{"id":44962,"date":"2022-01-24T00:00:00","date_gmt":"2022-01-24T00:00:00","guid":{"rendered":"urn:uuid:901dd53f-ed1d-cf95-2563-0d82ca498c54"},"modified":"2022-01-24T00:00:00","modified_gmt":"2022-01-24T00:00:00","slug":"investigating-apt36-or-earth-karkaddans-attack-chain-and-malware-arsenal","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware-arsenal\/","title":{"rendered":"Investigating APT36 or Earth Karkaddan\u2019s Attack Chain and Malware Arsenal"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Thumb_Earth%20Karkaddan%20APT_641\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.740286298569\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article 
class=\"research-layout--wrapper row\" data-article-pageid=\"379442141\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"10.785714285714\">\n<div class=\"article-details\" role=\"heading\" readability=\"41.181818181818\"> <\/p>\n<p class=\"article-details__display-tag\">APT &amp; Targeted Attacks<\/p>\n<p class=\"article-details__description\">We investigated the most recent activities of APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group, and discuss its use of CapraRAT, an Android RAT with clear similarities in design to the group\u2019s favored Windows malware, Crimson RAT. <\/p>\n<p class=\"article-details__author-by\">By: Trend Micro <time class=\"article-details__date\">January 24, 2022<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"40.923076923077\">\n<div readability=\"32.916387959866\">\n<p>APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group, has historically targeted Indian military and diplomatic resources. 
This APT group (also referred to as <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/16\/c\/indian-military-personnel-targeted-by-information-theft-campaign.html\">Operation C-Major<\/a>, PROJECTM, <a href=\"https:\/\/www.techrepublic.com\/article\/compromising-a-government-network-is-so-simple-an-out-of-the-box-dark-web-rat-can-do-it\/\">Mythic Leopard, and Transparent Tribe<\/a>) has been known to use social engineering and phishing lures as an entry point, after which it deploys the Crimson RAT malware to steal information from its victims.<\/p>\n<p>In late 2021, we saw the group use CapraRAT, an Android RAT with clear similarities in design to the group\u2019s favored Windows malware, Crimson RAT. It is interesting to see the degree of crossover in terms of function names, commands, and capabilities between the tools, which we cover in more detail in our technical brief, <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf\">\u201cEarth Karkaddan APT: Adversary Intelligence and Monitoring (AIM) Report.\u201d<\/a><\/p>\n<p>Our investigation is based on Trend Micro Smart Protection Network (SPN) data gathered from January 2020 to September 2021.<\/p>\n<h2><span class=\"body-subhead-title\">Looking into one of Earth Karkaddan\u2019s recent campaigns<\/span><\/h2>\n<p>Typically, Earth Karkaddan\u2019s arrival methods include spear-phishing emails and a USB worm, either of which then drops and executes a remote access trojan (RAT).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig1_Earth%20Karkaddan%20APT.png\" alt=\"Figure 1. 
Earth Karkaddan\u2019s attack chain\"><figcaption>Figure 1. Earth Karkaddan\u2019s attack chain<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The malicious emails feature a variety of lures to deceive victims into downloading malware, including fraudulent government documents, honeytraps showing profiles of attractive women, and recently, coronavirus-themed information.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig2_Earth%20Karkaddan%20APT.jpg\" alt=\"Figure 2. An example of a fake government-related spear-phishing email \"><figcaption>Figure 2. An example of a fake government-related spear-phishing email <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig3_Earth%20Karkaddan%20APT.png\" alt=\"Figure 3. An example of a coronavirus-related spear-phishing email attachment\"><figcaption>Figure 3. 
An example of a coronavirus-related spear-phishing email attachment<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Once the victim runs the malicious macro, it decrypts an embedded executable dropper hidden inside a text box, saves it to a hardcoded path, and then executes it on the machine.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig4_Earth%20Karkaddan%20APT.png\" alt=\"Figure 4. Malicious macro that decrypts an executable hidden inside a text box\"><figcaption>Figure 4. Malicious macro that decrypts an executable hidden inside a text box<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig5_Earth%20Karkaddan%20APT.png\" alt=\"Figure 5. Examples of encrypted Crimson RAT executables hidden inside text boxes\"><figcaption>Figure 5. Examples of encrypted Crimson RAT executables hidden inside text boxes<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Once the dropper runs, it unzips a file named <i>mdkhm.zip<\/i> and then executes a Crimson RAT executable named <i>dlrarhsiva.exe<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig6_Earth%20Karkaddan%20APT.png\" alt=\"Figure 6. 
