{"id":57012,"date":"2024-09-04T00:00:00","date_gmt":"2024-09-04T00:00:00","guid":{"rendered":"urn:uuid:f512b169-aebc-9d64-dea9-700c3229a651"},"modified":"2024-09-04T00:00:00","modified_gmt":"2024-09-04T00:00:00","slug":"earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/","title":{"rendered":"Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthLuscaKTLVdoor-Header:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"malware,articles, news, reports,research\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-09-04\"> <meta property=\"article:tag\" content=\"malware\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/i\/earth-lusca-ktlvdoor.html\"> <title>Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/i\/earth-lusca-ktlvdoor.html\"><br \/>\n<meta property=\"og:title\" content=\"Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion \"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/EarthLuscaKTLVdoor-Header.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion \"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/EarthLuscaKTLVdoor-Header.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.386947368421\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"192100916\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.7337278106509\">\n<div class=\"article-details\" role=\"heading\" readability=\"38.934911242604\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">While monitoring Earth Lusca, we discovered the threat group\u2019s use of KTLVdoor, a highly obfuscated multiplatform backdoor, as part of a large-scale attack campaign.<\/p>\n<p class=\"article-details__author-by\">By: Cedric Pernet, Jaromir Horejsi <time class=\"article-details__date\">September 04, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"50.604844674556\">\n<div readability=\"47.165680473373\">\n<h4>Summary<\/h4>\n<ul>\n<li><span class=\"rte-red-bullet\">During our monitoring of the Chinese-speaking threat actor Earth Lusca, we discovered a new multiplatform backdoor written in Golang, named KTLVdoor, which has both Microsoft Windows and Linux versions.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The malware&#8217;s configuration and communication involve sophisticated encryption and obfuscation techniques to hinder malware analysis.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The scale of the attack campaign is significant, with over 50 C&amp;C servers found hosted at a China-based company; it remains unclear whether the entire infrastructure is exclusive to Earth Lusca or shared with other threat actors.<\/span><\/li>\n<\/ul>\n<p>We discovered a new multiplatform backdoor written in Golang that we named KTLVdoor while monitoring Earth Lusca, a Chinese-speaking threat actor <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/b\/earth-lusca-uses-geopolitical-lure-to-target-taiwan.html\">we had previously covered<\/a>. Our investigation also uncovered both Microsoft Windows and Linux versions of this new malware family.<\/p>\n<p>This previously unreported malware is more complex than the usual tools used by the threat actor. It is highly obfuscated and is being spread in the wild impersonating various system utilities names or similar tools, such as sshd, java, sqlite, bash, edr-agent, and more. The backdoor (agent) is usually distributed as a dynamic library (DLL, SO). &nbsp;The malware features enable the attackers to fully control the environment: run commands, manipulate files, provide system and network information, using proxies, download\/upload files, scan remote ports and more.<\/p>\n<p>The scale of the attack campaign is surprising, as we were able to find more than 50 C&amp;C servers, all hosted at Alibaba in China, communicating with variants of the malware family. While some of those malware samples are tied to Earth Lusca with high confidence, we cannot be sure that the whole infrastructure is used solely by this threat actor. The infrastructure might be shared with other Chinese-speaking threat actors.<\/p>\n<p>We could only find one target of the operation for the moment, a trading company based in China. It is not the first time a Chinese-speaking threat actor has targeted a Chinese company; groups like <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/f\/noodle-rat-reviewing-the-new-backdoor-used-by-chinese-speaking-g.html\" target=\"_blank\" rel=\"noopener\">Iron Tiger<\/a> and <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/f\/behind-the-great-wall-void-arachne-targets-chinese-speaking-user.html\" target=\"_blank\" rel=\"noopener\">Void Arachne<\/a> have likewise used tools aimed specifically at Chinese-language speakers.