{"id":56084,"date":"2024-05-16T00:00:00","date_gmt":"2024-05-16T00:00:00","guid":{"rendered":"urn:uuid:955abe7f-3ae5-1d01-f17b-34c676bc0e77"},"modified":"2024-05-16T00:00:00","modified_gmt":"2024-05-16T00:00:00","slug":"tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/","title":{"rendered":"Tracking the Progression of Earth Hundun&#8217;s Cyberespionage Campaign in 2024"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/hundun2-976:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"This report describes how Waterbear and Deuterbear \u2014 two of the tools in Earth Hundun's arsenal \u2014 operate, based on a campaign from 2024.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"malware,apt &amp; targeted attacks,cyber crime,research,articles, news, reports,reports,cyber threats,report\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-05-16\"> <meta property=\"article:tag\" content=\"apt &amp; targeted attacks\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/e\/earth-hundun-2.html\"> <title>Tracking the Progression of Earth Hundun&#8217;s Cyberespionage Campaign in 2024 | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/e\/earth-hundun-2.html\"><br \/>\n<meta property=\"og:title\" content=\"Tracking the Progression of Earth Hundun's Cyberespionage Campaign in 2024\"><br \/>\n<meta property=\"og:description\" content=\"This report describes how Waterbear and Deuterbear \u2014 two of the tools in Earth Hundun's arsenal \u2014 operate, based on a campaign from 2024.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/hundun2-976.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Tracking the Progression of Earth Hundun's Cyberespionage Campaign in 2024\"><br \/>\n<meta name=\"twitter:description\" content=\"This report describes how Waterbear and Deuterbear \u2014 two of the tools in Earth Hundun's arsenal \u2014 operate, based on a campaign from 2024.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/hundun2-976.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.528280233893\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"298132053\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.7515337423313\">\n<div class=\"article-details\" role=\"heading\" readability=\"36.950920245399\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">APT &amp; Targeted Attacks<\/p>\n<p class=\"article-details__description\">This report describes how Waterbear and Deuterbear \u2014 two of the tools in Earth Hundun&#8217;s arsenal \u2014 operate, based on a campaign from 2024.<\/p>\n<p class=\"article-details__author-by\">By: Pierre Lee, Cyris\tTseng <time class=\"article-details__date\">May 16, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"34.07301980198\">\n<div readability=\"13.826732673267\">\n<ul>\n<li><span class=\"rte-red-bullet\">Earth Hundun is known for targeting the Asia-Pacific and now employs updated tactics for infection spread and communication.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">This report details how Waterbear and Deuterbear operate, including the stages of infection, command and control (C&amp;C) interaction, and malware component behavior.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Deuterbear, while similar to Waterbear in many ways, shows advancements in capabilities such as including support for shellcode plugins, avoiding handshakes for RAT operation, and using HTTPS for C&amp;C communication.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Comparing the two malware variants, Deuterbear uses a shellcode format, possesses anti-memory scanning, and shares a traffic key with its downloader unlike Waterbear.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The evolution of Waterbear into Deuterbear indicates the development of tools for anti-analysis and detection evasion in Earth Hundun&#8217;s toolbox.<\/span><\/li>\n<\/ul>\n<p>In our <a href=\"https:\/\/www.trendmicro.com\/en_ph\/research\/24\/d\/earth-hundun-waterbear-deuterbear.html\">previous report<\/a>, we introduced the sophisticated cyberespionage campaign orchestrated by Earth Hundun, a threat actor known for targeting the Asia-Pacific region using the Waterbear malware and its latest iteration, Deuterbear. We first observed Deuterbear being used by Earth Hundun in October 2022, and it has since been part of the group\u2019s subsequent campaigns.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"4a8964\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/tracking-the-progression-of-earth-hundun-cyberespionage-campaign-\/fig-1.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/tracking-the-progression-of-earth-hundun-cyberespionage-campaign-\/fig-1.png\" alt=\"Figure 1. The industry distribution of endpoints infected by Waterbear and Deuterbear since 2022.\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. The industry distribution of endpoints infected by Waterbear and Deuterbear since 2022.<\/figcaption><\/div>\n<\/figure><\/div>\n<div>\n<div class=\"richText\" readability=\"46.5\">\n<div readability=\"38\">\n<p>Our analysis provided insights into the intricate workings of the downloader, detailing its infection flow, traffic behavior, anti-analysis techniques, and evolutionary trajectory.<\/p>\n<p>In this entry, we examine the behavior of the final Remote Access Trojan (RAT) that we recently managed to download from a C&amp;C server, based on an Earth Hundun campaign from 2024.<\/p>\n<p>In our first entry, we focused on the Waterbear downloader (the first stage) and examined its network behavior. This report uses a case study to describe how the threat actor uses the Waterbear RAT and plugin during the second stage and how Waterbear downloaders are spread to other machines, making it more difficult to detect and track.