Earth Baxia

Earth Baxia is a China-linked APT group that has recently become a significant threat to organizations across the Asia-Pacific (APAC) region. They exploit a critical vulnerability in OSGeo GeoServer (CVE-2024-36401) and targeted spear-phishing campaigns to breach government agencies, telecom companies, and energy organizations.

Key Insights

Tactics and Techniques

Earth Baxia sends well-crafted spear-phishing emails with malicious attachments to initiate the attack chain. By exploiting the GeoServer flaw, they gain initial access through remote code execution and then set the stage for a more complex operation. Their methods are designed to bypass traditional defenses and trick victims into running harmful payloads.

Malware and Payload Delivery

Once inside the target network, Earth Baxia uses a customized Cobalt Strike to drop additional malware. One of their tools is the new backdoor EAGLEDOOR, which supports DNS, HTTP, TCP, and even Telegram. This multi-protocol support allows data exfiltration and maintains persistence and stealthy control over compromised systems.

Infrastructure and Attribution

They use public cloud services with most of their infrastructure hosted on Alibaba Cloud to hide their activities. The evidence, such as Cobalt Strike watermarks and decoy documents written in Simplified Chinese, led researchers from Trend Micro and other security firms to attribute these sophisticated attacks to Earth Baxia. Their targets are clearly in the APAC region.

Known Variants

No specific variants have been found for Earth Baxia. Instead, most of the text is written in simple, compound, and complex sentences.

Mitigation Strategies

Apply the vendor’s GeoServer security updates immediately (upgrade to versions 2.22.6, 2.23.6, 2.24.4, or 2.25.2) or remove the vulnerable library as an interim measure to address CVE‑2024‑36401.
Enforce phishing-resistant email hygiene and user training to detect tailored spear‑phishing attachments such as MSC or ZIP payloads.
Deploy detection rules (e.g., Sigma/EDR) for GeoServer exploitation patterns and indicators of Cobalt Strike or EAGLEDOOR activation.
Monitor outbound DNS, HTTP, TCP, or Telegram communications from servers to detect multi‑protocol backdoor activity and isolate anomalous channels

Targeted Industries or Sectors

Earth Baxia’s campaigns have primarily targeted government agencies, telecommunications providers, and energy organizations across the Asia‑Pacific region, notably in Taiwan, the Philippines, South Korea, Vietnam, and Thailand, using spear‑phishing and exploitation of GeoServer (CVE‑2024‑36401) as initial attack vectors to deploy custom backdoors like EAGLEDOOR or modified Cobalt Strike payload

Associated Threat Actors

Earth Baxia is a distinct China-linked APT group, believed to operate independently rather than as a sub‑group of known actors, though some tools and infrastructure overlap modestly with groups such as APT41 (Wicked Panda / Brass Typhoon). Its operations appear to originate from infrastructure hosted in China or Hong Kong, with malware samples and watermarks traced back to that region