<\/p>\n<h4>KTLVdoor malware analysis<\/h4>\n<h4><b>Highly obfuscated<\/b><\/h4>\n<p>Most of the samples discovered in this campaign are obfuscated: embedded strings are not directly readable, symbols are stripped and most of the functions and packages were renamed to random Base64-like looking strings, in an obvious effort from the developers to slow down the malware analysis (Figure 1).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion--\/EarthLuscaKTLVdoor-Fig1.png\" alt=\"Figure 1. Obfuscated function names as shown in decompiler\"> <\/p>\n<p><figcaption>Figure 1. Obfuscated function names as shown in decompiler<\/figcaption><\/p>\n<\/figure><\/div>\n<div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<h4>Configuration<\/h4>\n<p>The first step is the initialization of the agent\u2019s configuration parameters. The initialization values are XOR-encrypted and Base64-encoded in the agent\u2019s binary (Figure 2).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion--\/EarthLuscaKTLVdoor-Fig2.png\" alt=\"Figure 2. Example of the decrypted configuration\"> <\/p>\n<p><figcaption>Figure 2. Example of the decrypted configuration<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35.798882681564\">\n<div readability=\"16.905027932961\">\n<p>The configuration\u2019s file format is a custom <a href=\"https:\/\/en.wikipedia.org\/wiki\/Type%E2%80%93length%E2%80%93value\" target=\"_blank\" rel=\"noopener\">TLV<\/a>-like (length-type-length-value) format. The \u201cKTLV\u201d marker is usually prepended with four-byte length of the structure and behaves like a marker of the beginning of the structure. Then, a list of parameters and their values follows. From Figure 3, you can notice a \u201cproto\u201d parameter, which is five bytes long (notice 05 followed by <b>proto <\/b>string, followed by type 02 ( = string ), followed by length 04 ( = 4 bytes ), followed by string <b>http<\/b>, which is the protocol parameter value.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"7.5\">\n<figure class=\"image-figure\" readability=\"5\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion--\/EarthLuscaKTLVdoor-Fig3.png\" alt=\"Figure 3. Parameter proto, type string (02), value http, as stored in configuration file\"> <\/p>\n<p><figcaption>Figure 3. Parameter proto, type string (02), value http, as stored in configuration file<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"8\">\n<figure class=\"image-figure\" readability=\"6\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion--\/EarthLuscaKTLVdoor-Fig4.png\" alt=\"Figure 4. Parameter sleep, type long long (08), value 0x7530 = 30 000 milliseconds = 30 seconds, as stored in configuration file\"> <\/p>\n<p><figcaption>Figure 4. Parameter sleep, type long long (08), value 0x7530 = 30 000 milliseconds = 30 seconds, as stored in configuration file<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31\">\n<div class=\"responsive-table-wrap\" readability=\"7\">\n<p>The supported type formats are shown in Table 1:<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"1\">\n<tr>\n<td width=\"264\" valign=\"top\"><b>Value<\/b><\/td>\n<td width=\"360\" valign=\"top\"><b>Type<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"264\" valign=\"top\">01<\/td>\n<td width=\"360\" valign=\"top\">structure\/iteration (followed by KTLV marker)<\/td>\n<\/tr>\n<tr>\n<td width=\"264\" valign=\"top\">02<\/td>\n<td width=\"360\" valign=\"top\">string<\/td>\n<\/tr>\n<tr>\n<td width=\"264\" valign=\"top\">03<\/td>\n<td width=\"360\" valign=\"top\">boolean (1byte)<\/td>\n<\/tr>\n<tr>\n<td width=\"264\" valign=\"top\">08<\/td>\n<td width=\"360\" valign=\"top\">long long (8 bytes)<\/td>\n<\/tr>\n<tr>\n<td width=\"264\" valign=\"top\">09<\/td>\n<td width=\"360\" valign=\"top\">integer (4 bytes)<\/td>\n<\/tr>\n<tr>\n<td width=\"264\" valign=\"top\">0B<\/td>\n<td width=\"360\" valign=\"top\">byte (1 byte)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 1. Supported value type formats<\/span><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div class=\"responsive-table-wrap\" readability=\"8\">\n<p>The configuration file may contain the following parameters, as shown in Table 2:<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"6\">\n<tr>\n<td width=\"254\" valign=\"top\"><b>Parameter name<\/b><\/td>\n<td width=\"88\" valign=\"top\"><b>Type<\/b><\/td>\n<td width=\"282\" valign=\"top\"><b>Description\/comment<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"254\" valign=\"top\">listen<\/td>\n<td width=\"88\" valign=\"top\">string<\/td>\n<td width=\"282\" valign=\"top\">active mode (default) \/ passive mode<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">connect<\/td>\n<td width=\"88\" valign=\"top\">string<\/td>\n<td