Earth Lusca (aka FishMonger) is a China-linked threat actor active since 2019 that conducts long‑term cyber-espionage against government, media, telecommunications, academic, and religious organizations while also running financially motivated campaigns against cryptocurrency platforms. Recent campaigns show expanded tooling and tradecraft — including the new Go-based, multi-platform backdoor KTLVdoor, extensive use of ShadowPad/Winnti toolsets, and a large, cloud-hosted, rotating C2 infrastructure to maintain stealth. #EarthLusca #KTLVdoor
Key points
- Earth Lusca is a China-linked actor active since 2019 that targets government, media, telecommunications, academic, religious organizations and cryptocurrency platforms for espionage and financial gain.
- The group expanded its arsenal with KTLVdoor, a highly obfuscated Go-based, multi-platform backdoor that can masquerade as sshd, java, bash, or sqlite and operate on Windows and Linux.
- Earth Lusca continues to rely on established toolsets such as ShadowPad, Winnti families, Spyder, and Cobalt Strike for access, reconnaissance, and data exfiltration.
- Operations concentrate on strategic sectors in the Asia‑Pacific region but also include victims in Europe, the Middle East, South Asia, and the United States.
- The actor uses a large, dynamic, cloud-hosted C2 infrastructure and rapid infrastructure rotation to evade detection and sustain long-term persistence.
- Campaigns leverage strong code obfuscation, encrypted communications, symbol stripping and function renaming, and exploit multiple public vulnerabilities (e.g., Jenkins and Linux CVEs) via drive-by, spear-phishing, and public-facing exploits.
MITRE Techniques
- [T1595.002] Active Scanning: Vulnerability Scanning – Used to identify vulnerable targets for exploitation; quote: ‘Active Scanning: Vulnerability Scanning’
- [T1608.001] Stage Capabilities: Upload Malware – Uploading tools and payloads to compromised hosts as part of operations; quote: ‘Stage Capabilities: Upload Malware’
- [T1583.001] Acquire Infrastructure: Domains – Acquisition of domains to host tooling or C2 infrastructure; quote: ‘Acquire Infrastructure: Domains’
- [T1583.004] Acquire Infrastructure: Server – Provisioning or acquiring servers to run C2 and payloads; quote: ‘Acquire Infrastructure: Server’
- [T1583.006] Acquire Infrastructure: Web Services – Use of web services as part of operational infrastructure; quote: ‘Acquire Infrastructure: Web Services’
- [T1584.004] Compromise Infrastructure: Server – Compromising third-party servers to support operations; quote: ‘Compromise Infrastructure: Server’
- [T1584.006] Compromise Infrastructure: Web Services – Compromising web services to host or relay malicious activity; quote: ‘Compromise Infrastructure: Web Services’
- [T1588.002] Obtain Capabilities: Tool – Procuring or reusing offensive tools like Cobalt Strike; quote: ‘Obtain Capabilities: Tool’
- [T1588.001] Obtain Capabilities: Malware – Acquiring or developing malware families used in campaigns; quote: ‘Obtain Capabilities: Malware’
- [T1189] Drive-by Compromise – Leveraging drive-by downloads or compromised websites for initial access; quote: ‘Drive-by Compromise’
- [T1566.002] Phishing: Spear Phishing Link – Use of spear-phishing links to gain initial access in targeted campaigns; quote: ‘Phishing: Spear Phishing Link’
- [T1190] Exploit Public-Facing Application – Exploitation of exposed services (multiple CVEs listed) to gain access; quote: ‘Exploit Public-Facing Application’
- [T1059.001] Command and Scripting Interpreter: PowerShell – Use of PowerShell for execution and post-exploitation tasks; quote: ‘Command and Scripting Interpreter: PowerShell’
- [T1059.007] Command and Scripting Interpreter: JavaScript – Use of JavaScript interpreters in execution chains; quote: ‘Command and Scripting Interpreter: JavaScript’
- [T1047] Windows Management Instrumentation – Use of WMI for execution or remote management; quote: ‘Windows Management Instrumentation’
- [T1053.005] Scheduled Task/Job: Scheduled Task – Use of scheduled tasks for persistence and privilege escalation; quote: ‘Scheduled Task/Job: Scheduled Task’
- [T1204.002] User Execution: Malicious File – Relying on user execution of malicious files to infect hosts; quote: ‘User Execution: Malicious File’
- [T1204.001] User Execution: Malicious Link – Use of malicious links delivered to users for initial access; quote: ‘User Execution: Malicious Link’
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Use of Visual Basic scripting for execution where applicable; quote: ‘Command and Scripting Interpreter: Visual Basic’
- [T1059.006] Command and Scripting Interpreter: Python – Use of Python for multi-platform tooling or scripts; quote: ‘Command and Scripting Interpreter: Python’
- [T1547.012] Boot or Logon Autostart Execution: Print Processors – Persistence via autostart mechanisms such as print processors; quote: ‘Boot or Logon Autostart Execution: Print Processors’
- [T1543.003] Create or Modify System Process: Windows Service – Creating or modifying Windows services for persistence and execution; quote: ‘Create or Modify System Process: Windows Service’
- [T1574.001] Hijack Execution Flow: DLL – DLL hijacking or manipulation to persist or evade detection; quote: ‘Hijack Execution Flow: DLL’
- [T1112] Modify Registry – Use of registry modifications to maintain persistence or configuration; quote: ‘Modify Registry’
- [T1098.004] Account Manipulation: SSH Authorized Keys – Persisting access via SSH authorized keys on Linux systems; quote: ‘Account Manipulation: SSH Authorized Keys’
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – Techniques to bypass UAC for privilege escalation; quote: ‘Abuse Elevation Control Mechanism: Bypass User Account Control’
- [T1140] Deobfuscate/Decode Files or Information – Use of deobfuscation or decode routines during execution and analysis evasion; quote: ‘Deobfuscate/Decode Files or Information’
- [T1027] Obfuscated Files or Information – Strong code obfuscation and symbol stripping to hinder analysis; quote: ‘strong code obfuscation, encrypted communications, and disguised binaries’
- [T1036.005] Masquerading: Match Legitimate Resource Name or Location – Malware disguises itself as system utilities like sshd, java, bash, or sqlite; quote: ‘masquerade as legitimate system utilities such as sshd, java, bash, or sqlite’
- [T1027.003] Obfuscated Files or Information: Steganography – Use of steganography as one obfuscation technique (listed in TTPs); quote: ‘Obfuscated Files or Information: Steganography’
- [T1218.005] System Binary Proxy Execution: Mshta – Use of trusted system binaries (e.g., mshta) to proxy execution and evade controls; quote: ‘System Binary Proxy Execution: Mshta’
- [T1003.001] OS Credential Dumping: LSASS Memory – Credential dumping from LSASS memory for lateral movement and persistence; quote: ‘OS Credential Dumping: LSASS Memory’
- [T1003.006] OS Credential Dumping: DCSync – Use of DCSync techniques to obtain domain credentials from Active Directory; quote: ‘OS Credential Dumping: DCSync’
- [T1482] Domain Trust Discovery – Discovery of domain trust relationships to support targeting and lateral movement; quote: ‘Domain Trust Discovery’
- [T1057] Process Discovery – Enumerating running processes for reconnaissance and targeting; quote: ‘Process Discovery’
- [T1049] System Network Connections Discovery – Mapping network connections on compromised hosts for discovery; quote: ‘System Network Connections Discovery’
- [T1007] System Service Discovery – Discovering system services to identify persistence and defensive components; quote: ‘System Service Discovery’
- [T1018] Remote System Discovery – Identifying remote systems for lateral movement and targeting; quote: ‘Remote System Discovery’
- [T1016] System Network Configuration Discovery – Collecting network configuration to inform lateral movement; quote: ‘System Network Configuration Discovery’
- [T1033] System Owner/User Discovery – Identifying system owners and users to prioritize targets and credential harvesting; quote: ‘System Owner/User Discovery’
- [T1210] Exploitation of Remote Services – Exploiting remote services to move laterally across environments; quote: ‘Exploitation of Remote Services’
- [T1056.001] Input Capture: Keylogging – Use of input capture/keylogging for credential and data theft; quote: ‘Input Capture: Keylogging’
- [T1090] Proxy – Use of proxying and relays in C2 operations to obscure origin and traffic; quote: ‘large and dynamic command-and-control (C2) infrastructure’
- [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Use of web/cloud services to exfiltrate collected data; quote: ‘Exfiltration Over Web Service: Exfiltration to Cloud Storage’
Indicators of Compromise
- [Malware] Malware families used in campaigns – KTLVdoor, ShadowPad, and other families including Spyder, SodaMaster, XDealer (DinodasRAT), RESHELL (and 3 more).
- [CVE IDs] Exploited/publicly referenced vulnerabilities used for initial access or privilege escalation – CVE-2024-23897 (Jenkins), CVE-2016-5195 (Linux Dirty COW), and 4 more CVEs listed in the article.
- [C2 infrastructure] Command-and-control infrastructure context – dozens of cloud-hosted servers used to manage infected systems and rotate infrastructure (no specific IPs/domains provided in the article).
- [Masqueraded filenames/binaries] Binaries used to disguise backdoors – masquerade names such as sshd, java, bash, and sqlite used by KTLVdoor, as observed artifacts.
- [Exploit links / references] Public exploit links referenced for vetted CVEs – e.g., exploit links labeled for CVE-2016-5195 (link1..link6) and CVE-2024-23897 (Link1, Link2) as listed in the article.
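As an added defender-side example (not code from the CYFIRMA profile), the check below covers the KTLVdoor masquerading behaviour described in the key points, in T1036.005 and in the masqueraded-filenames indicator: it flags processes that carry one of the reported masquerade names but run from an unexpected path, from a file deleted on disk, or from a Go-built binary, since none of the genuine utilities are written in Go. The expected install paths, the Go marker strings and the sample process records are assumptions constructed for the example; on a live Linux host the records would come from /proc/<pid>/comm, /proc/<pid>/exe and the backing file.

```python
from dataclasses import dataclass

# Utility names the profile reports KTLVdoor masquerading as.
MASQUERADE_NAMES = {"sshd", "java", "bash", "sqlite"}
# Where those utilities normally live on a typical Linux host (assumed; tune to your baseline).
EXPECTED_PATHS = {
    "sshd": ("/usr/sbin/sshd",),
    "java": ("/usr/bin/java", "/usr/lib/jvm/"),
    "bash": ("/bin/bash", "/usr/bin/bash"),
    "sqlite": ("/usr/bin/sqlite3",),
}
# Strings left in Go-built ELF/PE files; the real sshd, java, bash and sqlite are not Go programs.
GO_MARKERS = (b"Go build ID:", b"go.buildid", b"runtime.goexit")

@dataclass
class Proc:
    pid: int
    comm: str    # process name as shown by ps / /proc/<pid>/comm
    exe: str     # readlink of /proc/<pid>/exe (carries a " (deleted)" suffix if the file is gone)
    head: bytes  # bytes read from the backing file (constructed sample data here)

def is_go_binary(data: bytes) -> bool:
    return any(marker in data for marker in GO_MARKERS)

def path_expected(name: str, exe: str) -> bool:
    # Exact match, or a prefix match for directory entries that end in "/".
    return any(exe == p or (p.endswith("/") and exe.startswith(p))
               for p in EXPECTED_PATHS[name])

def flag_masquerades(procs):
    """Return (pid, name, reasons) for processes named like a utility but not backed by the real one."""
    findings = []
    for p in procs:
        if p.comm not in MASQUERADE_NAMES:
            continue
        reasons = []
        if p.exe.endswith(" (deleted)"):
            reasons.append("backing file deleted")
        elif not path_expected(p.comm, p.exe):
            reasons.append(f"unexpected path {p.exe}")
        if is_go_binary(p.head):
            reasons.append("Go build markers in binary")
        if reasons:
            findings.append((p.pid, p.comm, reasons))
    return findings

# Constructed sample: genuine sshd and java, a fake sshd dropped in /tmp, and a bash whose file was unlinked.
SAMPLE = [
    Proc(812, "sshd", "/usr/sbin/sshd", b"\x7fELF...OpenSSH_9.6..."),
    Proc(2201, "java", "/usr/lib/jvm/java-17/bin/java", b"\x7fELF...libjvm.so..."),
    Proc(4410, "sshd", "/tmp/.x/sshd", b"\x7fELF...Go build ID: \"abc\"...runtime.goexit"),
    Proc(5120, "bash", "/bin/bash (deleted)", b"\x7fELF...runtime.goexit..."),
]
```

A single reason is a lead worth triaging; two or more together (odd path plus Go markers, as with the fake sshd above) match the profile's description closely enough to escalate.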
Read more: https://www.cyfirma.com/research/apt-profile-earth-lusca/