Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
Dec. 3, 2024, 4:24 p.m.
Description
Earth Estries, a Chinese APT group, has been aggressively targeting critical sectors globally since 2023. The group employs advanced techniques and multiple backdoors, including GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, to compromise organizations in telecommunications, government, and other industries across various countries. Its attacks exploit server vulnerabilities for initial access and use living-off-the-land binaries for lateral movement. Earth Estries has successfully infiltrated over 20 organizations, operating a complex C&C infrastructure and possibly sharing tools with other Chinese APT groups. The group's operations involve long-term espionage, targeting not only critical services but also vendor networks to facilitate broader access.
Tags
Date
- Created: Dec. 3, 2024, 3:34 p.m.
- Published: Dec. 3, 2024, 3:34 p.m.
- Modified: Dec. 3, 2024, 4:24 p.m.
Indicators
- fc3be6917fd37a083646ed4b97ebd2d45734a1e154e69c9c33ab00b0589a09e5
- fba149eb5ef063bc6a2b15bd67132ea798919ed36c5acda46ee9b1118b823098
- b2b617e62353a672626c13cc7ad81b27f23f91282aad7a3a0db471d84852a9ac
- 9ba31dc1e701ce8039a9a272ef3d55aa6df66984a322e0d309614a5655e7a85c
- 2fd4a49338d79f4caee4a60024bcd5ecb5008f1d5219263655ef49c54d9acdec
- 1a38303fb392ccc5a88d236b4f97ed404a89c1617f34b96ed826e7bb7257e296
- 16c8afd3b35c76a476851f4994be180f0cd72c7b250e493d3eb8c58619587266
- 05840de7fa648c41c60844c4e5d53dbb3bc2a5250dcb158a95b77bc0f68fa870
- b63c82fc37f0e9c586d07b96d70ff802d4b707ffb2d59146cf7d7bb922c52e7e
- 6d64643c044fe534dbb2c1158409138fcded757e550c6f79eada15e69a7865bc
- 44ea2e85ea6cffba66f5928768c1ee401f3a6d6cd2a04e0d681d695f93cc5a1f
- 2b5e7b17fc6e684ff026df3241af4a651fc2b55ca62f8f1f7e34ac8303db9a31
- 25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b
- 96.9.211.27
- 91.245.253.27
- 45.125.67.144
- 43.226.126.165
- 43.226.126.164
- 205.189.160.3
- 185.105.1.243
- 172.93.165.14
- 172.93.165.10
- 146.70.79.18
- 146.70.79.105
- 143.198.92.175
- 139.59.236.31
- 104.194.153.65
- 103.75.190.73
- 139.99.114.108
- 139.59.108.43
- 27.102.113.240
- 23.81.41.166
- 165.154.227.192
- 103.159.133.251
- 103.159.133.205
- 141.255.164.98
- 103.91.64.214
- 158.247.222.165
- 193.239.86.168
- www.infraredsen.com
- http://141.255.164.98:2096
- http://103.159.133.205/lib3.cab
- vpn943823465.softether.net
- vpn487875652.softether.net
- vpn305783366.softether.net
- private.royalnas.com
- news.colourtinctem.com
- jasmine.lhousewares.com
- helpdesk.stnekpro.com
- billing.clothworls.com
- materialplies.com
- vpn114240349.softether.net
- esh.hoovernamosong.com
- api.solveblemten.com
- pulseathermakf.com
- palloaltonetworks.com
- imap.dateupdata.com
Attack Patterns
- SparrowDoor
- MASOL RAT
- SNAPPYBEE
- GHOSTSPIDER
- CrowDoor
- DEMODEX
- Earth Estries
- T1021.002
- T1505.003
- T1102.002
- T1132.001
- T1573.002
- T1059.001
- T1071.001
- T1016
- T1082
- T1083
- T1055
- T1140
- T1027
- T1053
- T1112
- T1190
- T1133
- T1078
- T1068
- T1003
Additional Information
- Consulting
- Chemical
- Technology
- Transportation
- Telecommunications
- Government
- Eswatini
- British Indian Ocean Territory
- South Africa
- Afghanistan
- India
- Taiwan
- Thailand
- Malaysia
- Indonesia
- Philippines
- Pakistan
- Brazil