Listen to this Post
Cybersecurity researchers have recently uncovered a new, China-linked cyber threat actor named Earth Alux, which has been targeting key sectors across the Asia-Pacific (APAC) and Latin American (LATAM) regions. This adversarial group has been active since mid-2023, and its operations are becoming increasingly sophisticated and far-reaching. Earth Alux has focused its efforts on sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail. Here’s a deep dive into the group’s tactics, techniques, and evolving strategies as they continue to evolve.
the Threat
Earth Alux, first identified in the second quarter of 2023, initially focused its attacks in the APAC region, with countries like Thailand, the Philippines, Malaysia, and Taiwan being primary targets. By 2024, the threat actor expanded its reach to Latin America, particularly targeting Brazil.
The
VARGEIT, a significant backdoor, enables the deployment of additional tools for reconnaissance, exfiltration, and lateral movement within compromised networks. It operates in a fileless manner, making it more difficult to detect. COBEACON, on the other hand, is employed as a first-stage backdoor and is loaded using a tool called MASQLOADER or RSBINJECT, a Rust-based command-line shellcode loader. The use of MASQLOADER has been found to incorporate an anti-detection technique that bypasses security software, further helping Earth Alux maintain stealth.
The attack cycle involves further deployment of tools such as RAILLOAD, a loader executed via DLL side-loading. RAILSETTER, another tool in the attacker’s arsenal, is used for persistence and timestomping, allowing the group to maintain control over compromised systems.
A striking feature of VARGEIT is its ability to communicate with its command-and-control (C&C) server through ten different channels, including HTTP, TCP, UDP, DNS, and even Microsoft Outlook using the Graph API. This diverse communication makes it harder for defenders to track and block the malware’s actions.
Additionally, Earth Alux tests its tools rigorously, using specialized tools like ZeroEye and VirTest, which are popular within the Chinese-speaking hacking community. These tools help the group maintain stealth and evade detection, enhancing the effectiveness of its long-term operations.
What Undercode Says:
Earth Alux presents a sophisticated and evolving threat landscape for organizations in APAC and LATAM regions. The group’s persistent use of advanced malware and complex tactics highlights its capabilities and determination to maintain a foothold in targeted networks for long-term espionage operations. Unlike many typical cybercriminal groups, Earth Alux doesn’t just deploy tools but also tests and refines them to ensure that they evade detection and are effective across a range of targets.
The use of fileless malware like VARGEIT allows Earth Alux to bypass traditional detection methods that rely on scanning for malware stored on disk. This makes it much harder for defenders to spot the malware through conventional means, which explains why the group has managed to operate undetected for extended periods.
The adaptability of the
Moreover, the fact that Earth Alux is leveraging communication methods like Microsoft Outlook’s Graph API to relay commands further demonstrates its ability to use legitimate infrastructure for malicious purposes. This technique could easily go unnoticed by many security systems, which are typically not set up to detect unusual behavior in common enterprise tools like Outlook.
The ongoing testing of these tools, such as ZeroEye and VirTest, indicates that Earth Alux is actively refining its strategies and adapting to the defenses it encounters. This commitment to improving their toolkit makes Earth Alux a particularly dangerous threat actor, as they are likely to continue finding new ways to exploit vulnerabilities and evade detection.
Given the sophisticated nature of Earth
Fact Checker Results:
– Verification of Sources: Trend
- Confirmed Tactics: The use of MASQLOADER, VARGEIT, and COBEACON has been corroborated by multiple cybersecurity researchers as part of Earth Alux’s toolkit.
- Tools and Techniques: The described malware behavior, such as fileless operation and DLL side-loading, matches techniques observed in other high-level cyberespionage campaigns, confirming the advanced nature of Earth Alux’s operations.
References:
Reported By: https://thehackernews.com/2025/04/china-linked-earth-alux-uses-vargeit.html
Extra Source Hub:
https://www.twitter.com
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2





