Active threat profile
Type: Nation-State / APT
Threat level: HIGH
Status: ACTIVE
Origin: China (Chengdu, Sichuan)
Last updated: 2026-03-13

Earth Lusca

Also known as: Charcoal Typhoon, TAG-22, RedHotel, Aquatic Panda, CHROMIUM, ControlX, BRONZE UNIVERSITY, FISHMONGER, Red Dev 10, Red Scylla

Earth Lusca is a China-linked advanced persistent threat group active since at least April 2019, conducting both cyber espionage against government, academic, and civil society organizations worldwide and financially motivated operations targeting cryptocurrency and gambling platforms. The group is believed to operate from Chengdu, Sichuan province, and has been linked to the Chinese contractor i-Soon (Anxun Information Technology), carrying out operations on behalf of China's Ministry of State Security (MSS) and Ministry of Public Security (MPS).

Attributed origin: China (Chengdu, Sichuan)
Suspected sponsor: Chinese MSS / MPS via i-Soon
First observed: 2019
Primary motivation: Espionage / Financial
Primary targets: Government, Telecom, Academia, Media
Known campaigns: 6+ confirmed
MITRE ATT&CK group: G1006
Target regions: Asia-Pacific, Europe, N. America, Africa
Threat level: HIGH

Overview

Earth Lusca is a suspected China-based advanced persistent threat (APT) group that has been active since at least April 2019. Tracked by Trend Micro under the Earth Lusca designation, the group is also identified as TAG-22 by Recorded Future, Charcoal Typhoon (formerly CHROMIUM) by Microsoft, RedHotel by Insikt Group, and Aquatic Panda by CrowdStrike. The group operates under the broader Winnti umbrella of Chinese threat actors but maintains its own distinct infrastructure and tooling.

Earth Lusca conducts dual-purpose operations: strategic cyber espionage targeting entities aligned with Chinese government interests, and financially motivated attacks against cryptocurrency platforms and gambling companies. Targets have spanned at least 17 countries across Asia, Europe, North America, and Africa, including government institutions, educational organizations, telecommunications providers, news media, pro-democracy movements, religious groups, and COVID-19 research bodies.

In March 2025, the U.S. Department of Justice charged 12 Chinese nationals in connection with state-backed hacking operations linked to i-Soon (Anxun Information Technology), the Chengdu-based private contractor believed to manage Earth Lusca's penetration teams. The FBI confirmed that activities associated with i-Soon are tracked under the Earth Lusca, Aquatic Panda, Charcoal Typhoon, BRONZE UNIVERSITY, and RedHotel designations. Leaked i-Soon documents revealed victim overlap, shared malware arsenals (including ShadowPad and Winnti), and geographic co-location in Chengdu between i-Soon and Earth Lusca operators. The company reportedly carried out intrusions on behalf of both China's Ministry of State Security (MSS) and Ministry of Public Security (MPS), generating tens of millions of dollars in revenue.

A related but operationally separate intrusion set, Earth Krahang, has been identified by Trend Micro as potentially another penetration team operating under the same i-Soon umbrella. Earth Krahang focused on compromising government infrastructure across 45 countries and using that access to attack additional government entities, sharing limited infrastructure with Earth Lusca.

Target Profile

Earth Lusca targets organizations that align with Chinese strategic intelligence priorities, while also conducting financially motivated operations for profit. Targeting has been confirmed across Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, Japan, and the United States.

  • Government institutions: Primary target sector, with focus on foreign affairs, technology, and telecommunications ministries. Confirmed victims in Taiwan, Thailand, Philippines, Vietnam, UAE, Mongolia, Nigeria, and a U.S. state legislature (2022).
  • Academic and research: Educational institutions in Taiwan, Hong Kong, Japan, and France. COVID-19 research organizations in the United States were targeted during the pandemic period.
  • Media and civil society: News media outlets in Taiwan, Hong Kong, Australia, Germany, and France. Pro-democracy and human rights organizations in Hong Kong, as well as religious movements banned in mainland China.
  • Telecommunications: Telecom companies across the Asia-Pacific region, likely for intelligence collection and communications surveillance capabilities.
  • Financial and cryptocurrency: Gambling companies in China and various cryptocurrency trading platforms have been hit in attacks that appear purely financially motivated, distinguishing Earth Lusca from strictly espionage-focused APTs.

Tactics, Techniques & Procedures

The TTPs below are documented from observed campaigns and public threat intelligence. Earth Lusca uses three primary initial access vectors: exploitation of public-facing server vulnerabilities, spearphishing emails with malicious links or attachments, and watering hole attacks using compromised legitimate websites injected with malicious JavaScript. Post-compromise activity typically involves deploying Cobalt Strike for lateral movement, followed by advanced backdoors for long-term persistence.

MITRE ID | Technique | Description
T1190 | Exploit Public-Facing Application | Exploits N-day vulnerabilities in public-facing servers including Microsoft Exchange (ProxyShell), Fortinet (CVE-2022-40684, CVE-2022-39952), GitLab (CVE-2021-22205), Oracle GlassFish, Zimbra (CVE-2019-9670, CVE-2019-9621), and Telerik UI (CVE-2019-18935).
T1566.002 | Phishing: Spearphishing Link | Sends spearphishing emails containing malicious links to targets. Emails are tailored to the victim's interests and may contain geopolitically themed lure documents (e.g., China-Taiwan relations content).
T1189 | Drive-by Compromise | Conducts watering hole attacks by compromising legitimate websites and injecting malicious JavaScript to redirect visitors to attacker-controlled infrastructure.
T1574.001 | Hijack Execution Flow: DLL Side-Loading | Uses DLL side-loading extensively, including placing malicious payloads in system paths (e.g., MSDTC service via oci.dll) and abusing legitimate code-signed executables from vendors like Qihoo.
T1059.001 | Command and Scripting Interpreter: PowerShell | Uses PowerShell for command execution, network reconnaissance (reading RDP event logs), and lateral movement within compromised environments.
T1003.001 | OS Credential Dumping: LSASS Memory | Uses ProcDump and Mimikatz to dump LSASS process memory for credential harvesting. Also performs DCSync attacks against domain controllers using the ZeroLogon exploit (CVE-2020-1472).
T1027.003 | Obfuscated Files or Information: Steganography | Hides shellcode within BMP image files to evade detection during payload delivery.
T1567.002 | Exfiltration Over Web Service: Cloud Storage | Uses the megacmd tool to upload stolen files from victim networks to MEGA cloud storage for exfiltration.
T1053.005 | Scheduled Task/Job: Scheduled Task | Creates scheduled tasks for persistence using commands like schtasks /Create with ONLogon triggers and SYSTEM-level execution.
T1547.012 | Boot or Logon Autostart Execution: Print Processors | Registers malicious DLLs as Windows print processors via registry modification, loading malware through the Print Spooler service.

Known Campaigns

Confirmed or highly attributed operations linked to this threat actor.

Hong Kong Pro-Democracy & Media Targeting (2019-2021)

Multi-year espionage campaign targeting pro-democracy and human rights organizations in Hong Kong, news media outlets across Taiwan, Hong Kong, Australia, Germany, and France, and educational institutions. Initial access primarily via spearphishing and watering hole attacks, deploying Cobalt Strike and ShadowPad for persistence.

Government & Crypto Financial Operations (2021-2022)

Simultaneous espionage and financially motivated operations exposed by Trend Micro in January 2022. Government targets across seven countries were hit alongside gambling companies in China and cryptocurrency platforms. Attackers exploited ProxyShell and Oracle GlassFish vulnerabilities, deploying Cobalt Strike, ShadowPad, Winnti, and Doraemon backdoors. Cryptominers were also deployed, possibly as cover for espionage activity.

Southeast Asia & Balkans Server Exploitation (2023)

Aggressive exploitation of public-facing servers targeting government departments in Southeast Asia, Central Asia, and the Balkans. The group deployed the newly discovered SprySOCKS Linux backdoor alongside Cobalt Strike, ShadowPad, and Winnti for Linux. Targeted vulnerabilities included Fortinet, GitLab, Microsoft Exchange, Telerik UI, and Zimbra.

Taiwan Election Geopolitical Lure (2023-2024)

Social engineering campaign timed to coincide with Taiwanese national elections in January 2024. Used a stolen document from a Taiwanese geopolitical expert discussing China's gray zone warfare as a lure. Delivered via 7-Zip archive containing malicious LNK files with obfuscated JavaScript loaders, ultimately deploying Cobalt Strike. Used DLL hijacking via an abused Qihoo executable.

KTLVdoor Multiplatform Backdoor Deployment (2024)

Deployed a previously unknown Golang-based cross-platform backdoor called KTLVdoor against a China-based trading company. The backdoor supports both Windows and Linux, masquerades as system utilities (sshd, Java, bash), and communicates with over 50 C2 servers hosted on Alibaba infrastructure. The extensive infrastructure suggests the tool may be shared with other Chinese-speaking threat actors or be in early-stage testing.

Earth Krahang Government Infrastructure Abuse (2022-2024)

Related intrusion set (Earth Krahang) with strong operational links to Earth Lusca, assessed as a separate penetration team under the same i-Soon umbrella. Compromised government infrastructure in 23 countries, out of 45 nations targeted in total, and used that access to attack additional government entities. Deployed PlugX, ShadowPad, and unique backdoors while sharing limited infrastructure with Earth Lusca.

Tools & Malware

Known custom and commodity tools associated with this actor. Earth Lusca maintains a diverse arsenal spanning both custom-developed malware and widely shared Chinese APT tooling.

  • Cobalt Strike: Commercial adversary simulation framework heavily abused by Earth Lusca as a primary post-exploitation tool. Deployed after initial access via spearphishing, watering holes, or server exploitation. Used for command execution, lateral movement, and as a staging platform for additional payloads.
  • ShadowPad: Modular backdoor shared across multiple Chinese APT groups. Supports plug-in-based functionality including keylogging, screenshot capture, file retrieval, and surveillance. Earth Lusca was among the first groups observed using a new obfuscation method for ShadowPad in late 2020. Remains encrypted on disk and decodes only in memory.
  • SprySOCKS: Custom Linux backdoor discovered by Trend Micro in September 2023. Based on the open-source Windows backdoor Trochilus, with functions rewritten for Linux. Named for its swift behavior and SOCKS implementation. C2 protocol resembles RedLeaves, and the interactive shell is similar to the Linux variant of Derusbi. Still under active development at time of discovery.
  • KTLVdoor: Cross-platform Golang backdoor discovered in September 2024. Supports both Windows (.dll) and Linux (.so) and masquerades as system utilities (sshd, Java, SQLite, bash, edr-agent). Features file manipulation, command execution, remote port scanning, and highly obfuscated configuration using a "KTLV" marker. Over 50 C2 servers on Alibaba infrastructure were identified.
  • Winnti (Linux variant): Linux version of the Winnti backdoor, a signature tool of the broader Winnti collective. Used for long-term persistent access in espionage operations. Supports traffic signaling and encrypted communications.
  • Doraemon: Older backdoor first encountered around 2016 in incidents involving Korean and Taiwanese gaming companies. Named for its original DLL filename (Doraemon.dll). Rarely discussed publicly but deployed by Earth Lusca in later operations.
  • Mimikatz: Open-source credential harvesting tool used for LSASS memory dumping, DCSync attacks, and exploitation of the ZeroLogon vulnerability (CVE-2020-1472) against domain controllers.
  • PowerSploit: Open-source PowerShell post-exploitation framework used for reconnaissance, privilege escalation, and credential access within compromised environments.
  • NBTscan: Network scanner used for NetBIOS name resolution and host discovery during lateral movement.
  • Cobalt Strike Aggressor Scripts: Custom CNA scripts that send notifications (via messaging APIs) when a new beacon initializes, enabling rapid operator response to successful infections.
  • BIOPASS RAT: Previously unreported remote access trojan discovered during Earth Lusca monitoring, used in watering hole attacks targeting Chinese gambling companies.

Indicators of Compromise

Publicly available IOCs from Trend Micro and community reporting. Verify currency before operational use.

Warning: IOCs may be stale or burned after public disclosure. Earth Lusca frequently rotates infrastructure across Alibaba-hosted VPS, G-Core Labs, and Kaopu Cloud providers. Cross-reference with live threat intel feeds before blocking.

indicators of compromise — SprySOCKS campaign (2023)
ip (c2) 207.148.75[.]122
ip (c2) 45.32.33[.]17
hash (sha256) — SprySOCKS v1.1 f8b5cf0c1c8bfb4d0e5a545aa46198a0e1e4ea4a2c2e7719d17e87e46a5438d0
hash (sha256) — SprySOCKS v1.3.6 ab3aceb22b8dab85f4b5b68fe1a5c30b9ad4a6fb38645e5c6bb8d2f23b2e3fba

indicators of compromise — Taiwan election lure (2023-2024)
filename China_s gray zone warfare against Taiwan.7z
technique Malicious LNK files with 255 space character obfuscation in arguments
technique Dean Edwards JavaScript Packer obfuscation
payload marker 4d534346 (MSCF — Microsoft Cabinet File signature)

indicators of compromise — KTLVdoor campaign (2024)
config marker KTLV (in malware configuration file)
infrastructure 50+ C2 servers hosted on Alibaba Cloud (China)
format Windows: .dll / Linux: .so (Golang cross-compiled)
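As an added triage example (not code from Trend Micro's reporting or from this profile's sources), the following Python scans a file's bytes for the three artefact types listed for the election-lure campaign: a long run of spaces padding a shortcut's argument string, the MSCF cabinet signature, and the Dean Edwards packer prologue. The sample inputs are constructed for the example and are not real campaign files.

```python
import re
from typing import Dict

SPACE_RUN_THRESHOLD = 255
MSCF = b"MSCF"  # 4d 53 43 46, Microsoft Cabinet file signature
# Prologue emitted by the Dean Edwards JavaScript packer
PACKER_PROLOGUE = re.compile(rb"eval\(function\(p,a,c,k,e,[dr]\)")

def longest_space_run(data: bytes) -> int:
    """Longest run of spaces in either ASCII or UTF-16LE form
    (LNK string data such as the argument field is UTF-16LE)."""
    best = 0
    for m in re.finditer(rb"(?: \x00)+", data):
        best = max(best, len(m.group()) // 2)
    for m in re.finditer(rb" +", data):
        best = max(best, len(m.group()))
    return best

def triage_blob(data: bytes) -> Dict[str, object]:
    """Heuristic findings for one file's bytes."""
    run = longest_space_run(data)
    return {
        "is_lnk": data[:4] == b"\x4c\x00\x00\x00",  # LNK HeaderSize field == 76
        "space_padding": run >= SPACE_RUN_THRESHOLD,
        "longest_space_run": run,
        "cab_offsets": [m.start() for m in re.finditer(re.escape(MSCF), data)],
        "packed_js": bool(PACKER_PROLOGUE.search(data)),
    }

def is_suspicious(findings: Dict[str, object]) -> bool:
    return bool(findings["space_padding"] or findings["cab_offsets"] or findings["packed_js"])

# Constructed samples: a shortcut-like blob whose argument string is padded
# with 300 spaces and that carries a cabinet marker, a packed JavaScript
# loader, and a benign text file.
SAMPLE_LNK = (b"\x4c\x00\x00\x00" + b"\x01\x14\x02\x00" + b"\x00" * 16
              + ("/c" + " " * 300 + "wscript loader.js").encode("utf-16-le")
              + b"\x00\x00" + MSCF + b"\x00" * 32)
SAMPLE_JS = b"eval(function(p,a,c,k,e,d){return p}('x',1,1,'x'.split('|'),0,{}))"
SAMPLE_TXT = b"Quarterly report: nothing to see here.\n"

if __name__ == "__main__":
    for name, blob in (("lnk", SAMPLE_LNK), ("js", SAMPLE_JS), ("txt", SAMPLE_TXT)):
        print(name, is_suspicious(triage_blob(blob)), triage_blob(blob))
```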
Note: Comprehensive IOC lists including full hash sets, IP addresses, and DLL decryptor tools are published in the Trend Micro technical briefs linked in the Sources section below. AlienVault OTX maintains a compiled collection of 46+ RedHotel/Earth Lusca IOCs including 20 domains and 26 IP addresses.

Mitigation & Defense

Recommended defensive measures for organizations in this actor's target profile. Earth Lusca relies heavily on exploiting known vulnerabilities and social engineering, making timely patching and user awareness the highest-impact defenses.

  • Patch public-facing servers immediately: Prioritize patching for Microsoft Exchange (ProxyShell, ProxyLogon), Fortinet FortiOS, GitLab, Zimbra, Oracle GlassFish, and Telerik UI. Earth Lusca actively scans for and exploits N-day vulnerabilities in internet-exposed services. Implement a centralized patch management system and track CISA's Known Exploited Vulnerabilities catalog.
  • Harden email and web gateways: Deploy advanced email filtering to detect spearphishing links and malicious archive attachments (.7z, .LNK files). Block execution of LNK files from archive downloads and monitor for obfuscated JavaScript payloads. Train users to recognize geopolitically themed social engineering lures.
  • Monitor for Cobalt Strike and ShadowPad indicators: Deploy behavioral detection rules for Cobalt Strike beacon activity, including named pipe patterns, malleable C2 profiles, and in-memory injection. Monitor for ShadowPad's characteristic DNS-based C2 and domain generation algorithms. Implement memory scanning capabilities, as ShadowPad decodes only in memory.
  • Protect credential stores: Monitor for LSASS memory access by non-standard processes (ProcDump, Mimikatz). Enable Credential Guard on Windows systems. Audit for DCSync activity and ZeroLogon exploitation attempts (CVE-2020-1472). Implement privileged access management for domain admin accounts.
  • Secure Linux infrastructure: Monitor for SprySOCKS and KTLVdoor activity on Linux servers. Audit for unexpected ELF binaries, unusual SOCKS proxy connections, and processes masquerading as system utilities (sshd, java, bash). Check /root/.ssh for unauthorized SSH keys planted for persistent access.
  • Segment and monitor lateral movement: Implement network segmentation to limit blast radius. Monitor for abnormal RDP connections, WMI execution, and PowerShell-based network discovery. Alert on WinRAR archive creation in sensitive directories and outbound connections to MEGA cloud storage (megacmd exfiltration).
  • Detect DLL side-loading and persistence: Monitor the Print Spooler service for unauthorized print processor registrations. Audit registry keys at HKLM\SYSTEM\ControlSet001\Control\Print\Environments and HKCU\Environment\UserInitMprLogonScript for malicious modifications. Watch for new Windows services created with suspicious binpath values.
  • Implement web application firewalls: Deploy WAF protection on all public-facing web servers. Monitor for vulnerability scanning activity and injection attempts. Reduce attack surface by disabling unnecessary services and enforcing the principle of least privilege on server configurations.
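The following Python is an added example, not code from this profile's sources, showing how several of the detection points above (and the T1053.005, T1547.012, T1567.002 and T1003.001 rows of the TTP table) can be expressed as rules over host telemetry. The event field names, the print-processor baseline and the sample events are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Baseline of print-processor DLL names expected on a stock host (assumption
# for this example; build the real list from your own golden image).
KNOWN_PRINT_PROCESSORS = {"winprint.dll"}
LSASS_DUMP_TOOLS = ("procdump", "mimikatz")

def flag_event(event: Dict[str, str]) -> Optional[str]:
    """Map one telemetry event to a rule name, or None if nothing matches."""
    kind = event["type"]
    if kind == "registry_set":
        key = event["key"].lower()
        # T1547.012: Driver value under ...\Print\Environments\<arch>\Print Processors\<name>
        # naming a DLL outside the baseline (the Print Spooler loads it)
        if "\\control\\print\\environments\\" in key and "\\print processors\\" in key:
            if event["name"].lower() == "driver" and event["data"].lower() not in KNOWN_PRINT_PROCESSORS:
                return "print-processor-persistence"
        # Logon-script persistence via HKCU\Environment\UserInitMprLogonScript
        if key.endswith("\\environment") and event["name"].lower() == "userinitmprlogonscript":
            return "logon-script-persistence"
    elif kind == "process_create":
        cmd = event["cmdline"].lower()
        # T1053.005: schtasks /Create with an ONLOGON trigger running as SYSTEM
        if re.search(r"\bschtasks\b.*/create", cmd) and "/sc onlogon" in cmd and "/ru system" in cmd:
            return "schtasks-onlogon-system"
        # T1567.002: megacmd-style upload to MEGA cloud storage
        if re.search(r"\bmega(cmd|-put)\b", cmd):
            return "mega-cloud-upload"
    elif kind == "process_access":
        # T1003.001: a known dumping tool opening a handle to lsass.exe
        src = event["source"].lower()
        if event["target"].lower().endswith("\\lsass.exe") and any(t in src for t in LSASS_DUMP_TOOLS):
            return "lsass-dump-tool"
    return None

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event_index, rule) for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        rule = flag_event(ev)
        if rule:
            hits.append((i, rule))
    return hits

# Constructed sample telemetry, not real Earth Lusca artefacts.
PP_KEY = r"HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors"
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": PP_KEY + r"\updproc", "name": "Driver", "data": "updproc.dll"},
    {"type": "registry_set", "key": PP_KEY + r"\winprint", "name": "Driver", "data": "winprint.dll"},
    {"type": "registry_set", "key": r"HKCU\Environment", "name": "UserInitMprLogonScript", "data": r"C:\Users\Public\s.bat"},
    {"type": "process_create", "cmdline": r'schtasks /Create /SC ONLOGON /RU SYSTEM /TN Updater /TR "C:\ProgramData\u.exe"'},
    {"type": "process_create", "cmdline": r"megacmd put C:\Temp\docs.rar /backup"},
    {"type": "process_access", "source": r"C:\Temp\procdump64.exe", "target": r"C:\Windows\System32\lsass.exe"},
    {"type": "process_access", "source": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\lsass.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` flags events 0, 2, 3, 4 and 5 and leaves the stock winprint.dll registration and the svchost.exe LSASS access alone.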
Note: Earth Lusca infrastructure frequently overlaps with other Chinese APT groups due to shared tooling (ShadowPad, Winnti) and possible contractor relationships. Attribution to Earth Lusca specifically should be based on the convergence of infrastructure patterns, TTPs, and victimology rather than any single indicator. The i-Soon leak and subsequent U.S. DOJ indictments (March 2025) provide the strongest public attribution chain to date.

Sources & Further Reading

Attribution and references used to build this profile.
