/f5a5067d669afa2bc5fc07dbff584aea182e6634.txt",
		"img": "https://archive.orkl.eu/f5a5067d669afa2bc5fc07dbff584aea182e6634.jpg"
	}
}