Earth Baku

Threat Actor updated 23 days ago (2024-11-29T13:51:36.136Z)
Download STIX
Preview STIX
Earth Baku, a threat actor linked to the China-associated APT group APT41, has emerged as a significant cybersecurity threat with operations extending beyond the Indo-Pacific region. Since late 2022, Earth Baku has expanded its malicious activities into Europe, the Middle East, and Africa. The group primarily exploits public-facing applications, specifically Internet Information Services (IIS) servers, as an entry point for attacks. The recent operations of Earth Baku underscore its evolving and increasingly sophisticated threat profile, which can potentially pose significant challenges for cybersecurity defenses. The group's modus operandi involves deploying the Godzilla webshell upon gaining access, allowing them to maintain control over the compromised server. Through Godzilla, Earth Baku is then able to deploy the shellcode loader StealthVector, which is a customized backdoor loader used in stealth mode. The group has also added two new loaders to its arsenal, CobaltStrike and SneakCross (also known as MoonWalk), further enhancing its ability to launch stealthy attacks. In addition to these tools, Earth Baku utilizes several other tools for post-exploitation activities, including a customized iox tool, Rakshasa, and TailScale for persistence. The group also uses publicly available reverse tunneling tools to maintain control access in post-exploitation activities. These developments indicate that Earth Baku is continually refining its tactics, techniques, and procedures, making it a formidable threat actor in the cybersecurity landscape.
Description last updated: 2024-10-17T11:50:51.723Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT41 is a possible alias for Earth Baku. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Exploit
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Godzilla Malware is associated with Earth Baku. Godzilla is a malicious software (malware) that has been implicated in a series of cyberattacks, according to reports published by cybersecurity firms such as Trend Micro and CrowdStrike. The malware, once deployed, allows the perpetrators to maintain control over compromised servers through a webshUnspecified
2
The Cobaltstrike Malware is associated with Earth Baku. CobaltStrike is a type of malware, or malicious software, that infiltrates systems to exploit and damage them. It can gain access via suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or hold data for ransom. CobaltStrike has been observed in conjunctUnspecified
2
Source Document References
Information about the Earth Baku Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more