Earth Lusca (G1006): Persistent and Evolving Threat Profile
- Suspected Origin
- China
- Motivation
- Espionage, Financial Gain
- Aliases
- TAG-22, Charcoal Typhoon, CHROMIUM, ControlX
- Target Sectors
- Government, Telecommunications, Technology, Education, News Media, Gambling, Cryptocurrency, COVID-19 Research, Religious Organizations, Human Rights Organizations, Customer Service
- Associated Malware
- Cobalt Strike, ShadowPad, Winnti, Spyder, KTLVdoor, SprySOCKS, SodaMaster, XDealer, RESHELL, Doraemon, WinDealer, FunnySwitch, BIOPASS RAT, Mimikatz
Overview
Earth Lusca, identified by MITRE ATT&CK as G1006, is a sophisticated, China-based cyber espionage group that has been actively operating since at least April 2019. This group is known by a variety of aliases, including TAG-22, Charcoal Typhoon, CHROMIUM, ControlX, FishMonger, Aquatic Panda, BountyGlad, Bronze University, Earth Krahang, RedDev10, RedHotel, and RedScylla. While Earth Lusca often employs malware and tradecraft seen in operations by other prominent Chinese threat groups like APT41 and the Winnti Group cluster, security researchers generally assess that Earth Lusca maintains its own distinct infrastructure and techniques, operating as an independent entity within this broader nexus of activity.
The primary motivations driving Earth Lusca’s operations appear to be a blend of cyberespionage, aimed at information theft and political intelligence gathering, and financial gain. Their espionage efforts frequently align with the strategic interests of the Chinese state, targeting entities of geopolitical significance. However, the group also demonstrates a clear financial incentive, evidenced by its attacks on gambling and cryptocurrency platforms. Earth Lusca exhibits a broad targeting scope, reaching organizations across the globe, including Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Their victimology spans government institutions—particularly those involved in foreign affairs, technology, and telecommunications—news media, educational institutions, COVID-19 research organizations, religious movements banned in China, pro-democracy and human rights organizations, and various financial entities.
Tactics & Techniques
Earth Lusca employs a diverse set of tactics, techniques, and procedures (TTPs) for initial access, persistence, defense evasion, and execution. Their operations typically begin with social engineering, often leveraging highly targeted spear phishing campaigns. These emails may contain malicious links or attachments, sometimes utilizing current geopolitical events as lures, such as Chinese-Taiwanese relations, to entice victims into clicking.
Another prevalent initial access vector is watering hole attacks. Earth Lusca compromises legitimate websites frequented by their targets or creates convincing fake web pages, then injects malicious JavaScript code to infect visitors. In some instances, they have directly injected malicious scripts into the human resources systems of compromised organizations to serve social engineering messages, like fake Flash update pop-ups, prompting victims to download malware.
The group also frequently exploits vulnerabilities in public-facing applications and servers. They have been observed targeting known security flaws in systems like Microsoft Exchange ProxyShell, Oracle GlassFish, Fortinet (CVE-2022-39952, CVE-2022-40684), GitLab (CVE-2021-22205), Pregress Telerik UI (CVE-2019-18935), and Zimbra (CVE-2019-9621, CVE-2019-9670), as well as exploiting Log4Shell against VMware Horizon servers. Successful exploitation often leads to the deployment of web shells or Cobalt Strike for deeper network penetration.
Once inside a network, Earth Lusca focuses on maintaining persistence and expanding its foothold. They achieve this through various methods, including registering malicious DLLs as Windows print processors, modifying registry keys for persistence (e.g., UserInitMprLogonScript), and using tools like Cobalt Strike. For defense evasion, the group uses sophisticated techniques such as strong code obfuscation, encrypted communications, and disguised binaries that masquerade as legitimate system utilities (e.g., sshd, java, bash, sqlite). They strip symbols and rename functions within their malware to random strings, making reverse engineering and detection significantly more challenging. Earth Lusca also leverages legitimate services like Cloudflare as a proxy for their command-and-control (C2) infrastructure to evade detection.
Credential access techniques include dumping LSASS process memory using tools like ProcDump and exploiting domain controllers via Mimikatz, sometimes leveraging vulnerabilities like ZeroLogon (CVE-2020-1472). For discovery, the group uses standard Windows commands and utilities such as ipconfig, netstat, Tasklist, whoami, and Nltest to gather information about network configurations, running processes, user accounts, and domain controllers. They also query RDP connection event logs to collect network intelligence. Data exfiltration often involves using Cobalt Strike and tools like megacmd to upload stolen files from victim networks to cloud storage services such as MEGA.
Notable Campaigns
Earth Lusca has been linked to numerous significant campaigns since its inception. Early activity, traced back to April 2019, included attacks targeting universities in Hong Kong by January 2020. In mid-2021, the group launched a watering hole campaign specifically targeting customer service companies in China, where they deployed their custom BIOPASS RAT malware.
