
Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions

Dec. 3, 2024, 4:24 p.m.

Description

Earth Estries, a Chinese APT group, has been aggressively targeting critical sectors worldwide since 2023. The group runs several backdoors in parallel, including GHOSTSPIDER, SNAPPYBEE and MASOL RAT, against organizations in telecommunications, government and other industries across many countries. Initial access comes from exploiting vulnerabilities in internet-facing servers (the CVEs listed below cover Microsoft Exchange, Sophos Firewall, Fortinet FortiClient EMS and Ivanti Connect Secure), and lateral movement relies on living-off-the-land binaries rather than custom tooling. Earth Estries has compromised more than 20 organizations, operates a multi-layered C&C infrastructure and appears to share tools with other Chinese APT groups. Its campaigns are long-term espionage operations that target not only the critical services themselves but also their vendors' networks, using those as stepping stones to broader access.

Date

Published: Dec. 3, 2024, 3:34 p.m.

Created: Dec. 3, 2024, 3:34 p.m.

Modified: Dec. 3, 2024, 4:24 p.m.

Indicators

fc3be6917fd37a083646ed4b97ebd2d45734a1e154e69c9c33ab00b0589a09e5

fba149eb5ef063bc6a2b15bd67132ea798919ed36c5acda46ee9b1118b823098

b2b617e62353a672626c13cc7ad81b27f23f91282aad7a3a0db471d84852a9ac

9ba31dc1e701ce8039a9a272ef3d55aa6df66984a322e0d309614a5655e7a85c

2fd4a49338d79f4caee4a60024bcd5ecb5008f1d5219263655ef49c54d9acdec

1a38303fb392ccc5a88d236b4f97ed404a89c1617f34b96ed826e7bb7257e296

16c8afd3b35c76a476851f4994be180f0cd72c7b250e493d3eb8c58619587266

05840de7fa648c41c60844c4e5d53dbb3bc2a5250dcb158a95b77bc0f68fa870

b63c82fc37f0e9c586d07b96d70ff802d4b707ffb2d59146cf7d7bb922c52e7e

6d64643c044fe534dbb2c1158409138fcded757e550c6f79eada15e69a7865bc

44ea2e85ea6cffba66f5928768c1ee401f3a6d6cd2a04e0d681d695f93cc5a1f

2b5e7b17fc6e684ff026df3241af4a651fc2b55ca62f8f1f7e34ac8303db9a31

25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b

96.9.211.27

91.245.253.27

45.125.67.144

43.226.126.165

43.226.126.164

205.189.160.3

185.105.1.243

172.93.165.14

172.93.165.10

146.70.79.18

146.70.79.105

143.198.92.175

139.59.236.31

104.194.153.65

103.75.190.73

139.99.114.108

139.59.108.43

27.102.113.240

23.81.41.166

165.154.227.192

103.159.133.251

103.159.133.205

141.255.164.98

103.91.64.214

158.247.222.165

193.239.86.168

www.infraredsen.com

http://141.255.164.98:2096

http://103.159.133.205/lib3.cab

vpn943823465.softether.net

vpn487875652.softether.net

vpn305783366.softether.net

private.royalnas.com

news.colourtinctem.com

jasmine.lhousewares.com

helpdesk.stnekpro.com

billing.clothworls.com

materialplies.com

vpn114240349.softether.net

esh.hoovernamosong.com

api.solveblemten.com

pulseathermakf.com

palloaltonetworks.com

imap.dateupdata.com
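The list above mixes four indicator shapes (SHA-256 hashes, IPv4 addresses, hostnames and URLs), and one of the hostnames, palloaltonetworks.com, is a lookalike of a legitimate vendor domain, so any matching has to be exact on label boundaries rather than by substring. The following script is an added example, not part of the original report or its IOC download: it classifies a subset of the indicators copied from the list above, then scans constructed key=value log lines (not from any real incident) and reports hits. The URL hosts are folded into the IP/domain sets as an assumption that a bare connection to a C&C host is worth flagging even without the listed path.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the list above (a subset; the full list has the same four shapes).
RAW_INDICATORS = [
    "fc3be6917fd37a083646ed4b97ebd2d45734a1e154e69c9c33ab00b0589a09e5",
    "96.9.211.27",
    "45.125.67.144",
    "141.255.164.98",
    "www.infraredsen.com",
    "http://141.255.164.98:2096",
    "http://103.159.133.205/lib3.cab",
    "materialplies.com",
    "palloaltonetworks.com",   # lookalike of a vendor domain; must be matched exactly
    "imap.dateupdata.com",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# A token is a run of letters, digits, dots and hyphens; "dst=1.2.3.4:2096" splits into
# "dst", "1.2.3.4" and "2096", so IPs and hostnames are compared as whole tokens.
TOKEN_RE = re.compile(r"[a-z0-9][a-z0-9.\-]*")


def classify(raw):
    """Return (kind, normalized value) for one raw indicator string."""
    s = raw.strip().lower()
    if SHA256_RE.match(s):
        return ("sha256", s)
    if "://" in s:
        return ("url", s)
    try:
        ipaddress.ip_address(s)
        return ("ip", s)
    except ValueError:
        pass
    if DOMAIN_RE.match(s):
        return ("domain", s)
    return ("unknown", s)


def build_ioc_sets(raw_indicators):
    """Group indicators by kind. The host of each URL is also added to the ip/domain set
    (assumption: a bare connection to a C&C host is worth flagging without the path)."""
    sets = {"sha256": set(), "ip": set(), "domain": set(), "url": set()}
    for raw in raw_indicators:
        kind, value = classify(raw)
        if kind == "unknown":
            continue
        sets[kind].add(value)
        if kind == "url":
            host = urlsplit(value).hostname
            if host:
                host_kind, host_value = classify(host)
                if host_kind in ("ip", "domain"):
                    sets[host_kind].add(host_value)
    return sets


def domain_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one. Matching is on label
    boundaries, so 'notmaterialplies.com' does not match 'materialplies.com' and the real
    'paloaltonetworks.com' does not match the lookalike 'palloaltonetworks.com'."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def scan_line(line, sets):
    """Return the sorted, de-duplicated list of (kind, value) IOC hits in one log line."""
    low = line.lower()
    hits = set()
    for tok in TOKEN_RE.findall(low):
        if tok in sets["sha256"]:
            hits.add(("sha256", tok))
        elif tok in sets["ip"]:
            hits.add(("ip", tok))
        elif "." in tok and domain_matches(tok, sets["domain"]):
            hits.add(("domain", tok))
    for url in sets["url"]:  # URLs contain ':' and '/', so they are compared as substrings
        if url in low:
            hits.add(("url", url))
    return sorted(hits)


def scan_log(lines, sets):
    """Return [(line_number, hits), ...] for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines):
        hits = scan_line(line, sets)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = [
    "2024-12-03T10:01:02Z proxy src=10.0.0.5 dst=141.255.164.98:2096 url=http://141.255.164.98:2096",
    "2024-12-03T10:01:09Z dns q=cdn.materialplies.com a=45.125.67.144",
    "2024-12-03T10:02:00Z dns q=notmaterialplies.com a=203.0.113.9",
    "2024-12-03T10:02:15Z dns q=paloaltonetworks.com a=203.0.113.10",
    "2024-12-03T10:03:30Z edr file=C:\\Windows\\Temp\\lib3.cab sha256=fc3be6917fd37a083646ed4b97ebd2d45734a1e154e69c9c33ab00b0589a09e5",
    "2024-12-03T10:04:00Z dns q=updates.example.com a=198.51.100.7",
]

if __name__ == "__main__":
    ioc_sets = build_ioc_sets(RAW_INDICATORS)
    for number, hits in scan_log(SAMPLE_LOG, ioc_sets):
        print(f"line {number}: {hits}")
```

Only lines 0, 1 and 4 of the sample produce hits: the lookalike domain and the "not..." prefix case are left alone, and a subdomain of a listed apex is caught. Swap RAW_INDICATORS for the full list and SAMPLE_LOG for real proxy, DNS and EDR exports; the token approach works on any text log where hosts and IPs appear as whole fields.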

Attack Patterns

SparrowDoor

MASOL RAT

SNAPPYBEE

GHOSTSPIDER

CrowDoor

DEMODEX

Earth Estries

T1021.002

T1505.003

T1102.002

T1132.001

T1573.002

T1059.001

T1071.001

T1016

T1082

T1083

T1055

T1140

T1027

T1053

T1112

T1190

T1133

T1078

T1068

T1003

CVE-2021-26858

CVE-2021-26857

CVE-2021-27065

CVE-2022-3236

CVE-2023-48788

CVE-2024-21887

CVE-2023-46805

CVE-2021-26855

Additional Information

Consulting

Chemical

Technology

Transportation

Telecommunications

Government

Eswatini

British Indian Ocean Territory

South Africa

Afghanistan

India

Taiwan

Thailand

Malaysia

Indonesia

Philippines

Pakistan

Brazil