China-Linked Earth Alux Uses VARGEIT and COBEACON in Multi-Stage Cyber Intrusions
Briefly

Earth Alux, a recently identified threat actor linked to China, is actively targeting critical sectors in the Asia-Pacific and Latin American regions. Its operations first appeared in mid-2023, initially concentrated in APAC, and expanded to LATAM by mid-2024. The group exploits vulnerabilities in internet-exposed web applications to deploy the Godzilla web shell alongside backdoors such as VARGEIT and COBEACON. These tools enable reconnaissance, lateral movement, and data exfiltration, and use techniques such as anti-API hooking to evade detection by security products.
VARGEIT can load tools directly from its command-and-control (C&C) server into a newly spawned Microsoft Paint (mspaint.exe) process, which is then used for reconnaissance, collection, and exfiltration.
Earth Alux primarily targets key sectors across APAC and LATAM regions, leveraging vulnerable internet-exposed web applications to gain initial access.
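The mspaint.exe hosting behaviour described above gives defenders a concrete signal: Paint has no legitimate reason to make outbound connections or to be launched by a web-server worker. The following is an added detection sketch, not code from the original report; it assumes Sysmon-style process-creation (event 1) and network-connection (event 3) records, constructed inline, and the set of expected parent processes is an assumption to tune per environment.

```python
"""Flag mspaint.exe behaviour consistent with its use as an injection host.

Added example; not code from the Earth Alux report. Assumes Sysmon-style
process-creation (event 1) and network-connection (event 3) telemetry,
constructed here as pipe-separated lines.
"""
from dataclasses import dataclass

# Parents from which an interactive Paint launch is expected. Assumption:
# tune to the environment. A web-server worker such as w3wp.exe (reachable
# through a web shell) is not an expected parent and is flagged.
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe"}

# Constructed sample telemetry: event_id|host|image|parent_image|dest_ip|dest_port
SAMPLE_EVENTS = """\
1|srv-web-01|C:\\Windows\\System32\\mspaint.exe|C:\\Windows\\explorer.exe||
1|srv-web-02|C:\\Windows\\System32\\mspaint.exe|C:\\Windows\\System32\\inetsrv\\w3wp.exe||
3|srv-web-02|C:\\Windows\\System32\\mspaint.exe||203.0.113.10|443
3|srv-web-01|C:\\Program Files\\Mozilla Firefox\\firefox.exe||198.51.100.7|443
"""


@dataclass
class Finding:
    host: str
    reason: str


def basename(path: str) -> str:
    """Return the file name portion of a Windows path (empty path stays empty)."""
    return path.rsplit("\\", 1)[-1]


def parse(lines: str):
    """Yield (event_id, host, image, parent, dest_ip, dest_port) tuples."""
    for line in lines.strip().splitlines():
        event_id, host, image, parent, dest_ip, dest_port = line.split("|")
        yield int(event_id), host, image.lower(), parent.lower(), dest_ip, dest_port


def detect(lines: str) -> list:
    """Return findings for mspaint.exe launched oddly or talking to the network."""
    findings = []
    for event_id, host, image, parent, dest_ip, dest_port in parse(lines):
        if basename(image) != "mspaint.exe":
            continue
        if event_id == 1 and basename(parent) not in EXPECTED_PARENTS:
            findings.append(Finding(host, f"mspaint.exe spawned by {basename(parent)}"))
        elif event_id == 3:
            # Paint never needs the network; an outbound connection suggests
            # the process is hosting a tool loaded from a C&C server.
            findings.append(Finding(host, f"mspaint.exe connected to {dest_ip}:{dest_port}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.host, "-", f.reason)
```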
Read at The Hacker News