width=\"282\" valign=\"top\">Encrypted C&amp;C servers<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"254\" valign=\"top\">duplex<\/td>\n<td width=\"88\" valign=\"top\">boolean<\/td>\n<td width=\"282\" valign=\"top\">Simplex or duplex delivery<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">conn_timeout<\/td>\n<td width=\"88\" valign=\"top\">long long<\/td>\n<td width=\"282\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">max_read_limit<\/td>\n<td width=\"88\" valign=\"top\">long long<\/td>\n<td width=\"282\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">conn_max_retry<\/td>\n<td width=\"88\" valign=\"top\">long long<\/td>\n<td width=\"282\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">proxy<\/td>\n<td width=\"88\" valign=\"top\">string<\/td>\n<td width=\"282\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">proto<\/td>\n<td width=\"88\" valign=\"top\">string<\/td>\n<td width=\"282\" valign=\"top\">http, tcp, dns, icmp<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">domain<\/td>\n<td width=\"88\" valign=\"top\">string<\/td>\n<td width=\"282\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">host<\/td>\n<td width=\"88\" valign=\"top\">string<\/td>\n<td width=\"282\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"254\" valign=\"top\">secret<\/td>\n<td width=\"88\" valign=\"top\">string<\/td>\n<td width=\"282\" valign=\"top\">To decrypt value(s) of \u201cconnect\u201d<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">tls<\/td>\n<td width=\"88\" valign=\"top\">boolean<\/td>\n<td width=\"282\" valign=\"top\">Enabled or disabled<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">stls<\/td>\n<td width=\"88\" valign=\"top\">boolean<\/td>\n<td width=\"282\" valign=\"top\">Enabled or disabled<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">sleep<\/td>\n<td width=\"88\" valign=\"top\">long long<\/td>\n<td width=\"282\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">jitter<\/td>\n<td width=\"88\" valign=\"top\">long long<\/td>\n<td width=\"282\" valign=\"top\">Sleep time variation<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">silent<\/td>\n<td width=\"88\" valign=\"top\">boolean<\/td>\n<td width=\"282\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">long_connection_boundary<\/td>\n<td width=\"88\" valign=\"top\">long long<\/td>\n<td width=\"282\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"254\" valign=\"top\">short_connection_wait_time<\/td>\n<td width=\"88\" valign=\"top\">long long<\/td>\n<td width=\"282\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">client_id<\/td>\n<td width=\"88\" valign=\"top\">string<\/td>\n<td width=\"282\" valign=\"top\">Hardcoded GUID of target<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"254\" valign=\"top\">external_channel_enabled<\/td>\n<td width=\"88\" valign=\"top\">boolean<\/td>\n<td width=\"282\" valign=\"top\">Should get external IP or not<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">external_type<\/td>\n<td width=\"88\" valign=\"top\">string<\/td>\n<td width=\"282\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"254\" valign=\"top\">auth_param<\/td>\n<td width=\"88\" valign=\"top\">struct<\/td>\n<td width=\"282\" valign=\"top\">Contains \u201chttp_header\u201d and \u201curi\u201d<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">http_header<\/td>\n<td width=\"88\" valign=\"top\">string<\/td>\n<td width=\"282\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">uri<\/td>\n<td width=\"88\" valign=\"top\">string<\/td>\n<td width=\"282\" valign=\"top\">Request\u2019s URL path<\/td>\n<\/tr>\n<tr>\n<td width=\"254\" valign=\"top\">debug<\/td>\n<td width=\"88\" valign=\"top\">boolean<\/td>\n<td width=\"282\" valign=\"top\">Enabled or disabled<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 2. Supported configuration parameters<\/span><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.048213081591\">\n<div class=\"responsive-table-wrap\" readability=\"11.838165879973\">\n<p>The configuration is processed, and the internal configuration structure (Config) is updated. Part of the Config structure is the HostInfo structure, which also contains additional parameters about the currently infected machine (Table 3). These structures are updated based on the current machine environment.