Government and telecom sectors across Southeast Asia are firmly in the crosshairs of a stealthy advanced persistent threat (APT) group tracked as Earth Kurma. Since June 2024, the group has orchestrated an escalating series of intrusions, combining custom malware, kernel-level rootkits, and trusted cloud storage platforms to steal sensitive data.
Security researchers from Trend Micro revealed that Earth Kurma’s campaign poses a significant business risk, driven by targeted espionage, credential theft, and persistent footholds gained through sophisticated kernel-level rootkits. Countries most affected include the Philippines, Vietnam, Thailand, and Malaysia, where the group has exfiltrated critical data via cloud services like Dropbox and Microsoft OneDrive.
Although Earth Kurma’s activities can be traced back to November 2020, its latest wave of intrusions shows a much sharper, more dangerous evolution. Tools such as TESDAT and SIMPOBOXSPY have been central to its operations, allowing attackers to quietly siphon sensitive documents without immediate detection. Rootkits like KRNRAT and Moriya, previously associated with high-profile attacks under the TunnelSnake campaign, have also been spotted, highlighting the group’s focus on stealth and persistence.
Interestingly, the malware SIMPOBOXSPY and certain exfiltration scripts show overlaps with ToddyCat, another known APT group, although a definitive link has not yet been confirmed.
How Earth Kurma initially breaches its targets remains unclear. Once inside, attackers move laterally across networks using a range of tools like NBTSCAN, Ladon, FRPC, WMIHACKER, and ICMPinger. A keylogger, KMLOG, is deployed to harvest credentials, adding another layer to their espionage operations. Notably, the open-source Ladon framework has ties to TA428, a China-linked hacking group known for its aggressive cyber campaigns.
Maintaining a long-term presence is crucial for Earth Kurma. To achieve this, they use customized loaders — DUNLOADER, TESDAT, and DMLOADER — designed to stealthily inject next-stage payloads into memory. These payloads include Cobalt Strike Beacons, KRNRAT, Moriya, and specialized data exfiltration malware.
One of the standout features of Earth Kurma’s approach is its use of living-off-the-land (LotL) techniques. Rather than relying on a custom installer that defenders might flag, the group abuses the legitimate Windows library syssetup.dll to install its rootkits, so the installation step looks like ordinary system activity. This lets the attackers operate under the radar and makes detection far more difficult for defenders, who must look at how a trusted component is being invoked rather than simply at which binary is running.
The Moriya rootkit acts as a network sniffer, inspecting TCP packets for hidden payloads and injecting malicious code into new “svchost.exe” processes. KRNRAT, meanwhile, combines five different open-source projects, offering capabilities like process manipulation, traffic obfuscation, and stealthy command-and-control (C2) communications.
Before exfiltration, TESDAT scours infected machines for document files with extensions such as .pdf, .docx, .xls, and .pptx. The files are collected into a “tmp” folder, packed into a password-protected RAR archive using a fixed password, and then quietly uploaded. SIMPOBOXSPY handles uploads to Dropbox using hard-coded access tokens, while another tool, ODRIZ, uploads stolen data to OneDrive using refresh tokens. Because the destinations are legitimate cloud services, the traffic blends in with normal use; the anomaly defenders can look for is a non-browser process, such as an injected svchost.exe, talking directly to the Dropbox or Microsoft Graph APIs.
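The three behaviours described above (syssetup.dll used to install a rootkit, document staging into a password-protected RAR archive, and a non-browser process uploading to Dropbox or OneDrive) can be turned into simple hunting rules over endpoint telemetry. The following is an added example written for this article, not code from Trend Micro or from the Earth Kurma toolset. It assumes Sysmon-style process-creation (event 1) and network-connection (event 3) records, uses the documented `rundll32 syssetup.dll,SetupInfObjectInstallAction` INF-install invocation as the assumed form of the syssetup.dll abuse, and the sample events are constructed, not real victim data.

```python
"""Hunt rules for Earth Kurma-style tradecraft over constructed telemetry.
Added example; field names mimic Sysmon but the records below are made up."""
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (assumption: Sysmon-like shape, not real data).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe syssetup.dll,SetupInfObjectInstallAction "
                r"DefaultInstall 128 C:\Users\Public\drv.inf",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'Rar.exe a -r -hp"P@ssw0rd" C:\ProgramData\tmp\out.rar '
                r"C:\ProgramData\tmp\*.docx",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "api.dropboxapi.com"},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "content.dropboxapi.com"},  # benign: a browser
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "parent": r"C:\Windows\explorer.exe"},  # benign rundll32 use
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
RAR_TOOLS = {"rar.exe", "winrar.exe"}
# Dropbox and OneDrive/Graph API hosts an uploader talks to. Assumption:
# illustrative allowlist, extend per environment.
CLOUD_API_SUFFIXES = ("dropboxapi.com", "dropbox.com", "graph.microsoft.com",
                      "onedrive.live.com", "api.onedrive.com")


def _basename(path):
    return PureWindowsPath(path).name.lower()


def rule_syssetup_inf_install(ev):
    """rundll32 loading syssetup.dll to run an INF install action.
    Legitimate installers use this too, so treat a hit as a lead for
    triage (INF path, parent process), not a verdict."""
    if ev.get("id") != 1 or _basename(ev["image"]) != "rundll32.exe":
        return None
    cmd = ev.get("cmdline", "")
    if re.search(r"(?i)syssetup\.dll\s*,\s*SetupInfObjectInstallAction", cmd):
        return "syssetup_inf_install"
    return None


def rule_password_rar_staging(ev):
    """RAR archive built with a password switch (-p or -hp) from a 'tmp'
    directory: matches the TESDAT staging pattern the article describes."""
    if ev.get("id") != 1 or _basename(ev["image"]) not in RAR_TOOLS:
        return None
    cmd = ev.get("cmdline", "")
    has_password = re.search(r"(?i)\s-h?p\S", cmd) is not None
    from_tmp = re.search(r"(?i)\\tmp\\", cmd) is not None
    return "password_rar_staging" if has_password and from_tmp else None


def rule_cloud_api_nonbrowser(ev):
    """Outbound connection to a Dropbox/OneDrive API host from anything
    that is not a browser (e.g. an injected svchost.exe)."""
    if ev.get("id") != 3:
        return None
    host = ev.get("dest_host", "").lower()
    if not host.endswith(CLOUD_API_SUFFIXES):
        return None
    if _basename(ev["image"]) in BROWSERS:
        return None
    return "cloud_api_from_nonbrowser"


RULES = (rule_syssetup_inf_install, rule_password_rar_staging,
         rule_cloud_api_nonbrowser)


def hunt(events):
    """Apply every rule to every event; return the hits in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append({"rule": name, "image": ev["image"],
                             "detail": ev.get("cmdline") or ev.get("dest_host")})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"[{h['rule']}] {h['image']} :: {h['detail']}")
```

Run against the constructed events, the rules fire once each on the three malicious records and stay silent on the browser upload and the benign rundll32 call. In a real deployment the cloud-host list and the browser allowlist are the tuning points: the rootkit and staging rules are high-signal on their own, while the cloud-API rule needs an allowlist of legitimate sync clients to keep noise down.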
Despite sharing some code with ToddyCat operations, Trend Micro stresses that Earth Kurma remains a distinct, highly adaptive threat. The group has demonstrated an alarming ability to customize its tools based on target environments, even repurposing a victim’s own infrastructure to advance its espionage objectives.
With Earth Kurma’s aggressive campaigns showing no signs of slowing, Southeast Asia’s cybersecurity landscape faces a growing challenge. Organizations must stay vigilant, strengthen their defenses, and closely monitor trusted cloud services, which are increasingly being weaponized by sophisticated threat actors.