Cyber Security News

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India, Taiwan, and Japan, leveraging spear-phishing and exploiting vulnerabilities in public-facing applications like SSL-VPN and file storage services. 

The group has deployed various backdoors, including Cobalt Strike, LODEINFO, and the newly discovered NOOPDOOR, to maintain persistent access to compromised networks, which pose a significant threat to organizations in the targeted regions, particularly those in advanced technology and government sectors. 

overview of relationships of Earth Kasha

It initially compromised systems using legitimate Microsoft tools to gather system information and domain credentials, then employed custom malware, MirrorStealer, to steal stored credentials from various applications and abused VSSAdmin to dump sensitive system files from Active Directory servers.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

After gaining domain admin privileges, they deployed backdoors to facilitate lateral movement and data exfiltration, which was achieved through both backdoor channels and direct file transfers over RDP sessions.

Execution flow of GOSICLOADER

By employing a multi-pronged approach in their recent campaign, it leverages a combination of Cobalt Strike, LODEINFO, and the novel NOOPDOOR backdoor.

Cobalt Strike, likely a cracked version, was deployed via GOSICLOADER, a Go-based shellcode loader. 

LODEINFO, a long-standing tool for Earth Kasha, underwent significant updates, including new backdoor commands and a refined execution mechanism involving DLL side-loading and digital signature abuse. 

The emergence of LODEINFOLDR Type 2, similar to the loader used in the LiberalFace campaign, suggests a potential connection between the two incidents.

Watermark and its hash in CSAgent

The NOOPLDR is a backdoor delivered via two distinct loaders: an XML/C# loader executed by MSBuild and a DLL loader leveraging DLL Side-Loading. Both loaders employ similar decryption and persistence techniques, utilizing device ID-based encryption. 

The XML/C# loader stores the encrypted payload in the registry for persistence, while the DLL loader uses a combination of file-based and registry-based persistence. 

Both loaders inject the decrypted payload into legitimate processes, while the DLL loader adds an extra layer of obfuscation with control flow obfuscation and junk code.

Example of NOOPLDR

NOOPDOOR, a sophisticated backdoor, operates in active and passive modes, where in active mode, it polls a daily-changing C&C server using a DGA, while in passive mode, it listens on port 47000 for incoming commands. 

It supports various built-in functions and can load additional modules, enabling diverse malicious activities by leveraging HTTP proxies, firewall manipulation, and file-based module storage for persistence and stealth.

DGA generation using “word” as the placeholder

Earth Kasha, a state-sponsored actor, is leveraging spear-phishing and exploiting public-facing applications to compromise targets by deploying malware like MirrorStealer to steal credentials from browsers, email clients, and servers. 

Post-exploitation, they abuse scheduled tasks for persistence and use LOLBins for lateral movement. Overlaps in TTPs with other APT10-linked groups suggest resource sharing or potential 0-day vulnerability sharing within the ecosystem.

It is a China-nexus threat actor and has recently launched a new campaign leveraging updated LODEINFO malware, which shares significant similarities with previous LODEINFO and A41APT operations.

TrendMicro’s analysis indicates a broader trend of China-nexus groups potentially cooperating, sharing 0-day vulnerabilities, and utilizing sophisticated tactics to evade detection.

Are you from SOC/DFIR Teams? – Analyse Malware & Phishing with ANY.RUN -> Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

2 days ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

2 days ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

2 days ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

2 days ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

2 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

2 days ago