{"id":58171,"date":"2025-02-18T00:00:00","date_gmt":"2025-02-18T00:00:00","guid":{"rendered":"urn:uuid:c5720b0c-196b-4c49-0977-4013a70d888a"},"modified":"2025-02-18T00:00:00","modified_gmt":"2025-02-18T00:00:00","slug":"earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/","title":{"rendered":"Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthPreta-thumbnail:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2025-02-18\"> <meta property=\"article:tag\" content=\"cyber threats\"> <meta property=\"article:section\" content=\"latest news\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html\"> <title>Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" 
href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html\"><br \/>\n<meta property=\"og:title\" content=\"Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/25\/EarthPreta-thumbnail.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/25\/EarthPreta-thumbnail.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"49.585045273099\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"467953583\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div 
class=\"col-xs-12 col-md-12\" readability=\"10.5\">\n<div class=\"article-details\" role=\"heading\" readability=\"41\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber Threats<\/p>\n<p class=\"article-details__description\">Our Threat Hunting team discusses Earth Preta\u2019s latest technique, in which the APT group leverages MAVInject and Setup Factory to deploy payloads, bypass ESET antivirus, and maintain control over compromised systems.<\/p>\n<p class=\"article-details__author-by\">By: Nathaniel Morales, Nick Dai <time class=\"article-details__date\">February 18, 2025<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"42.415741187832\">\n<div readability=\"32.40753259295\">\n<h2><span class=\"body-subhead-title\">Summary<\/span><\/h2>\n<ul>\n<li><span class=\"rte-red-bullet\">Researchers from Trend Micro\u2019s Threat Hunting team discovered that Earth Preta, also known as Mustang Panda, uses the Microsoft Application Virtualization Injector to inject 
payloads into waitfor.exe whenever an ESET antivirus application is detected.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">They utilize Setup Factory to drop and execute the payloads for persistence and to avoid detection.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The attack involves dropping multiple files, including legitimate executables and malicious components, and deploying a decoy PDF to distract the victim.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Earth Preta&#8217;s malware, a variant of the&nbsp;TONESHELL backdoor, is sideloaded with a legitimate Electronic Arts application and communicates with a command-and-control server for data exfiltration.<\/span><\/li>\n<\/ul>\n<p>Trend Micro\u2019s Threat Hunting team has <a href=\"https:\/\/x.com\/FatzQatz\/status\/1883489162919297325\" target=\"_blank\" rel=\"noopener\">come across<\/a> a new technique employed by <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/i\/earth-preta-new-malware-and-strategies.html\" target=\"_blank\" rel=\"noopener\">Earth Preta<\/a>, also known as Mustang Panda. Earth Preta&#8217;s attacks have been known to focus on the Asia-Pacific region: More recently, one campaign used <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/b\/earth-preta-campaign-targets-asia-doplugs.html\" target=\"_blank\" rel=\"noopener\">a variant of the DOPLUGS malware<\/a> to target Taiwan, Vietnam, Malaysia, among other countries. 
The group, which favors phishing in their campaigns and tends to <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/f\/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html\" target=\"_blank\" rel=\"noopener\">target government entities,<\/a> has had <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/c\/earth-preta-cyberespionage-campaign-hits-over-200.html\" target=\"_blank\" rel=\"noopener\">over 200 victims<\/a> since 2022.<\/p>\n<p>This advanced persistent threat (APT) group has been observed leveraging a Windows utility that\u2019s able to inject code into external processes called the Microsoft Application Virtualization Injector (MAVInject.exe). This injects Earth Preta\u2019s payload into waitfor.exe, a Windows utility that\u2019s used to send or wait for signals between networked computers, when an ESET antivirus application is detected running. Additionally, Earth Preta utilizes Setup Factory, an installer builder for Windows software, to drop and execute the payload; this enables them to evade detection and maintain persistence in compromised systems.<\/p>\n<h2><span class=\"body-subhead-title\">Detailed analysis<\/span><\/h2>\n<p>In Earth Preta\u2019s attack chain, the first malicious file, IRSetup.exe, is used to drop multiple files into the ProgramData\/session directory (Figure 1). These files include a combination of legitimate executables and malicious components (Figure 2).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/EarthPretaFig01-2.png\" alt=\"Figure 1. Earth Preta\u2019s kill chain\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. 
