Cyber Security News

Earth Lusca Using Multiplatform Backdoor to Attack Windows & Linux Machines

Earth Lusca is a suspected China-based cyber espionage group active since at least April 2019.

Besides this, hackers often target Windows and Linux machines primarily due to their widespread use and potential for financial gain.

Trend Micro security experts recently uncovered a sophisticated new Golang-based backdoor named “KTLVdoor,” deployed by the Chinese threat actor Earth Lusca. 

This highly obfuscated, multiplatform malware family infects Windows and Linux systems, often disguising itself as standard system utilities to evade detection. 

Earth Lusca Using Multiplatform Backdoor

KTLVdoor provides threat actors with extensive remote control capabilities, such as executing commands, file manipulation, information gathering, proxy usage, and port scanning. 

The operation is large in scale, with over 50 command-and-control servers hosted on Alibaba’s infrastructure in China, communicating with several malware variants. 

Though it’s primarily tied to Earth Lusca, the shared infrastructure also suggests the potential involvement of other Chinese threat groups.

This campaign’s samples are heavily obfuscated, reinserting random base64-like encoded strings and function names in embedded strings.

The agent’s settings are hidden and contain XOR-encoded agent configuration parameters. Base64 features a proprietary form resembling a TLV-like format.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Trend Micro said that the configuration is implemented by restoring the internal structure corresponding to the machine and keeping the addresses of C&C servers encrypted in AES-GCM-encrypted values.

After the start-up, the agent communicates with the C&C server through GZIP-compressed and AES-GCM-encrypted messages.

Besides this, the PortScan implements the following scanning methods:-

  • ScanTCP
  • ScanRDP
  • ScanWinRM
  • ScanSmb2
  • RdpWithNTLM
  • DialTLS
  • DialTCP
  • ScanPing
  • ScanPing
  • ScanMssql
  • ScanBanner
  • ScanWeb

Communication can be unidirectional or bidirectional, consisting of a header and message data.

The agent has been assigned task-processing handlers for the threat actor Earth Lusca; however, the campaign details are unknown.

The atypical infrastructure with all C&C servers on Alibaba’s IP addresses suggests that this is the current environment of Earth Lusca or some other Chinese-speaking threat actors arming themselves and playing around with the new tools that have yet to be released.

Cybersecurity researchers urged that it remains important to ensure the ongoing monitoring of this activity.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Hack The box “Ghost” Challenge Cracked – A Detailed Technical Exploit

Cybersecurity researcher "0xdf" has cracked the "Ghost" challenge on Hack The Box (HTB), a premier…

4 hours ago

Sec-Gemini v1 – Google’s New AI Model for Cybersecurity Threat Intelligence

Google has unveiled Sec-Gemini v1, an AI model designed to redefine cybersecurity operations by empowering…

4 hours ago

U.S. Secures Extradition of Rydox Cybercrime Marketplace Admins from Kosovo in Major International Operation

The United States has successfully extradited two Kosovo nationals, Ardit Kutleshi, 26, and Jetmir Kutleshi,…

10 hours ago

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

2 days ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

2 days ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

2 days ago