Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan
Essential information
- Published
- 01/05/2025 20:32
- Modified
- 01/05/2025 20:57
- Tags
- 2025-05-01 anel backdoor apt10 espionage sharphide spear-phishing
- Related entities
- 36 observables, 1 intrusion sets (apt), 11 techniques (mitre), 2 others
Description
Earth Kasha, an APT group believed to be part of APT10, has launched a new campaign in March 2025 targeting government agencies and public institutions in Taiwan and Japan. The campaign uses spear-phishing to deliver an updated version of the ANEL backdoor, potentially for espionage purposes. Key updates include a new command to support BOF execution in memory and the use of SharpHide for persistence. The second-stage backdoor, NOOPDOOR, now supports DNS over HTTPS for C&C communications. The attack chain involves compromised email accounts, malicious Excel files, and various evasion techniques. This campaign demonstrates Earth Kasha's continued evolution and poses significant geopolitical implications.