<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"4.912510936133\">\n<tr>\n<td width=\"208\" valign=\"top\"><b>Parameter name<\/b><\/td>\n<td width=\"74\" valign=\"top\"><b>Type<\/b><\/td>\n<td width=\"342\" valign=\"top\"><b>Description\/comment<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">Session<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">Randomly generated GUID during each run<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">RealIP<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">Obtained from ipconfig \/ ifconfig<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Username<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Hostname<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">ProcessName<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Executable<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">PID<\/td>\n<td width=\"74\" valign=\"top\">uint32<\/td>\n<td width=\"342\" valign=\"top\">Process ID<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">ParentProcessName<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">PPID<\/td>\n<td width=\"74\" valign=\"top\">uint32<\/td>\n<td width=\"342\" valign=\"top\">Parent process ID<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Arch<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">32 or 64 bit<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">OS<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">OS name<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Platform<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">OS name + version<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Disks<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">List of available disks<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">DiskDetails<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">List of available disks + their sizes<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Uptime<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">Feature<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">MachineGuid from HKLM\\SOFTWARE\\Microsoft\\Cryptography<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Protocol<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">Value from the config<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Proxy<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">Value from the config<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Domain<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">Value from the config<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Host<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">Value from the config<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">TLSEnable<\/td>\n<td width=\"74\" valign=\"top\">boolean<\/td>\n<td width=\"342\" valign=\"top\">Value from the config<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">STLSEnable<\/td>\n<td width=\"74\" valign=\"top\">boolean<\/td>\n<td width=\"342\" valign=\"top\">Value from the config<\/td>\n<\/tr>\n<tr readability=\"1.6330275229358\">\n<td width=\"208\" valign=\"top\">ExternalIP<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">External IP address obtained via <a href=\"http:\/\/myip.ipip.net\/\" target=\"_blank\" rel=\"noopener\">http:\/\/myip.ipip.net<\/a>; only if external_channel_enabled set<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">SleepTime<\/td>\n<td width=\"74\" valign=\"top\">uint64<\/td>\n<td width=\"342\" valign=\"top\">Value from the config<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Jitter<\/td>\n<td width=\"74\" valign=\"top\">uint64<\/td>\n<td width=\"342\" valign=\"top\">Value from the config<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">ReConnectTime<\/td>\n<td width=\"74\" valign=\"top\">uint64<\/td>\n<td width=\"342\" valign=\"top\">Value from the config<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Env<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">Environment variables<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">ClientID<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">Value from the config<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">IsAdmin<\/td>\n<td width=\"74\" valign=\"top\">boolean<\/td>\n<td width=\"342\" valign=\"top\">True or false<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Mode<\/td>\n<td width=\"74\" valign=\"top\">string<\/td>\n<td width=\"342\" valign=\"top\">Active or passive<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 3. HostInfo parameters<\/span><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38\">\n<div class=\"responsive-table-wrap\" readability=\"21\">\n<h4>Connection settings<\/h4>\n<p>The C&amp;C server(s) are stored in the \u201cconnect\u201d value. The value is AES-GCM-encrypted and Base64-encoded. The AES-GCM method uses a standard prepended 12-byte nonce and appended 16-byte tag. The AES-GCM key is derived from a \u201csecret\u201d value by computing the MD5 hash of it and using key padding (extending the key size) to 32-bytes by appending 16 zeroes (0x00 bytes) to it.