Earth Preta

Threat Actor updated 2 months ago (2024-10-03T12:01:01.934Z)

Download STIX

Preview STIX

Earth Preta, also known as Mustang Panda or Stately Taurus, is a high-profile threat actor group that has been actively executing cyberattacks with malicious intent. Their activities have been particularly prevalent in the Asia Pacific (APAC) region and Europe. The group employs a variety of tools and malware for command and control (C&C) stages, including backdoor functionalities inferred from internal strings and APIs used by the group. Previous research disclosed a new campaign initiated by Earth Preta that targeted governments worldwide through spear-phishing techniques. The group's attacks are highly targeted and time-sensitive, often involving rapid deployment and data exfiltration. They focus on specific countries and sectors within the APAC region, suggesting an execution of highly targeted operations. A notable strategy employed by Earth Preta involves the use of malware-loaded USB drives, a method that saw a resurgence during and post the COVID-19 pandemic. Additionally, the group has been linked to the Fireant group and has been observed using a variant of the DOPLUGS malware to target Asian countries. Despite attempts to attribute some of the activities of CeranaKeeper to Mustang Panda, it was decided to track this activity cluster as the work of CeranaKeeper. However, similarities among the Tactics, Techniques, and Procedures (TTPs), the malware used, and the timeline of the campaigns allowed for attribution of some activities to Earth Preta. Given their continued activity, especially in the APAC region, it is likely that Earth Preta will remain a significant threat in the foreseeable future.

Description last updated: 2024-10-03T11:15:51.335Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Mustang Panda is a possible alias for Earth Preta. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modif	4
Stately Taurus is a possible alias for Earth Preta. Stately Taurus, also known as Mustang Panda, Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta, is a sophisticated malware that has been used in cyber-espionage campaigns primarily targeting government entities in Southeast Asia. It is believed to be associated with China's	3
Camaro Dragon is a possible alias for Earth Preta. Camaro Dragon, a Chinese state-sponsored threat actor also known as Mustang Panda, Bronze President, RedDelta, Luminous Moth, Earth Preta, and Stately Taurus, has been identified as a significant cybersecurity concern. The group has been active since at least 2012 and is known for its sophisticated	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Phishing

Backdoor

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Doplugs Malware is associated with Earth Preta. DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this unique malware has been used in targeted campaigns against various Asian countries including Taiwan, Vietnam, India, Japan, and China. U	Unspecified	2

Source Document References

Information about the Earth Preta Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
ESET	2 months ago	Separating the bee from the panda: CeranaKeeper making a beeline for Thailand
Securityaffairs	2 months ago	Security Affairs newsletter Round 489 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading	2 months ago	Mustang Panda Feeds Worm-Driven USB Attack Strategy
Securityaffairs	5 months ago	China-linked spies target Asian Telcos since at least 2021
CERT-EU	9 months ago	Earth Preta Hackers Abuses Google Drive to Deploy DOPLUGS Malware
Trend Micro	9 months ago	Earth Preta Campaign Uses DOPLUGS to Target Asia
Unit42	a year ago	Stately Taurus Targets the Philippines As Tensions Flare in the South Pacific
CERT-EU	a year ago	Cybersecurity Threat 1H 2023 Brief with Generative AI
Unit42	a year ago	Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda
Unit42	a year ago	Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government
CERT-EU	2 years ago	Earth Preta’s Cyberespionage Campaign Hits Over 200 \| IT Security News
Trend Micro	2 years ago	Earth Preta Updated Stealthy Strategies
Trend Micro	2 years ago	Earth Preta’s Cyberespionage Campaign Hits Over 200