ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Earth Lusca

Names:
Earth Lusca (Trend Micro)
Bronze University (SecureWorks)
Chromium (Microsoft)
Charcoal Typhoon (Microsoft)
Red Dev 10 (PWC)
Red Scylla (PWC)
Country: China
Motivation: Information theft and espionage, financial gain
First seen: 2019
Description (Trend Micro): In this tech brief, we are going to expose a threat actor originating from China. Since the malware being used by the group, such as ShadowPad and Winnti, overlapped with other threat actors, its activities were attributed to other groups such as APT 41, Earth Baku, Sparkling Goblin, and the “Winnti” cluster in different reports. Our research reveals the different TTPs and the independent set of infrastructure that made us consider it a separate threat actor from the other known actors mentioned. Some reports named this threat actor “RedHotel, TAG-22” or “Fishmonger.” We decided to separate it from the Winnti umbrella and track this threat actor under the name “Earth Lusca.”
Our investigation of Earth Lusca started in mid-2021, when we discovered a campaign targeting customer service companies in China via a watering hole attack. Eventually, our monitoring and research led to the publication of a blog post on a previously unreported malware known as BIOPASS RAT. We continued monitoring the threat actor, eventually discovering a few more targeted operations against various targets worldwide. In this research, we will expose all of the group's TTPs and its current operations.
During our investigation, we also managed to reach some of the victims and gather interesting information from compromised servers that were used as watering holes. We were able to learn Earth Lusca's reconnaissance and lateral movement techniques while working with our local incident response service team via our XDR system.
Observed sectors: Casinos and gambling, education, government, media, telecommunications, COVID-19 research organizations, religious movements that are banned in mainland China, pro-democracy and human rights political organizations, and various cryptocurrency trading platforms.
Observed countries: Australia, China, France, Germany, Hong Kong, Japan, Mongolia, Nepal, Nigeria, Philippines, Taiwan, Thailand, UAE, USA, Vietnam.
Tools used: AntSword, BadPotato, Behinder, BIOPASS RAT, Cobalt Strike, Doraemon, EarthWorm, FRP, fscan, FunnySwitch, HUC Port Banner Scanner, lcx, Mimikatz, nbtscan, PipeMon, ShadowPad, SprySOCKS, Winnti, WinRAR.
Operations performed:
Early 2023: Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
Dec 2023: Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections

Last change to this card: 10 March 2024