<\/p>\n<h4>KTLVdoor malware communication<\/h4>\n<p>After the initialization steps are completed, the agent starts a communication loop with the C&amp;C server. The communication is done by sending and receiving messages, which are GZIP-compressed and AES-GCM-encrypted. Based on the configuration settings, the message delivery can be either in simplex mode (one device on channel can only send, another device on the channel can only receive) or in duplex mode (both devices can simultaneously send and receive messages).<\/p>\n<p>Each message contains a message header followed by the message data (msg).<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"194\" valign=\"top\"><b>Field name<\/b><\/td>\n<td width=\"161\" valign=\"top\"><b>Field type<\/b><\/td>\n<td width=\"264\" valign=\"top\"><b>Field value<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"194\" valign=\"top\">sender<\/td>\n<td width=\"161\" valign=\"top\">String<\/td>\n<td width=\"264\" valign=\"top\">Session ID or admin<\/td>\n<\/tr>\n<tr>\n<td width=\"194\" valign=\"top\">receiver<\/td>\n<td width=\"161\" valign=\"top\">String<\/td>\n<td width=\"264\" valign=\"top\">Session ID or admin<\/td>\n<\/tr>\n<tr>\n<td width=\"194\" valign=\"top\">token<\/td>\n<td width=\"161\" valign=\"top\">String<\/td>\n<td width=\"264\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"194\" valign=\"top\">route<\/td>\n<td width=\"161\" valign=\"top\">String<\/td>\n<td width=\"264\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"194\" valign=\"top\">task_id<\/td>\n<td width=\"161\" valign=\"top\">uint64<\/td>\n<td width=\"264\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"194\" valign=\"top\">task_status<\/td>\n<td width=\"161\" valign=\"top\">uint8<\/td>\n<td width=\"264\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"194\" valign=\"top\">task_type<\/td>\n<td width=\"161\" valign=\"top\">uint64<\/td>\n<td width=\"264\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"194\" valign=\"top\">sub_task_type<\/td>\n<td width=\"161\" valign=\"top\">uint64<\/td>\n<td width=\"264\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 4. Message header fields<\/span><\/center> <\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion--\/EarthLuscaKTLVdoor-Fig5.png\" alt=\"Figure 5. Message with OS info sent to the C&amp;C server\"> <\/p>\n<p><figcaption>Figure 5. Message with OS info sent to the C&amp;C server<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div class=\"responsive-table-wrap\" readability=\"16\">\n<p>Notice that the sender of this outgoing message (from the infected machine to the C&amp;C server) has the session ID of the currently infected machine. The receiver is \u201cadmin\u201d, which is the C&amp;C server. In the case of the incoming message (from the C&amp;C server to the infected machine), the \u201csender\u201d is \u201cadmin\u201d and the \u201creceiver\u201d is the session ID. In the case of sending the HostInfo message to the C&amp;C server, notice that the parameter name \u201cmsg\u201d (containing message content) followed by \u201cKTLV\u201d marker (Figure 5), which contains all the fields from HostInfo structure (Table 4).<\/p>\n<h4>Receiving task<\/h4>\n<p>The agent implements several handlers for processing received tasks from the C&amp;C server (Table 5).<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"17\">\n<tr>\n<td width=\"138\" valign=\"top\"><b>Handler<\/b><\/td>\n<td width=\"162\" valign=\"top\"><b>Subtasks<\/b><\/td>\n<td width=\"108\" valign=\"top\"><b>Parameters<\/b><\/td>\n<td width=\"216\" valign=\"top\"><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"138\" valign=\"top\">Breakchain<\/td>\n<td width=\"162\" valign=\"top\">&nbsp;<\/td>\n<td width=\"108\" valign=\"top\">shell<br \/>flag<br \/>cmd<br \/>abs_path<\/td>\n<td width=\"216\" valign=\"top\">Start terminal<br \/>Run command<br \/>Wait three seconds<br \/>Kill terminal (SIGKILL)<\/td>\n<\/tr>\n<tr>\n<td width=\"138\" valign=\"top\">Exit<\/td>\n<td width=\"162\" valign=\"top\">&nbsp;<\/td>\n<td width=\"108\" valign=\"top\">&nbsp;<\/td>\n<td width=\"216\" valign=\"top\">Exit process<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"138\" valign=\"top\">FileDownload<\/td>\n<td width=\"162\" valign=\"top\">&nbsp;<\/td>\n<td width=\"108\" valign=\"top\">file_path<br \/>section_size<\/td>\n<td width=\"216\" valign=\"top\">Read file<br \/>Upload it to C&amp;C<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"138\" valign=\"top\">FileMD5<\/td>\n<td width=\"162\" valign=\"top\">&nbsp;<\/td>\n<td width=\"108\" valign=\"top\">file_path<\/td>\n<td width=\"216\" valign=\"top\">Read file<br \/>Compute MD5 hash<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td