Earth Preta\u2019s kill chain<\/figcaption><\/div>\n<\/figure><\/div>\n<div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/EarthPretaFig02.png\" alt=\"Figure 2. Files dropped by IRSetup.exe\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. Files dropped by IRSetup.exe<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>A decoy PDF designed to target Thailand-based users is also executed, likely to distract the victim while the malicious payload is deployed in the background (Figure 3). The fraudulent document asks for the reader\u2019s cooperation in creating a whitelist of phone numbers to aid in the development of an anti-crime platform, allegedly a project supported by multiple government agencies.<\/p>\n<p>This technique aligns with Earth Preta\u2019s previous campaigns, in which they used spear-phishing emails to target victims and executed a decoy PDF to divert attention while the malicious payload was deployed in the background.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/EarthPretaFig03.png\" alt=\"Figure 3. Decoy PDF (left) and translated text (right)\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. 
Decoy PDF (left) and translated text (right)<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The dropper malware then executes OriginLegacyCLI.exe, a legitimate Electronic Arts (EA) application, to sideload EACore.dll, a modified variant of the&nbsp;TONESHELL backdoor used by Earth Preta, shown in Figure 4.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/EarthPretaFig04.png\" alt=\"Figure 4. Loading the malicious DLL\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 4. Loading the malicious DLL<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<h2><span class=\"body-subhead-title\">TONESHELL backdoor \u2013 EACore.dll<\/span><\/h2>\n<p>EACore.dll contains multiple export functions, as shown below in Figure 5, but all of them point to the same malicious function.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/EarthPretaFig05.png\" alt=\"Figure 5. Export functions of EACore.dll\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 5. Export functions of EACore.dll<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>One of the functions checks if either ekrn.exe or egui.exe, both associated with ESET antivirus applications, are running on the machine (Figure 6). 
If either process is detected, the malware registers EACore.dll using regsvr32.exe to execute the DLLRegisterServer function (Figure 7).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/EarthPretaFig06.png\" alt=\"Figure 6. Checking of ESET process\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 6. Checking of ESET process<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/EarthPretaFig07.png\" alt=\"Figure 7. Running via regsvr32.exe\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 7. Running via regsvr32.exe<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>The DLLRegisterServer<b> <\/b>export will then execute waitfor.exe. 
MAVInject.exe, which is capable of proxy execution of malicious code by injecting into a running process as a means of bypassing ESET detection, is then used to inject the malicious code into it (Figure 8) via the following command:<\/p>\n<p><i><span class=\"blockquote\">Mavinject.exe &lt;Target PID&gt; \/INJECTRUNNING &lt;Malicious DLL&gt;<\/span><\/i><\/p>\n<p>It is possible that Earth Preta used MAVInject.exe after testing the execution of their attack on machines that used ESET software.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/EarthPretaFig08.png\" alt=\"Figure 8. Function used to inject malicious code to waitfor.exe\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 8. Function used to inject malicious code to waitfor.exe<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<h2><span class=\"body-subhead-title\">Exception handler<\/span><\/h2>\n<p>The malware also implements an exception handler (Figure 9) that activates when ESET applications are not found, allowing it to proceed with its payload. Instead of injecting the malicious code via MAVInject.exe, it directly injects its code into waitfor.exe using the WriteProcessMemory and CreateRemoteThreadEx APIs (Figure 10).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/EarthPretaFig09.png\" alt=\"Figure 9. Setting up the structured exception handler\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 9. 
Setting up the structured exception handler<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/EarthPretaFig10.png\" alt=\"Figure 10. Code injection function (top) and injected code in waitfor.exe (bottom)\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 10. Code injection function (top) and injected code in waitfor.exe (bottom)<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<h2><span class=\"body-subhead-title\">C&amp;C communication<\/span><\/h2>\n<p>The malware decrypts the shellcode stored in the .data section (Figure 11), which contains the functions used to communicate with its C&amp;C server, <i>www[.]militarytc[.]com:443<\/i> (Figure 12).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/EarthPretaFig11.png\" alt=\"Figure 11. Function containing the decryption of shellcode\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 11. Function containing the decryption of shellcode<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/EarthPretaFig12.png\" alt=\"Figure 12. Function to communicate with C&amp;C server\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 12. 