<\/p>\n<p>Furthermore, we examine the major updates to Deuterbear, including the ability to accept plugins with shellcode formats and the ability to function even without handshakes during RAT operation.<\/p>\n<p>Finally, we will share our findings about the interaction between Earth Hundun and its victims through the Waterbear and Deuterbear malware, showcasing the sophisticated tactics employed by this threat actor.<\/p>\n<p>The following flow chart from a previous campaign illustrates how Waterbear operates in the victim&#8217;s environment and then spreads more Waterbear downloaders across the internal network.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a class=\"bs-modal\" id=\"ac46b5\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/tracking-the-progression-of-earth-hundun-cyberespionage-campaign-\/fig-2.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/tracking-the-progression-of-earth-hundun-cyberespionage-campaign-\/fig-2.png\" alt=\"Figure 2. One of the Waterbear campaign attack chains\"> <\/a> <\/p>\n<p><figcaption>Figure 2. One of the Waterbear campaign attack chains<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<h2><span class=\"body-subhead-title\">First stage<\/span><\/h2>\n<p>Waterbear usually employs a group of three files for downloading purposes during the first stage of an attack (as mentioned in the previous report). These include the patched legitimate executable, the loader, and the encrypted downloader.<\/p>\n<h2><span class=\"body-subhead-title\">Second stage<\/span><\/h2>\n<ol readability=\"-1.5\">\n<li>After connecting to the C&amp;C server, we downloaded the Waterbear RAT (A) in memory, which contains several command codes inside (see Table 1 for the list of RAT commands). In this case, the Waterbear RAT (A) was only used to download the Waterbear plugin via RAT command 1010 and activate the first export function, \u201cStart\u201d, in the plugin to inject the chosen process.<\/li>\n<li readability=\"0\">The Waterbear plugin contains Waterbear downloader versions 0.27 and 0.28, both unencrypted, varying based on the process&#8217;s bit version. If the process is 32-bit, version 0.27 of the Waterbear downloader will run. On the other hand, version 0.28 will execute to facilitate further downloads on the 64-bit process.\n<p>Waterbear downloader versions 0.27 and 0.28 are the latest that we know of. Their behaviors are the same as the versions before 2020.<\/p>\n<\/li>\n<li>In this case, the Waterbear plugin injects into a 64-bit process, which results in version 0.28 of the Waterbear downloader trying to connect to the new C&amp;C IP address \u2014 which is assigned by Waterbear RAT (A) &nbsp;\u2014&nbsp; and download Waterbear RAT (B), which is almost the same as the previous one, just with a different RSA key inside.<\/li>\n<li>Waterbear RAT (B) will be used to collect the information from the infected machine, including the list of drives and files, and then further spread the Waterbear downloader to other machines. Interestingly, Earth Hundun will replace the C&amp;C string with an internal IP address after downloading the new stage of the RAT or downloader. This is to erase activity traces or connect to other C&amp;C servers in the victim&#8217;s environment, showing that the threat actor can arbitrarily choose its connection targets.<\/li>\n<\/ol>\n<h2><span class=\"body-subhead-title\">Waterbear RAT command<\/span><\/h2>\n<p>Since discussing Waterbear\u2019s functions in our previous blog entry, there have been more that have been implemented, with the latest version shown in the following table:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"19\">\n<tr>\n<th scope=\"col\"><b>Command group<\/b><\/th>\n<th scope=\"col\"><b>Command code (Hex)<\/b><\/th>\n<th scope=\"col\"><b>Command code (Dec)<\/b><\/th>\n<th scope=\"col\"><b>Capability<\/b><\/th>\n<\/tr>\n<tr>\n<td rowspan=\"11\" height=\"198\" width=\"64\">File management<\/td>\n<td width=\"64\">2<\/td>\n<td width=\"64\">2<\/td>\n<td width=\"64\">Enumerate disk drives<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">3<\/td>\n<td width=\"64\">3<\/td>\n<td width=\"64\">List files<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">4<\/td>\n<td width=\"64\">4<\/td>\n<td width=\"64\">Upload file to C&amp;C server<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">5<\/td>\n<td width=\"64\">5<\/td>\n<td width=\"64\">Download file from C&amp;C server<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">6<\/td>\n<td width=\"64\">6<\/td>\n<td width=\"64\">Rename file<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">7<\/td>\n<td width=\"64\">7<\/td>\n<td width=\"64\">Create folder<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">8<\/td>\n<td width=\"64\">8<\/td>\n<td width=\"64\">Delete file<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">A<\/td>\n<td width=\"64\">10<\/td>\n<td width=\"64\">Execute file<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">B<\/td>\n<td width=\"64\">11<\/td>\n<td width=\"64\">Move file<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">C<\/td>\n<td width=\"64\">12<\/td>\n<td width=\"64\">Disguise file metadata<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">D<\/td>\n<td width=\"64\">13<\/td>\n<td width=\"64\">File operation<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"18\" width=\"64\">Other<\/td>\n<td width=\"64\">326<\/td>\n<td width=\"64\">806<\/td>\n<td width=\"64\">Get system language, system time, and Windows installation date<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"9\" height=\"162\" width=\"64\">Window management<\/td>\n<td width=\"64\">327<\/td>\n<td width=\"64\">807<\/td>\n<td width=\"64\">Enumerate windows<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">329<\/td>\n<td width=\"64\">809<\/td>\n<td width=\"64\">Hide window<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">32A<\/td>\n<td