Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

China-Linked Earth Alux Uses VARGEIT and COBEACON in Multi-Stage Cyber Intrusions

The Hacker News by The Hacker News
April 1, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Cybersecurity researchers have shed light on a new China-linked threat actor called Earth Alux that has targeted various key sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail in the Asia-Pacific (APAC) and Latin American (LATAM) regions.

“The first sighting of its activity was in the second quarter of 2023; back then, it was predominantly observed in the APAC region,” Trend Micro researchers Lenart Bermejo, Ted Lee, and Theo Chen said in a technical report published Monday. “Around the middle of 2024, it was also spotted in Latin America.”

The primary targets of the adversarial collective span countries such as Thailand, the Philippines, Malaysia, Taiwan, and Brazil.

The infection chains begin with the exploitation of vulnerable services in internet-exposed web applications, using them to drop the Godzilla web shell for facilitating the deployment of additional payloads, including backdoors dubbed VARGEIT and COBEACON (aka Cobalt Strike Beacon).

Cybersecurity

VARGEIT offers the ability to load tools directly from its command-and-control (C&C) server to a newly spawned process of Microsoft Paint (“mspaint.exe”) to facilitate reconnaissance, collection, and exfiltration.

“VARGEIT is also the chief method through which Earth Alux operates supplemental tools for various tasks, such as lateral movement and network discovery in a fileless manner,” the researchers said.

A point worth mentioning here is that while VARGEIT is used as a first, second, or later-stage backdoor, COBEACON is employed as a first-stage backdoor. The latter is launched by means of a loader dubbed MASQLOADER, or via RSBINJECT, a Rust-based command-line shellcode loader.

Subsequent iterations of MASQLOADER have also been observed implementing an anti-API hooking technique that overwrites any NTDLL.dll hooks inserted by security programs to detect suspicious processes running on Windows, thereby allowing the malware and the embedded payload within it to fly under the radar.

The execution of VARGEIT results in the deployment of more tools, including a loader component codenamed RAILLOAD that’s executed using a technique known as DLL side-loading, and is used for running an encrypted payload located in a different folder.

The second payload is a persistence and timestomping module referred to as RAILSETTER that alters the timestamps associated with RAILLOAD artifacts on the compromised host, alongside creating a scheduled task to launch RAILLOAD.

VARGEIT and controller interaction

“MASQLOADER is also being used by other groups besides Earth Alux,” Trend Micro said. “Additionally, the difference in MASQLOADER’s code structure compared to other tools such as RAILSETTER and RAILLOAD suggests that MASQLOADER’s development is separate from those toolsets.”

The most distinctive aspect of VARGEIT is its ability to support 10 different channels for C&C communications over HTTP, TCP, UDP, ICMP, DNS, and Microsoft Outlook, the last of which leverages the Graph API to exchange commands in a predetermined format using the drafts folder of an attacker-managed mailbox.

Cybersecurity

Specifically, the message from the C&C server is prepended with r_, while those from the backdoor are prefixed with p_. Among its wide range of functions is the extensive data collection and command execution, which makes it a potent malware in the threat actor’s arsenal.

“Earth Alux conducts several tests with RAILLOAD and RAILSETTER,” Trend Micro said. “These include detection tests and attempts to find new hosts for DLL side-loading. DLL side-loading tests involve ZeroEye, an open source tool popular within the Chinese-speaking community, for scanning EXE files’ import tables for imported DLLs that can be abused for side-loading.”

The hacking group has also been found to utilize VirTest, another testing tool widely used by the Chinese-speaking community, to ensure that its tools are stealthy enough to maintain long-term access to target environments.

“Earth Alux represents a sophisticated and evolving cyberespionage threat, leveraging a diverse toolkit and advanced techniques to infiltrate and compromise a range of sectors, particularly in the APAC region and Latin America,” the researchers concluded. “The group’s ongoing testing and development of its tools further indicate a commitment to refining its capabilities and evading detection.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign

Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign

Recommended.

Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hardcoded Credentials

Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hardcoded Credentials

June 5, 2025
ServiceNow CEO McDermott: ‘We’re Running The Table In CRM’

ServiceNow CEO McDermott: ‘We’re Running The Table In CRM’

April 24, 2025

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

April 7, 2025
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio