Introduction
A newly identified advanced persistent threat (APT) group known as Earth Kurma is conducting a stealthy and highly targeted cyberespionage campaign across Southeast Asia. Government agencies and telecom infrastructure in countries such as the Philippines, Vietnam, Thailand, and Malaysia are in the crosshairs. Utilizing a powerful combination of custom-built malware, rootkits, and legitimate cloud platforms like Dropbox and OneDrive, Earth Kurma is carving deep, persistent footholds inside critical networks, allowing long-term data theft without immediate detection.
Trend Micro’s recent research exposes the depth of this campaign, highlighting advanced malware families such as TESDAT, SIMPOBOXSPY, MORIYA, and KRNRAT. The attackers have shown incredible sophistication in their tactics, maintaining stealth by leveraging trusted IT systems and exploiting native Windows components to blend in with regular network activity. While Earth Kurma shares some DNA with known APT groups like ToddyCat and Operation TunnelSnake, the distinct techniques and toolsets suggest it is a standalone operation with its own goals and strategies.
This article provides a detailed overview of the attack infrastructure, malware arsenal, infection tactics, and potential ramifications of this campaign for national security and private sector resilience in Southeast Asia.
Key Highlights from the Investigation
- Highly Targeted Campaign: Earth Kurma focuses on cyberespionage, specifically targeting government entities and telecoms in Southeast Asia, with a significant presence in the Philippines, Vietnam, Thailand, and Malaysia.
- Advanced Toolsets: Attackers deployed custom malware including TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA. These are tailored to avoid detection, maintain persistence, and enable deep system penetration.
- Cloud-Based Exfiltration: Exfiltrated data is hidden and transported via trusted cloud platforms like Dropbox and OneDrive, bypassing traditional network monitoring solutions.
- Stealthy Rootkits: Rootkits like MORIYA and KRNRAT manipulate kernel-level processes and hide communications, providing attackers with invisible access to compromised systems.
- Long-Term Persistence: Earth Kurma implants multiple loaders such as DUNLOADER, DMLOADER, and TESDAT that help maintain prolonged access to victim systems while minimizing detection risk.
- Lateral Movement & Credential Theft: The campaign uses sophisticated techniques like WMIHACKER and ICMPinger for network reconnaissance, along with a keylogger (KMLOG) to capture user credentials.
- Use of Living-Off-the-Land Binaries (LOLBins): The attackers employ legitimate Windows tools to execute malicious commands, making detection more difficult.
- Data Exfiltration via DFSR: Stolen files are collected, archived, and then replicated across domain controllers using Windows’ Distributed File System Replication feature—making exfiltration seamless and resilient.
- Attribution Remains Unclear: Although toolset similarities point to ToddyCat and Operation TunnelSnake, Earth Kurma’s distinct operational behaviors set it apart as a unique APT.
- Proactive Threat Detection: Trend Vision One™ detects and blocks Earth Kurma components and provides hunting queries, threat insights, and ongoing intelligence to aid in defense.
- Security Recommendations:
  - Implement strict driver and software installation policies.
  - Audit and secure AD and DFSR services.
  - Restrict SMB traffic to limit lateral movement opportunities.
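As an added defensive example (not code from Trend Micro's report or from this post), the following PowerShell hunt walks the DFSR replicated folders a domain controller is a member of and flags recently written archive files, the staging-then-replication pattern the DFSR highlight describes. It assumes the DFSR PowerShell module is available on the host; the archive extensions and the 7-day window are tuning assumptions, not indicators taken from the report.

```powershell
# Added example: audit DFSR replicated content paths on this host for
# archive files written recently. Assumes the DFSR module (DC role / RSAT).
param(
    [int]$Days = 7,                                   # assumed lookback window
    [string[]]$ArchiveExt = @('.zip', '.rar', '.7z', '.cab')  # assumed extensions
)

$since = (Get-Date).AddDays(-$Days)
$hits  = @()

# Every replication group membership of this computer, with its content path.
$memberships = Get-DfsrMembership -ComputerName $env:COMPUTERNAME -ErrorAction Stop

foreach ($m in $memberships) {
    if (-not (Test-Path -LiteralPath $m.ContentPath)) { continue }

    Get-ChildItem -LiteralPath $m.ContentPath -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            # Skip DFSR's own private staging area to reduce noise.
            $_.FullName -notmatch '\\DfsrPrivate\\' -and
            $ArchiveExt -contains $_.Extension.ToLower() -and
            $_.LastWriteTime -ge $since
        } |
        ForEach-Object {
            $hits += [pscustomobject]@{
                Group     = $m.GroupName
                Folder    = $m.FolderName
                Path      = $_.FullName
                SizeMB    = [math]::Round($_.Length / 1MB, 2)
                LastWrite = $_.LastWriteTime
                Owner     = (Get-Acl -LiteralPath $_.FullName).Owner
            }
        }
}

if ($hits.Count -eq 0) {
    Write-Output "No archive files written to replicated folders in the last $Days days."
} else {
    # Largest archives first; unexpected owners (service or machine accounts)
    # and archives in SYSVOL-style folders deserve manual review.
    $hits | Sort-Object SizeMB -Descending | Format-Table -AutoSize
}
```

Run it on each replication member, since a file staged on one DC replicates to all partners and the originating host is the one worth correlating with logon and process telemetry.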
What Undercode Says:
The emergence of Earth Kurma signals a new evolution in the world of cyberespionage, where stealth, persistence, and adaptability are the pillars of long-term intrusion. What sets Earth Kurma apart is not just its technical acumen, but its deep understanding of Southeast Asian digital infrastructures and governmental operations.
From a threat intelligence perspective, this campaign exemplifies the modern APT strategy—disguise malicious traffic using trusted platforms (Dropbox, OneDrive), abuse legitimate Windows features (WMI, SMB, DFSR), and execute payloads with refined stealth (fiber switching instead of standard threading). Their payloads such as KRNRAT and MORIYA are no ordinary malware—they are weapons built to integrate invisibly into target systems.
Earth Kurma’s playbook reflects military-grade cyber capabilities. Its use of kernel-level rootkits indicates that attackers aim not only to steal information but to stay deeply embedded in the target networks for as long as possible. Rootkits like KRNRAT aren’t just hiding files—they’re controlling ports, injecting shellcode directly into processes, and masking network footprints entirely. That’s not opportunistic hacking—that’s nation-state sophistication.
By utilizing DFSR for data replication and eventual exfiltration, the group cleverly hijacks an essential infrastructure feature, transforming it into a stealth channel for data theft. This shows how Earth Kurma exploits the very mechanisms designed for redundancy and efficiency.
Their targeted sectors—government and telecom—suggest their objectives go beyond financial gain. We’re looking at long-term intelligence collection, possibly laying groundwork for geopolitical leverage, surveillance, or even sabotage. The compromised telecom systems could be used for mass interception or disruption, while access to government data might influence policy or expose diplomatic secrets.
Additionally, Earth Kurma’s apparent reuse of code and partial overlap with other known APTs opens up the discussion around collaboration or code-leak dynamics in the cyber underground. It’s increasingly common for groups to borrow from each other’s playbooks or share modular components. But Earth Kurma’s deviation in post-exploitation behavior suggests either a splinter group or an entirely separate entity drawing inspiration from known actors.
Their precision and patience reflect a commitment to long-term operations—something only seen in top-tier APTs. These aren’t smash-and-grab attacks. These are ghost operations, thriving in the shadows, feeding off stolen intelligence, and always staying one step ahead of conventional defenses.
To mitigate such threats, organizations need to move beyond reactive measures. Proactive detection, behavioral analysis, and threat hunting are no longer optional—they’re critical. Platforms like Trend Vision One™ play a vital role in preempting these sophisticated campaigns by contextualizing threats and enabling pre-breach intervention.
In the grand scope of cyber conflict, Earth Kurma is a warning shot—an indication that regional cyberwars are already in motion. Their campaign raises pressing questions about cybersecurity readiness, national defense strategy, and the privatization of cyber defense technologies. Southeast Asian governments and their partners need to treat this as more than just another malware outbreak—it’s an incursion into their sovereignty.
Fact Checker Results
- Earth Kurma’s campaign is confirmed by independent analysis from Trend Micro.
- Tool overlaps with ToddyCat and Operation TunnelSnake are real but not definitive for attribution.
- Cloud services like Dropbox and OneDrive are being actively abused for stealthy exfiltration, confirmed by file path logs and tool behavior.
References:
Reported By: www.trendmicro.com