Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan

May 1, 2025, 8:57 p.m.

Description

Earth Kasha, an APT group believed to be part of APT10, launched a new campaign in March 2025 targeting government agencies and public institutions in Taiwan and Japan. The campaign uses spear-phishing to deliver an updated version of the ANEL backdoor, potentially for espionage purposes. Key updates include a new command that supports BOF (Beacon Object File) execution in memory and the use of SharpHide for persistence. The second-stage backdoor, NOOPDOOR, now supports DNS over HTTPS for C&C communications. The attack chain involves compromised email accounts, malicious Excel files, and various evasion techniques. This campaign demonstrates Earth Kasha's continued evolution and carries significant geopolitical implications.

Date

  • Created: May 1, 2025, 8:32 p.m.
  • Published: May 1, 2025, 8:32 p.m.
  • Modified: May 1, 2025, 8:57 p.m.

Indicators


Attack Patterns

Additional Information

  • Taiwan
  • Japan