Earth Baxia is a China-linked APT group that has recently become a significant threat to organizations across the Asia-Pacific (APAC) region. They exploit a critical vulnerability in OSGeo GeoServer (CVE-2024-36401) and run targeted spear-phishing campaigns to breach government agencies, telecom companies, and energy organizations.
Tactics and Techniques
Earth Baxia sends well-crafted spear-phishing emails with malicious attachments to initiate the attack chain. By exploiting the GeoServer flaw, they gain initial access through remote code execution and then set the stage for a more complex operation. Their methods are designed to bypass traditional defenses and trick victims into running harmful payloads.
Malware and Payload Delivery
Once inside the target network, Earth Baxia uses a customized Cobalt Strike to drop additional malware. One of their tools is the new backdoor EAGLEDOOR, which communicates over DNS, HTTP, TCP, and even Telegram. This multi-protocol support enables data exfiltration while maintaining persistence and stealthy control over compromised systems.
Infrastructure and Attribution
They hide their activity behind public cloud services, with most of their infrastructure hosted on Alibaba Cloud. Evidence such as Cobalt Strike watermarks and decoy documents written in Simplified Chinese led researchers from Trend Micro and other security firms to attribute these sophisticated attacks to Earth Baxia. Their targets are clearly concentrated in the APAC region.
Mitigation and Detection
Apply the vendor's GeoServer security updates immediately (upgrade to versions 2.22.6, 2.23.6, 2.24.4, or 2.25.2) or remove the vulnerable library as an interim measure to address CVE-2024-36401.
Enforce email hygiene controls and user training that can detect tailored spear-phishing attachments such as MSC or ZIP payloads.
Deploy detection rules (e.g., Sigma/EDR) for GeoServer exploitation patterns and for indicators of Cobalt Strike or EAGLEDOOR activity.
Monitor outbound DNS, HTTP, TCP, and Telegram communications from servers to detect multi-protocol backdoor activity, and isolate anomalous channels.
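The two detection recommendations above, turned into a small log triage script as an added example (this is not code from the original brief, from Trend Micro, or from any GeoServer project). It applies two rules: GeoServer requests whose decoded OGC query parameters contain expression-injection markers (the marker list is an assumed heuristic, not the vendor's or a published signature), and egress from server hosts to Telegram's API or DNS queries with tunneling-like long labels (the length threshold is an assumed, tunable value). The access-log and egress-log lines, the host names, and the domains are all constructed for the example.

```python
"""Triage of constructed GeoServer access logs and server egress logs.

Rule 1: GeoServer requests carrying expression-injection markers in their query.
Rule 2: server hosts reaching Telegram or issuing tunneling-like DNS queries.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample telemetry (not real data). Apache combined-style access log.
ACCESS_LOG = [
    '10.1.1.7 - - [10/Sep/2024:09:12:01 +0000] "GET /geoserver/wms?service=WMS&request=GetCapabilities HTTP/1.1" 200 8192',
    '10.1.1.9 - - [10/Sep/2024:09:12:04 +0000] "GET /geoserver/wfs?service=WFS&request=GetFeature&typeNames=topp:states&cql_filter=%22java.lang.Runtime%22 HTTP/1.1" 500 312',
    '10.1.1.7 - - [10/Sep/2024:09:12:09 +0000] "POST /geoserver/wps HTTP/1.1" 200 1044',
    '10.1.1.3 - - [10/Sep/2024:09:12:11 +0000] "GET /index.html HTTP/1.1" 200 615',
]
# Constructed firewall/DNS egress log in a simple key=value layout.
EGRESS_LOG = [
    "2024-09-10T09:13:00Z src=geoserver-01 proto=tcp dst=api.telegram.org dport=443",
    "2024-09-10T09:13:02Z src=geoserver-01 proto=dns qname=ZXhmaWwtY2h1bmstMDAx.a1b2c3d4e5f6a7b8.lookup.example-c2.test",
    "2024-09-10T09:13:05Z src=geoserver-01 proto=dns qname=repo.maven.apache.org",
    "2024-09-10T09:13:07Z src=workstation-42 proto=tcp dst=api.telegram.org dport=443",
    "2024-09-10T09:13:09Z src=geoserver-01 proto=tcp dst=10.1.0.50 dport=5432",
]
# Hosts that should never need chat-platform or tunneling-style egress (assumed inventory).
SERVER_HOSTS = {"geoserver-01"}

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed heuristic markers for expression injection in OGC parameters; tune per environment.
INJECTION_MARKERS = re.compile(r"java\.lang|getRuntime|exec\s*\(|getClass\s*\(", re.I)
KV_RE = re.compile(r"(\w+)=(\S+)")


def flag_geoserver_request(line):
    """Return the sorted injection markers found in a GeoServer request, or [] if clean.

    Only the query string is visible in an access log; POST bodies (e.g. WPS XML)
    need a proxy or WAF log that records the request body to be checked the same way.
    """
    m = ACCESS_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().startswith("/geoserver/"):
        return []
    # Decode percent-encoding once so encoded markers are visible to the regex.
    decoded = " ".join(f"{k}={v}" for k, v in parse_qsl(parts.query, keep_blank_values=True))
    return sorted({hit.lower() for hit in INJECTION_MARKERS.findall(decoded)})


def flag_egress(line, server_hosts=SERVER_HOSTS, max_label=20):
    """Return a reason string if a server host uses a suspicious egress channel, else None."""
    fields = dict(KV_RE.findall(line))
    src = fields.get("src")
    if src not in server_hosts:
        return None  # workstation-to-Telegram traffic is a separate policy question
    if fields.get("proto") == "tcp" and fields.get("dst", "").endswith("telegram.org"):
        return f"{src}: server-to-Telegram connection {fields['dst']}:{fields.get('dport')}"
    if fields.get("proto") == "dns":
        labels = fields.get("qname", "").split(".")
        longest = max(len(label) for label in labels)
        # Assumed tunneling heuristic: a very long label inside a deep name.
        if longest >= max_label and len(labels) >= 4:
            return f"{src}: tunneling-like DNS query {fields['qname']}"
    return None


def triage(access_lines=ACCESS_LOG, egress_lines=EGRESS_LOG, server_hosts=SERVER_HOSTS):
    """Run both rules and return findings keyed by rule name."""
    findings = {"geoserver_exploit_attempt": [], "backdoor_channel": []}
    for line in access_lines:
        markers = flag_geoserver_request(line)
        if markers:
            m = ACCESS_RE.match(line)
            findings["geoserver_exploit_attempt"].append((m.group("src"), m.group("status"), markers))
    for line in egress_lines:
        reason = flag_egress(line, server_hosts)
        if reason:
            findings["backdoor_channel"].append(reason)
    return findings


if __name__ == "__main__":
    for rule, hits in triage().items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

Against the constructed input the script reports one GeoServer request carrying a `java.lang` marker (note the HTTP 500, which is itself worth correlating) and two egress findings for geoserver-01: the Telegram connection and the long-label DNS query. The workstation's Telegram traffic and the legitimate Maven lookup are left alone, which is the point of scoping the egress rule to server hosts rather than the whole network.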