Earth Kasha's Latest Campaign (March 2025)
Summary
New campaign targeting Taiwan and Japan
Uses spear-phishing to deliver new ANEL backdoor
Motivation likely espionage, inferred from the victimology
Believed part of APT10 group
Targets government & public institutions
Potential impact: information & data theft
ANEL supports BOF execution in memory
Potentially leveraged SharpHide for NOOPDOOR persistence
Recommendations for proactive security
Trend Vision One detects and blocks IOCs
Observed Campaign Activity
Targeting Taiwan and Japan
Detected in March 2025
Uses spear-phishing
Delivers new ANEL backdoor
Background on Earth Kasha
Believed part of APT10 umbrella
Espionage campaigns since at least 2017
Frequently shifts TTPs and toolsets
2024 activity: targeted political orgs, research, etc. (Japan)
Expanding targets in 2025 (Taiwan & Japan govt/public)
Assumed motivation: espionage and information theft
Potential origin: China (geopolitical implications)
Infection Chain (March 2025)
Initial Access
Spear-phishing email
Potentially from compromised accounts
Embeds OneDrive URL (ZIP download)
ZIP contains malicious Excel file
Filename/subject designed to capture interest
Examples:
<REDACTED>_修正済み履歴書
臺日道路交通合作與調研相關公務出國報告
應徵研究助理-<REDACTED>
Dropper (ROAMINGMOUSE)
Macro-enabled Excel dropper
Used since 2024 campaign
Drops ANEL components
Simple sandbox evasion (requires user interaction before payload drop)
Change from 2024: Word file to Excel
Trigger change: mousemove to click
Decodes embedded ZIP (Base64)
Drops ZIP to disk and expands
Dropped Components:
JSLNTOOL.exe / JSTIEE.exe / JSVWMNG.exe (Legit JustSystems)
JSFC.dll (ANELLDR - malicious loader)
<RANDOM> (Encrypted ANEL payload)
MSVCR100.dll (Legit DLL dependency)
Drop Locations:
%LOCALAPPDATA%\Microsoft\Windows\<RANDOM>
%LOCALAPPDATA%\Microsoft\Media Player\Transcoded Files Cache\<RANDOM>
Execution:
Launches legit EXE via explorer.exe (WMI)
EXE loads JSFC.dll (DLL sideloading)
If McAfee is detected, the execution method changes:
Creates batch file in startup
Executes legit EXE via explorer.exe (no WMI)
First Stage Backdoor (ANEL)
JSFC.dll (ANELLDR - malicious loader)
Similar capabilities to previous loader
Decrypts (AES-256-CBC) and decompresses (LZO) the ANEL blob
Executes ANEL in memory
Version Number:
Previously embedded
Encrypted since 2024
Encrypted in this campaign
C&C Communication:
No significant changes
Custom ChaCha20, XOR, and LZO
New command: BOF (Beacon Object File) execution in memory
Command Changes (Table 1 - see original article)
Post-Exploitation:
Screenshots via backdoor command
Environment examination commands:
tasklist /v
net localgroup administrators
net user
Used to investigate the target before deploying the second stage
Second Stage Deployment (if target confirmed):
NOOPDOOR components downloaded to C:\ProgramData
Executed via MSBuild.exe & XML
Persistence (Potential SharpHide):
Launch NOOPDOOR via Hidden Start (hstart64.exe)
Hide MSBuild UI on autorun
Potential SharpHide injection in legit process (msiexec.exe)
Command example (msiexec.exe)
Removal of Working Directories:
rd /s /q "C:\Users\<REDACTED>\AppData\Local\Microsoft\Media Player\Transcoded Files Cache\<RANDOM>"
rd /s /q "C:\Users\<REDACTED>\AppData\Local\Microsoft\Windows\<RANDOM>"
Second Stage Backdoor (NOOPDOOR)
Sophisticated backdoor (exclusive to Earth Kasha since 2021)
Continuously evolving (minor feature changes)
New feature: Supports DNS over HTTPS (DoH)
DoH hides the C&C IP lookup from conventional DNS monitoring
Embeds public DoH DNS servers (Google, Cloudflare)
C&C Domain Generation:
Domain Generation Algorithm (DGA)
Based on current datetime
Resolves the generated domain over DoH so the suspicious lookup is not visible as plain DNS
The DNS query and answer travel inside the HTTPS body
Conclusion and Security Recommendations
Earth Kasha: active APT, targeting Taiwan & Japan (Mar 2025)
Spear-phishing with modified TTPs
Excel instead of Word dropper
Click instead of mousemove trigger
ANEL version number encrypted
ANEL supports BOF execution
Potential SharpHide for NOOPDOOR persistence
Recommendations for Enterprises:
Educate on OneDrive link risks (zero-trust policy)
Monitor potential abuse of DNS over HTTPS
Disable macros from internet
Make full use of endpoint detection and response (EDR) tools
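The NOOPDOOR DoH behaviour described above and the recommendation to monitor DoH abuse share one practical check: find hosts and processes contacting public DoH resolvers. The following is an added example, not code from Trend Micro or from the Earth Kasha tooling. The pipe-separated log format, the browser allow-list and the list of resolver hostnames and IPs are assumptions (the report only says NOOPDOOR embeds Google and Cloudflare resolvers); the sample telemetry is constructed.

```python
"""Flag DNS-over-HTTPS (DoH) use in web-proxy telemetry.

Added example for this summary, not code from Trend Micro or from the
Earth Kasha tooling. Log format, resolver list and browser allow-list are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Public DoH resolvers. The report only says NOOPDOOR embeds Google and
# Cloudflare resolvers; the hostnames/IPs below are those providers'
# well-known public endpoints (assumed here; verify against your own list).
DOH_HOSTS = {"dns.google", "cloudflare-dns.com",
             "8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
DOH_PATHS = {"/dns-query", "/resolve"}  # RFC 8484 and JSON-API style paths
DOH_CONTENT_TYPES = {"application/dns-message", "application/dns-json"}
# Processes expected to speak DoH on their own (assumed allow-list).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class ProxyEvent:
    ts: str
    src_host: str
    process: str      # process name reported by the endpoint agent
    method: str
    url: str
    content_type: str


def parse_line(line: str) -> ProxyEvent:
    """Constructed pipe-separated format: ts|src_host|process|method|url|content-type."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 6:
        raise ValueError(f"unexpected field count in: {line!r}")
    return ProxyEvent(*fields)


def doh_indicators(ev: ProxyEvent) -> list[str]:
    """Return the reasons a request looks like DoH (empty list = not DoH)."""
    parts = urlsplit(ev.url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    reasons = []
    if host in DOH_HOSTS:
        reasons.append(f"known DoH resolver {host}")
    if path in DOH_PATHS:
        reasons.append(f"DoH path {path}")
    if ev.content_type.lower() in DOH_CONTENT_TYPES:
        reasons.append(f"DoH content type {ev.content_type}")
    return reasons


def classify(ev: ProxyEvent):
    """A browser doing DoH is expected; any other process is worth a look,
    because the name it resolved (e.g. a DGA-generated C&C domain) never
    appears in conventional DNS logs."""
    reasons = doh_indicators(ev)
    if not reasons:
        return None
    severity = "info" if ev.process.lower() in BROWSER_PROCESSES else "high"
    return {"ts": ev.ts, "host": ev.src_host, "process": ev.process,
            "severity": severity, "reasons": reasons}


def scan(lines) -> list[dict]:
    """Run every log line through the classifier and keep the findings."""
    return [f for f in (classify(parse_line(line)) for line in lines) if f]


# Constructed sample telemetry (not from the report).
SAMPLE_LOG = [
    "2025-03-10T09:01:02Z|WS-0101|chrome.exe|POST|https://cloudflare-dns.com/dns-query|application/dns-message",
    "2025-03-10T09:01:05Z|WS-0101|chrome.exe|GET|https://www.example.com/|text/html",
    "2025-03-10T09:02:11Z|WS-0117|msbuild.exe|POST|https://dns.google/dns-query|application/dns-message",
    "2025-03-10T09:02:12Z|WS-0117|msbuild.exe|GET|https://1.1.1.1/dns-query?dns=AAABAAABAAAAAAAA|application/dns-message",
    "2025-03-10T09:03:30Z|WS-0122|outlook.exe|GET|https://mail.example.com/owa/|text/html",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the resolver can be addressed by IP, the hostname match depends on the proxy recording the TLS SNI or Host header; where the proxy cannot inspect content types, the destination and the originating process are the signals that remain. The monitor sees the resolver contact, not the DGA-generated domain that was looked up.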
Trend Vision One™
AI-powered enterprise cybersecurity platform
Centralizes cyber risk exposure management, security operations, layered protection
Helps predict and prevent threats
Accelerates proactive security outcomes
Eliminates security blind spots
Focus on what matters most
Elevates security to strategic partner
Trend Vision One Threat Intelligence
Intelligence Reports and Threat Insights
Helps stay ahead of cyber threats
Offers info on threat actors, activities, techniques
Enables proactive protection and risk mitigation
Trend Vision One Intelligence Reports App
[IOC Sweeping]
Still in the Game: Earth Kasha’s Continued Spear-Phishing Campaign targeting Taiwan and Japan
Trend Vision One Threat Insights App
Emerging Threats: Still in the Game: Earth Kasha’s Continued Spear-Phishing Campaign targeting Taiwan and Japan
Threat Actor: Earth Kasha
Hunting Query (Trend Vision One Search App)
eventName:MALWARE_DETECTION AND (malName:*ROAMINGMOUSE* OR malName:*ANEL* OR malName:*NOOPLDR* OR malName:*NOOPDOOR*)
eventSubId: 301 AND (hostName: *.srmbr.net OR hostName: *.kyolpon.com)
eventSubId: 204 AND (dst: 172.233.73.249 OR dst: 172.105.62.188 OR dst: 192.46.215.56 OR dst: 139.162.38.102)
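For teams without the Search App, the three hunting queries above can be applied to an exported event list. The following is an added example, not Trend Micro's own tooling: it reimplements the query semantics (wildcard match on malName, suffix match on hostName, exact match on dst) using only the field names and indicator values the queries contain. The sample events, their detection names and the subdomain labels are constructed placeholders.

```python
"""Apply the Earth Kasha hunting queries to exported events.

Added example, not Trend Micro's own tooling. Field names and indicator
values are taken from the hunting queries; sample events are constructed.
"""
from fnmatch import fnmatchcase

# Indicator values copied from the hunting queries on this page.
MALNAME_PATTERNS = ("*ROAMINGMOUSE*", "*ANEL*", "*NOOPLDR*", "*NOOPDOOR*")
C2_HOST_PATTERNS = ("*.srmbr.net", "*.kyolpon.com")
C2_IPS = {"172.233.73.249", "172.105.62.188", "192.46.215.56", "139.162.38.102"}


def _wild(value, patterns) -> bool:
    """Case-insensitive glob match, mirroring the search app's '*' wildcard."""
    v = str(value or "").lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def rule_malware_detection(e: dict) -> bool:
    # eventName:MALWARE_DETECTION AND (malName:*ROAMINGMOUSE* OR malName:*ANEL* OR ...)
    return e.get("eventName") == "MALWARE_DETECTION" and _wild(e.get("malName"), MALNAME_PATTERNS)


def rule_c2_domain(e: dict) -> bool:
    # eventSubId: 301 AND (hostName: *.srmbr.net OR hostName: *.kyolpon.com)
    return str(e.get("eventSubId")) == "301" and _wild(e.get("hostName"), C2_HOST_PATTERNS)


def rule_c2_ip(e: dict) -> bool:
    # eventSubId: 204 AND (dst: 172.233.73.249 OR dst: 172.105.62.188 OR ...)
    return str(e.get("eventSubId")) == "204" and e.get("dst") in C2_IPS


RULES = {
    "earth_kasha_malware_detection": rule_malware_detection,
    "earth_kasha_c2_domain": rule_c2_domain,
    "earth_kasha_c2_ip": rule_c2_ip,
}


def hunt(events) -> list[tuple[str, int]]:
    """Return (rule_name, event_index) for every event that matches a query."""
    hits = []
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits.append((name, i))
    return hits


# Constructed sample events; detection names and subdomain labels are placeholders.
SAMPLE_EVENTS = [
    {"eventName": "MALWARE_DETECTION", "malName": "Trojan.Constructed.ROAMINGMOUSE", "endpointHostName": "WS-0117"},
    {"eventSubId": 301, "hostName": "placeholder.srmbr.net", "endpointHostName": "WS-0117"},
    {"eventSubId": 204, "dst": "172.233.73.249", "dpt": 443, "endpointHostName": "WS-0117"},
    {"eventSubId": 204, "dst": "10.0.0.5", "dpt": 445, "endpointHostName": "WS-0101"},
    # Suffix semantics: '*.srmbr.net' requires the name to END in .srmbr.net.
    {"eventSubId": 301, "hostName": "srmbr.net.example.com", "endpointHostName": "WS-0101"},
    # Over-match: '*ANEL*' is a substring match, so a detection name containing
    # "PANEL" also matches. Review malName hits before escalating.
    {"eventName": "MALWARE_DETECTION", "malName": "PUA.Constructed.CONTROLPANEL", "endpointHostName": "WS-0130"},
]

if __name__ == "__main__":
    for rule_name, idx in hunt(SAMPLE_EVENTS):
        print(rule_name, SAMPLE_EVENTS[idx])
```

The last sample event shows the one caveat worth knowing before paging anyone on the malName query: `*ANEL*` matches any detection name containing that substring, so a hit from that clause needs a look at the full detection name before it is treated as an ANEL sighting.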
Indicators of Compromise (IoC)
The full list of IoCs is available for download from the original article.