Earth Lusca

Threat Actor Profile Updated 3 days ago
Earth Lusca is a China-nexus threat actor that has expanded its toolset with SprySOCKS, a Linux backdoor, increasing the risk it poses to organizations worldwide. As with any named threat actor, the operators behind the label may be individuals, a private contractor, or a government body, and because vendors do not share a naming convention the same activity is frequently tracked under several names (see the cluster overlaps listed below). The group's activity is closely monitored because of the scale of damage it is capable of causing.

In March 2024, Trend Micro reported on a separate campaign by a group it named Earth Krahang, which it had uncovered while investigating Earth Lusca. The initial-stage backdoors used by Earth Krahang differed from those used by Earth Lusca, which led Trend Micro to treat Earth Krahang as a distinct group rather than fold it into the Earth Lusca cluster.

Earlier Trend Micro research had already connected Earth Lusca to I-Soon (iSoon), a Shanghai-based hacking contractor. That link prompted the company to examine a leaked repository of spreadsheets, chat logs, and marketing materials that appeared to originate from I-Soon. Taken together, this suggests that Earth Lusca operates within a broader ecosystem of contractors and related groups, and that tracking it requires watching the adjacent clusters as well.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
I-Soon | 4 | i-SOON, a threat actor believed to be operating out of China, has come into the limelight due to a significant data leak. The leaked documents provide an inside view of i-SOON's operations, revealing its role in executing cyberespionage campaigns on behalf of various Chinese government agencies. Thi
Earth Krahang | 3 | Earth Krahang, an Advanced Persistent Threat (APT) group, has been identified as a significant threat actor in the cybersecurity landscape. This entity, possibly linked to Chinese state hacking contractor iSoon, has been responsible for breaching numerous government organizations worldwide. Trend Mi
Bronze University | 2 | Bronze University, also known as Aquatic Panda, ControlX, RedHotel, and Earth Lusca, is a threat actor group believed to be a Chinese state-sponsored hacking operation. The group has been active since 2021, targeting government, aerospace, education, telecommunications, media, and research organizat
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: Malware, Backdoor, Lateral Move..., Linux, Espionage, Web Shell, Exploit, Chinese, Windows, Loader, Vulnerability, Remote Code ..., Apt, Github
Associated Malware
ID | Type | Votes | Profile Description
SprySOCKS | Unspecified | 6 | SprySOCKS is a malicious software, or malware, that was discovered as part of the arsenal of Earth Lusca, a China-nexus threat actor. This malware is specifically designed to exploit and damage Linux systems. It can infect these systems through suspicious downloads, emails, or websites, often withou
ShadowPad | Unspecified | 2 | ShadowPad is a modular backdoor malware that has been utilized by multiple Chinese threat groups since 2017. It was used as the payload in a supply chain attack targeting South Asian governments, as detailed in a VB2023 paper. The malware's operations are often facilitated through legitimate utiliti
Associated Threat Actors
ID | Type | Votes | Profile Description
Earth Akhlut | Unspecified | 3 | Earth Akhlut is a recognized threat actor, originating from China, known for its malicious activities in the realm of cybersecurity. Since 2019, it has been involved in distributing the Shadowpad malware, a sophisticated tool that has caused significant concern within the cybersecurity community. Th
Winnti | Unspecified | 2 | Winnti, also known as Starchy Taurus, APT41, Axiom, Barium, Blackfly, and HOODOO, is a prominent threat actor originating from China. The group has been active since at least 2007 and is notorious for its sophisticated cyberespionage campaigns. The group's activities have been linked to a shared Chi
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2022-40684 | Unspecified | 2 | CVE-2022-40684 is a significant software vulnerability identified in Fortinet devices, specifically an authentication bypass flaw. This flaw in the software design or implementation allows threat actors to exploit the vulnerability, compromising network security and providing unauthorize
CVE-2022-39952 | Unspecified | 2 | CVE-2022-39952 is a critical vulnerability in Fortinet's network access control suite, FortiNAC. This flaw, which resides in the software design or implementation, could lead to arbitrary code execution, posing a severe threat to network security. The vulnerability was identified and addressed by Fo
CVE-2019-18935 | Unspecified | 2 | CVE-2019-18935 is a .NET deserialization vulnerability in the Progress Telerik user interface (UI) for ASP.NET AJAX, a component commonly deployed on Microsoft's Internet Information Services (IIS) web server. This flaw in software design or implementation was exploited by multiple cyber threat actors, including an Advan
Source Document References
Information about the Earth Lusca threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 2 months ago | Security Affairs newsletter Round 465 by Pierluigi Paganini
CERT-EU | 8 months ago | Chinese hackers have unleashed a never-before-seen Linux backdoor – Ars Technica | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Securityaffairs | 5 months ago | Security Affairs newsletter Round 453 by Pierluigi Paganini
DARKReading | 10 months ago | RedHotel Checks in as Dominant China-Backed Cyberspy Group
InfoSecurity-magazine | 2 months ago | Prolific Chinese Threat Campaign Targets 100+ Victims
Securityaffairs | 6 months ago | Security Affairs newsletter Round 446 by Pierluigi Paganini
InfoSecurity-magazine | 8 months ago | Chinese Group Exploiting Linux Backdoor to Target Governments
Securityaffairs | 3 months ago | Security Affairs newsletter Round 461 by Pierluigi Paganini
Securityaffairs | 8 months ago | Security Affairs newsletter Round 440 by Pierluigi Paganini
Securityaffairs | 6 months ago | Security Affairs newsletter Round 447 by Pierluigi Paganini
Securityaffairs | 6 months ago | Security Affairs newsletter Round 449 by Pierluigi Paganini
Securityaffairs | 24 days ago | Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 2 months ago | Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs | 5 months ago | Security Affairs newsletter Round 452 by Pierluigi Paganini
Trend Micro | 3 months ago | Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections
Checkpoint | 8 months ago | 25th September – Threat Intelligence Report - Check Point Research
Securityaffairs | 3 days ago | Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | a month ago | Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 4 months ago | Security Affairs newsletter Round 456 by Pierluigi Paganini