Earth Kasha

Threat Actor updated 6 months ago (2024-11-29T13:57:50.732Z)
Earth Kasha, a recognized threat actor in the cybersecurity landscape, has been notorious for its malicious activities primarily targeting individuals and organizations in Japan. Utilizing spear-phishing emails as the primary intrusion vector, Earth Kasha conducted campaigns until early 2023, primarily exploiting vulnerabilities against edge devices. In 2019, Earth Kasha started using LODEINFO, a backdoor that served as their primary tool for illicit activities. This continued until recently when we noticed a shift in their tactics, techniques, and procedures (TTPs).

In June 2024, a new campaign by Earth Kasha was unveiled, characterized by the return of ANEL in their spear-phishing operations. Our analysis indicates that this campaign is part of a fresh operation by Earth Kasha, with ANEL serving as an additional payload for high-value targets. The reuse of ANEL further strengthens the connection between the former APT10 and the current Earth Kasha. Additionally, an in-depth analysis revealed the use of NOOPDOOR and other malware, indicating an evolution in Earth Kasha's arsenal.

Despite the changes in TTPs, there are still correlations between Earth Kasha's new LODEINFO campaign and the APT10 umbrella. Their campaigns continue to evolve, with updates to their tools and TTPs becoming more evident. Based on these findings, it is expected that Earth Kasha will continue to pose significant threats, necessitating continuous monitoring and proactive defense measures. The cybersecurity community must remain vigilant to counteract the evolving strategies of threat actors like Earth Kasha.
Description last updated: 2024-11-28T11:49:43.699Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
MirrorFace is a possible alias for Earth Kasha. MirrorFace is a threat actor group known for its focus on Japanese hackers. The group has been particularly active in the cybersecurity landscape, with a history of malicious activities aimed at compromising systems and stealing valuable information. However, over the summer, Eset researchers discov | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
VPN
Phishing
Source Document References
Information about the Earth Kasha Threat Actor was read from the documents corpus below.