MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur's Multi-Platform Attacks
Dec. 5, 2024, 10:24 a.m.
Description
Earth Minotaur, a threat actor targeting Tibetan and Uyghur communities, uses the MOONSHINE exploit kit to compromise Android devices and install the DarkNimbus backdoor. MOONSHINE targets the Chromium-based browser engine embedded in instant messaging apps, particularly WeChat, and has been updated with new exploits since it was first documented in 2019. DarkNimbus is a previously undocumented Android backdoor that also has a Windows version and provides comprehensive surveillance capabilities. The attack chain starts with social-engineering lures that lead the victim to an attacker-controlled page, exploits Chromium vulnerabilities in the app's embedded browser, and implants a trojanized XWalk browser core that persists the backdoor. DarkNimbus supports a range of data collection (messages, files, credentials, audio, screen and camera capture) and device-control features. Earth Minotaur appears to be an intrusion set distinct from previously reported groups, although overlaps with other Chinese operations are noted.
Tags
Date
- Created: Dec. 5, 2024, 7:31 a.m.
- Published: Dec. 5, 2024, 7:31 a.m.
- Modified: Dec. 5, 2024, 10:24 a.m.
Attack Patterns
- DarkNimbus (backdoor, Android and Windows)
- MOONSHINE (exploit kit)
- POISONPLUG.SHADOW (Mandiant's name for ShadowPad)
- ShadowPad - S0596
- Earth Minotaur (intrusion set)
- T1125 Video Capture
- T1552.001 Unsecured Credentials: Credentials In Files
- T1539 Steal Web Session Cookie
- T1204.001 User Execution: Malicious Link
- T1189 Drive-by Compromise
- T1059.004 Command and Scripting Interpreter: Unix Shell
- T1056.001 Input Capture: Keylogging
- T1555 Credentials from Password Stores
- T1113 Screen Capture
- T1123 Audio Capture
- T1005 Data from Local System
- T1518 Software Discovery
- T1203 Exploitation for Client Execution
- T1057 Process Discovery
- T1083 File and Directory Discovery
- T1595 Active Scanning
- T1033 System Owner/User Discovery
- T1190 Exploit Public-Facing Application
Additional Information
- China