Earth Kasha

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to intrusion sets

· Published 21/12/2025 07:59 · Modified 21/12/2025 07:59 · Source: AlienVault

Essential information

Confidence: 100/100
Published: 21/12/2025 07:59
Modified: 21/12/2025 07:59
Updated at: 21/12/2025 07:59
Revoked: No
Author / Source: AlienVault
Resource level: —
Primary motivation: —
Related entities: 3 reports, 38 attack patterns (mitre), 8 malware, 4 sectors, 4 countries, 41 indicators, 7 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (3)

Earth Kasha Updates TTPs in Latest Campaign Targeting …

11 MITREs 36 Observables 1 APT
Guess Who’s Back - The Return of ANEL …

13 MITREs 5 Malwares 6 Observables 1 APT
Spot the Difference: New LODEINFO Campaign And The …

7 CVEs 19 MITREs 4 Malwares 7 Observables 1 APT

Attack patterns (MITRE) (38)

T1053.005 uses

Scheduled Task MITRE
T1078 uses

Valid Accounts MITRE
T1134 uses

Access Token Manipulation MITRE
T1140 uses

Deobfuscate/Decode Files or Information MITRE
T1132 uses

Data Encoding MITRE
T1543.003 uses

Windows Service MITRE
T1190 uses

Exploit Public-Facing Application MITRE
T1053 uses

Scheduled Task/Job MITRE
T1027 uses

Obfuscated Files or Information MITRE
T1573.002 uses

Asymmetric Cryptography MITRE
T1566.002 uses

Spearphishing Link MITRE
T1021.002 uses

SMB/Windows Admin Shares MITRE

← Previous

Page / 4

13–24 of 38

NOOPDOOR uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ANELLDR uses

Family
UPPERCUT uses
Cobalt Strike - S0154 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UPPERCUT - S0275 uses

Family
LODEINFO uses

Family
ROAMINGMOUSE uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MirrorStealer uses

AlienVault Confidence 100

[MirrorStealer](https://attack.mitre.org/software/S9022) is a credential stealer that has been used by [MirrorFace](https://attack.mitre.org/groups/G1054) since at least 2022 to steal credentials from various applications, including browsers and email clients. [MirrorStealer](https://attack.mitre.org/software/S9022) has…

First seen 01/01/1970 · Last seen 16/11/5138 ·

Sectors (4)

Technology targets
Defense targets
Manufacturing targets
Government targets

Countries (4)

Japan targets
Taiwan targets
British Indian Ocean Territory targets
India targets

Indicators (41)

6edf72495e03ca757fa55beb2ea02492f2e7a4b85ca287a9d08bbe60e390c618 indicates
517ef26be8b9fb1af0e9780b244827af4937ad2fa4778a0bd2d9c65502ce54e1 indicates
a12a34d329ccc305dca2306e2d698945f1413c013fe99d4bb069db2127f47806 indicates
7fb4c9f041d4411311437e12427aaf09d369bc384faa2de4b5bc8ae36a42190e indicates
9c24b60574f39b0565442a79a629a2944672f56acca555e81275e5079382d98b indicates
earth.hopto.org indicates

stix 100/100 Revoked

· Valid until 24/10/2025 · Source: AlienVault
9569c4044f8cf32bc9a0513ed7c4497bb6ab71b701c53e58719ef259b3716751 indicates
b56aa48721cd1119a9e06ed9c2f923a1dda5f9aa079dc0e4fd66ab37e33649e8 indicates
69e2a259e0136b61a3acad3f8fad2c012c75c9d8e26e66a3f0af1e7c23506b5c indicates
e5b99572581df7a5116511be3f03b9f1a90611235b8288d9f59141876adb1ef1 indicates
srmbr.com indicates

stix 100/100 Revoked

· Valid until 15/09/2025 · Source: AlienVault
e123fa2abf1a2f12af9f1828b317d486d1df63aff801d591c5e939eb06eb4cfc indicates

← Previous

Page / 4

1–12 of 41

Vulnerabilities (CVE) (7)

CVE-2023-3466 targets

8.3 High

Reflected Cross-Site Scripting (XSS)

Attack vector: NETWORK
Published: 19/07/2023
Modified: 21/12/2025

CVE-2023-45727 KEV targets

7.5 High

North Grid Proself Enterprise/Standard, Gateway, and Mail Sanitize contain an improper restriction of XML External Entity (XXE) reference vulnerability, which could allow …

Attack vector: Network
Published: 03/12/2024
Modified: 21/12/2025

CVE-2023-27997 KEV targets

9.8 Critical

Fortinet FortiOS and FortiProxy SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute code or …

Attack vector: Network
Published: 13/06/2023
Modified: 21/12/2025

CVE-2023-28461 KEV targets

9.8 Critical

Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files …

Attack vector: Network
Published: 25/11/2024
Modified: 21/12/2025

CVE-2023-3467 targets

8.0 High

Privilege Escalation to root administrator (nsroot)

Attack vector: ADJACENT_NETWORK
Published: 19/07/2023
Modified: 21/12/2025

CVE-2013-3900 KEV targets

5.5 Medium

A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for PE files.

Attack vector: LOCAL
Complexity: LOW
Published: 11/12/2013
Modified: 22/04/2026

CWE-347

CVE-2023-3519 KEV targets

9.8 Critical

Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.

Attack vector: Network
Published: 19/07/2023
Modified: 27/05/2026

Contact About Legal notice Privacy policy Terms of use

Earth Kasha

Essential information

Description

Marking (TLP)

Related entities

Reports (3)

Attack patterns (MITRE) (38)

Malware (8)

Sectors (4)

Countries (4)

Indicators (41)

Vulnerabilities (CVE) (7)