An advanced persistent threat (APT) group dubbed Earth Kurma is behind a stealthy, multi-year cyber-espionage campaign targeting government and telecommunications organizations across Southeast Asia.
According to Trend Micro researchers Nick Dai and Sunny Lu, the campaign has been active since at least 2020.
Sophisticated Toolsets and Cloud Abuse
Earth Kurma has shown a high level of operational maturity, blending advanced malware with living-off-the-land binaries and trusted infrastructure. It uses a custom suite of malware, including TESDAT, DMLOADER, SIMPOBOXSPY, and KRNRAT, which facilitate stealthy data collection, persistence, and communication with command-and-control (C&C) servers.
The malicious actors leverage public cloud platforms to exfiltrate confidential documents, often archiving files into encrypted RAR packages before uploading them via tailored tools. It also uses Dropbox and OneDrive to help disguise malicious traffic and capitalizes on trust in these platforms to avoid triggering security alerts.
Long-Term Persistence with Rootkits
Earth Kurma is able to maintain persistence within compromised environments, using rootkits like MORIYA and KRNRAT. These rootkits operate at the kernel level to mask malicious activities, intercept TCP traffic, and inject shellcode directly into memory. Once installed via INF files and system setup DLLs, these rootkits allow the attackers to remain embedded for months—if not years—without detection.
The rootkits also feature capabilities to evade traditional detection methods by invoking system calls directly through enumerated syscall numbers, bypassing API monitoring and endpoint protection solutions.
Lateral Movement and Credential Theft
While initial access vectors remain unclear, Earth Kurma’s lateral movement is well-documented. The attackers rely on a combination of open-source and custom tools like LADON, WMIHACKER, NBTSCAN, and KMLOG—a custom keylogger—to map internal networks and harvest credentials.
They also abuse administrative features in Windows environments, like the SMB protocol and Active Directory’s DFSR (Distributed File System Replication), to move laterally and coordinate exfiltration across domain controllers.
By copying stolen files into the sysvol directories on domain controllers, the bad actors ensure automatic synchronization across multiple systems, effectively turning legitimate network functions into tools of espionage.
Attribution and Threat Landscape
Although the actor shares infrastructure and tools with other Chinese-speaking APT groups—including ToddyCat and Operation TunnelSnake—Trend Micro analysts caution against direct attribution thanks to subtle differences in TTPs.
For instance, the reuse of the MORIYA rootkit and overlap with SIMPOBOXSPY suggests either shared toolkits or possible collaboration between actors.
What sets Earth Kurma apart is that it blends old and new tactics, repurposing code bases while adapting to the specific conditions of each victim network. Its focus on Southeast Asian governments and telecoms also suggests a strategic interest in state and infrastructure intelligence.
Defensive Recommendations
Trend Micro urges entities to adopt proactive defenses, including strong endpoint detection and response (EDR), strict policies on driver installations, Active Directory auditing, and restrictions on SMB usage. Monitoring for unusual Dropbox/OneDrive traffic and enforcing application control policies are also critical.
As Earth Kurma evolves, defenders must remain vigilant against this highly adaptive threat actor exploiting trusted tools and infrastructure for cyberespionage.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.