Earth Estries
| Attribute | Value |
|---|---|
| Actor Type | Nation State |
| Attributed to Nation | China |
| Directly Linked Intrusion Sets | GhostEmperor, FamousSparrow, Salt Typhoon, Operator Panda |
Earth Estries is a Chinese advanced persistent threat (APT) group tracked by Trend Micro. Since 2023 the group has been observed actively targeting critical sectors, chiefly telecommunications and government, as well as a range of other industries across the US, Asia-Pacific, the Middle East, and South Africa.
Earth Estries runs prolonged espionage operations using multiple backdoors, including GHOSTSPIDER, SNAPPYBEE, and MASOL RAT. It gains initial access by exploiting vulnerabilities in public-facing servers and moves laterally with living-off-the-land binaries (LOLBins), that is, legitimate system utilities already present on the compromised hosts, which lets the activity blend in with normal administration. The group's tradecraft overlaps in TTPs (tactics, techniques and procedures) with other known Chinese APT groups, suggesting that some of its tooling is obtained from shared malware-as-a-service providers.
The group's activities have compromised over 20 organizations in sectors including technology, consulting, chemicals, and transportation, as well as government agencies and NGOs. Earth Estries maintains persistence through customized malware and a complex command-and-control (C2) infrastructure that appears to be managed by different teams. Its operations involve continuous tool updates and lateral movement to deploy further malware and sustain long-term espionage. The combination of long dwell time, regularly refreshed tooling, and infrastructure split across teams makes Earth Estries a persistent threat to the sectors it targets.