Earth Hundun
Attribute | Value |
---|---|
Actor Type | Nation State |
Attributed to Nation | China |
Directly Linked Intrusion Sets | BlackTech |
Associated MITRE ATT&CK Group | BlackTech (G0098) |
Earth Hundun is a cyber espionage intrusion set tracked by researchers at Trend Micro. The group is believed to be based in China and has been linked to BlackTech and Palmerworm.
Targeting is focused on East Asia, particularly Taiwan and Japan, across multiple industry sectors including government, technology, telecoms, academia, defense and manufacturing.
Trend Micro analysts note that attribution is complex: Earth Hundun may not be a monolithic or static group, and tools and TTPs may be shared across different threat actors.
Earth Hundun Threat Reports
Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear
This blog post from researchers at Trend Micro discusses the cyberespionage group Earth Hundun and its malware, Waterbear and Deuterbear, which ...
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1005 | Data from Local System | Collection |
T1016.001 | Internet Connection Discovery | Discovery |
T1057 | Process Discovery | Discovery |
T1480 | Execution Guardrails | Defense Evasion |
T1622 | Debugger Evasion | Defense Evasion, Discovery |
T1547.012 | Print Processors | Persistence, Privilege Escalation |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1071.001 | Web Protocols | Command and Control |
T1083 | File and Directory Discovery | Discovery |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1132.002 | Non-Standard Encoding | Command and Control |
T1129 | Shared Modules | Execution |
T1049 | System Network Connections Discovery | Discovery |
T1027.001 | Binary Padding | Defense Evasion |
T1573 | Encrypted Channel | Command and Control |
T1082 | System Information Discovery | Discovery |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
T1497.003 | Time Based Evasion | Defense Evasion, Discovery |
T1012 | Query Registry | Discovery |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1106 | Native API | Execution |