Earth Lusca

Threat Actor updated a month ago (2024-11-29T14:46:33.205Z)
Download STIX
Preview STIX
Earth Lusca, a threat actor believed to be part of the China-backed Winnti collective, has been active since at least 2019 and is known for its cyber-espionage activities. The group primarily targets government organizations in Asia, Latin America, and other regions. Recently, it has expanded its arsenal with a new Linux malware called SprySOCKS, as reported by securityaffairs.com. Researchers from Trend Micro have also discovered Earth Lusca using a multiplatform backdoor named KTLVdoor, which is more complex than tools typically used by this group. It's worth noting that the full extent of infrastructure use by Earth Lusca remains uncertain. In September, researchers revealed an attack on a China-based trading company, attributing it to Earth Lusca. This was based on their ability to tie samples of KTLVdoor to the threat actor with high confidence. However, several other samples of this malware family could not be definitively linked to Earth Lusca. The report also highlighted the unusually large size of the discovered infrastructure, indicating a potentially broad scope of operations. Despite these findings, the exact method of distribution for the new KTLVdoor backdoor by Earth Lusca remains unclear. The cybersecurity community has provided comprehensive lists of indicators of compromise (IOCs) for both Earth Lusca and KTLVdoor, including IP addresses and hashes connected to the campaign. Given the careful measures taken by the malware creators to evade analysis and detection, organizations are advised to stay alert for any signs of compromise by unidentified malware.
Description last updated: 2024-10-17T11:46:51.011Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
I-Soon is a possible alias for Earth Lusca. i-Soon, also known as Anxun, is a threat actor identified as a private industry contractor for the Chinese Ministry of Public Security (MPS). The company has recently been implicated in a massive data leak that surfaced on Github. As elaborated by Tom Uren and Catalin Cimpanu, i-Soon frequently init
4
Earth Krahang is a possible alias for Earth Lusca. Earth Krahang is a threat actor, a term used in cybersecurity to describe an entity responsible for malicious activities. This could be an individual, a private company, or even a government organization. In the world of cybersecurity, unique names are often given to these actors to differentiate th
3
Winnti is a possible alias for Earth Lusca. Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such
3
Bronze University is a possible alias for Earth Lusca. Bronze University, also known as Aquatic Panda, ControlX, RedHotel, and Earth Lusca, is a threat actor group believed to be a Chinese state-sponsored hacking operation. The group has been active since 2021, targeting government, aerospace, education, telecommunications, media, and research organizat
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Lateral Move...
Linux
Espionage
Web Shell
Exploit
Chinese
Loader
Vulnerability
Remote Code ...
Apt
Github
Windows
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Sprysocks Malware is associated with Earth Lusca. SprySOCKS is a new strain of malware that has recently been added to the arsenal of Earth Lusca, an advanced persistent threat (APT) group known for its sophisticated cyberattacks. Malware, short for malicious software, is designed to exploit and damage computers or devices without the user's knowleUnspecified
6
The KTLVdoor Malware is associated with Earth Lusca. KTLVdoor is a sophisticated malware linked to the China-backed cyber-espionage group Earth Lusca, also known as RedHotel or TAG-22. This group has been active since 2019 and uses KTLVdoor, a tool more complex than their usual arsenal, as per Trend Micro's report. The malware disguises itself as variUnspecified
3
The ShadowPad Malware is associated with Earth Lusca. ShadowPad is a sophisticated malware, known for its use in supply chain attacks, particularly against government entities in South Asia. This modular backdoor, which has been active for approximately seven years, is popular among Chinese threat actors. It was notably used as the payload in an attackUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Earth Akhlut Threat Actor is associated with Earth Lusca. Earth Akhlut is a recognized threat actor, originating from China, known for its malicious activities in the realm of cybersecurity. Since 2019, it has been involved in distributing the Shadowpad malware, a sophisticated tool that has caused significant concern within the cybersecurity community. ThUnspecified
3
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2022-40684 Vulnerability is associated with Earth Lusca. CVE-2022-40684 is a significant software vulnerability identified in Fortinet devices, specifically relating to an authentication bypass flaw. This flaw in the software design or implementation allows threat actors to exploit the vulnerability, compromising network security and providing unauthorizeUnspecified
2
The CVE-2022-39952 Vulnerability is associated with Earth Lusca. CVE-2022-39952 is a critical vulnerability in Fortinet's network access control suite, FortiNAC. This flaw, which resides in the software design or implementation, could lead to arbitrary code execution, posing a severe threat to network security. The vulnerability was identified and addressed by FoUnspecified
2
The CVE-2019-18935 Vulnerability is associated with Earth Lusca. CVE-2019-18935 is a .NET deserialization vulnerability in the Progress Telerik user interface (UI) for ASP.NET AJAX, located in Microsoft's Internet Information Services (IIS) web server. This flaw in software design or implementation was exploited by multiple cyber threat actors, including an AdvanUnspecified
2
Source Document References
Information about the Earth Lusca Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Trend Micro
2 months ago
DARKReading
4 months ago
Securityaffairs
4 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
7 months ago
Securityaffairs
8 months ago
Securityaffairs
8 months ago
Securityaffairs
9 months ago
Securityaffairs
9 months ago
Securityaffairs
9 months ago
Securityaffairs
9 months ago
Securityaffairs
9 months ago