Function to communicate with C&amp;C server<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"38.392857142857\">\n<div class=\"responsive-table-wrap\" readability=\"22.641941391941\">\n<p>The malware communicates with the command-and-control (C&amp;C) server through the ws2_32.send API call. It generates a random identifier, gathers the computer name, and sends this information to the C&amp;C server. The C&amp;C protocol is similar to that of its previous variant, as outlined in <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/f\/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html\">our past research<\/a>. However, this variant involves some minor changes. For example, the generated victim ID is now stored to current_directory\\CompressShaders for persistence. Also, the handshake packet is slightly different, as shown in Table 1.<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"3\">\n<tr>\n<td width=\"69\" valign=\"top\"><b>Offset<\/b><\/td>\n<td width=\"129\" valign=\"top\"><b>Size<\/b><\/td>\n<td width=\"153\" valign=\"top\"><b>Name<\/b><\/td>\n<td width=\"273\" valign=\"top\"><b>Description<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"69\" valign=\"top\">0x0<\/td>\n<td width=\"129\" valign=\"top\">0x3<\/td>\n<td width=\"153\" valign=\"top\">magic<\/td>\n<td width=\"273\" valign=\"top\">17 03 03<\/td>\n<\/tr>\n<tr>\n<td width=\"69\" valign=\"top\">0x3<\/td>\n<td width=\"129\" valign=\"top\">0x2<\/td>\n<td width=\"153\" valign=\"top\">size<\/td>\n<td width=\"273\" valign=\"top\">The payload size<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"69\" valign=\"top\">0x5<\/td>\n<td width=\"129\" valign=\"top\">0x100<\/td>\n<td width=\"153\" valign=\"top\">key<\/td>\n<td width=\"273\" valign=\"top\">The payload encryption key<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"69\" valign=\"top\">0x105<\/td>\n<td width=\"129\" valign=\"top\">0x10<\/td>\n<td 
width=\"153\" valign=\"top\">victim_id<\/td>\n<td width=\"273\" valign=\"top\">The unique victim ID (generated by CoCreateGuid)<\/td>\n<\/tr>\n<tr>\n<td width=\"69\" valign=\"top\">0x115<\/td>\n<td width=\"129\" valign=\"top\">0x1<\/td>\n<td width=\"153\" valign=\"top\">reserved<\/td>\n<td width=\"273\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"69\" valign=\"top\">0x116<\/td>\n<td width=\"129\" valign=\"top\">0x4<\/td>\n<td width=\"153\" valign=\"top\">hostname_length<\/td>\n<td width=\"273\" valign=\"top\">The length of the hostname<\/td>\n<\/tr>\n<tr>\n<td width=\"69\" valign=\"top\">0x11A<\/td>\n<td width=\"129\" valign=\"top\">hostname_length &nbsp;<\/td>\n<td width=\"153\" valign=\"top\">hostname<\/td>\n<td width=\"273\" valign=\"top\">The hostname<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center><\/p>\n<p><span class=\"rte-icon-component-text\">Table 1. Contents of the sent data<\/span><\/p>\n<p>The command codes are also slightly different. In this variant, all of the debug strings are removed. It supports command codes 4 through 19 and has the following capabilities:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Reverse shell<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Delete file<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Move file<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/EarthPretaFig13.png\" alt=\"Figure 13. Information sent to C&amp;C server\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 13. 
Information sent to C&amp;C server<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.84250764526\">\n<div readability=\"13.646788990826\">\n<h2><span class=\"body-subhead-title\">Attribution to Earth Preta<\/span><\/h2>\n<p>For attribution, we believe this variant is more likely associated with Earth Preta. It was distributed using similar TTPs (spear-phishing) and works like the earlier variant mentioned <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/f\/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html\" target=\"_blank\" rel=\"noopener\">in our previous entry on Earth Preta<\/a>. It employs CoCreateGuid to generate a unique victim ID, which is stored in a standalone file \u2014 a behavior not observed in earlier variants. Additionally, the same C&amp;C server was linked to <a href=\"https:\/\/x.com\/anyrun_app\/status\/1750533106736718288\" target=\"_blank\" rel=\"noopener\">another sample<\/a> attributed to Earth Preta, and the shared <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=To_Hex(%27None%27,0)Drop_bytes(0,10,false)Register(%27%5E(.%7B256%7D)%27,true,false,true)From_Hex(%27Auto%27)XOR(%7B%27option%27:%27Hex%27,%27string%27:%27$R0%27%7D,%27Standard%27,false)To_Hexdump(16,false,false,false)&amp;input=FwMDATWcyETQLBhUoLxoZHBMuHRA3AiEEGxYlOD8qKSwjPi0gBxIxFCsmNQgPOjk8Mw49MBciASQ7NgUYHwoJDAMeDQAnMhE0CwYVKC8aGRwTLh0QNwIhBBsWJTg\/KiksIz4tIAcSMRQrJjUIDzo5PDMOPTAXIgEkOzYFGB8KCQwDHg0AJzIRNAsGFSgvGhkcEy4dEDcCIQQbFiU4PyopLCM%2BLSAHEjEUKyY1CA86OTwzDj0wFyIBJDs2BRgfCgkMAx4NACcyETQLBhUoLxoZHBMuHRA3AiEEGxYlOD8qKSwjPi0gBxIxFCsmNQgPOjk8Mw49MBciASQ7NgUYHwoJDAMeDQAaSJURipbx%2B0zS\/MaooIyKd4ohFRsHZSz\/OOk5Iy3tNAcZcQarN\/UbDyk5LrMdPSEXIgEAAA\" target=\"_blank\" rel=\"noopener\">CyberChef<\/a> formula still successfully decrypts the packet being sent. 
