Cyber Security News

Earth Lusca Using Multiplatform Backdoor to Attack Windows & Linux Machines

Earth Lusca is a suspected China-based cyber espionage group active since at least April 2019.

Besides this, hackers often target Windows and Linux machines primarily due to their widespread use and potential for financial gain.

Trend Micro security experts recently uncovered a sophisticated new Golang-based backdoor named “KTLVdoor,” deployed by the Chinese threat actor Earth Lusca. 

This highly obfuscated, multiplatform malware family infects Windows and Linux systems, often disguising itself as standard system utilities to evade detection. 

Earth Lusca Using Multiplatform Backdoor

KTLVdoor provides threat actors with extensive remote control capabilities, such as executing commands, file manipulation, information gathering, proxy usage, and port scanning. 

The operation is large in scale, with over 50 command-and-control servers hosted on Alibaba’s infrastructure in China, communicating with several malware variants. 

Though it’s primarily tied to Earth Lusca, the shared infrastructure also suggests the potential involvement of other Chinese threat groups.

This campaign’s samples are heavily obfuscated, reinserting random base64-like encoded strings and function names in embedded strings.

Obfuscated function names (Source - Trend Micro)Obfuscated function names (Source - Trend Micro)

The agent’s settings are hidden and contain XOR-encoded agent configuration parameters. Base64 features a proprietary form resembling a TLV-like format.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Trend Micro said that the configuration is implemented by restoring the internal structure corresponding to the machine and keeping the addresses of C&C servers encrypted in AES-GCM-encrypted values.

After the start-up, the agent communicates with the C&C server through GZIP-compressed and AES-GCM-encrypted messages.

Besides this, the PortScan implements the following scanning methods:-

  • ScanTCP
  • ScanRDP
  • ScanWinRM
  • ScanSmb2
  • RdpWithNTLM
  • DialTLS
  • DialTCP
  • ScanPing
  • ScanPing
  • ScanMssql
  • ScanBanner
  • ScanWeb

Communication can be unidirectional or bidirectional, consisting of a header and message data.

The agent has been assigned task-processing handlers for the threat actor Earth Lusca; however, the campaign details are unknown.

The atypical infrastructure with all C&C servers on Alibaba’s IP addresses suggests that this is the current environment of Earth Lusca or some other Chinese-speaking threat actors arming themselves and playing around with the new tools that have yet to be released.

Cybersecurity researchers urged that it remains important to ensure the ongoing monitoring of this activity.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Vite Development Server Flaw Allows Attackers Bypass Path Restrictions

A critical security vulnerability, CVE-2025-31125, has been identified in the Vite development server. Due to improper…

25 minutes ago

New Android Spyware Tricks Users by Demanding Passwords for Uninstallation

A newly identified Android spyware app is elevating its tactics to remain hidden and unremovable…

57 minutes ago

Malicious PDFs Responsible for 22% of All Email-Based Cyber Threats

Malicious PDF files have emerged as a dominant threat vector in email-based cyberattacks, accounting for…

1 hour ago

Ex-ASML Russian Employee Smuggled Trade Secrets to Moscow via USB

A former employee of Dutch semiconductor firm ASML, identified as German A. (43), stands accused…

3 hours ago

Critical Apache Parquet Vulnerability Allows Remote Code Execution

A severe vulnerability has been identified in the Apache Parquet Java library, specifically within its parquet-avro module.…

4 hours ago

Halo ITSM Vulnerability Lets Attackers Inject Malicious SQL Code

A critical security flaw has been discovered in Halo ITSM, an IT support management software widely…

6 hours ago