Chinese APT Group 'Earth Krahang' Breaches 70 Organizations in 23 Countries

A sophisticated hacking campaign attributed to a Chinese Advanced Persistent Threat (APT) group known as 'Earth Krahang' has breached 70 organizations and targeted at least 116 across 45 countries. The campaign, ongoing since early 2022, primarily targets government organizations

Attack Overview:

The hackers exploit vulnerable internet-facing servers and use spear-phishing emails to deploy custom backdoors for cyberespionage. They abuse breached government infrastructure to attack other governments, build VPN servers on compromised systems, and crack passwords for valuable email accounts through brute-forcing.

Tools and Techniques:

The threat actors employ open-source tools to scan public-facing servers for specific vulnerabilities, such as CVE-2023-32315 (Openfire) and CVE-2022-21587 (Oracle Web Apps). They deploy webshells to gain unauthorized access and establish persistence within victim networks. Spear-phishing emails, themed around geopolitical topics, serve as initial access vectors.

Attack Chain:

Once inside the network, Earth Krahang hosts malicious payloads, proxies attack traffic, and uses compromised government email accounts for further spear-phishing. Malicious attachments drop backdoors, spreading infection and ensuring redundancy in case of detection. The attackers brute force Exchange credentials and exfiltrate emails from Zimbra servers.

Tools Used:

The threat group utilizes various tools such as Cobalt Strike, RESHELL, and XDealer, which provide command execution and data collection capabilities. XDealer is particularly sophisticated, supporting both Linux and Windows systems, and can capture screenshots, log keystrokes, and intercept clipboard data.


Initially tied to the China-nexus actor Earth Lusca, Earth Krahang is now considered a separate cluster. There are potential links to the Chinese entity I-Soon, indicating a dedicated task force for cyberespionage on government entities. Tools associated with other threat groups, like RESHELL and XDealer, are likely shared among multiple actors, each with distinct encryption keys.


As a fellow security researcher and ethical hacker, it's crucial to acknowledge the severity of threats like the Earth Krahang campaign. These sophisticated attacks underscore the importance of continuous vigilance and proactive defense strategies. By leveraging our expertise and collaborating with the cybersecurity community, we can effectively combat such threats and bolster defenses against future attacks. Let's remain committed to staying informed, adaptive, and proactive in our efforts to safeguard organizations and individuals from cyber threats like Earth Krahang.

Next Post Previous Post
No Comment
Add Comment
comment url