width=\"64\">810<\/td>\n<td width=\"64\">Show window<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">32B<\/td>\n<td width=\"64\">811<\/td>\n<td width=\"64\">Close window<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">32C<\/td>\n<td width=\"64\">812<\/td>\n<td width=\"64\">Minimize window<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">32D<\/td>\n<td width=\"64\">813<\/td>\n<td width=\"64\">Maximize window<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">32F<\/td>\n<td width=\"64\">815<\/td>\n<td width=\"64\">Take a screenshot<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">330<\/td>\n<td width=\"64\">816<\/td>\n<td width=\"64\">Set screenshot event signaled<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">331<\/td>\n<td width=\"64\">817<\/td>\n<td width=\"64\">Remote desktop<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"6\" height=\"108\" width=\"64\">Process management<\/td>\n<td width=\"64\">332<\/td>\n<td width=\"64\">818<\/td>\n<td width=\"64\">Enumerate process<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">333<\/td>\n<td width=\"64\">819<\/td>\n<td width=\"64\">Terminate process<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">335<\/td>\n<td width=\"64\">821<\/td>\n<td width=\"64\">Suspend process with pID<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">336<\/td>\n<td width=\"64\">822<\/td>\n<td width=\"64\">Resume process with pID<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">337<\/td>\n<td width=\"64\">823<\/td>\n<td width=\"64\">Retrieve process module information<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">338<\/td>\n<td width=\"64\">824<\/td>\n<td width=\"64\">Retrieve process module information (for files or objects using the authenticode policy provider)<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" height=\"36\" width=\"64\">Network management<\/td>\n<td width=\"64\">339<\/td>\n<td width=\"64\">825<\/td>\n<td width=\"64\">Get extended TCP table<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">33A<\/td>\n<td width=\"64\">826<\/td>\n<td width=\"64\">SetTcpEntry Set state of the TCP connection with MIB_TCP_STATE_DELETE_TCB<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"6\" height=\"108\" width=\"64\">Service management<\/td>\n<td width=\"64\">33B<\/td>\n<td width=\"64\">827<\/td>\n<td width=\"64\">Enumerate services<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">33C<\/td>\n<td width=\"64\">828<\/td>\n<td rowspan=\"5\" width=\"64\">Manipulate service<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">33D<\/td>\n<td width=\"64\">829<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">33E<\/td>\n<td width=\"64\">830<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">33F<\/td>\n<td width=\"64\">831<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">340<\/td>\n<td width=\"64\">832<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td rowspan=\"2\" height=\"36\" width=\"64\">Configuration management<\/td>\n<td width=\"64\">341<\/td>\n<td width=\"64\">833<\/td>\n<td width=\"64\">Get C&amp;C in downloader configuration<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">342<\/td>\n<td width=\"64\">834<\/td>\n<td width=\"64\">Set C&amp;C in downloader configuration<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">Remote shell<\/td>\n<td width=\"64\">3EE<\/td>\n<td width=\"64\">1006<\/td>\n<td width=\"64\">Start remote shell<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">management<\/td>\n<td width=\"64\">3EF<\/td>\n<td width=\"64\">1007<\/td>\n<td width=\"64\">Exit remote shell<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">&nbsp;<\/td>\n<td width=\"64\">3F0<\/td>\n<td width=\"64\">1008<\/td>\n<td width=\"64\">Get remote shell PID<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">&nbsp;<\/td>\n<td width=\"64\">3F2<\/td>\n<td width=\"64\">1010<\/td>\n<td width=\"64\">Download plugin and execute the export function \u201cStart\u201d<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">Unknown<\/td>\n<td width=\"64\">514<\/td>\n<td width=\"64\">1300<\/td>\n<td width=\"64\">Unknown<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"6\" height=\"108\" width=\"64\">Registry management<\/td>\n<td width=\"64\">7DB<\/td>\n<td width=\"64\">2011<\/td>\n<td width=\"64\">Enumerate registry<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">7DC<\/td>\n<td width=\"64\">2012<\/td>\n<td width=\"64\">Enumerate registry value<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">7DD<\/td>\n<td width=\"64\">2013<\/td>\n<td width=\"64\">Create registry key<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">7DE<\/td>\n<td width=\"64\">2014<\/td>\n<td width=\"64\">Set registry value<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">7DF<\/td>\n<td width=\"64\">2015<\/td>\n<td width=\"64\">Delete registry key<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">7E0<\/td>\n<td width=\"64\">2016<\/td>\n<td width=\"64\">Delete registry value<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" height=\"54\" width=\"64\">Basic control<\/td>\n<td width=\"64\">1F41<\/td>\n<td width=\"64\">8001<\/td>\n<td width=\"64\">Get current window<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">1F44<\/td>\n<td width=\"64\">8004<\/td>\n<td width=\"64\">Set the infection mark in registry HKCU\\Console\\Quick\\Edit<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">1F45<\/td>\n<td width=\"64\">8005<\/td>\n<td width=\"64\">Terminate connection and RAT process<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"9\" height=\"162\" width=\"64\">Proxy<\/td>\n<td width=\"64\">2332<\/td>\n<td width=\"64\">9010<\/td>\n<td width=\"64\">Update C&amp;C IP address<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">2333<\/td>\n<td width=\"64\">9011<\/td>\n<td width=\"64\">Proxy data to the