Earth Lusca

Introduction

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated. TrendMicro EarthLusca 2022 Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster, however security researchers assess Earth Lusca’s techniques and infrastructure are separate. TrendMicro EarthLusca 2022

Activities and Tactics

Targeted Sectors: Gambling companies, Government Institutions, Education, Media and Entertainment, Pro-democracy and human rights political organizations, Telecommunications, Religious organization, Cryptocurrency, Medical, Covid-19 research organizations

Country of Origin: 🇨🇳 China

Suspected Victims: Australia, China, France, Germany, Hong Kong, Japan, Mongolia, Nepal, Nigeria, Philippines…

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

• T1583.006 Web Services
• T1027.003 Steganography
• T1608.001 Upload Malware
• T1098.004 SSH Authorized Keys
• T1003.006 DCSync
• T1059.005 Visual Basic
• T1189 Drive-by Compromise
• T1018 Remote System Discovery
• T1584.006 Web Services
• T1059.007 JavaScript
• T1210 Exploitation of Remote Services
• T1036.005 Match Legitimate Resource Name or Location
• T1140 Deobfuscate/Decode Files or Information
• T1583.001 Domains
• T1033 System Owner/User Discovery
• T1547.012 Print Processors
• T1059.001 PowerShell
• T1059.006 Python
• T1057 Process Discovery
• T1053.005 Scheduled Task
• T1574.001 DLL
• T1112 Modify Registry
• T1047 Windows Management Instrumentation
• T1003.001 LSASS Memory
• T1218.005 Mshta
• T1482 Domain Trust Discovery
• T1567.002 Exfiltration to Cloud Storage
• T1548.002 Bypass User Account Control
• T1588.002 Tool
• T1007 System Service Discovery
• T1204.002 Malicious File
• T1190 Exploit Public-Facing Application
• T1090 Proxy
• T1027 Obfuscated Files or Information
• T1543.003 Windows Service
• T1566.002 Spearphishing Link
• T1560.001 Archive via Utility
• T1583.004 Server
• T1049 System Network Connections Discovery
• T1595.002 Vulnerability Scanning
• T1016 System Network Configuration Discovery
• T1588.001 Malware
• T1584.004 Server
• T1204.001 Malicious Link

ATT&CK technique IDs (denormalized)

• T1003.001
• T1003.006
• T1007
• T1016
• T1018
• T1027
• T1027.003
• T1033
• T1036.005
• T1047
• T1049
• T1053.005
• T1057
• T1059.001
• T1059.005
• T1059.006
• T1059.007
• T1090
• T1098.004
• T1112
• T1140
• T1189
• T1190
• T1204.001
• T1204.002
• T1210
• T1218.005
• T1482
• T1543.003
• T1547.012
• T1548.002
• T1560.001
• T1566.002
• T1567.002
• T1574.001
• T1583.001
• T1583.004
• T1583.006
• T1584.004
• T1584.006
• T1588.001
• T1588.002
• T1595.002
• T1608.001

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

• Umbreon
• China Chopper
• Winnti

MITRE ATT&CK Software

• Mimikatz (S0002) — tool
• PowerSploit (S0194) — tool
• Tasklist (S0057) — tool
• certutil (S0160) — tool
• Cobalt Strike (S0154) — malware
• Winnti for Linux (S0430) — malware
• Nltest (S0359) — tool
• NBTscan (S0590) — tool
• ShadowPad (S0596) — malware

Attribution and Evidence

Country of Origin: China Additional attribution information pending cataloguing.

References

[1] mitre-attack [6] TrendMicro EarthLusca 2022 Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. [7] Recorded Future TAG-22 July 2021 INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 16, 2024. [8] Recorded Future RedHotel August 2023 Insikt Group. (2023, August 8). RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale. Retrieved March 11, 2024. [9] Microsoft Threat Actor Naming July 2023 Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. [6] TrendMicro EarthLusca 2022

Recent News

Latest articles from security news feeds mentioning this actor.

• Google publishes exploit code threatening millions of Chromium users Ars Technica - 2026-05-20T