Between 2021 and 2023, Earth Lusca conducted sustained espionage operations across at least 17 countries spanning Asia, Europe, and North America, demonstrating their broad operational reach. This period also saw significant targeting of Asian government entities and intergovernmental organizations. In December 2021, the group exploited the critical Log4Shell vulnerability against a large academic institution’s VMware Horizon server, though the intrusion was reportedly disrupted.
More recently, Earth Lusca has shown increasing aggression in targeting public-facing servers by exploiting n-day vulnerabilities. A campaign observed between December 2023 and January 2024 specifically leveraged Chinese-Taiwanese geopolitical relations as a social engineering lure to compromise selected targets, including a Taiwan-based academic think tank focused on international political and economic situations. This highlights their adaptability and willingness to tailor lures to current events.
Associated Malware & Tools
Earth Lusca maintains a comprehensive and evolving arsenal of malware and hacking tools, ranging from widely available penetration testing frameworks to custom-developed backdoors.
Among their most frequently used tools is Cobalt Strike, which serves as a versatile post-exploitation framework for command and control, lateral movement, and data exfiltration. They often deploy Cobalt Strike loaders, sometimes encoded via XOR, as an initial payload.
Other established malware families commonly employed by Earth Lusca include ShadowPad, Winnti, and Spyder. While these tools are also associated with other Chinese threat groups, Earth Lusca’s independent infrastructure distinguishes their operations. The group also utilizes Mimikatz for credential harvesting, especially in conjunction with exploits like ZeroLogon. Other off-the-shelf tools such as Acunetix and ProcDump have been observed in their operations.
Earth Lusca continuously develops and incorporates new custom malware into its operations. Notable custom tools include:
- KTLVdoor: A highly obfuscated, multi-platform backdoor written in Go. It can masquerade as legitimate system utilities (e.g.,
sshd,java,bash,sqlite) on both Windows and Linux systems, enabling remote command execution, port scanning, and file manipulation. KTLVdoor has been observed communicating with over 50 C2 servers, primarily hosted by Chinese ISP Alibaba. - SprySOCKS: A new Linux backdoor identified in recent campaigns. SprySOCKS appears to be a hybrid malware, originating from the open-source Windows malware “Trochilus” but integrating features reminiscent of “RedLeaves” (for C2 communication) and “Derusbi” (for its interactive shell implementation). It is loaded by an ELF injector component known as “mandibule” and operates under disguised process names like “kworker/0:22.” SprySOCKS provides capabilities for system information gathering, interactive shells, SOCKS proxy creation, and file operations, and is believed to be under active development.
- BIOPASS RAT: A custom remote access Trojan deployed in earlier watering hole campaigns, particularly against customer service companies in China.
- Doraemon: A backdoor with flexible C2 settings, including primary IP/DNS and public website URLs containing encrypted or clear text C2 addresses for persistence.
- WinDealer: A custom backdoor used in espionage campaigns for sustained access and data exfiltration from high-value targets.
- SodaMaster, XDealer (also known as DinodasRAT), RESHELL, and FunnySwitch are additional malware families attributed to Earth Lusca.
Their C2 infrastructure is extensive and dynamic, often utilizing virtual private servers (VPS) rented from providers and compromised web servers, with Cloudflare frequently employed as a proxy to obscure their true origins.
Current Status
Earth Lusca remains an active and adaptable threat actor, consistently evolving its TTPs and malware arsenal. Reports as recent as March 2026 highlight their continued focus on government, telecommunications, and technology sectors, particularly within the Asia-Pacific region. The group continues to introduce new tools, such as KTLVdoor, while simultaneously relying on its established espionage toolsets.
Evidence from February 2024 indicates a campaign leveraging geopolitical themes to target Taiwan-based entities, underscoring their ongoing cyberespionage motivations and strategic targeting. The development and deployment of new Linux backdoors like SprySOCKS, first observed in the first half of 2023, demonstrate their commitment to expanding capabilities across different operating systems and aggressively exploiting known vulnerabilities in public-facing servers. Earth Lusca’s operations indicate a long-term intelligence-gathering strategy, characterized by stealthy persistence and regular updates to their toolset to ensure prolonged espionage and continuous data collection. The identified overlaps in tooling and location with the I-Soon leak further suggest potential connections within the broader Chinese state-sponsored cyber ecosystem. Organizations should maintain a high level of vigilance against this group’s persistent and sophisticated threats.
Related content
Aquatic Panda (G0143) Threat Profile: Persistent Cyber Espionage Operations
Adversary ProfileAPT17 (Deputy Dog): A Persistent Chinese Cyber Espionage Threat
Adversary ProfileCarbanak Threat Profile: Financial Apex Predators
Adversary ProfileFIN6: From POS Skimming to Ransomware and Enterprise Infiltration
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call