A Trend Micro analysis of Earth Estries found that the Chinese threat actor is using new backdoors to avoid detection during espionage operations
Analysis Summary
# Threat Actor: Earth Estries
## Attribution & Identity
* **Identification:** Chinese state-sponsored threat actor.
* **Aliases:** None explicitly confirmed in the text.
* **Associated Groups:** TTPs overlap with the APT actor **Salt Typhoon**, but the report does not establish conclusive evidence tying Earth Estries to specific Salt Typhoon incidents.
## Activity Summary
Earth Estries is described as "one of the most aggressive Chinese APT groups" currently active. Since 2023, it has compromised over 20 organizations globally for espionage purposes. The group appears well-organized with a clear division of labor: different operators may handle attacks against specific regions or industries, and separate infrastructure teams manage the C2 infrastructure for its backdoors.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploits public-facing server vulnerabilities.
- **Lateral Movement:** Uses living-off-the-land binaries (LOLBins, as catalogued by the LOLBAS project) rather than bespoke tooling, so that lateral activity blends in with legitimate administration.
- **Evasion/Persistence:** Deploys the **Demodex rootkit**, a Windows kernel-mode rootkit, on vendor machines to hide the presence of its malware within victim networks and conceal activity from security teams.
- **Communication:** Uses custom protocols protected by Transport Layer Security (TLS) for secure C2 communication.
- **Modular Operations:** Employs multi-modular backdoors allowing independent deployment or updating of capabilities.
## Targeting
* **Sectors:** Government agencies, telecommunications, technology, consulting, chemical and transportation industries, and non-governmental organizations (NGOs).
* **Geography:** United States (US), Asia-Pacific, Middle East, and South Africa.
* **Victims:** Telecommunications companies (especially in Southeast Asia) and government entities.
## Tools & Infrastructure
* **Malware Families Used:**
  * **GhostSpider:** A new, multi-modular backdoor communicating via custom, TLS-protected protocols.
  * **Masol RAT:** A cross-platform backdoor observed targeting Linux servers.
  * **Snappybee:** A widely available shared backdoor, suggesting potential reliance on malware-as-a-service providers.
  * **Demodex:** A Windows kernel rootkit used for stealth.
* **Infrastructure:** C2 infrastructure for its various backdoors appears to be managed by different infrastructure teams, indicating high organizational complexity. (No specific defanged IPs/URLs were provided in the text).
## Implications
Earth Estries poses a significant and aggressive threat due to its sophisticated and layered tooling (including kernel-level rootkits and TLS-protected custom protocols) designed for prolonged espionage. Their use of shared/commodity tools alongside custom malware suggests a pragmatic approach to operations. The targeting of critical infrastructure like telecommunications and government sectors highlights a focus on high-value geopolitical intelligence gathering.
## Mitigations
- Patch and monitor public-facing servers aggressively; exploitation of their vulnerabilities is the group's documented initial access vector.
- Deploy endpoint detection and response (EDR) tuned for kernel-level tampering (unsigned or unexpected driver loads, hidden processes and services) so that rootkits such as Demodex surface rather than remain hidden.
- Monitor for known commodity malware such as Snappybee alongside the group's custom tools; a commodity detection may be the first visible sign of a larger intrusion.
- Because GhostSpider wraps a custom protocol in TLS, payload inspection is not possible without decryption; instead, baseline TLS metadata (destinations, certificates, SNI, client fingerprints) and alert on anomalies.
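Two of the points above (LOLBin-based lateral movement under Tactics, and EDR tuned for kernel-level manipulation under Mitigations) translate directly into host-based detection rules. The following is an added example of such rules, not code from Trend Micro or from the report; it runs over constructed Sysmon-like events (Event ID 1 process creation, Event ID 6 driver load), and the LOLBin list, remote-argument patterns and driver-directory allowlist are assumptions a team would tune for its own environment.

```python
"""Sample detection rules for LOLBin lateral movement and suspicious
kernel driver loads.

All events below are CONSTRUCTED, Sysmon-like records; they are not
telemetry from the Trend Micro report. The LOLBin set, remote-argument
patterns and driver-path allowlist are assumptions for illustration.
"""
import ntpath
import re

# Assumed subset of LOLBins commonly abused for remote execution.
REMOTE_LOLBINS = {"wmic.exe", "schtasks.exe", "sc.exe", "net.exe",
                  "powershell.exe", "rundll32.exe", "certutil.exe"}

# Command-line fragments indicating the LOLBin is acting on a remote host.
REMOTE_PATTERNS = [
    re.compile(r"\\\\[\w.-]+\\"),                 # UNC path \\host\share
    re.compile(r"/node:", re.I),                  # wmic /node:HOST
    re.compile(r"\s/s\s+\S+", re.I),              # schtasks /S HOST
    re.compile(r"-ComputerName\s+\S+", re.I),     # PowerShell remoting
    re.compile(r"\s\\\\[\w.-]+\s", re.I),         # sc \\HOST, net use \\HOST
]

# Assumed allowlist: the directory kernel drivers are expected to load from.
DRIVER_DIRS = {r"c:\windows\system32\drivers"}


def lolbin_lateral_movement(ev):
    """Return a finding if a known LOLBin runs with a remote-host argument."""
    if ev.get("EventID") != 1:
        return None
    image = ntpath.basename(ev["Image"]).lower()
    if image not in REMOTE_LOLBINS:
        return None
    cmd = ev.get("CommandLine", "")
    if any(p.search(cmd) for p in REMOTE_PATTERNS):
        return {"rule": "lolbin_remote_exec", "host": ev["Computer"],
                "image": image, "cmdline": cmd}
    return None


def suspicious_driver_load(ev):
    """Return a finding for drivers that are unsigned, carry an invalid
    signature, or load from outside the expected drivers directory."""
    if ev.get("EventID") != 6:
        return None
    path = ev["ImageLoaded"]
    reasons = []
    if ev.get("Signed", "false").lower() != "true":
        reasons.append("unsigned")
    elif ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("invalid_signature")
    if ntpath.dirname(path).lower() not in DRIVER_DIRS:
        reasons.append("unusual_path")
    if reasons:
        return {"rule": "suspicious_driver_load", "host": ev["Computer"],
                "driver": path, "reasons": reasons}
    return None


def run_rules(events):
    """Apply every rule to every event; return the list of findings in order."""
    findings = []
    for ev in events:
        for rule in (lolbin_lateral_movement, suspicious_driver_load):
            finding = rule(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry: two remote LOLBin executions, one benign
# process, one legitimate driver load and one driver with a bad signature
# loading from a temp directory.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:fs02 process call create "cmd /c whoami"'},
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\a\notes.txt"},
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /S fs02 /Create /TN upd /TR C:\temp\u.exe /SC ONCE /ST 23:00"},
    {"EventID": 6, "Computer": "fs02", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "fs02", "ImageLoaded": r"C:\Windows\Temp\svchost.sys",
     "Signed": "true", "SignatureStatus": "Invalid"},
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed events the rules produce three findings: the wmic and schtasks executions targeting `fs02`, and the `svchost.sys` driver load flagged for both an invalid signature and an unusual path, while the benign notepad process and the legitimate `tcpip.sys` load pass silently. In production the driver rule would also want a signer allowlist, since a validly signed but stolen or abused certificate would not trip the signature check alone.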