width=\"138\" valign=\"top\">FileManager<\/td>\n<td width=\"162\" valign=\"top\">01 &#8211; list all files<br \/>02 &#8211; Create dir<br \/>03 &#8211; Create file<br \/>04 &#8211; Delete file<br \/>05 &#8211; Copy file<br \/>06 &#8211; Rename<br \/>07 &#8211; Write file<br \/>08 &#8211; Read file<br \/>09 &#8211; Change access permissions<\/td>\n<td width=\"108\" valign=\"top\">dirName<br \/>OR<br \/>file_path<br \/>OR<br \/>dst_path<br \/>src_path<br \/>OR<br \/>file_path<br \/>file_content<br \/>OR<br \/>mode<\/td>\n<td width=\"216\" valign=\"top\">File and directory operations<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"138\" valign=\"top\">FileUpload<\/td>\n<td width=\"162\" valign=\"top\">&nbsp;<\/td>\n<td width=\"108\" valign=\"top\">file_path<br \/>file_contents<br \/>position<\/td>\n<td width=\"216\" valign=\"top\">Write data from server to file on victim machine<\/td>\n<\/tr>\n<tr>\n<td width=\"138\" valign=\"top\">GC<\/td>\n<td width=\"162\" valign=\"top\">&nbsp;<\/td>\n<td width=\"108\" valign=\"top\">&nbsp;<\/td>\n<td width=\"216\" valign=\"top\">Run garbage collection<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"138\" valign=\"top\">InteractiveShell<\/td>\n<td width=\"162\" valign=\"top\">&nbsp;<\/td>\n<td width=\"108\" valign=\"top\">send<br \/>data<br \/>OR<br \/>start<br \/>OR<br \/>stop<br \/>OR<br \/>recv<\/td>\n<td width=\"216\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"138\" valign=\"top\">NetStat<\/td>\n<td width=\"162\" valign=\"top\">01 &#8211; list connections<\/td>\n<td width=\"108\" valign=\"top\">&nbsp;<\/td>\n<td width=\"216\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"138\" valign=\"top\">PortScan<\/td>\n<td width=\"162\" valign=\"top\">&nbsp;<\/td>\n<td width=\"108\" valign=\"top\">gateway<br \/>ips<br \/>ports<br \/>&nbsp;<\/td>\n<td width=\"216\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"138\" valign=\"top\">Process<\/td>\n<td width=\"162\" valign=\"top\">01 &#8211; list<br \/>02 &#8211; kill<\/td>\n<td width=\"108\" valign=\"top\">pid<\/td>\n<td width=\"216\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"138\" valign=\"top\">RefreshHostInfo<\/td>\n<td width=\"162\" valign=\"top\">&nbsp;<\/td>\n<td width=\"108\" valign=\"top\">&nbsp;<\/td>\n<td width=\"216\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"138\" valign=\"top\">Run<\/td>\n<td width=\"162\" valign=\"top\">&nbsp;<\/td>\n<td width=\"108\" valign=\"top\">cmdn!<\/td>\n<td width=\"216\" valign=\"top\">Run command<\/td>\n<\/tr>\n<tr>\n<td width=\"138\" valign=\"top\">Sleep<\/td>\n<td width=\"162\" valign=\"top\">&nbsp;<\/td>\n<td width=\"108\" valign=\"top\">sleep_time<br \/>jitter<\/td>\n<td width=\"216\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"138\" valign=\"top\">TimeStomp<\/td>\n<td width=\"162\" valign=\"top\">&nbsp;<\/td>\n<td width=\"108\" valign=\"top\">src_path<br \/>dst_path<br \/>time<\/td>\n<td width=\"216\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"138\" valign=\"top\">TaskCache<\/td>\n<td width=\"162\" valign=\"top\">01 &#8211; list of tasks<br \/>02 &#8211; delete task<br \/>03 &#8211; clear task cache<\/td>\n<td width=\"108\" valign=\"top\">task_id<br \/>&nbsp;<\/td>\n<td width=\"216\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td width=\"138\" valign=\"top\">SoInject<\/td>\n<td width=\"162\" valign=\"top\">04 &#8211; &nbsp;inject to library<\/td>\n<td width=\"108\" valign=\"top\">plugin_task_type<br \/>tmp_payload_cache<br \/>params<\/td>\n<td width=\"216\" valign=\"top\">Run shellcode, Linux platform<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"138\" valign=\"top\">ReflectDllInject<\/td>\n<td width=\"162\" valign=\"top\">&nbsp;<\/td>\n<td width=\"108\" valign=\"top\">&nbsp;<\/td>\n<td width=\"216\" valign=\"top\">Run shellcode, Windows platform<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td width=\"138\" valign=\"top\">Socks<\/td>\n<td width=\"162\" valign=\"top\">01 \u2013 start handler<br \/>02 \u2013 get task<br \/>04 \u2013 data via TCP<br \/>05 \u2013 close TCP<br \/>06 \u2013 data via UDP<br \/>08 \u2013 connect to address via UDP<\/td>\n<td width=\"108\" valign=\"top\">seq<br \/>addr<br \/>username<br \/>password<br \/>OR<br \/>task_id<br \/>OR<br \/>seq<br \/>data<br \/>&nbsp;<\/td>\n<td width=\"216\" valign=\"top\">Socks proxy<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 5. Handlers for processing tasks from C&amp;C server<\/span><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"43.318059299191\">\n<div readability=\"32.488544474394\">\n<p>PortScan implements many scanning