connected server<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">2334<\/td>\n<td width=\"64\">9012<\/td>\n<td width=\"64\">Shutdown all connections<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">2335<\/td>\n<td width=\"64\">9013<\/td>\n<td width=\"64\">Shutdown the given connection<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">2336<\/td>\n<td width=\"64\">9014<\/td>\n<td width=\"64\">Listen port<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">2337<\/td>\n<td width=\"64\">9015<\/td>\n<td width=\"64\">Proxy data via the specified socket handle<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">2338<\/td>\n<td width=\"64\">9016<\/td>\n<td width=\"64\">Close the specified socket handle<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">2339<\/td>\n<td width=\"64\">9017<\/td>\n<td width=\"64\">Shutdown both sending and receiving of a specific socket handle<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">233A<\/td>\n<td width=\"64\">9018<\/td>\n<td width=\"64\">Proxy the data from the socket back to the C&amp;C server<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p><sup>Table 1. List of Waterbear RAT commands<\/sup><\/p>\n<p>Before receiving the backdoor command, the RAT sends the victim\u2019s information to the C&amp;C server via command code 8002:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"2\">\n<tr>\n<th scope=\"col\">Data offset<\/th>\n<th scope=\"col\">Data size<\/th>\n<th scope=\"col\">Data content<\/th>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x00<\/td>\n<td width=\"64\">0x01<\/td>\n<td width=\"64\">IsUserAnAdmin<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x01<\/td>\n<td width=\"64\">0x9C<\/td>\n<td width=\"64\">GetVersionExA<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x9D<\/td>\n<td width=\"64\">0x10<\/td>\n<td width=\"64\">gethostbyname<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0xAD<\/td>\n<td width=\"64\">0x44<\/td>\n<td width=\"64\">gethostname<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0xF1<\/td>\n<td width=\"64\">0x18<\/td>\n<td width=\"64\">GetUserNameA<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x109<\/td>\n<td width=\"64\">0x04<\/td>\n<td width=\"64\">GetLastInputInfo<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x10D<\/td>\n<td width=\"64\">0x50<\/td>\n<td width=\"64\">GetWindowTextA&nbsp;<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x15D<\/td>\n<td width=\"64\">0x12<\/td>\n<td width=\"64\">GetAdaptersInfo<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x16F<\/td>\n<td width=\"64\">0x10<\/td>\n<td width=\"64\">Downloader version<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">0x17F<\/td>\n<td width=\"64\">0x30<\/td>\n<td width=\"64\">Drive of information in current process<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">0x1AF<\/td>\n<td width=\"64\">0x04<\/td>\n<td width=\"64\">Infection mark in HKCU\\Control Panel\\Colors<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x1B3<\/td>\n<td width=\"64\">0x04<\/td>\n<td width=\"64\">GetCurrentProcessId<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x1B7<\/td>\n<td width=\"64\">0x01<\/td>\n<td width=\"64\">RAT version<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p><sup>Table 2.&nbsp;The structure of victim information that Waterbear sends to the C&amp;C server<br \/><\/sup><\/p>\n<p>This section will explain Earth Hundun&#8217;s use of Deuterbear and provide a comprehensive analysis of the Deuterbear RAT.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"ab0485\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/tracking-the-progression-of-earth-hundun-cyberespionage-campaign-\/fig-3.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/tracking-the-progression-of-earth-hundun-cyberespionage-campaign-\/fig-3.png\" alt=\"Figure 3. Installation pathway of Deuterbear\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. Installation pathway of Deuterbear<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"47\">\n<div readability=\"39\">\n<p>The installation pathway of Deuterbear is depicted in Figure 3. Note that it is similar to Waterbear, which implements two stages to install the backdoor.<\/p>\n<p>In the first stage, the loader employs a basic XOR calculation to decrypt the downloader, facilitating the retrieval of the first stage RAT from the C&amp;C server. Subsequently, the threat actor applies the first stage RAT to survey the victim\u2019s system and identify an appropriate folder for persistence. This is where the second-stage Deuterbear components will be installed, including the loader with CryptUnprotectData decryption, the encrypted downloader, and associated registries (the decryption flow was discussed in the previous blog entry).<\/p>\n<p>In most of the infected systems, only the second stage Deuterbear is available. Our monitoring indicates that all components of the first stage Deuterbear are totally removed after the \u201cpersistence installation\u201d is completed. It seems that Earth Hundun prefers to keep the loaders using CryptUnprotectData decryption, even in cases where the successful installation of Deuterbear is achieved during the first stage. This strategy effectively protects their tracks and prevents the malware from easily being analyzed by threat researchers, particularly in simulated environments rather than real victim systems.<\/p>\n<h2><span class=\"body-subhead-title\">Deuterbear RAT<\/span><\/h2>\n<p>The Deuterbear RAT directly inherits several components from the downloader, including:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">All anti-analysis techniques (please refer to our previous report for more details).<\/span><\/li>\n<li><span class=\"rte-red-bullet\">HTTPS tunnel.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Routine to receive and send traffic.