Earth Baxia

Earth Baxia is a China-linked APT group that has recently become a significant threat to organizations across the Asia-Pacific (APAC) region. The group combines exploitation of a critical remote code execution vulnerability in OSGeo GeoServer (CVE-2024-36401) with targeted spear-phishing campaigns to breach government agencies, telecom companies, and energy organizations.

Key Insights

Tactics and Techniques

Earth Baxia uses two initial access vectors: well-crafted spear-phishing emails carrying malicious attachments, and exploitation of the GeoServer flaw, which yields remote code execution on exposed servers. Either route gives the operators a foothold from which to stage the rest of the operation. The lures and loaders are designed to bypass traditional defenses and trick victims into running the payload.

Malware and Payload Delivery

Once inside the target network, Earth Baxia uses a customized Cobalt Strike build to drop additional malware, including a new backdoor, EAGLEDOOR, that can communicate over DNS, HTTP, TCP, and even Telegram. This multi-protocol support gives the operators more than one channel for data exfiltration, persistence, and stealthy control of compromised systems, which makes blocking a single protocol at the perimeter insufficient.

Infrastructure and Attribution

Most of their infrastructure is hosted on public cloud services, chiefly Alibaba Cloud, which helps the activity blend in with legitimate traffic. Evidence such as Cobalt Strike watermarks and decoy documents written in Simplified Chinese led researchers at Trend Micro and other security firms to attribute these attacks to Earth Baxia. Their targeting is clearly concentrated in the APAC region.

Known Variants

No specific variants have been found for Earth Baxia.

Mitigation Strategies

  • Apply the vendor’s GeoServer security updates immediately (upgrade to versions 2.22.6, 2.23.6, 2.24.4, or 2.25.2) to address CVE‑2024‑36401. As an interim measure the GeoServer advisory suggests removing the vulnerable gt-complex library (the gt-complex jar under WEB-INF/lib), with the caveat that this can break extensions that depend on it.

  • Harden email defenses and train users to recognize tailored spear‑phishing attachments such as MSC or ZIP payloads; block or sandbox those file types at the gateway where business needs allow.

  • Deploy detection rules (e.g., Sigma or EDR logic) for GeoServer exploitation patterns, such as OGC requests whose property-name parameters carry Java expressions, and for indicators of Cobalt Strike or EAGLEDOOR activity.

  • Monitor outbound DNS, HTTP, TCP, and Telegram traffic from servers that should not initiate Internet connections, to surface multi‑protocol backdoor activity, and isolate hosts with anomalous channels.
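To make the last two items concrete, here is an added example, written for this page rather than taken from Hunt.io, Trend Micro, or any EAGLEDOOR report, that scans a few constructed GeoServer access-log lines for CVE-2024-36401 exploitation attempts, flags outbound connections from the GeoServer host over the channels EAGLEDOOR is reported to use, and correlates the two into a single alert. The log formats, IP addresses, host names, the internal address range, the list of XPath-evaluated request parameters, and the signature regex are all assumptions for illustration; the signature is derived from the advisory's description of the flaw (feature property names evaluated as XPath expressions), not from any specific exploit sample.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not real telemetry). Common Log Format lines as a
# Tomcat/Apache front end would write them for a GeoServer instance.
ACCESS_LOG = """\
203.0.113.10 - - [12/Sep/2024:03:14:07 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&maxFeatures=1 HTTP/1.1" 200 4821
203.0.113.10 - - [12/Sep/2024:03:14:09 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=exec(java.lang.Runtime.getRuntime()%2C%27id%27) HTTP/1.1" 400 1203
198.51.100.7 - - [12/Sep/2024:03:20:11 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states&BBOX=-180,-90,180,90&WIDTH=256&HEIGHT=256&SRS=EPSG:4326&FORMAT=image/png HTTP/1.1" 200 33012
"""
# Constructed outbound connection records: ts host src dst dport proto server_name
CONN_LOG = """\
2024-09-12T03:14:30Z geoserver-01 10.0.5.20 192.0.2.44 443 tcp api.telegram.org
2024-09-12T03:15:02Z geoserver-01 10.0.5.20 10.0.0.53 53 udp -
2024-09-12T03:15:09Z geoserver-01 10.0.5.20 203.0.113.53 53 udp -
2024-09-12T03:16:40Z geoserver-01 10.0.5.20 198.51.100.99 8080 tcp -
2024-09-12T03:30:00Z web-01 10.0.5.30 192.0.2.80 443 tcp cdn.example
2024-09-12T04:00:00Z geoserver-01 10.0.5.20 10.0.0.80 443 tcp mirror.corp.example
"""

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# Assumed: OGC parameters whose values GeoTools evaluates as XPath property names.
XPATH_PARAMS = {"valuereference", "propertyname", "sortby", "filter", "cql_filter"}
# Illustrative signature for a Java method call smuggled into an XPath expression.
JAVA_CALL = re.compile(r"java\.lang\.|getruntime|processbuilder|\bexec\s*\(", re.I)
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate range
TELEGRAM_API = {"api.telegram.org"}


def parse_access_log(text):
    """One dict per parsable Common Log Format line."""
    entries = []
    for line in text.splitlines():
        m = CLF.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            entries.append({"src": ip, "method": method, "path": path, "status": int(status),
                            "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")})
    return entries


def find_exploit_attempts(entries):
    """Flag GeoServer OGC requests whose XPath-evaluated parameters carry a Java call."""
    hits = []
    for e in entries:
        url = urlsplit(e["path"])
        if not url.path.startswith("/geoserver/"):
            continue
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name.lower() in XPATH_PARAMS and any(JAVA_CALL.search(v) for v in values):
                hits.append({**e, "param": name, "value": values[0]})
                break
    return hits


def parse_conn_log(text):
    """Parse the flat constructed connection format above."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 7:
            ts, host, src, dst, dport, proto, name = parts
            conns.append({"host": host, "src": src, "dst": ipaddress.ip_address(dst),
                          "dport": int(dport), "proto": proto, "name": None if name == "-" else name,
                          "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)})
    return conns


def find_suspicious_outbound(conns, server_hosts):
    """Servers should not initiate Internet connections at all, so every external
    destination is a finding; label the channel to ease triage of DNS tunnelling,
    Telegram-based C2 and raw TCP beacons."""
    findings = []
    for c in conns:
        if c["host"] not in server_hosts or any(c["dst"] in net for net in INTERNAL):
            continue
        if c["name"] and c["name"].lower().rstrip(".") in TELEGRAM_API:
            reason = "telegram-api"
        elif c["dport"] == 53:
            reason = "external-dns"
        elif c["dport"] in (80, 443):
            reason = "external-http"
        else:
            reason = "external-tcp"
        findings.append({**c, "reason": reason})
    return findings


def correlate(attempts, findings, server_host, window=timedelta(minutes=30)):
    """Pair each exploit attempt with outbound findings from the GeoServer host
    that follow it within `window`; that pairing is the high-confidence alert."""
    return [(a["src"], a["ts"], f["reason"], str(f["dst"]), f["ts"])
            for a in attempts for f in findings
            if f["host"] == server_host and a["ts"] <= f["ts"] <= a["ts"] + window]


def run(server_host="geoserver-01"):
    attempts = find_exploit_attempts(parse_access_log(ACCESS_LOG))
    findings = find_suspicious_outbound(parse_conn_log(CONN_LOG), {server_host})
    return attempts, findings, correlate(attempts, findings, server_host)


if __name__ == "__main__":
    attempts, findings, alerts = run()
    for a in attempts:
        print(f"exploit attempt from {a['src']} at {a['ts']:%H:%M:%S}: {a['param']}={a['value']}")
    for f in findings:
        print(f"outbound {f['reason']} from {f['host']} to {f['dst']}:{f['dport']}")
    for src, t1, reason, dst, t2 in alerts:
        print(f"ALERT: {src} hit GeoServer at {t1:%H:%M:%S}; {reason} to {dst} at {t2:%H:%M:%S}")
```

Two caveats when adapting this. Access logs only show the query string, so the same expression sent in a POST body (WFS accepts XML requests) is invisible here and needs WAF or full-request logging at the reverse proxy. The allowlist approach in `find_suspicious_outbound` works only for hosts with a known, narrow set of legitimate destinations; for a GeoServer that legitimately fetches remote tiles or WMS layers, add those destinations to the internal/allowed set rather than widening the rule.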


Targeted Industries or Sectors

Earth Baxia’s campaigns have primarily targeted government agencies, telecommunications providers, and energy organizations across the Asia‑Pacific region, notably in Taiwan, the Philippines, South Korea, Vietnam, and Thailand. The group uses spear‑phishing and exploitation of GeoServer (CVE‑2024‑36401) as initial attack vectors to deploy custom backdoors such as EAGLEDOOR or modified Cobalt Strike payloads.

Associated Threat Actors

Earth Baxia is a distinct China-linked APT group, believed to operate independently rather than as a sub‑group of known actors, though some tools and infrastructure overlap modestly with groups such as APT41 (Wicked Panda / Brass Typhoon). Its operations appear to originate from infrastructure hosted in China or Hong Kong, with malware samples and Cobalt Strike watermarks traced back to that region.

References

    Related Posts:

    Unmasking Adversary Infrastructure: How Certificates and Redirects Exposed Earth Baxia and PlugX Activity
    Oct 10, 2024

    Unearthing New Infrastructure by Revisiting Past Threat Reports
    May 21, 2024

    Phishing by Appointment: Suspected North Korean Hackers Target Blockchain Community Via Telegram
    Feb 28, 2024