The cybersecurity landscape has been disrupted by Earth Alux, a China-linked advanced persistent threat (APT) group that has been conducting espionage operations since the second quarter of 2023. Initially targeting the Asia-Pacific region, the group expanded its operations to Latin America by mid-2024, focusing on the government, technology, logistics, manufacturing, telecommunications, IT services, and retail sectors in countries including Thailand, the Philippines, Malaysia, Taiwan, and Brazil. Once established in a network, Earth Alux concentrates on long-term data collection and exfiltration, which can lead to disrupted operations and significant financial losses across critical industries.

Earth Alux primarily gains initial access by exploiting vulnerable services on exposed servers, then implants web shells such as GODZILLA to deliver its malware. The group's primary backdoor is VARGEIT, used alongside COBEACON, with VARGEIT employed across multiple stages of an attack to maintain persistence and execute malicious operations.

VARGEIT is a multi-channel, configurable backdoor whose capabilities include drive information collection, process monitoring, file manipulation, command-line execution, and the injection of additional tools without leaving traces on the filesystem. What makes the malware particularly concerning is its ability to use multiple communication channels; in observed attacks, the Outlook channel (using the Graph API) was the one predominantly used.

Rather than dropping files onto the target system, the malware opens instances of mspaint.exe and injects into them shellcode received directly from its command-and-control servers. These mspaint processes then carry out the malicious activity, including security event log examination, group policy discovery, network/LDAP reconnaissance, and data exfiltration. This technique allows Earth Alux to run additional tools without leaving detectable artifacts on disk. During exfiltration, the malware connects to attacker-controlled cloud storage buckets and uploads compressed archives of the collected sensitive information.

The increasing sophistication of Earth Alux's tactics highlights the evolving nature of the cyber espionage threats facing organizations today, particularly those in strategic sectors across the Asia-Pacific and Latin American regions.
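Because the injected shellcode never touches disk, file scanning will not surface these mspaint.exe instances; what does stand out is a paint program performing LDAP queries or talking to external hosts. The following hunt is an added example written for this article, not code from Trend Micro or the original report. It assumes process-create and network-connect telemetry in the shape of Sysmon Event IDs 1 and 3, flags any mspaint.exe process with non-loopback network activity, and tags LDAP-port destinations separately as reconnaissance. The sample events are constructed, and the 203.0.113.0/24 documentation range stands in for an attacker-controlled external endpoint.

```python
"""Hunt for mspaint.exe processes that behave like injected VARGEIT hosts.

Added example (not from the article or the original research). Input records
mirror Sysmon ProcessCreate (id 1) and NetworkConnect (id 3); a real hunt
would feed parsed Sysmon/EDR events of the same shape.
"""
import ipaddress

# Constructed sample telemetry for illustration only.
SAMPLE_EVENTS = [
    # Benign: user opened an image from Explorer, no network activity.
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\mspaint.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"mspaint.exe C:\Users\a\pic.png"},
    # Suspicious: mspaint spawned with no document, then LDAP + external traffic.
    {"id": 1, "pid": 5560, "image": r"C:\Windows\System32\mspaint.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "mspaint.exe"},
    {"id": 3, "pid": 5560, "image": r"C:\Windows\System32\mspaint.exe",
     "dst_ip": "10.0.0.5", "dst_port": 389},
    {"id": 3, "pid": 5560, "image": r"C:\Windows\System32\mspaint.exe",
     "dst_ip": "203.0.113.40", "dst_port": 443},
    # Loopback only (e.g. a local proxy): not evidence on its own.
    {"id": 1, "pid": 6012, "image": r"C:\Windows\System32\mspaint.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "mspaint.exe"},
    {"id": 3, "pid": 6012, "image": r"C:\Windows\System32\mspaint.exe",
     "dst_ip": "127.0.0.1", "dst_port": 8080},
    # A different process entirely; ignored by this hunt.
    {"id": 3, "pid": 7001, "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "203.0.113.40", "dst_port": 443},
]

# LDAP, LDAPS and the Global Catalog ports.
LDAP_PORTS = {389, 636, 3268, 3269}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_mspaint(image: str) -> bool:
    """Match on the image basename, case-insensitively."""
    return image.lower().rsplit("\\", 1)[-1] == "mspaint.exe"


def classify_connection(dst_ip: str, dst_port: int):
    """Return a tag for a connection, or None if it is not worth flagging."""
    ip = ipaddress.ip_address(dst_ip)
    if ip.is_loopback or ip.is_link_local:
        return None
    if dst_port in LDAP_PORTS:
        return "ldap-recon"
    if any(ip in net for net in RFC1918):
        return "internal-network"
    return "external-network"


def hunt_mspaint(events):
    """Group events per mspaint.exe PID and return those with network tags."""
    procs = {}
    for ev in events:
        if not is_mspaint(ev["image"]):
            continue
        rec = procs.setdefault(ev["pid"], {"parent": None, "cmdline": None, "tags": set()})
        if ev["id"] == 1:
            rec["parent"] = ev["parent"]
            rec["cmdline"] = ev["cmdline"]
        elif ev["id"] == 3:
            tag = classify_connection(ev["dst_ip"], ev["dst_port"])
            if tag:
                rec["tags"].add(tag)
    findings = []
    for pid, rec in sorted(procs.items()):
        if rec["tags"]:
            findings.append({"pid": pid, "parent": rec["parent"],
                             "cmdline": rec["cmdline"], "tags": sorted(rec["tags"])})
    return findings


if __name__ == "__main__":
    for f in hunt_mspaint(SAMPLE_EVENTS):
        print(f"pid={f['pid']} parent={f['parent']} tags={','.join(f['tags'])}")
```

The decision is made purely on network behaviour, since the page does not say which process launches the mspaint.exe instances; parent and command line are recorded only to speed triage. Any hit should be followed by a memory capture of that process, because the injected code is the only artifact there is.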
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 31 Mar 2025 12:40:15 +0000