The dlrarhsiva.exe Crimson RAT executable\"><figcaption>Figure 6. The dlrarhsiva.exe Crimson RAT executable<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>Earth Karkaddan actors are known to use the Crimson RAT malware in their campaigns; it communicates with its command-and-control (C&amp;C) server to download other malware or exfiltrate data.<\/p>\n<p>Our analysis shows that the Crimson RAT malware is compiled as a .NET binary with minimal obfuscation. This could indicate that the cybercriminal group behind this campaign is not well-funded.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig7_Earth%20Karkaddan%20APT.jpg\" alt=\"Figure 7. A list of minimally obfuscated commands, function names, and variables from a Crimson RAT malware sample\"><figcaption>Figure 7. A list of minimally obfuscated commands, function names, and variables from a Crimson RAT malware sample<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>Crimson RAT can steal credentials from browsers, collect antivirus information, capture screenshots, and list victim drives, processes, and directories. 
We have observed how an infected host communicates with a Crimson RAT C&amp;C server to send exfiltrated information including PC name, operating system (OS) information, and the location of the Crimson RAT malware inside the system.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig8_Earth%20Karkaddan%20APT.png\" alt=\"Figure 8. Network traffic from a Crimson RAT malware sample\"><figcaption>Figure 8. Network traffic from a Crimson RAT malware sample<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.6\">\n<div readability=\"14.4\">\n<h3><span class=\"body-subhead-title\">ObliqueRat Malware Analysis<\/span><\/h3>\n<p>Aside from the Crimson RAT malware, the Earth Karkaddan APT group is also known to use the <a href=\"https:\/\/blog.talosintelligence.com\/2021\/02\/obliquerat-new-campaign.html\">ObliqueRat malware<\/a> in its campaigns.<\/p>\n<p>This malware is also commonly distributed in spear-phishing campaigns using social engineering tactics to lure victims into downloading another malicious document. In one of its most recent campaigns, the lure used was that of the Centre for Land Warfare Studies (CLAWS) in New Delhi, India.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig17_Earth%20Karkaddan%20APT.png\" alt=\"Figure 9. Initial spear-phishing document with a link to another malicious document\"><figcaption>Figure 9. 
Initial spear-phishing document with a link to another malicious document<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>When the victim clicks the link, a document laced with a malicious macro is downloaded. Once the victim enables the macro, it downloads the ObliqueRAT malware, which is hidden inside an image file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig18_Earth%20Karkaddan%20APT.png\" alt=\"Figure 10. The downloaded &quot;1More-details.doc&quot; contains malicious macros that will download and execute the ObliqueRat malware in a victim\u2019s machine\"><figcaption>Figure 10. The downloaded &#8220;1More-details.doc&#8221; contains malicious macros that will download and execute the ObliqueRat malware in a victim\u2019s machine<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The macros inside the file download a bitmap image (BMP) file in which the ObliqueRAT malware is hidden, decode the downloaded BMP file to recover the malware, and then establish persistence by creating a Startup URL that automatically runs ObliqueRAT.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig19_Earth%20Karkaddan%20APT.png\" alt=\"Figure 11. 
Malicious macro codes will download, decode, and execute the ObliqueRat malware<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>Figure 12 shows a summary of the ObliqueRat malware\u2019s infection chain:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig20_Earth%20Karkaddan%20APT.png\" alt=\"Figure 12. ObliqueRat attack chain\"><figcaption>Figure 12. ObliqueRat attack chain<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>Below is a list of backdoor commands that this particular ObliqueRAT malware variant can perform:<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"7\">\n<tr>\n<td width=\"312\" valign=\"top\">\n<p><b>Command (v5.2)<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\">\n<p><b>Info<\/b><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"312\" valign=\"top\">\n<p><b>0<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\">\n<p>System information<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"312\" valign=\"top\">\n<p><b>1<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"5\">\n<p>List drive and drive type<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"312\" valign=\"top\">\n<p><b>3<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"5\">\n<p>Find certain files and file sizes<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"312\" valign=\"top\">\n<p><b>4<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"5\">\n<p>Send back zip files (specified filename)<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"312\" valign=\"top\">\n<p><b>4A\/4E<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\">\n<p>Send back zip 
