TrendMicro

Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan

Conclusion and security recommendations

Earth Kasha continues to be an active advanced persistent threat (APT) group and, in its latest campaign, which we detected in March 2025, is targeting government agencies and public institutions in Taiwan and Japan. The actors behind the group continue to rely on spear-phishing but have slightly modified the TTPs of their previous campaigns: ROAMINGMOUSE is now delivered in a malicious Excel file rather than a Word file, and the trigger for the malicious routine was switched from a mousemove event to a click event.

The ANEL sample we observed in this new campaign encrypts its version number in the same way as the ANEL sample from Earth Kasha’s 2024 campaign, but the 2025 sample implements a new command that executes a BOF (Beacon Object File) in memory. This latest campaign also potentially leveraged SharpHide for persistence: to launch the second-stage backdoor NOOPDOOR through Hidden Start (hstart64.exe), and to hide the MSBuild window on autorun.

Enterprises and organizations, especially those holding high-value assets such as sensitive governance data, intellectual property, infrastructure data, and access credentials, should remain vigilant and implement proactive security measures to avoid falling victim to cyberattacks. We recommend the following measures to help defend against the TTPs discussed in this blog:

  • Educate users on the risks of clicking and opening external or unrecognized OneDrive links, and apply a zero-trust policy when interacting with such links and files in unrecognized emails.
  • Monitor for potential abuse of DNS over HTTPS.
  • Disable macros in Office documents downloaded from the internet.
  • Make full use of endpoint detection and response (EDR) tools to detect suspicious activity.

Proactive security with Trend Vision One™

Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This holistic approach helps enterprises predict and prevent threats, accelerating proactive security outcomes across their respective digital estate. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.

Trend Vision One Threat Intelligence

To stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat Insights. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.

Trend Vision One Intelligence Reports App [IOC Sweeping]

Still in the Game: Earth Kasha’s Continued Spear-Phishing Campaign targeting Taiwan and Japan

Trend Vision One Threat Insights App

Emerging Threats: Still in the Game: Earth Kasha’s Continued Spear-Phishing Campaign targeting Taiwan and Japan

Threat Actor: Earth Kasha

Hunting Query

eventName:MALWARE_DETECTION AND (malName:*ROAMINGMOUSE* OR malName:*ANEL* OR malName:*NOOPLDR* OR malName:*NOOPDOOR*)

eventSubId: 301 AND (hostName: *.srmbr.net OR hostName: *.kyolpon.com)

eventSubId: 204 AND (dst: 172.233.73.249 OR dst: 172.105.62.188 OR dst: 192.46.215.56 OR dst: 139.162.38.102)
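The three hunting queries above can be reproduced offline against exported telemetry. The script below is an added example written for this page, not Trend Micro's code and not a Trend Vision One export format. The field names (eventName, malName, eventSubId, hostName, dst) and the indicators are taken from the queries on the page; the key=value log layout, the sample lines and the `host`/`ts` fields are constructed, and treating eventSubId 301 as a DNS query event and 204 as a network connection event follows how the page's queries use them (an assumption). It shows two details the one-line queries leave implicit: `*.domain` is a label-boundary suffix match, not a substring search, and the IP match is exact set membership.

```python
"""Offline IoC sweep modelled on the page's three hunting queries.

Added example, not Trend Micro's code. Log layout and sample lines are
constructed; the indicators are the ones listed on the page.
"""
import re
from typing import Dict, List, Optional

# Indicators taken from the page's hunting queries.
MALWARE_FAMILIES = ("ROAMINGMOUSE", "ANEL", "NOOPLDR", "NOOPDOOR")
C2_DOMAINS = ("srmbr.net", "kyolpon.com")
C2_IPS = frozenset({
    "172.233.73.249", "172.105.62.188", "192.46.215.56", "139.162.38.102",
})

# Constructed log lines (not real telemetry). The last three are near misses
# that a naive substring search or a loose event filter would wrongly flag.
SAMPLE_LOGS = [
    "ts=2025-03-10T08:01:12Z eventName=MALWARE_DETECTION malName=Trojan.Win64.ANEL.A host=ws-017",
    "ts=2025-03-10T08:01:40Z eventSubId=301 hostName=cdn.kyolpon.com host=ws-017",
    "ts=2025-03-10T08:02:03Z eventSubId=204 dst=172.105.62.188 dpt=443 host=ws-017",
    "ts=2025-03-10T08:02:05Z eventSubId=204 dst=172.105.62.1 dpt=443 host=ws-020",
    "ts=2025-03-10T08:03:11Z eventSubId=301 hostName=srmbr.net.example.org host=ws-021",
    "ts=2025-03-10T08:04:00Z eventSubId=302 hostName=cdn.kyolpon.com host=ws-022",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a space-separated key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def hostname_matches(hostname: str, domain: str) -> bool:
    """Mirror the query's *.domain wildcard: the apex or any subdomain,
    anchored at a label boundary so srmbr.net.example.org does not match."""
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the page's query the event satisfies, or None."""
    # Query 1: malware detections whose name contains a family name
    # (the page uses *NAME* wildcards, i.e. a case-insensitive substring).
    if event.get("eventName") == "MALWARE_DETECTION":
        mal = event.get("malName", "").upper()
        if any(fam in mal for fam in MALWARE_FAMILIES):
            return "malware_detection"
    # Query 2: DNS query events (eventSubId 301, assumed) for the C2 domains.
    if event.get("eventSubId") == "301":
        host = event.get("hostName", "")
        if any(hostname_matches(host, d) for d in C2_DOMAINS):
            return "c2_domain"
    # Query 3: network connections (eventSubId 204, assumed) to the C2 IPs.
    # Exact membership, so 172.105.62.1 is not mistaken for 172.105.62.188.
    if event.get("eventSubId") == "204" and event.get("dst") in C2_IPS:
        return "c2_ip"
    return None


def sweep(lines: List[str]) -> List[Dict[str, str]]:
    """Run every line through classify() and return the hits together with
    the endpoint that produced them, so a responder can pivot by host."""
    hits = []
    for line in lines:
        event = parse_line(line)
        rule = classify(event)
        if rule:
            hits.append({"ts": event.get("ts", ""),
                         "host": event.get("host", "?"),
                         "rule": rule})
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['host']}: matched {hit['rule']}")
```

Running it over the constructed lines reports three hits, all on ws-017, which is the picture a responder wants: a detection, a resolution of a C2 domain and a connection to a C2 address on the same endpoint within a minute. The three near-miss lines stay silent.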

Indicators of Compromise (IoC)

Download the list of IoCs here
