KTLVdoor

Malware updated 7 days ago (2024-11-29T13:55:10.766Z)
KTLVdoor is a sophisticated malware family linked to the China-backed cyber-espionage group Earth Lusca, also known as RedHotel or TAG-22. The group has been active since 2019, and according to Trend Micro's report KTLVdoor is more complex than the tooling it usually deploys. The malware disguises itself as common system utilities, including sshd, java, sqlite, bash and edr-agent, and gives the attackers full control over the compromised environment. While certain KTLVdoor samples are tied to Earth Lusca, other samples could not be definitively attributed to this threat actor, and the distribution method for KTLVdoor remains unclear.

KTLVdoor is part of an extensive campaign backed by a large back-end infrastructure, which suggests attacks by multiple actors are imminent or already under way. Although it has been observed in only one attack so far, researchers expect other campaigns to use KTLVdoor, because more than 50 command-and-control (C2) servers have been seen communicating with its variants. All of these servers are hosted by the Chinese ISP Alibaba. Infrastructure of this size is highly unusual and points to the potential for widespread activity.

Trend Micro's report includes a comprehensive list of indicators of compromise (IOCs) for both Earth Lusca and KTLVdoor, including IP addresses, hashes related to the campaign, and a DLL decryptor for the threat actor. The malware is written in Golang, and versions have been detected for both Windows and Linux. Because the campaign linked to KTLVdoor is extensive, vigilance and proactive cybersecurity measures are strongly advised.
Description last updated: 2024-10-17T12:16:03.083Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
- Backdoor
- Malware
- Sqlite
Associated Threat Actors
Alias: Earth Lusca
Description: The Earth Lusca threat actor is associated with KTLVdoor. Earth Lusca, a threat actor believed to be part of the China-backed Winnti collective, has been active since at least 2019 and is known for its cyber-espionage activities. The group primarily targets government organizations in Asia, Latin America, and other regions. Recently, it has expanded its ar
Association Type: Unspecified
Votes: 3