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">RC4 key to decrypt and encrypt traffic.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Routine to decrypt and encrypt the desired function.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Key to decrypt and encrypt the desired function.<\/span><\/li>\n<\/ul>\n<p>Due to having the same HTTPS channel and RC4 traffic key, Deuterbear RAT doesn&#8217;t require a handshake with the C&amp;C server to update communication protocols. This enables the threat actor to seamlessly control the client, regardless of whether the process is in the downloader or RAT status. Prior to executing backdoor commands, the Deuterbear RAT transmits victim information to the C&amp;C server via RAT command 975 with the structure (Table 3) highly reminiscent of the Waterbear RAT (Table 2).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"3\">\n<tr>\n<th scope=\"col\">Data offset<\/th>\n<th scope=\"col\">Data size<\/th>\n<th scope=\"col\">Data content<\/th>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">0x00<\/td>\n<td width=\"64\">0x04<\/td>\n<td width=\"64\">Signature in configuration of downloader (00 00 01 00)<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x04<\/td>\n<td width=\"64\">0x01<\/td>\n<td width=\"64\">IsUserAnAdmin<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x05<\/td>\n<td width=\"64\">0x20<\/td>\n<td width=\"64\">GetUserNameA<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x25<\/td>\n<td width=\"64\">0x80<\/td>\n<td width=\"64\">OS version<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0xA5<\/td>\n<td width=\"64\">0x04<\/td>\n<td width=\"64\">gethostbyname<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0xA9<\/td>\n<td width=\"64\">0x46<\/td>\n<td width=\"64\">gethostname<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0xEF<\/td>\n<td width=\"64\">0x50<\/td>\n<td width=\"64\">GetWindowTextA<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x13F<\/td>\n<td width=\"64\">0x04<\/td>\n<td width=\"64\">GetLastInputInfo<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x143<\/td>\n<td width=\"64\">0x26<\/td>\n<td width=\"64\">GetAdaptersInfo<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x169<\/td>\n<td width=\"64\">0x04<\/td>\n<td width=\"64\">GetCurrentProcessId<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x16D<\/td>\n<td width=\"64\">0x01<\/td>\n<td width=\"64\">RAT Version<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">0x16E<\/td>\n<td width=\"64\">0x04<\/td>\n<td width=\"64\">Infection mark in HKCU\\Control Panel\\Colors<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">0x172<\/td>\n<td width=\"64\">0x08<\/td>\n<td width=\"64\">Last write time of temp folder in system folder<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.5\">\n<div readability=\"22\">\n<p><sup>Table 3. The structure of victim information that Deuterbear sends to the C&amp;C server<\/sup><\/p>\n<h3><span class=\"body-subhead-title\">Deuterbear RAT command<\/span><\/h3>\n<p>Comparing Deuterbear with Waterbear reveals several functionalities directly replicated from the Waterbear RAT, such as process management, file management, and remote shell capabilities.&nbsp;<\/p>\n<p>Although Deuterbear streamlines its capabilities, retaining only 20 RAT commands (Table 4) compared to over 60 for Waterbear (Table 1), the Deuterbear RAT accepts more plugins to enhance flexibility and accommodate additional functionalities, including two shellcodes and a portable executable (PE) DLL via RAT command 979. After installing the plugins, the threat actor sends the next traffic to determine which plugin is launched. There are three kinds of protocols:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Execute the first shellcode and the first export function of PE(DLL)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Execute the second shellcode and the first export function of PE(DLL)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Only execute the first export function of PE(DLL)<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"14.5\">\n<tr>\n<th scope=\"col\"><b>Command group<\/b><\/th>\n<th scope=\"col\"><b>Command code (Hex)<\/b><\/th>\n<th scope=\"col\"><b>Command code (Dec)<\/b><\/th>\n<th scope=\"col\"><b>Capability<\/b><\/th>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"18\" width=\"64\" rowspan=\"6\">File management<\/td>\n<td width=\"64\">0x27<\/td>\n<td width=\"64\">39<\/td>\n<td width=\"64\">List files (date, size, name)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"64\">0x28<\/td>\n<td width=\"64\">40<\/td>\n<td width=\"64\">Upload file to C&amp;C server<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"64\">0x29<\/td>\n<td width=\"64\">41<\/td>\n<td width=\"64\">Download file from C&amp;C server<\/td>\n<\/tr>\n<tr>\n<td width=\"64\">0x2A<\/td>\n<td width=\"64\">42<\/td>\n<td width=\"64\">Rename file<\/td>\n<\/tr>\n<tr>\n<td width=\"64\">0x2C<\/td>\n<td width=\"64\">44<\/td>\n<td width=\"64\">SHFileOperationA<\/td>\n<\/tr>\n<tr>\n<td width=\"64\">0x2E<\/td>\n<td width=\"64\">46<\/td>\n<td width=\"64\">Execute File<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\" rowspan=\"2\">Process management<\/td>\n<td width=\"64\">0xE7<\/td>\n<td width=\"64\">231<\/td>\n<td width=\"64\">Enumerate process<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"64\">0xE8<\/td>\n<td width=\"64\">232<\/td>\n<td width=\"64\">Terminate targeted process<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\" rowspan=\"2\">Configuration management<\/td>\n<td width=\"64\">0x1FF<\/td>\n<td width=\"64\">511<\/td>\n<td width=\"64\">Collect data in the downloader configuration<br \/>&gt;C&amp;C string<br \/>&gt;Execution time<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"64\">0x200<\/td>\n<td width=\"64\">512<\/td>\n<td