According to security experts, a sophisticated cyberespionage campaign linked to China, known as Earth Krahang, has targeted over 70 organisations globally, predominantly government entities.
Trend Micro researchers have been monitoring the operation since early 2022, revealing that the group exploits public-facing servers and deploys phishing emails to develop two custom backdoors, RESHELL and XDealer, which it uses alongside the Cobalt Strike tool. XDealer, also known as DinodasRAT, has evolved since 2023, becoming more sophisticated with capabilities to target both Windows and Linux machines, including stealing screenshots, clipboard data, and logging keystrokes.
The cyberespionage operation utilises various tools and techniques, including open-source scanning tools and vulnerability-scanning tools like sqlmap and wordpressscan. Earth Krahang exploits those vulnerabilities in systems like OpenFire and Oracle Web Applications Desktop Integrator to infiltrate networks and employs phishing emails with geopolitical themes to trick victims into opening malicious attachments or clicking on URLs.
These tactics allow Earth Krahang to compromise government infrastructure, host malicious payloads, and conduct spear-phishing attacks, often using compromised government email accounts to target other government-related entities.
While government organisations are the primary targets, Earth Krahang also attacks sectors such as education and telecommunications across 23 countries, mainly in Asia and America. The group shares connections with other Chinese state-backed gangs and potentially with I-Soon, a Chinese security contractor implicated in extensive hacking campaigns against foreign governments.
Organisations are urged to implement robust cybersecurity measures, including employee training to recognise phishing attempts and ensuring software is regularly updated with security patches to thwart such attacks.