Thursday, March 05, 2026


China-Backed Earth Baku Expands Cyber Offensive to Europe, Middle East, and Africa



Earth Baku utilizes malware families such as DodgeBox (DUSTPAN) and MoonWalk (DUSTTRAP), rebranded by Trend Micro as StealthReacher and SneakCross

The China-backed cyber threat actor Earth Baku has broadened its attack operations to encompass Europe, the Middle East, and Africa since late 2022. This expansion marks a significant shift from its previous focus on the Indo-Pacific region. Recent targets include Italy, Germany, the U.A.E., and Qatar, with potential incursions in Georgia and Romania. Key sectors affected by these cyber intrusions include government, media, telecommunications, technology, healthcare, and education.

According to a recent Trend Micro analysis, Earth Baku has refined its techniques, now exploiting public-facing applications like IIS servers as initial attack vectors. The group deploys advanced malware toolsets once inside the victim's network. Notably, Earth Baku utilizes malware families such as DodgeBox (DUSTPAN) and MoonWalk (DUSTTRAP), rebranded by Trend Micro as StealthReacher and SneakCross. Previously associated with APT41, Earth Baku has been using the StealthVector backdoor since October 2020. The attack chain typically involves compromising public-facing applications to deploy the Godzilla web shell, which facilitates the delivery of subsequent payloads. StealthReacher is a more sophisticated version of StealthVector that uses Google services for command-and-control communication to launch SneakCross, a modular implant that is most likely the replacement for ScrambleCross.

In addition to these tools, Earth Baku’s operations feature post-exploitation tools like iox, Rakshasa, and the Tailscale VPN service. Data exfiltration is performed using MEGAcmd, a command-line utility that transfers sensitive information to MEGA cloud storage. This expansion underscores the growing sophistication and reach of Earth Baku's cyber capabilities.
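The two paragraphs above describe an intrusion chain (web shell on a public-facing IIS server, then tunnelling and VPN tools, then MEGAcmd for exfiltration). The following Python script is an added defensive example, not code from the article or from Trend Micro: it runs a simple triage over constructed endpoint process-creation records and flags the behaviours the article names. The event fields, executable names and sample records are assumptions made for the example; in a real deployment the same logic would run over EDR or Sysmon process-creation telemetry.

```python
# Added example (not from the article or Trend Micro). Flags process-creation
# events that match the tooling described in the article: a shell spawned by the
# IIS worker process (typical of web shell command execution), and the iox,
# Rakshasa, Tailscale and MEGAcmd binaries used after compromise.
# Field names, executable names and sample records are assumptions.
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    host: str      # endpoint that reported the event
    parent: str    # full path of the parent process image
    image: str     # full path of the created process image
    cmdline: str   # command line of the created process


# Executable-name patterns are assumptions based on how these tools are usually
# shipped (MEGAcmd installs mega-cmd / mega-put / mega-get etc.).
TOOL_PATTERNS = {
    "megacmd_exfil": re.compile(r"(?:^|[\\/])mega-?(?:cmd|put|get|login|sync)(?:\.exe)?$", re.I),
    "iox_tunnel": re.compile(r"(?:^|[\\/])iox(?:\.exe)?$", re.I),
    "rakshasa_proxy": re.compile(r"(?:^|[\\/])rakshasa(?:\.exe)?$", re.I),
    "tailscale_vpn": re.compile(r"(?:^|[\\/])tailscale(?:d)?(?:\.exe)?$", re.I),
}

# w3wp.exe is the IIS worker process; it has no business launching a shell.
IIS_WORKER = re.compile(r"(?:^|[\\/])w3wp\.exe$", re.I)
SHELL = re.compile(r"(?:^|[\\/])(?:cmd|powershell|pwsh)\.exe$", re.I)


def classify(ev: ProcessEvent) -> List[str]:
    """Return the list of finding labels that apply to one event (empty if benign)."""
    findings: List[str] = []
    if IIS_WORKER.search(ev.parent) and SHELL.search(ev.image):
        findings.append("webshell_command_execution")
    for label, pattern in TOOL_PATTERNS.items():
        if pattern.search(ev.image):
            findings.append(label)
    return findings


def triage(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Group findings per host; hosts with no hits are omitted."""
    report: Dict[str, set] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            report.setdefault(ev.host, set()).update(hits)
    return {host: sorted(labels) for host, labels in report.items()}


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    ProcessEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("web01", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\MEGAcmd\mega-put.exe",
                 r"mega-put C:\finance\export.zip /backup"),
    ProcessEvent("fs02", r"C:\Windows\System32\services.exe",
                 r"C:\Program Files\Tailscale\tailscaled.exe", "tailscaled.exe"),
    ProcessEvent("ws03", r"C:\Windows\System32\svchost.exe",
                 r"C:\Users\Public\iox.exe", "iox.exe proxy -l 8080"),
    ProcessEvent("ws04", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(labels)}")
```

The image-name match is deliberately narrow; a renamed binary would evade it, so in practice the web-shell rule (IIS worker spawning a shell) and network telemetry for MEGA and Tailscale endpoints carry more weight than the tool-name rules.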