width=\"64\">Update data in the downloader configuration<br \/>&gt;C&amp;C string<br \/>&gt;Execution time<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\" rowspan=\"3\">Remote shell management&nbsp;<\/td>\n<td width=\"64\">0x2FC<\/td>\n<td width=\"64\">764<\/td>\n<td width=\"64\">Start remote shell<\/td>\n<\/tr>\n<tr>\n<td width=\"64\">0x2FD<\/td>\n<td width=\"64\">765<\/td>\n<td width=\"64\">Exit remote shell<\/td>\n<\/tr>\n<tr>\n<td width=\"64\">0x2FE<\/td>\n<td width=\"64\">766<\/td>\n<td width=\"64\">Get PID of remote shell<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" height=\"54\" width=\"64\">Basic control<\/td>\n<td width=\"64\">0x3CE<\/td>\n<td width=\"64\">974<\/td>\n<td width=\"64\">Get current window<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">0x3D1<\/td>\n<td width=\"64\">977<\/td>\n<td width=\"64\">Set infection mark in HKCU\\Control Panel\\Colors<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">0x3D2<\/td>\n<td width=\"64\">978<\/td>\n<td width=\"64\">Terminate connection and RAT process<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td rowspan=\"5\" height=\"234\" width=\"64\">Plugins management<\/td>\n<td width=\"64\">0x3D3<\/td>\n<td width=\"64\">979<\/td>\n<td width=\"64\"><span class=\"rte-red-bullet\">Download plugins from C&amp;C server:<br \/>&gt;PE (DLL)<br \/><\/span>&gt;First Shellcode (Encrypted by key fromconfig of downloader)&nbsp;&nbsp;<br \/>&gt;Second shellcode(Encrypted by key from config of downloader)&nbsp;<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">0x3D4<\/td>\n<td width=\"64\">980<\/td>\n<td>Uninstall plugins<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"54\" width=\"64\">0x3E8~0x578<\/td>\n<td width=\"64\">1000~1400<\/td>\n<td width=\"64\"><span class=\"rte-red-bullet\">Execute plugins<br \/>&gt;First shellcode<br \/><\/span>&gt;First export function of PE (DLL)&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">&gt; 0x578<\/td>\n<td width=\"64\">&gt; 1400<\/td>\n<td width=\"64\">Execute plugins<br \/>&gt;Second shellcode<br \/>&gt;First export function of PE (DLL)<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td height=\"36\" width=\"64\">Other<\/td>\n<td width=\"64\">Other<\/td>\n<td width=\"64\" readability=\"5\">\n<p>Execute plugins<\/p>\n<p>&gt;First export function of PE (DLL)<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p><sup>Table 4. List of Deuterbear RAT commands<\/sup><\/p>\n<p>Examples of similarities in backdoor commands between Waterbear and Deuterbear are shown in the images from Figure 4 to Figure 6.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"d7bca8\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/tracking-the-progression-of-earth-hundun-cyberespionage-campaign-\/fig-4.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/tracking-the-progression-of-earth-hundun-cyberespionage-campaign-\/fig-4.png\" alt=\"Figure 4. The function that starts remote shell in Waterbear RAT (left) and Deuterbear RAT (right) \"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 4. The function that starts remote shell in Waterbear RAT (left) and Deuterbear RAT (right) <\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"84fb46\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/tracking-the-progression-of-earth-hundun-cyberespionage-campaign-\/fig-5.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/tracking-the-progression-of-earth-hundun-cyberespionage-campaign-\/fig-5.png\" alt=\"Figure 5. The function that enumerates disk drives in Waterbear RAT (left) and Deuterbear RAT (right) \"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 5. The function that enumerates disk drives in Waterbear RAT (left) and Deuterbear RAT (right) <\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a class=\"bs-modal\" id=\"97f9e9\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/tracking-the-progression-of-earth-hundun-cyberespionage-campaign-\/fig-6.png\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/tracking-the-progression-of-earth-hundun-cyberespionage-campaign-\/fig-6.png\" alt=\"Figure 6. The function that lists files in Waterbear RAT (left) and Deuterbear RAT (right)\"> <\/a> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 6. The function that lists files in Waterbear RAT (left) and Deuterbear RAT (right)<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Comparing the Waterbear and Deuterbear downloaders, Table 5 shows the differences in the RAT part:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"8\">\n<tr>\n<th scope=\"col\">Properties<\/th>\n<th scope=\"col\">Waterbear RAT<\/th>\n<th scope=\"col\">Deuterbear RAT<\/th>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">Format<\/td>\n<td width=\"64\">PE file<\/td>\n<td width=\"64\">Shellcode<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">Anti-Memory scanning<\/td>\n<td width=\"64\">No<\/td>\n<td width=\"64\">Yes<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">C&amp;C communication<\/td>\n<td width=\"64\">HTTP<\/td>\n<td width=\"64\">HTTPS<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">Size of packet header<\/td>\n<td width=\"64\">10<\/td>\n<td width=\"64\">5<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Share the same traffic key with downloader<\/td>\n<td>No<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td height=\"18\" width=\"64\">Format of Plugin<\/td>\n<td width=\"64\">PE file<\/td>\n<td width=\"64\">PE file and shellcode<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"18\" width=\"64\">Registry of infection mark<\/td>\n<td width=\"64\">HKCU\\Console\\Quick\\Edit<\/td>\n<td width=\"64\">HKCU\\Control Panel\\Colors<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">Counts of backdoor command<\/td>\n<td width=\"64\">60+<\/td>\n<td width=\"64\">20<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td>Functionality