Based on these factors, we attribute this variant to Earth Preta with medium confidence.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.387096774194\">\n<div readability=\"13.548387096774\">\n<h2><span class=\"body-subhead-title\">Trend Vision One<\/span><\/h2>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_ph\/business\/products\/one-platform.html\" title=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform.html\" target=\"_blank\" rel=\"noopener\">Trend Vision One<\/a><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform.html\">\u2122<\/a>&nbsp;is a cybersecurity platform that simplifies security and helps enterprises detect and stop threats faster by consolidating multiple security capabilities, enabling greater command of the enterprise\u2019s attack surface, and providing complete visibility into its cyber risk posture.&nbsp;The cloud-based platform leverages AI and threat intelligence from 250 million sensors and 16 threat research centers around the globe to provide comprehensive risk insights, earlier threat detection, and automated risk and threat response options in a single solution.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.625178826896\">\n<div readability=\"29.718884120172\">\n<h2><span class=\"body-subhead-title\">Trend Vision One Threat Intelligence<\/span><\/h2>\n<p>To stay ahead of evolving threats,\u202f<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform.html\" target=\"_blank\" rel=\"noopener\">Trend Vision One&nbsp;<\/a>customers can access a range of Intelligence Reports and Threat Insights within Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. 
By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.<\/p>\n<p><b>Trend Vision One Intelligence Reports App [IOC Sweeping]<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection<\/span><\/li>\n<\/ul>\n<p><b>Trend Vision One Threat Insights App<\/b><\/p>\n<h2><span class=\"body-subhead-title\">Hunting Queries<\/span><\/h2>\n<p><b>Trend Vision One Search App<\/b><\/p>\n<p>Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\u202f\u202f\u202f<\/p>\n<p><i>Project Injection to waitfor.exe with hardcoded parameter used by Earth Preta<\/i><\/p>\n<p><span class=\"blockquote\">processFilePath:*ProgramData\\\\session\\\\OriginLegacyCLI.exe AND objectCmd:*Windows\\\\SysWOW64\\\\waitfor.exe\\&#8221; \\&#8221;Event19030000000\\&#8221; AND tags: &#8220;XSAE.F8404&#8221;<\/span><\/p>\n<p>More hunting queries are available for Vision One customers with\u202f<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform\/threat-insights.html\" target=\"_blank\" rel=\"noopener\">Threat Insights Entitlement enabled<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<h2><span class=\"body-subhead-title\">Conclusion<\/span><\/h2>\n<p>The recent findings of Trend Micro\u2019s Threat Hunting team highlight the sophisticated methods employed by Earth Preta to compromise systems and evade security measures. By leveraging MAVInject.exe to inject malicious payloads into waitfor.exe, and using Setup Factory to drop and execute these payloads, Earth Preta effectively bypasses ESET antivirus detection and maintains persistence on infected systems. 
Its attack chain demonstrates the group&#8217;s advanced level of expertise in developing and refining their evasion techniques, with its use of legitimate applications like Setup Factory and OriginLegacyCLI.exe further complicating detection efforts. Organizations should be vigilant about enhancing their monitoring capabilities, focusing on identifying unusual activities in legitimate processes and executable files, to stay ahead of the evolving tactics of APT groups like Earth Preta.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our Threat Hunting team discusses Earth Preta\u2019s latest technique, in which the APT group leverages MAVInject and Setup Factory to deploy payloads, bypass ESET antivirus, and maintain control over compromised systems. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9534,9509],"class_list":["post-58171","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-latest-news","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2025-02-18T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthPreta-thumbnail:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Earth Preta Mixes Legitimate and Malicious Components to Sidestep 
Detection\",\"datePublished\":\"2025-02-18T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\\\/\"},\"wordCount\":1506,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/EarthPreta-thumbnail:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Latest News\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\\\/\",\"name\":\"Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/EarthPreta-thumbnail:Large?qlt=80\",\"datePublished\":\"2025-02-18T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/EarthPreta-thumbnail:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/EarthPreta-thumbnail:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud 
Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/","og_locale":"en_US","og_type":"article","og_title":"Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2025-02-18T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthPreta-thumbnail:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection","datePublished":"2025-02-18T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/"},"wordCount":1506,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthPreta-thumbnail:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Latest News","Trend Micro Research : 
Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/","url":"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/","name":"Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthPreta-thumbnail:Large?qlt=80","datePublished":"2025-02-18T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthPreta-thumbnail:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthPreta-thumbnail:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - 
Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/58171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=58171"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/58171\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=58171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=58171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=58171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}