Earth Estries is a cyberespionage group, or threat actor, that has targeted government entities and tech firms across the globe, including the US, Germany, South Africa, and, in Asia, Malaysia, the Philippines, and Taiwan. While the exact origin of Earth Estries remains unclear, there are indications suggesting possible links to China. The group's arsenal includes three unique malware tools: Zingdoor, TrillClient, and HemiGate, the last of which is a backdoor. Their command and control (C&C) infrastructure relies on the Fastly CDN service, which was previously abused by threat actors related to the Chinese group APT41.
The activities of Earth Estries have been widely reported, with notable coverage by SecurityWeek and SC Magazine. A significant disclosure came on September 1, 2023, when it was revealed that the group had carried out strategic intrusions targeting the telecommunications, finance, and government sectors in Africa. This coincided with a parallel report from SentinelOne detailing similar activities by Chinese threat actors in Africa, as part of the activity clusters dubbed BackdoorDiplomacy and Operation Tainted Love.
Trend Micro, a cybersecurity firm, has noted overlaps in tactics, techniques, and procedures (TTPs) between Earth Estries and an advanced persistent threat (APT) group called FamousSparrow. FamousSparrow, which was active in 2021 and targeted governments and hotels, may be connected to the China-linked threat actors SparklingGoblin and DRBControl. These connections and overlaps suggest a potential wider network of threat actors with shared objectives and methods, further emphasizing the global security risks posed by groups like Earth Estries.
Description last updated: 2024-05-04T16:37:33.534Z