Analyzing Earth Estries’ Ongoing TTPs in Extended Cyber Operations

Earth Estries runs prolonged, multi-stage campaigns against government and technology targets using two distinct attack chains that mix custom backdoors and publicly available tools. Their operations exploit vulnerable external services (e.g., Microsoft Exchange, QConvergeConsole) and use tools like Crowdoor, Zingdoor, TrillClient and SnappyBee for persistence, lateral movement, credential theft, and data exfiltration. #EarthEstries #Crowdoor

Key points

  • Earth Estries (aka Salt Typhoon) has targeted government and tech organizations since at least 2020.
  • Researchers identified two separate infection chains with different delivery and toolsets (CAB-based vs. curl-based deliveries).
  • Initial access commonly abuses vulnerable external services such as Microsoft Exchange and QConvergeConsole/Tomcat.
  • Lateral movement is achieved using PsExec and WMIC, and backdoors (Cobalt Strike, Crowdoor, HemiGate) for subsequent propagation.
  • Credential theft is performed with TrillClient by collecting browser profiles and saved login data for further compromise.
  • Data collection and exfiltration use archive utilities (RAR/tar), cURL/wget, SMTP (Gmail), and anonymized file-sharing services via proxies.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain access by exploiting vulnerable services (e.g., Microsoft Exchange, QConvergeConsole). [‘Exploits vulnerabilities in Microsoft Exchange servers to gain access.’]
  • [T1021] Remote Services (PsExec/WMIC) – Employed for lateral movement to install backdoors and run batch installers on remote hosts. [‘Uses PsExec and WMIC for lateral movement across networks.’]
  • [T1003] Credential Dumping – TrillClient collects credentials and browser profile data to harvest login information. [‘Employs TrillClient for credential theft from browser caches.’]
  • [T1071] Application Layer Protocol – Multiple C2 domains and backdoors communicate with operators to maintain control. [‘Utilizes multiple command and control domains to maintain communication with compromised systems.’]
  • [T1041] Exfiltration Over C2 Channel – Data archived and sent out using cURL/wget and SMTP to external accounts or anonymized services. [‘Exfiltrates data using cURL to send information to anonymized file-sharing services.’]

Indicators of Compromise

  • [IP Address] internal target examples used in commands – 172.16.xx.xx (used in lateral-movement and wget download commands)
  • [File names / packages] delivered payloads and installers – go4.cab, PsExec.exe, wget.exe (CAB files and utilities used to install backdoors)
  • [Tools / Malware] malware and utilities observed – Crowdoor, TrillClient, Zingdoor, SnappyBee (primary backdoors and stealers)
  • [URLs / Domains] download and exfiltration endpoints – hxxp://172.16.xx.xx/{document path}/{Hardcoded Filename}.pdf (target document download), Gmail SMTP used for data exfiltration

————
Earth Estries conducts sustained espionage operations using two distinct but related attack chains. One chain delivers tools bundled in CAB files (including Cobalt Strike, Crowdoor, TrillClient and HemiGate) and relies on PsExec/WMIC for lateral movement; the other uses curl/wget to fetch payloads such as Zingdoor and SnappyBee and employs utility tools (PortScan, NinjaCopy) for reconnaissance. Both approaches exploit exposed or misconfigured services, such as Microsoft Exchange and QConvergeConsole/Tomcat, to gain initial access.

Once inside, the group focuses on persistence and wide data collection. They repeatedly update and reinstall tools, deploy backdoors that support remote shells and file operations (Crowdoor’s functionality includes persistence, remote shell and C2 communication), and use archival utilities (RAR/tar) plus simple encryption routines to prepare data for exfiltration. TrillClient is used to harvest browser profiles, cookies and login data, which are packaged and sent out via SMTP or uploaded through anonymized services.

The campaign shows operational maturity: targeted document downloads from internal web platforms, use of proxying and anonymized endpoints for C2/exfiltration, and batch-file orchestration for staged installs and large-scale collection. Organizations should prioritize patching exposed management interfaces, monitor for suspicious uses of PsExec/WMIC and archive utilities, and watch for signs of browser-profile collection and unexpected outbound SMTP/HTTP uploads.
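The monitoring advice above can be turned into concrete endpoint detections. The script below is an added example, not code from the Trend Micro report or from any Earth Estries tooling: it runs a handful of rules over constructed, Sysmon-style process-creation and network-connection events and flags the behaviours the report describes (PsExec/WMIC execution against a remote host, curl/wget fetching a file by URL, RAR/tar archiving, a non-browser process touching a browser profile, and outbound SMTP from a process that is not a mail client). It then reports hosts on which several distinct stages occurred, since a single PsExec or rar invocation is often benign but the combination is what characterises a multi-stage intrusion. The event layout, hostnames, users, IP addresses (172.16.0.x stands in for the report's 172.16.xx.xx), the file name tc.exe, the browser profile paths and the mail-client list are all assumptions made for the example.

```python
"""Added detection example: flag Earth Estries-style post-exploitation
behaviours in constructed endpoint telemetry (not the report's own code)."""
import re
from typing import Dict, List


def _ev(kind: str, ts: str, host: str, user: str, image: str,
        cmdline: str = "", dst_port: str = "") -> Dict[str, str]:
    """Build one simplified Sysmon-like event record."""
    return {"kind": kind, "ts": ts, "host": host, "user": user,
            "image": image, "cmdline": cmdline, "dst_port": dst_port}


# Constructed sample telemetry: hosts, users, IPs, paths and tool names are
# made up for the example. Two benign events are included as controls.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    _ev("process", "2023-08-01T09:12:03Z", "WS-0142", "CORP\\jdoe",
        "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "\"WINWORD.EXE\" /n report.docx"),
    _ev("process", "2023-08-01T10:41:17Z", "WS-0142", "CORP\\svc_backup",
        "C:\\Users\\Public\\PsExec.exe",
        "PsExec.exe \\\\172.16.0.10 -s -d cmd.exe /c C:\\Windows\\Temp\\install.bat"),
    _ev("process", "2023-08-01T10:43:50Z", "WS-0142", "CORP\\svc_backup",
        "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "wmic /node:172.16.0.11 process call create \"cmd /c C:\\Windows\\Temp\\install.bat\""),
    _ev("process", "2023-08-01T11:02:08Z", "SRV-0007", "CORP\\svc_backup",
        "C:\\Users\\Public\\wget.exe",
        "wget.exe http://172.16.0.20/docs/quarterly.pdf -O C:\\Users\\Public\\quarterly.pdf"),
    _ev("process", "2023-08-01T11:15:31Z", "SRV-0007", "CORP\\svc_backup",
        "C:\\Users\\Public\\rar.exe",
        "rar.exe a -r -hpSecret C:\\Users\\Public\\out.rar C:\\Users\\Public\\*.pdf"),
    _ev("process", "2023-08-01T11:20:44Z", "WS-0142", "CORP\\svc_backup",
        "C:\\Users\\Public\\tc.exe",   # assumed stealer file name
        "tc.exe C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
    _ev("process", "2023-08-01T11:21:00Z", "WS-0142", "CORP\\jdoe",
        "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "chrome.exe --profile-directory=Default"),
    _ev("network", "2023-08-01T11:30:12Z", "WS-0142", "CORP\\svc_backup",
        "C:\\Users\\Public\\tc.exe", dst_port="587"),
    _ev("network", "2023-08-01T11:31:00Z", "WS-0142", "CORP\\jdoe",
        "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", dst_port="587"),
]

REMOTE_EXEC_TOOLS = {"psexec.exe", "psexec64.exe", "wmic.exe"}
DOWNLOADERS = {"curl.exe", "wget.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe", "tar.exe", "7z.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumption: tune per estate
SMTP_PORTS = {"25", "465", "587"}
# \\host or /node:host in a command line means execution on a remote machine.
REMOTE_TARGET_RE = re.compile(r"(?:\\\\[\w.-]+|/node:[\w.-]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# "a" (rar add), "-c..." or "c..f" (tar create) mark archive creation.
ARCHIVE_CREATE_RE = re.compile(r"(?:^|\s)(?:a|-c\w*|c\w*f)(?:\s|$)")
# Common browser profile roots (assumption: extend for other browsers).
BROWSER_PROFILE_RE = re.compile(
    r"\\AppData\\(?:Local\\Google\\Chrome\\User Data|Local\\Microsoft\\Edge\\User Data"
    r"|Roaming\\Mozilla\\Firefox\\Profiles)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Return the alerts one event triggers; technique IDs follow the report's mapping."""
    hits: List[Dict[str, str]] = []
    image, cmd = basename(event["image"]), event["cmdline"]

    def alert(rule: str, technique: str) -> None:
        hits.append({"ts": event["ts"], "host": event["host"], "user": event["user"],
                     "image": image, "rule": rule, "technique": technique})

    if event["kind"] == "process":
        if image in REMOTE_EXEC_TOOLS and REMOTE_TARGET_RE.search(cmd):
            alert("remote-execution-tool", "T1021")
        if image in DOWNLOADERS and URL_RE.search(cmd):
            alert("cli-downloader", "payload/document download")
        if image in ARCHIVERS and ARCHIVE_CREATE_RE.search(cmd):
            alert("archive-staging", "T1041 (collection staging)")
        if image not in BROWSERS and BROWSER_PROFILE_RE.search(cmd):
            alert("browser-profile-access", "T1003")
    elif event["kind"] == "network":
        if event["dst_port"] in SMTP_PORTS and image not in MAIL_CLIENTS:
            alert("unexpected-outbound-smtp", "T1041")
    return hits


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [hit for event in events for hit in evaluate(event)]


def rule_counts(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


def chained_hosts(alerts: List[Dict[str, str]], min_rules: int = 3) -> List[str]:
    """Hosts where at least min_rules distinct stages fired: the multi-stage signal."""
    per_host: Dict[str, set] = {}
    for a in alerts:
        per_host.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['ts']} {a['host']} {a['user']} {a['image']}: {a['rule']} [{a['technique']}]")
    print("rule counts:", rule_counts(found))
    print("hosts with chained stages:", chained_hosts(found))
```

In the sample, both control events (Word and Outlook) stay silent, the PsExec, WMIC, wget, rar and profile-access events each fire one rule, the assumed stealer's SMTP connection fires another, and only WS-0142 reaches the three-distinct-stages threshold. The per-rule hits are where tuning happens (legitimate admin PsExec, backup jobs using rar or tar); the chained-host view is the one worth paging on.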

Read more: https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html