Earth Estries
Essential information
- Confidence: 100/100
- Published: 21/12/2025 01:18
- Modified: 21/12/2025 01:18
- Updated at: 21/12/2025 01:18
- Revoked: No
- Author / Source: AlienVault
- Resource level: —
- Primary motivation: —
- Related entities: 2 reports, 44 attack patterns (MITRE), 9 malware, 6 sectors, 14 countries, 76 indicators, 9 vulnerabilities (CVE)
Description
No description.
Marking (TLP)
TLP:CLEAR
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (2)
- Report: 1 CVE, 10 MITRE attack patterns, 3 malware, 10 observables, 1 APT · Published 28/10/2025 03:04 · Modified 28/10/2025 10:00
- Report: 8 CVEs, 20 MITRE attack patterns, 6 malware, 57 observables, 1 APT · Published 03/12/2024 15:34 · Modified 03/12/2024 16:24
Attack patterns (MITRE) (44)
- T1036.004 Masquerade Task or Service
- T1574.002
- T1133 External Remote Services
- T1134.001 Token Impersonation/Theft
- T1053.006 Systemd Timers
- T1573.002 Asymmetric Cryptography
- T1567.002 Exfiltration to Cloud Storage
- T1082 System Information Discovery
- T1056.001 Keylogging
- T1027.002 Software Packing
- T1547.001 Registry Run Keys / Startup Folder
- T1070 Indicator Removal
- T1071.004 DNS
- T1070.004 File Deletion
- T1047 Windows Management Instrumentation
- T1132.001 Standard Encoding
- T1140 Deobfuscate/Decode Files or Information
- T1112 Modify Registry
- T1190 Exploit Public-Facing Application
- T1078 Valid Accounts
- T1021 Remote Services
- T1053 Scheduled Task/Job
- T1204.002 Malicious File
- T1027 Obfuscated Files or Information
- T1016 System Network Configuration Discovery
- T1059.002 AppleScript
- T1055 Process Injection
- T1021.002 SMB/Windows Admin Shares
- T1102.002 Bidirectional Communication
- T1083 File and Directory Discovery
- T1003 OS Credential Dumping
- T1113 Screen Capture
- T1071.001 Web Protocols
- T1543.003 Windows Service
- T1053.005 Scheduled Task
- T1573.001 Symmetric Cryptography
- T1036.006 Space after Filename
- T1059.001 PowerShell
- T1553.002 Code Signing
- T1505.003 Web Shell
- T1059.003 Windows Command Shell
- T1482 Domain Trust Discovery
- T1068 Exploitation for Privilege Escalation
- T1087 Account Discovery
Malware (9)
- GHOSTSPIDER (family) · Published 03/12/2024 15:34 · Modified 03/12/2024 15:34
- SNAPPYBEE (family) · Published 05/05/2026 14:07 · Modified 05/05/2026 14:07
- DEMODEX (family) · Published 03/12/2024 15:34 · Modified 03/12/2024 15:34
- SparrowDoor (family) · Published 26/03/2025 20:15 · Modified 26/03/2025 20:15
- CrowDoor (family) · Published 05/03/2026 20:13 · Modified 05/03/2026 20:13
- MASOL RAT (family) · Published 26/04/2025 01:52 · Modified 26/04/2025 01:52
- ShadowPad - S0596 (family) · Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
- TrojanSpy (family) · Published 25/03/2025 21:10 · Modified 25/03/2025 21:10
- POISONPLUG.SHADOW (family) · Published 30/04/2026 19:11 · Modified 30/04/2026 19:11
Sectors targeted (6)
- Technology
- Transportation
- Telecommunications
- Chemical
- Consulting
- Government
Countries targeted (14)
- Philippines
- Eswatini
- Malaysia
- Afghanistan
- British Indian Ocean Territory
- South Africa
- India
- Indonesia
- Pakistan
- Thailand
- Germany
- United States of America
- Brazil
- Taiwan
Indicators (76)
Vulnerabilities (CVE) (9)
- Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. · Published 03/11/2021 · Modified 21/12/2025
- Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. · Published 03/11/2021 · Modified 20/12/2025
- RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary … · Attack vector: Network · Published 12/08/2025 · Modified 27/05/2026
- Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. · Published 03/11/2021 · Modified 20/12/2025
- Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the … · Attack vector: Network · Published 10/01/2024 · Modified 27/05/2026
- Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web … · Attack vector: Network · Published 10/01/2024 · Modified 27/05/2026
- Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. · Published 03/11/2021 · Modified 21/12/2025
- A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution. · Attack vector: Network · Published 23/09/2022 · Modified 27/05/2026
- Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests. · Attack vector: Network · Published 25/03/2024 · Modified 21/12/2025