files<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"312\" valign=\"top\">\n<p><b>5<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"5\">\n<p>Find certain files and file sizes<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"312\" valign=\"top\">\n<p><b>6<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"7\">\n<p>Zip certain folder, send back to C&amp;C, then delete it<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"312\" valign=\"top\">\n<p><b>7<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\">\n<p>Execute commands<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"312\" valign=\"top\">\n<p><b>8<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\">\n<p>Receive file from C&amp;C<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"312\" valign=\"top\">\n<p><b>BACKED<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\">\n<p>Back up the file lgb<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"312\" valign=\"top\">\n<p><b>RNM<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\">\n<p>Rename file<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"312\" valign=\"top\">\n<p><b>TSK<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\">\n<p>List running processes<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"312\" valign=\"top\">\n<p><b>EXIT<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\">\n<p>Stop execution<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"312\" valign=\"top\">\n<p><b>RESTART<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"5\">\n<p>Restart connection to C&amp;C<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"312\" valign=\"top\">\n<p><b>KILL<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\">\n<p>Kill certain processes<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"312\" valign=\"top\">\n<p><b>AUTO<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\">\n<p>Find certain files<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"312\" valign=\"top\">\n<p><b>RHT<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\">\n<p>Delete 
files<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Note that in this specific campaign, both the Crimson RAT malware downloader document and the ObliqueRat malware downloader share the same download domain, which is sharingmymedia[.]com. This indicates that both malware types were actively used in Earth Karkaddan APT campaigns.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig21_Earth%20Karkaddan%20APT.png\" alt=\"Figure 13. Crimson RAT and ObliqueRat spear-phishing email attachments that feature the same download domain\"><figcaption>Figure 13. Crimson RAT and ObliqueRat spear-phishing email attachments that feature the same download domain<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"45.245901639344\">\n<div readability=\"36.393442622951\">\n<h3><span class=\"body-subhead-title\">CapraRAT, One of Earth Karkaddan\u2019s custom Android RAT<\/span><\/h3>\n<p>Aside from using spear-phishing emails and a USB worm as arrival vectors, Earth Karkaddan also uses Android RATs that could be deployed by means of malicious phishing links. This is not particularly novel for the APT group \u2014&nbsp;in 2018, it used <a href=\"https:\/\/www.amnesty.org\/en\/documents\/asa33\/8366\/2018\/en\/\">StealthAgent<\/a> (detected by Trend Micro as AndroidOS_SMongo.HRX), an Android spyware that can intercept phone calls and messages, track victims\u2019 locations, and steal photos. 
In 2020, Earth Karkaddan used an updated version of the <a href=\"https:\/\/securelist.com\/transparent-tribe-part-2\/98233\/\">AhMyth Android RAT<\/a> to target Indian military and government personnel via a disguised porn app and a fraudulent national Covid-19 tracking app.<\/p>\n<p>We observed this group using another Android RAT \u2014 Trend Micro has named it \u201cCapraRAT\u201d \u2014 which is possibly a modified version of an open-source RAT called AndroRAT. While analyzing this Android RAT, we saw several capabilities similar to those of the Crimson RAT malware that the group usually uses to infect Windows systems.<\/p>\n<p>We have been observing CapraRAT samples since 2017, and one of the first samples we analyzed (SHA-256: d9979a41027fe790399edebe5ef8765f61e1eb1a4ee1d11690b4c2a0aa38ae42, detected by Trend Micro as AndroidOS_Androrat.HRXD) revealed some interesting details about that year: it used &#8220;com.example.appcode.appcode&#8221; as the APK package name and was signed with a possibly public certificate, \u201c74bd7b456d9e651fc84446f65041bef1207c408d,\u201d which suggests the sample was used for testing and that the group had only just started using it in campaigns during that year.<\/p>\n<p>The C&amp;C domain android[.]viral91[.]xyz, to which the malware connected, also suggests that the APT team very likely uses subdomains to host or connect to Android malware. In previous years, some Crimson RAT samples were also found to be hosted on the viral91[.]xyz domain.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig22_Earth%20Karkaddan%20APT.png\" alt=\"Figure 14. 
CrimsonRAT malware hosted in viral91[.]xyz<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.726730310263\">\n<div readability=\"26.128878281623\">\n<p>We were also able to source a <a href=\"https:\/\/www.hybrid-analysis.com\/sample\/16f3a362b75a93d1090a8ba8c78578766c3384ef976e980089add2c46a46a87f?environmentId=100\">phishing document<\/a>, \u201c<a href=\"https:\/\/www.hybrid-analysis.com\/sample\/16f3a362b75a93d1090a8ba8c78578766c3384ef976e980089add2c46a46a87f?environmentId=100\">csd_car_price_list_2017<\/a>,\u201d that is related to this domain and was seen in the wild in 2017. This file name is interesting, as \u201ccsd\u201d is likely associated with the &#8220;Canteen Stores Department&#8221; in Pakistan, which is operated by the Pakistani Ministry of Defence. This is a possible lure to get Indian targets to open the malicious attachment, and it was also used in a similar attack in 2021.<\/p>\n<p>After downloading this malicious app, which possibly arrived via a malicious link, the user needs to grant permissions upon installation to give the RAT access to stored information. 
