Earth Kasha, a recognized threat actor in the cybersecurity landscape, has been notorious for malicious activities primarily targeting individuals and organizations in Japan. Using spear-phishing emails as its primary intrusion vector, Earth Kasha conducted campaigns until early 2023, and it has primarily exploited vulnerabilities in edge devices. In 2019, Earth Kasha started using LODEINFO, a backdoor that served as its primary tool for illicit activities. This continued until recently, when we noticed a shift in its tactics, techniques, and procedures (TTPs).
In June 2024, a new campaign by Earth Kasha was unveiled, characterized by the return of ANEL in their spear-phishing operations. Our analysis indicates that this campaign is part of a fresh operation by Earth Kasha, with ANEL serving as an additional payload for high-value targets. The reuse of ANEL further strengthens the connection between the former APT10 and the current Earth Kasha. Additionally, an in-depth analysis revealed the use of NOOPDOOR and other malware, indicating an evolution in Earth Kasha's arsenal.
Despite the changes in TTPs, there are still correlations between Earth Kasha's new LODEINFO campaign and the APT10 umbrella. Their campaigns continue to evolve, with updates to their tools and TTPs becoming more evident. Based on these findings, it is expected that Earth Kasha will continue to pose significant threats, necessitating continuous monitoring and proactive defense measures. The cybersecurity community must remain vigilant to counteract the evolving strategies of threat actors like Earth Kasha.
Description last updated: 2024-11-28T11:49:43.699Z