Earth Kasha Strikes Again: New Spear-Phishing Campaign Hits Taiwan and Japan in 2025

In March 2025, a sophisticated new cyber campaign emerged from the shadows, orchestrated by the advanced persistent threat (APT) group Earth Kasha — a group widely believed to be part of the infamous Chinese-linked APT10. The campaign zeroes in on government agencies and public institutions across Taiwan and Japan, rekindling concerns about cyber-espionage in the Asia-Pacific region.

Leveraging spear-phishing as its primary entry point, Earth Kasha introduced a modified version of the ANEL backdoor, coupled with a refined malware delivery chain that includes the ROAMINGMOUSE dropper and the stealthy NOOPDOOR second-stage implant. The attack bears all the hallmarks of strategic intelligence gathering, indicating a high-level operation intended to breach critical infrastructure and exfiltrate sensitive data.

Targeted Breakdown of Earth Kasha’s 2025 Campaign

  • Main Focus: Earth Kasha launched a new spear-phishing campaign in March 2025, targeting Taiwanese and Japanese government sectors.
  • Delivery Vector: Emails impersonating legitimate communications contained malicious OneDrive links leading to weaponized Excel files.
  • Initial Payload: The Excel files used ROAMINGMOUSE, a macro-enabled dropper, which activated upon a click event rather than mouse movement — a notable evolution from previous campaigns.
  • Post-Execution Behavior: ROAMINGMOUSE deployed various components, including a malicious loader (ANELLDR) and an encrypted ANEL payload.
  • Persistence Tactics: The malware adjusted its execution methods when encountering endpoint protection software like McAfee.
  • First-Stage Backdoor (ANEL):
    – Encrypted payloads and versioning.
    – Newly added command for executing Beacon Object Files (BOFs) in memory.
    – Continued use of obfuscation via ChaCha20, XOR, and LZO.
  • Victim Profiling: The attackers gathered screenshots and system data to assess whether their targets were viable before initiating the second stage.
  • Second-Stage Payload (NOOPDOOR):
    – Used for long-term surveillance and data exfiltration.
    – Incorporated DNS over HTTPS (DoH) for stealthier communications.
    – Employed domain generation algorithms (DGA) to obscure C2 traffic.
  • SharpHide Utility: Enabled stealthy persistence via Hidden Start and avoided user interface detection.
  • Cleanup Routine: ANEL working directories were deleted post-exploitation to minimize forensic traceability.
  • Organizational Defense Recommendations:
    – Implement zero-trust on external OneDrive links.
    – Monitor for misuse of DoH traffic.
    – Disable macros in downloaded documents.
    – Utilize EDR tools to flag unusual system activity.
  • Platform Integration: Trend Vision One™ detects and neutralizes all observed Indicators of Compromise (IoCs), providing real-time threat intelligence and hunting capabilities.
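The delivery chain above hinges on a macro-enabled Excel attachment, and the recommendation is to disable macros in downloaded documents. A mail gateway can also refuse to release such files in the first place. The following is an added example, not code from the Trend Micro report or from Undercode: it inspects an OOXML attachment for an embedded VBA project and for the macro-enabled content type, and flags files whose extension claims a macro-free format while still carrying a VBA part. The file layout it relies on (the `vbaProject.bin` part and the `[Content_Types].xml` declarations) is an assumption about the Office Open XML format, not something the write-up states; the sample files are constructed in memory and are not real spreadsheets.

```python
"""Gateway-side triage of Office attachments for embedded VBA projects.

Added example (not from the Trend Micro report or Undercode). Assumes the
attachment is an Office Open XML zip; legacy .xls binaries are out of scope.
"""
import io
import zipfile

# OOXML parts that hold a VBA project, and the main-part content types that
# Office declares for macro-enabled documents (format assumption, see lead-in).
VBA_PART_NAMES = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
)
MACRO_FREE_EXTENSIONS = ("xlsx", "docx")


def inspect_office_attachment(data: bytes, filename: str) -> dict:
    """Return what a gateway wants to know before releasing an attachment:
    is it OOXML, does it carry a VBA project, does its content type declare
    macros, and does the extension pretend to be a macro-free format."""
    result = {
        "filename": filename,
        "ooxml": False,
        "has_vba": False,
        "content_type_says_macro": False,
        "extension_mismatch": False,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return result  # a zip, but not an Office package
            result["ooxml"] = True
            result["has_vba"] = any(part in names for part in VBA_PART_NAMES)
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["content_type_says_macro"] = any(ct in ctypes for ct in MACRO_CONTENT_TYPES)
    except zipfile.BadZipFile:
        return result  # not a zip at all (PDF, legacy .xls, plain text, ...)
    ext = filename.lower().rsplit(".", 1)[-1]
    # A VBA part inside a file named .xlsx/.docx is worth flagging on its own:
    # the extension is what users and some filters judge the file by.
    result["extension_mismatch"] = result["has_vba"] and ext in MACRO_FREE_EXTENSIONS
    return result


def should_quarantine(report: dict) -> bool:
    """Policy from the write-up's recommendation: no macros in inbound documents."""
    return report["has_vba"] or report["content_type_says_macro"]


def build_sample_xlsm(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip in memory (sample data, not a real
    spreadsheet) so the checks above can be exercised offline."""
    plain_main = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
    main_ct = MACRO_CONTENT_TYPES[0] if with_vba else plain_main
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/></Types>',
        )
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    # "Revised Resume" is one of the lure filenames the write-up mentions.
    for name, blob in (
        ("quarterly-report.xlsx", build_sample_xlsm(with_vba=False)),
        ("Revised Resume.xlsm", build_sample_xlsm(with_vba=True)),
        ("Revised Resume.xlsx", build_sample_xlsm(with_vba=True)),
    ):
        report = inspect_office_attachment(blob, name)
        print(name, "quarantine" if should_quarantine(report) else "release", report)
```

The check is deliberately structural rather than content-based: it does not parse the VBA stream, so it cannot be fooled by obfuscated macro source, and it runs on the raw attachment before any Office application touches it.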

What Undercode Says:

Earth Kasha’s latest campaign is a stark reminder that nation-state cyberattacks continue to evolve in stealth and sophistication. By adjusting technical tactics — switching from Word to Excel files, altering event triggers, and embedding BOF execution — this APT group shows clear signs of professional operational adaptation. This isn’t mere experimentation; it’s strategic innovation.

The spear-phishing element isn’t new, but the way it’s being weaponized speaks volumes. By using legitimate compromised email accounts and masking downloads with convincing filenames such as “Revised Resume” or diplomatic reports, Earth Kasha maximizes the psychological manipulation behind their technical attack vector. It’s a blend of social engineering finesse and malware engineering.

ROAMINGMOUSE stands out not just as a dropper, but as a stage manager — unzipping, decoding, and deploying payloads that transition the attack from initial access to post-exploitation reconnaissance. The decision to switch to click-based activation reflects an understanding of behavioral analytics and how to evade common sandbox triggers.

The ANEL backdoor continues to serve as Earth Kasha’s digital skeleton key. Despite its consistency across campaigns, it’s far from static. The addition of BOF support shows a shift toward modular in-memory execution, aligning with techniques from toolkits like Cobalt Strike that other elite APTs rely on. These upgrades allow for quick adaptation without dropping additional files — a direct challenge to traditional detection mechanisms.

NOOPDOOR’s evolution is even more alarming. The use of DNS over HTTPS not only bypasses most network-level detection systems but also mimics legitimate encrypted web traffic. By embedding public DoH servers like Google and Cloudflare, the malware camouflages its traffic in the noise of daily internet activity.
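Because NOOPDOOR hides its C2 inside DNS over HTTPS to public resolvers and names its C2 hosts with a DGA, the two signals a network defender can still see are the DoH endpoint itself and, for JSON-style queries, the looked-up name. The block below is an added example serving both the NOOPDOOR description above and the earlier recommendation to monitor for misuse of DoH; it is not code from the Trend Micro report or from Undercode. It runs over a few constructed proxy log lines in a hypothetical `timestamp client method url content-type status` format, flags requests to the Google and Cloudflare DoH paths the write-up names, flags DoH content types sent to unlisted resolvers, and applies a length/entropy/vowel heuristic for DGA-like names. The resolver list, log format, and thresholds are assumptions; the assumed environment is one where clients resolve DNS through the organisation's own resolvers, so endpoint DoH is unexpected by policy.

```python
"""Flag DNS-over-HTTPS use and DGA-like hostnames in proxy logs.

Added example (not from the Trend Micro report or Undercode). The log format,
resolver list and thresholds are assumptions; sample lines are constructed.
"""
import math
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Public DoH resolvers the write-up says NOOPDOOR uses (Google, Cloudflare),
# keyed by host with the query paths each serves. Assumed policy: clients use
# the organisation's resolvers, so DoH from an endpoint is itself a finding.
DOH_ENDPOINTS = {
    "dns.google": ("/dns-query", "/resolve"),
    "8.8.8.8": ("/dns-query", "/resolve"),
    "cloudflare-dns.com": ("/dns-query",),
    "mozilla.cloudflare-dns.com": ("/dns-query",),
    "1.1.1.1": ("/dns-query",),
}
DOH_CONTENT_TYPES = {"application/dns-message", "application/dns-json"}

# Hypothetical proxy log line: ts client method url content-type status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<ctype>\S+) (?P<status>\d{3})$"
)


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_dga(hostname: str) -> bool:
    """Heuristic for algorithmically generated names: a long registrable label
    with high character entropy and almost no vowels. Uses the second label from
    the right, which is right for .com-style names; a real deployment would use a
    public-suffix list and an allowlist of known-good domains."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= 12 and shannon_entropy(label) >= 3.5 and vowels / len(label) <= 0.25


def classify(line: str) -> list:
    """Return the findings for one log line (empty list means nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    url = urlsplit(m["url"])
    host, path = url.hostname or "", url.path
    findings = []
    if host in DOH_ENDPOINTS and path in DOH_ENDPOINTS[host]:
        findings.append(f"doh:{host}")
    else:
        if m["ctype"] in DOH_CONTENT_TYPES:
            # DoH to a resolver not on the list: the content type still gives it away.
            findings.append(f"doh-unknown-resolver:{host}")
        if looks_dga(host):
            findings.append(f"dga-like:{host}")
    # JSON-style GET queries carry the looked-up name in the URL. Wire-format
    # POST bodies do not, which is why the endpoint itself must be the signal there.
    for name in parse_qs(url.query).get("name", []):
        if looks_dga(name):
            findings.append(f"dga-like:{name}")
    return findings


# Constructed sample: one client talking DoH to both resolvers and resolving a
# random-looking name; another client doing ordinary browsing.
SAMPLE_LOG = """\
2025-03-12T09:14:02Z 10.20.1.55 POST https://cloudflare-dns.com/dns-query application/dns-message 200
2025-03-12T09:14:03Z 10.20.1.55 GET https://dns.google/resolve?name=xk3j9qzv0rfb2w.com&type=A application/dns-json 200
2025-03-12T09:15:10Z 10.20.1.77 GET https://www.microsoft.com/en-us/ text/html 200
2025-03-12T09:15:11Z 10.20.1.77 GET https://login.microsoftonline.com/ text/html 302
"""


def scan(log_text: str) -> dict:
    """Map each client to its findings, omitting clients with none."""
    report = {}
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            client = line.split(" ", 2)[1]
            report.setdefault(client, []).extend(findings)
    return report


if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG).items():
        print(client, findings)
```

Only the 10.20.1.55 client is reported: two DoH contacts plus a DGA-like lookup, while the ordinary Microsoft traffic from 10.20.1.77 passes. The entropy threshold alone is not enough (a legitimate hyphenated name such as cloudflare-dns scores above 3.5), which is why the vowel ratio and an allowlist matter in practice.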

SharpHide’s integration adds an additional layer of stealth — hiding UI elements, evading user detection, and leveraging known system binaries like msiexec.exe to execute hidden payloads. It’s not just persistence — it’s a nearly invisible occupation of the victim system.

Beyond the technical, the geopolitical implications are immense. Earth Kasha’s continued interest in Taiwan and Japan suggests a concerted effort to undermine regional stability or gain leverage in diplomatic affairs. The intelligence collected could influence foreign policy, defense planning, and international negotiations.

For defenders, the lesson here is clear: signature-based detection is no longer enough. Behavioral analytics, memory scanning, and anomaly detection are critical. Also, user education should not be underestimated — many breaches still hinge on a single click.

Trend Vision One’s ability to detect these specific threats reinforces the importance of integrated security platforms that combine EDR, threat intel, and response automation. Without such systems, organizations remain blind to slow, persistent threats like Earth Kasha.

Fact Checker Results:

  • Earth Kasha is indeed linked to APT10 and has a history of espionage-focused cyberattacks.
  • The
  • The addition of DNS over HTTPS and BOF execution reflects real, observable trends in modern cyber threat tactics.

References:

Reported By: www.trendmicro.com