The malware can do the following on a compromised device:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Access the phone number<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Launch other apps\u2019 installation packages<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Open the camera<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Access the microphone and record audio clips<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Access the unique identification number<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Access location information<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Access phone call history<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Access contact information<\/span><\/li>\n<\/ul>\n<p>Once the Android RAT is executed, it attempts to establish a connection to its C&amp;C server, 209[.]127[.]19[.]241[:]10284. We have observed that the Remote Desktop Protocol (RDP) certificate associated with this deployment, \u201cWIN-P9NRMH5G6M8,\u201d is a common string found in <a href=\"https:\/\/team-cymru.com\/blog\/2021\/07\/02\/transparent-tribe-apt-infrastructure-mapping-2\/\">previously identified Earth Karkaddan C&amp;C servers<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig23_Earth%20Karkaddan%20APT.png\" alt=\"Figure 15. 
Decompiled code from CapraRAT connecting to its C&amp;C server<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig24_Earth%20Karkaddan%20APT.png\" alt=\"Figure 16. CapraRAT config showing its C&amp;C server and port information \"><figcaption>Figure 16. CapraRAT config showing its C&amp;C server and port information <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig25_Earth%20Karkaddan%20APT.png\" alt=\"Figure 17. Backdoor commands found in CapraRAT\"><figcaption>Figure 17. Backdoor commands found in CapraRAT<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p>This APK file also has the ability to drop mp4 or APK files from its asset directory.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig26_Earth%20Karkaddan%20APT.png\" alt=\"Figure 18. CapraRAT APK file drops an mp4 file\"><figcaption>Figure 18. CapraRAT APK file drops an mp4 file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The RAT also has a persistence mechanism that always keeps the app active. 
It checks whether the service is still running every minute, and if it is not, the service will be launched again.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/Fig27_Earth%20Karkaddan%20APT.png\" alt=\"Figure 19. CapraRAT\u2019s persistence mechanism\"><figcaption>Figure 19. CapraRAT\u2019s persistence mechanism<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"30.740888666999\">\n<div readability=\"11.753869196206\">\n<h2><span class=\"body-subhead-title\">Reducing risks: How to defend against APT attacks<\/span><\/h2>\n<p>Earth Karkaddan has been stealing information since 2016 by means of creative social engineering lures and file-stealing malware. Users can adopt the following security best practices to thwart Earth Karkaddan attacks:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Be careful of opening unsolicited and unexpected emails, especially those that call for urgency<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Watch out for malicious email red flags, which include atypical sender domains and grammatical and spelling lapses<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Avoid clicking on links or downloading attachments in emails, especially from unknown sources<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Block threats that arrive via email such as malicious links using hosted email security and antispam protection<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Download apps only from trusted sources<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Be wary of the scope of app permissions<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Get multilayered mobile security solutions that can protect devices against online threats, malicious applications, and even data 
loss<\/span><\/li>\n<\/ul>\n<p>The following security solutions can also protect users from email-based attacks:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/email-and-collaboration\/cloud-app-security.html\"><b>Trend Micro\u2122 Cloud App Security<\/b><\/a><b>&nbsp;<\/b>\u2013 Enhances the security of Microsoft Office 365 and other cloud services via computer vision and real-time scanning. It also protects organizations from email-based threats.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/email-and-collaboration\/email-inspector.html\"><b>Trend Micro\u2122 Deep Discovery\u2122 Email Inspector<\/b><\/a><b>&nbsp;<\/b>\u2013 Defends users through a combination of real-time scanning and advanced analysis techniques for known and unknown attacks.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.trendmicro.com\/us\/enterprise\/product-security\/mobile-security\/\">Trend Micro<\/a>\u2122 <a href=\"https:\/\/www.trendmicro.com\/us\/enterprise\/product-security\/mobile-security\/\">Mobile Security for Enterprise<\/a> suite \u2013 Provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps and detects and blocks malware and fraudulent websites.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/mars.trendmicro.com\/\">Trend Micro\u2019s Mobile App Reputation Service<\/a> (MARS) \u2013 Covers Android and iOS threats using leading sandbox and <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/machine-learning\">machine learning<\/a> technologies to protect users against<\/span> malware, zero-day and known exploits, privacy leaks, and application 
vulnerability.<\/li>\n<\/ul>\n<p>A list of indicators can be found in this <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/a\/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal\/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf\">text file<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/a\/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We investigated the most recent activities of APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group, and discuss its use of CapraRAT, an Android RAT with clear similarities in design to the group\u2019s favored Windows malware, Crimson RAT. 
<\/p>\n","protected":false},"author":2,"featured_media":44963,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510],"class_list":["post-44962","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports"]}