Earth Krahang APT Targets Organizations Worldwide


The Earth Krahang APT group has been found using a lesser-known RESHELL backdoor, alongside the XDealer backdoor, to infect organizations across the globe. Both backdoors are delivered through spear-phishing emails themed around geopolitical affairs.

Modus operandi

As part of the campaign, the attackers use compromised email addresses to send malicious attachments to users in the same organization. 

  • The emails are sent under the pretext of geopolitical topics, such as “Malaysian Ministry of Defense Circular,” “ICJ public hearings- Guyana vs. Venezuela,” or “Malaysian defense minister visits Hungary,” to lure users.
  • The malicious attachment is a RAR archive containing an LNK file that, when opened, runs the installers for the backdoor malware on the victim's system.
  • In some cases, the backdoors were found being delivered via web shell on compromised servers.
  • Researchers highlighted that the threat actor compromised a government web server and leveraged it to scan for vulnerabilities in other government targets.
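
Because the infection chain above hinges on an LNK file inside a RAR attachment, a practical defender-side step is to triage any LNK pulled from a mail attachment before anyone opens it. The following Python script is an added example written for this summary; it is not code from the report or from the threat actor, and the two LNK samples it builds are constructed in memory purely to exercise the parser (the real Earth Krahang lure contents are not on this page). It parses the Shell Link header, LinkTargetIDList, LinkInfo and StringData sections as laid out in the MS-SHLLINK specification and flags shortcuts whose relative path or arguments invoke a script host or other living-off-the-land binary, or that request a hidden/minimized window.

```python
import struct

# LinkCLSID that every Shell Link (.lnk) file must carry: 00021401-0000-0000-C000-000000000046
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# ShowCommand value that starts the target minimized and inactive (hides a console window)
SW_SHOWMINNOACTIVE = 7

# Hosts commonly abused to launch a payload from a shortcut (assumed watch-list for this example)
SUSPICIOUS_HOSTS = ("cmd.exe", "powershell", "mshta", "rundll32",
                    "wscript", "cscript", "regsvr32", "certutil")


def _string_data(text):
    """Encode one StringData entry: uint16 character count + UTF-16LE characters."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample_lnk(relative_path, working_dir, arguments, show_command=1):
    """Constructed sample: a minimal LNK with no IDList/LinkInfo, only StringData."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII",
                         0x4C, LNK_CLSID, flags,
                         0x20,            # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,         # creation / access / write FILETIMEs
                         0, 0,            # FileSize, IconIndex
                         show_command,
                         0, 0, 0, 0)      # HotKey, Reserved1, Reserved2, Reserved3
    return header + (_string_data(relative_path) + _string_data(working_dir)
                     + _string_data(arguments))


def is_lnk(blob):
    """True if the blob starts with a valid Shell Link header (size 0x4C + LinkCLSID)."""
    if len(blob) < 0x4C:
        return False
    header_size, clsid = struct.unpack_from("<I16s", blob, 0)
    return header_size == 0x4C and clsid == LNK_CLSID


def parse_lnk(blob):
    """Walk the LNK structure and return the StringData fields plus ShowCommand."""
    if not is_lnk(blob):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", blob, 0x14)[0]
    show_command = struct.unpack_from("<I", blob, 0x3C)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList: uint16 size + items
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: uint32 size includes itself
        pos += struct.unpack_from("<I", blob, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"show_command": show_command}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            count = struct.unpack_from("<H", blob, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            info[key] = blob[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
            pos += nbytes
    return info


def triage_lnk(blob):
    """Return parsed fields plus a list of findings and an overall suspicious flag."""
    info = parse_lnk(blob)
    findings = []
    launch = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    for host in SUSPICIOUS_HOSTS:
        if host in launch:
            findings.append(f"shortcut launches {host}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window hidden via SW_SHOWMINNOACTIVE")
    if "http" in launch:
        findings.append("arguments reference a URL")
    info["findings"] = findings
    info["suspicious"] = bool(findings)
    return info


if __name__ == "__main__":
    # Constructed samples: one lure-style shortcut, one ordinary document shortcut.
    lure = build_sample_lnk(r"..\..\Windows\System32\cmd.exe", r"%TEMP%",
                            "/c installer.exe", show_command=SW_SHOWMINNOACTIVE)
    benign = build_sample_lnk(r"..\Documents\report.docx", r"%USERPROFILE%", "")
    for name, blob in (("lure", lure), ("benign", benign)):
        print(name, triage_lnk(blob))
```

In a mail-gateway or sandbox pipeline the `triage_lnk` result would feed a quarantine decision; the watch-list and the hidden-window check are heuristics for a first pass, not a substitute for detonating the archive contents.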