of backdoor command<\/td>\n<td height=\"18\" width=\"64\">File management<br \/>Process management<br \/>Configuration management<br \/>Remote Shell management<br \/>Windows management<br \/>Registry management<br \/>Service management<br \/>Network management<br \/>Proxy<\/td>\n<td width=\"64\">File management<br \/>Process management<br \/>Configuration management<br \/>Remote Shell management<br \/>Plugins management<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"42.852779953015\">\n<div readability=\"31.523884103367\">\n<p><sup>Table 5. Differences between the Waterbear RAT and Deuterbear RAT<\/sup><\/p>\n<p>Waterbear has gone through continuous evolution, eventually giving rise to the emergence of a new malware, Deuterbear. Interestingly, both Waterbear and Deuterbear continue to evolve independently, rather than one simply replacing the other.<\/p>\n<p>Based on the <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/d\/earth-hundun-waterbear-deuterbear.html\">downloader analysis<\/a> presented in April 2024. We made a comprehensive examination of the RAT, which is a component seldom downloaded from the C&amp;C server due to temporary port openings. Through a systematic comparison of Deuterbear and Waterbear in the loader, downloader, RAT and behavioral aspects, we gained insights into the evolution of the techniques employed by Earth Hundun. While the Waterbear and Deuterbear family represent just one facet of the group\u2019s arsenal, we believe that continuous refinement of tools will be implemented in other malware for anti-analysis, and detection evasion, particularly in traffic and file handling.<\/p>\n<p>Organizations can defend themselves from Earth Hundun attacks by performing a memory scan for downloads and the Waterbear and Deuterbear RATs. Furthermore, detecting the registry used to <b>decrypt <\/b>the Deuterbear downloader can help scan for its presence within the system.<\/p>\n<p><span class=\"body-subhead-title\">MITRE ATT&amp;CK<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"10%\">\n<tbody readability=\"36.5\">\n<tr>\n<th scope=\"col\"><b>Tactic<\/b><\/th>\n<th scope=\"col\"><b>Technique<\/b><\/th>\n<th scope=\"col\"><b>ID<\/b><\/th>\n<th scope=\"col\"><b>Description<\/b><\/th>\n<\/tr>\n<tr readability=\"2\">\n<td rowspan=\"2\" height=\"42\" width=\"64\">Execution<\/td>\n<td width=\"64\">Shared Modules<\/td>\n<td width=\"64\">T1129&nbsp;&nbsp;<\/td>\n<td width=\"64\">Dynamically loads the DLLs through the shellcode<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">Native API<\/td>\n<td width=\"64\">T1106&nbsp;&nbsp;<\/td>\n<td width=\"64\">Dynamically loads the APIs through the shellcode<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td rowspan=\"2\" height=\"42\" width=\"64\">Persistence&nbsp;&nbsp;<\/td>\n<td width=\"64\">Hijack Execution Flow: DLL Side-Loading<\/td>\n<td width=\"64\">T1574.002<\/td>\n<td width=\"64\">Uses modified legitimate executable to load the malicious DLL<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"18\" width=\"64\">Boot or Logon Autostart Execution: Print Processors<\/td>\n<td width=\"64\">T1547.012<\/td>\n<td width=\"64\">Deuterbear abuses print processors to run malicious DLLs during system&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">Privilege Escalation<\/td>\n<td width=\"64\">Process Injection<\/td>\n<td width=\"64\">T1055<\/td>\n<td width=\"64\">Waterbear and Deuterbear inject the targeted process<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td rowspan=\"4\" height=\"72\" width=\"64\">Defense Evasion<\/td>\n<td width=\"64\">Deobfuscate\/Decode Files or Information<\/td>\n<td width=\"64\">T1140<\/td>\n<td width=\"64\">Uses RC4 or CryptUnprotectData to decrypt encrypted downloader<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">Execution Guardrails<\/td>\n<td width=\"64\">T1480<\/td>\n<td width=\"64\">Targets specific path\/registry in the victim\u2019s environment<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td height=\"18\" width=\"64\">Virtualization\/Sandbox Evasion: Time Based Evasion<\/td>\n<td width=\"64\">T1497.003<\/td>\n<td width=\"64\">Deuterbear checks sandbox by API, Sleep, whether normal operation.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">Debugger Evasion<\/td>\n<td width=\"64\">T1622<\/td>\n<td width=\"64\">Deuterbear checks debugger mode by process time.<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td rowspan=\"6\" height=\"108\" width=\"64\">Discovery<\/td>\n<td width=\"64\">File and Directory Discovery<\/td>\n<td width=\"64\">T1083<\/td>\n<td width=\"64\">Waterbear and Deuterbear RAT searches files and directories or in specific locations.<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"18\" width=\"64\">System Network Configuration Discovery: Internet Connection Discovery<\/td>\n<td width=\"64\">T1016.001<\/td>\n<td width=\"64\">Downloaders check for internet connectivity on compromised systems.<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td height=\"18\" width=\"64\">System Network Connections Discovery<\/td>\n<td width=\"64\">T1049<\/td>\n<td width=\"64\">Waterbear and Deuterbear RAT lists network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">Process Discovery<\/td>\n<td width=\"64\">T1057<\/td>\n<td width=\"64\">Waterbear and Deuterbear RAT searches specific process.<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td height=\"18\" width=\"64\">System Information Discovery<\/td>\n<td width=\"64\">T1082<\/td>\n<td width=\"64\">Waterbear and Deuterbear RAT get detailed information about the operating system and hardware, including version, username, and architecture.