• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Critical FortiSIEM flaw under active exploitation, Fortinet warns

 | 

Charon Ransomware targets Middle East with APT attack methods

 | 

Hackers leak 2.8M sensitive records from Allianz Life in Salesforce data breach

 | 

SAP fixed 26 flaws in August 2025 Update, including 4 Critical

 | 

August 2025 Patch Tuesday fixes a Windows Kerberos Zero-Day

 | 

Dutch NCSC: Citrix NetScaler zero-day breaches critical orgs

 | 

Chrome sandbox escape nets security researcher $250,000 reward

 | 

Smart Buses flaws expose vehicles to tracking, control, and spying

 | 

MedusaLocker ransomware group is looking for pentesters

 | 

Google confirms Salesforce CRM breach, faces extortion threat

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 57

 | 

Security Affairs newsletter Round 536 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Embargo Ransomware nets $34.2M in crypto since April 2024

 | 

Germany limits police spyware use to serious crimes

 | 

Phishing attacks exploit WinRAR flaw CVE-2025-8088 to install RomCom

 | 

French firm Bouygues Telecom suffered a data breach impacting 6.4M customers

 | 

Columbia University data breach impacted 868,969 people

 | 

SonicWall dismisses zero-day fears after Ransomware probe

 | 

Air France and KLM disclosed data breaches following the hack of a third-party platform

 | 

CISA, Microsoft warn of critical Exchange hybrid flaw CVE-2025-53786

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Breaking News
  • Hacking
  • Malware
  • Earth Krahang APT breached tens of government organizations worldwide

Earth Krahang APT breached tens of government organizations worldwide

Pierluigi Paganini March 19, 2024

Trend Micro uncovered a sophisticated campaign conducted by Earth Krahang APT group that breached 70 organizations worldwide.

Trend Micro researchers uncovered a sophisticated campaign conducted by a threat actor tracked as Earth Krahang while investigating the activity of China-linked APT Earth Lusca. 

The campaign seems active since at least early 2022 and focuses primarily on government organizations.

The APT group was spotted exploiting public-facing servers, it was observed sending spear phishing emails to deliver previously undetected backdoors.

The group often exploited access to government infrastructure to target other government entities. The threat actors used this infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets, leveraging compromised government email accounts. The APT group also established access into victims’ private networks by creating VPN servers on compromised public-facing servers and conducting brute-force attacks to obtain email credentials. Then the attackers used these credentials to steal victim emails.

earth krahang APT

The group appears to be politically motivated and acting for cyberespionage purposes.

In many attacks, the group scanned public-facing servers with open-source scanning tools.

Earth Krahang was observed exploiting the following vulnerabilities to deploy webshells on target servers and gain a foothold within victim networks:

  • CVE-2023-32315: command execution on OpenFire
  • CVE-2022-21587: command execution on Oracle Web Applications Desktop Integrator

The spear-phishing messages used by the attackers are designed to deceive victims into opening attachments or clicking on embedded URL links, which ultimately result in the deployment of a backdoor on the victim’s machine. Analysis of the backdoors uploaded on VirusTotal revealed that threat actors utilized geopolitical topics as bait.

Earth Krahang was observed retrieving hundreds of email addresses from their targets during the reconnaissance phase. In one instance, the threat actors used a compromised mailbox from a government entity to send a malicious attachment to 796 email addresses belonging to the same entity.

“Earth Krahang abuses the trust between governments to conduct their attacks. We found that the group frequently uses compromised government webservers to host their backdoors and send download links to other government entities via spear phishing emails. Since the malicious link uses a legitimate government domain of the compromised server, it will appear less suspicious to targets and may even bypass some domain blacklists.” reads the analysis published by Trend Micro.

“In addition, the actor used a compromised government email account to send email to other governments.”

Trend Micro reported that Earth Krahang carried out brute force attacks on Exchange servers through their Outlook Web Access (OWA) portals belonging to its victims. The attackers use a list of common passwords to test the email accounts on the target’s email server. The researchers also observed the APT group using a custom Python script to carry out brute-forcing activity against the ActiveSync service on the OWA server.

Trend Micro also discovered a Python script used to exfiltrate emails from Zimbra servers.

Once obtained access to the target network, Eath Krahang deployed multiple malware and tools, including the post-exploitation tool Cobalt Strike, and the custom backdoors RESHELL and XDealer.

“Since 2023, the Earth Krahang shifted to another backdoor (named XDealer by TeamT5 and DinodasRAT by ESET). Compared to RESHELL, XDealer provides more comprehensive backdoor capabilities. In addition, we found that the threat actor employed both Windows and Linux versions of XDealer to target different systems.” continues the report.

Trend Micro identified 70 victims from 23 different countries. The experts believe that the APT group compromised or targeted organizations in 45 different countries, most of them in Asia and America, but also in Europe and Africa.

“Our previous report suggests Earth Lusca might be the penetration team behind the Chinese company I-Soon, which had their information leaked on GitHub recently. Using this leaked information, we found that the company organized their penetration team into two different subgroups.” concludes the report. “This could be the possible reason why we saw two independent clusters of activities active in the wild but with limited association. Earth Krahang could be another penetration team under the same company.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT)


facebook linkedin twitter

earth krahang Hacking hacking news information security news IT Information Security malware Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini August 13, 2025
Critical FortiSIEM flaw under active exploitation, Fortinet warns
Read more
Pierluigi Paganini August 13, 2025
Charon Ransomware targets Middle East with APT attack methods
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Critical FortiSIEM flaw under active exploitation, Fortinet warns

    Hacking / August 13, 2025

    Charon Ransomware targets Middle East with APT attack methods

    Malware / August 13, 2025

    Hackers leak 2.8M sensitive records from Allianz Life in Salesforce data breach

    Data Breach / August 13, 2025

    SAP fixed 26 flaws in August 2025 Update, including 4 Critical

    Uncategorized / August 13, 2025

    August 2025 Patch Tuesday fixes a Windows Kerberos Zero-Day

    Hacking / August 12, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT