KTLVdoor is a sophisticated backdoor linked to the China-backed cyber-espionage group Earth Lusca, also tracked as RedHotel and TAG-22. The group has been active since 2019, and according to Trend Micro's report KTLVdoor is notably more complex than the tooling it usually deploys. The malware masquerades as common system utilities and agents, running under names such as sshd, java, sqlite, bash and edr-agent, and gives the operators full control over the compromised host. Only some of the KTLVdoor samples could be tied to Earth Lusca with confidence; others could not be definitively attributed to this threat actor. The initial distribution method for KTLVdoor remains unclear.
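The masquerading described above (a backdoor running as sshd, java, sqlite, bash or edr-agent) is easier to hunt for than to attribute. The following is an added example, not code from Trend Micro's report or from the malware itself: it flags processes that carry one of the reported names but execute from an unexpected location, were unlinked from disk after launch, or (for utilities that are native C/C++ programs) carry Go linker markers, since KTLVdoor is a Go binary. The process snapshot, the trusted path list and the byte images are constructed for the demonstration; on a live Linux host the same logic is fed from /proc.

```python
"""Hunt for processes masquerading as common system utilities.

Added example. The process snapshot and binary images below are constructed;
TRUSTED_PREFIXES and VOLATILE_PREFIXES are assumptions to adjust per host.
"""
import os

# Names KTLVdoor samples were reported to run under.
MASQUERADED_NAMES = {"sshd", "java", "sqlite", "sqlite3", "bash", "edr-agent"}
# Of those, the ones that are native C/C++ programs on a normal install; a Go
# image under one of these names is anomalous. edr-agent is excluded because
# many legitimate EDR agents are written in Go.
NATIVE_UTILITIES = {"sshd", "java", "sqlite", "sqlite3", "bash"}
# Where a legitimately installed utility is expected to live (assumption).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/lib/", "/usr/libexec/", "/opt/")
# World-writable or memory-backed locations no service binary should run from.
VOLATILE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Strings the Go toolchain leaves in every binary it links.
GO_MARKERS = (b"Go build ID:", b"Go buildinf:", b"runtime.main")


def looks_like_go_binary(image: bytes) -> bool:
    """True if the executable image carries Go linker markers."""
    return any(marker in image for marker in GO_MARKERS)


def assess_process(name: str, exe: str, image: bytes) -> list[str]:
    """Return the reasons a process looks suspicious; empty list if none."""
    reasons = []
    deleted = exe.endswith(" (deleted)")  # /proc/<pid>/exe link suffix
    path = exe.removesuffix(" (deleted)")
    if deleted:
        reasons.append("binary was unlinked from disk after start")
    if path.startswith(VOLATILE_PREFIXES):
        reasons.append(f"executing from world-writable location {path}")
    if name not in MASQUERADED_NAMES:
        return reasons
    if not path.startswith(TRUSTED_PREFIXES + VOLATILE_PREFIXES):
        reasons.append(f"'{name}' running from unexpected path {path}")
    if name in NATIVE_UTILITIES and looks_like_go_binary(image):
        reasons.append(f"'{name}' image carries Go build markers")
    return reasons


def hunt(snapshot):
    """Run assess_process over (pid, comm, exe, image) tuples; return {pid: reasons}."""
    hits = {}
    for pid, name, exe, image in snapshot:
        reasons = assess_process(name, exe, image)
        if reasons:
            hits[pid] = reasons
    return hits


def read_live_snapshot():
    """Build a snapshot from /proc on Linux (root needed to read every exe)."""
    snapshot = []
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                name = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/exe", "rb") as fh:  # works even if unlinked
                image = fh.read()
        except OSError:
            continue
        snapshot.append((int(pid), name, exe, image))
    return snapshot


# Constructed sample images and process list (not real captures).
LEGIT_ELF = b"\x7fELF" + b"\x00" * 60 + b"GLIBC_2.34\x00"
GO_ELF = b"\x7fELF" + b"\x00" * 60 + b'Go build ID: "abc123"\x00runtime.main'
SNAPSHOT = [
    (812, "sshd", "/usr/sbin/sshd", LEGIT_ELF),            # clean
    (2211, "bash", "/usr/bin/bash", LEGIT_ELF),            # clean
    (4410, "sshd", "/tmp/.x/sshd", GO_ELF),                # volatile path + Go
    (4412, "java", "/home/svc/java (deleted)", GO_ELF),    # deleted + path + Go
    (5001, "edr-agent", "/opt/edr/bin/edr-agent", GO_ELF), # Go is fine here
    (5100, "nginx", "/dev/shm/nginx", GO_ELF),             # volatile path only
]

if __name__ == "__main__":
    for pid, reasons in hunt(SNAPSHOT).items():
        print(pid, "; ".join(reasons))
```

The name list is deliberately the one from the report; in practice it should be widened to whatever service names the environment runs, and the path checks tuned to the distribution's layout, since a clean Go EDR agent under /opt is expected while the same image under /tmp is not.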
KTLVdoor is part of a broader campaign backed by an unusually large infrastructure, which the researchers read as a sign of ongoing or imminent activity, possibly by more than one actor. Although the backdoor has so far been observed in only one attack, more than 50 command-and-control (C2) servers were found communicating with its variants, so further campaigns using it are expected. All of these servers are hosted with the Chinese cloud provider Alibaba. Infrastructure on this scale is highly unusual and points to the potential for widespread activity; because the hosting provider is a large shared cloud, defenders should match on the published C2 indicators rather than on the provider's address ranges.
Trend Micro's report includes a comprehensive list of indicators of compromise (IOCs) for both Earth Lusca and KTLVdoor, including C2 IP addresses, file hashes related to the campaign, and a DLL decryptor associated with the threat actor's tooling. The malware is written in Go, and variants have been identified for both Windows and Linux. Given the scale of the campaign linked to KTLVdoor, vigilance and proactive defensive measures, including ingesting the published IOCs and hunting for the masqueraded process names, are strongly advised.
Description last updated: 2024-10-17T12:16:03.083Z