<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">Query Registry<\/td>\n<td width=\"64\">T1012<\/td>\n<td width=\"64\">Queries data from registry to decrypt downloader<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"18\" width=\"64\">Lateral Movement<\/td>\n<td width=\"64\">Remote Services: Windows Remote Management<\/td>\n<td width=\"64\">T1021.006<\/td>\n<td width=\"64\">Waterbear and Deuterbear RAT control remote shell<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">Collection<\/td>\n<td width=\"64\">Data from Local System<\/td>\n<td width=\"64\">T1005<\/td>\n<td width=\"64\">Collects basic information of victim<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"18\" width=\"64\">Exfiltration<\/td>\n<td width=\"64\">Exfiltration Over Command-and-Control Channel<\/td>\n<td width=\"64\">T1041<\/td>\n<td width=\"64\">Sends collected data to C&amp;C<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td rowspan=\"3\" height=\"63\" width=\"64\">Command and Control<\/td>\n<td width=\"64\">Application Layer Protocol: Web Protocols<\/td>\n<td width=\"64\">T1071.001<\/td>\n<td width=\"64\">Downloaders communicate with C&amp;C by HTTP\/HTTPS<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td height=\"18\" width=\"64\">Encrypted Channel<\/td>\n<td width=\"64\">T1573<\/td>\n<td width=\"64\">Employs a RC4\/RSA to conceal command and control traffic<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"18\" width=\"64\">Data Encoding: Non-Standard Encoding<\/td>\n<td width=\"64\">T1132.002<\/td>\n<td width=\"64\">Encodes traffic with a non-standard RC4 to make the content of traffic more difficult to detect<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"27.084210526316\">\n<div readability=\"6.1157894736842\">\n<p>The indicators of compromise for this entry can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/e\/tracking-the-progression-of-earth-hundun-cyberespionage-campaign-\/ioc-tracking-the-progression-of-earth-hundun-cyberespionage-campaign-in-2024.txt\">on this link<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/e\/earth-hundun-2.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This report describes how Waterbear and Deuterbear \u2014 two of the tools in Earth Hundun&#8217;s arsenal \u2014 operate, based on a campaign from 2024. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9521,9513,9509],"class_list":["post-56084","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Tracking the Progression of Earth Hundun&#039;s Cyberespionage Campaign in 2024 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Tracking the Progression of Earth Hundun&#039;s Cyberespionage Campaign in 2024 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-05-16T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/hundun2-976:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Tracking the Progression of Earth Hundun&#8217;s Cyberespionage Campaign in 2024\",\"datePublished\":\"2024-05-16T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\\\/\"},\"wordCount\":2684,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/hundun2-976:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : APT&amp;Targeted Attacks\",\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\\\/\",\"name\":\"Tracking the Progression of Earth Hundun's Cyberespionage Campaign in 2024 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/hundun2-976:Large?qlt=80\",\"datePublished\":\"2024-05-16T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/hundun2-976:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/hundun2-976:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : APT&amp;Targeted Attacks\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-apttargeted-attacks\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Tracking the Progression of Earth Hundun&#8217;s Cyberespionage Campaign in 2024\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Tracking the Progression of Earth Hundun's Cyberespionage Campaign in 2024 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/","og_locale":"en_US","og_type":"article","og_title":"Tracking the Progression of Earth Hundun's Cyberespionage Campaign in 2024 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-05-16T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/hundun2-976:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Tracking the Progression of Earth Hundun&#8217;s Cyberespionage Campaign in 2024","datePublished":"2024-05-16T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/"},"wordCount":2684,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/hundun2-976:Large?qlt=80","keywords":["Trend Micro Research : APT&amp;Targeted Attacks","Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Crime","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/","url":"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/","name":"Tracking the Progression of Earth Hundun's Cyberespionage Campaign in 2024 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/hundun2-976:Large?qlt=80","datePublished":"2024-05-16T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/hundun2-976:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/hundun2-976:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/tracking-the-progression-of-earth-hunduns-cyberespionage-campaign-in-2024\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : APT&amp;Targeted Attacks","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-apttargeted-attacks\/"},{"@type":"ListItem","position":3,"name":"Tracking the Progression of Earth Hundun&#8217;s Cyberespionage Campaign in 2024"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56084","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=56084"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56084\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=56084"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=56084"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=56084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}