methods, including:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">ScanTCP<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ScanRDP<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ScanWinRM<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ScanSmb2<\/span><\/li>\n<li><span class=\"rte-red-bullet\">RdpWithNTLM<\/span><\/li>\n<li><span class=\"rte-red-bullet\">DialTLS<\/span><\/li>\n<li><span class=\"rte-red-bullet\">DialTCP<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ScanPing<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ScanPing<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ScanMssql<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ScanBanner<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ScanWeb<\/span><\/li>\n<\/ul>\n<h4>Conclusion<\/h4>\n<p>We have been able to tie samples of KTLVdoor to the threat actor Earth Lusca with high confidence. However, we were not able to tie several other samples of this malware family to this threat actor. In addition, the size of the infrastructure we have been able to discover is very unusual. Seeing that all C&amp;C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&amp;C server could not be some early stage of testing new tooling.<\/p>\n<p>This new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors. While a lot of details on this campaign are not yet known, we will keep monitoring this activity and possibly give updates about it at a later time.<\/p>\n<h4>Trend solutions<\/h4>\n<p>Organizations looking to defend themselves from sophisticated attacks can consider powerful security technologies such as&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\" target=\"_blank\" rel=\"noopener\">Trend Vision One\u2122<\/a>, which allows security teams to continuously identify attack surfaces, including both known and unknown, plus managed and unmanaged cyber assets. Vision One\u2122 offers multilayered protection and behavior detection, helping block malicious tools and services before they can inflict damage on user machines and systems.<\/p>\n<h4>Indicators of Compromise (IOCs)<\/h4>\n<p>The full list of IOCs can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion--\/Indicators%20of%20Compromise%20-%20Earth%20Lusca%20Uses%20KTLVdoor%20Backdoor%20for%20Multiplatform%20Intrusion.txt\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/i\/earth-lusca-ktlvdoor.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>While monitoring Earth Lusca, we discovered the threat group\u2019s use of KTLVdoor, a highly obfuscated multiplatform backdoor, as part of a large-scale attack campaign. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9513,9509],"class_list":["post-57012","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-09-04T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthLuscaKTLVdoor-Header:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion\",\"datePublished\":\"2024-09-04T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\\\/\"},\"wordCount\":1821,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/EarthLuscaKTLVdoor-Header:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\\\/\",\"name\":\"Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/EarthLuscaKTLVdoor-Header:Large?qlt=80\",\"datePublished\":\"2024-09-04T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/EarthLuscaKTLVdoor-Header:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/EarthLuscaKTLVdoor-Header:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/","og_locale":"en_US","og_type":"article","og_title":"Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-09-04T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthLuscaKTLVdoor-Header:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion","datePublished":"2024-09-04T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/"},"wordCount":1821,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthLuscaKTLVdoor-Header:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/","url":"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/","name":"Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthLuscaKTLVdoor-Header:Large?qlt=80","datePublished":"2024-09-04T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthLuscaKTLVdoor-Header:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthLuscaKTLVdoor-Header:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/earth-lusca-uses-ktlvdoor-backdoor-for-multiplatform-intrusion\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57012","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57012"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57012\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57012"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57012"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57012"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}