Earth Alux Unplugged: The Cyber Menace from China Taking Over APAC & LATAM!
Cybersecurity researchers expose a China-linked threat actor named Earth Alux, targeting government and technology sectors (among others) in the APAC and LATAM regions. Their sneaky tricks include running the VARGEIT backdoor inside Microsoft Paint (mspaint.exe) for reconnaissance and data theft while slipping past security tools. This hacking group clearly takes the phrase “painting by numbers” to a whole new level.

Hot Take:
Move over, Marvel Cinematic Universe, Earth Alux has arrived—complete with its own cast of villains like Godzilla, VARGEIT, and COBEACON. This new China-linked threat actor is not here to save the day, but they sure know how to put on a show that spans continents, from Asia-Pacific to Latin America. With its ever-expanding repertoire of malware tools, Earth Alux is giving cyber defenders everywhere a run for their money. Who knew hacking could be so…global?
Key Points:
- Earth Alux, a China-linked threat actor, has been targeting sectors like government and telecommunications in APAC and LATAM.
- The group uses a toolkit that includes the Godzilla web shell and the VARGEIT and COBEACON backdoors for cyber espionage.
- VARGEIT operates stealthily inside mspaint.exe, while COBEACON is dropped by the loaders MASQLOADER or RSBINJECT after the initial web-application compromise.
- The toolkit employs techniques like DLL side-loading and anti-API hooking (overwriting the hooks security products place in NTDLL.dll) to avoid detection.
- Earth Alux is committed to refining its capabilities, using tools like ZeroEye and VirTest for ongoing testing.
Meet the New Cyber Villains
Cybersecurity researchers at Trend Micro have unveiled the latest addition to the rogues’ gallery of cyber threat actors: Earth Alux. This China-linked group is making waves across the Asia-Pacific (APAC) and Latin American (LATAM) regions, targeting sectors from government to retail. First spotted in the second quarter of 2023, Earth Alux has since expanded its sinister operations to include Latin America by the middle of 2024. Their primary targets include Thailand, the Philippines, Malaysia, Taiwan, and Brazil. It’s a small world after all, especially when you’re hacking it.
Godzilla and the Malware Monsters
Earth Alux’s infection chains start with the exploitation of vulnerable services in exposed web applications, enabling them to deploy the Godzilla web shell. But don’t expect a giant lizard stomping through Tokyo—this Godzilla is all about facilitating the deployment of additional payloads. Enter VARGEIT and COBEACON, the malware tools with names so cool they could have their own action figures. VARGEIT is known for its stealth: it runs inside an mspaint.exe process, and from there handles reconnaissance, further payload delivery and data exfiltration. Meanwhile, COBEACON (Trend Micro’s name for a Cobalt Strike Beacon payload) makes its entrance via the MASQLOADER or RSBINJECT loaders, setting the stage for a malware extravaganza.
Stealthy Moves and Anti-Detection Techniques
The operators behind Earth Alux are not just sitting back and letting their malware do all the work. They’ve mastered the art of dodging detection with techniques like anti-API hooking, where MASQLOADER overwrites the hooks security products place in NTDLL.dll, leaving those products scratching their heads. Then there’s DLL side-loading, in which a legitimate signed executable is tricked into loading a malicious DLL of the same name as one it expects, so the execution looks as innocent as a choirboy. VARGEIT doesn’t just sneak around; it supports 10 different channels for command-and-control communications, including Microsoft Outlook via the Graph API. That’s right, this malware can send emails as naturally as your grandma sends you cat memes.
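Two of those behaviours leave telemetry a defender can hunt on: a Paint process that suddenly talks to the network, and a well-known system DLL name being loaded from a user-writable folder. The toy detector below is an added example written for this page, not code from Trend Micro or from the Earth Alux toolset. It runs over constructed Sysmon-style events (event ID 3 = network connection, event ID 7 = image load); the DLL baseline, trusted-path prefixes and the sample events are all assumptions made for the illustration.

```python
"""Toy hunting rules for the two behaviours described above.

Added example, not the page's or Trend Micro's code. Both rules are heuristics:
  1. mspaint.exe opening an outbound connection. The report says VARGEIT runs
     inside mspaint.exe and can reach C2 via the Graph API; Paint itself has no
     business on the network in most environments.
  2. A DLL whose file name matches one that normally lives only in System32
     being loaded from a user-writable directory (the classic side-loading layout).
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed baseline (assumption): DLL names that should only load from System32.
# A real deployment would derive this from a clean reference host.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll"}

# Assumption: directories treated as trusted install locations.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Assumption: signed binaries with no legitimate reason to open network connections.
NETWORKLESS_BINARIES = {"mspaint.exe"}


@dataclass
class Event:
    event_id: int      # 3 = network connect, 7 = image load (Sysmon numbering)
    image: str         # full path of the process image
    target: str = ""   # destination host (event 3) or loaded DLL path (event 7)


def is_trusted_path(path: str) -> bool:
    """True if the path sits under one of the trusted install directories."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def check_event(ev: Event) -> Optional[str]:
    """Return an alert string for a suspicious event, or None."""
    proc_name = PureWindowsPath(ev.image).name.lower()

    # Rule 1: a network-less binary initiating a connection (injected implant?)
    if ev.event_id == 3 and proc_name in NETWORKLESS_BINARIES:
        return (f"network connection from {proc_name} to {ev.target}: "
                f"possible injected implant (VARGEIT-style)")

    # Rule 2: a System32 DLL name loaded from an untrusted directory
    if ev.event_id == 7:
        dll = PureWindowsPath(ev.target)
        if dll.name.lower() in SYSTEM_DLL_NAMES and not is_trusted_path(ev.target):
            return (f"{proc_name} loaded {dll.name} from {dll.parent}: "
                    f"possible DLL side-loading")
    return None


def scan(events: List[Event]) -> List[str]:
    """Run every rule over every event and collect the alerts."""
    return [alert for alert in (check_event(e) for e in events) if alert]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    Event(3, r"C:\Windows\System32\mspaint.exe", "graph.microsoft.com"),
    Event(3, r"C:\Program Files\Mozilla Firefox\firefox.exe", "example.org"),
    Event(7, r"C:\Users\alice\AppData\Local\Temp\updater.exe",
          r"C:\Users\alice\AppData\Local\Temp\version.dll"),
    Event(7, r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\version.dll"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

On the constructed sample, only the Paint connection and the Temp-folder version.dll load fire; Firefox on the network and notepad loading the real System32 version.dll stay quiet. Tune rule 1 before deploying it: some newer Paint builds do have online features, so baseline what mspaint.exe normally does in your own fleet, and treat a side-loading hit as a pointer to pull the DLL for analysis, not as proof on its own.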
Tool Testing and Refinement: The Cyber Espionage Workshop
Earth Alux is no amateur operation. The group is continually refining its toolkit, employing tools like ZeroEye, which scans executables for DLL imports that could serve as new side-loading hosts, and VirTest, which checks whether its payloads trip detection, to ensure its malware remains undetected and effective. It’s like they’re running a cyber espionage workshop, complete with detection tests and a hunt for fresh side-loading targets. This ongoing commitment to improvement suggests Earth Alux is in it for the long haul, showing a dedication to cyber espionage that’s almost admirable—if only it weren’t so menacing.
A Global Threat with Sophisticated Techniques
In conclusion, Earth Alux represents a sophisticated and evolving cyber threat with aspirations as global as a fast-food franchise. Leveraging a diverse toolkit and advanced techniques, this group is infiltrating and compromising key sectors, particularly in the APAC and LATAM regions. Their ongoing testing and development indicate a commitment to refining capabilities and evading detection, ensuring that Earth Alux will remain a force to reckon with in the cyber-espionage arena. So patch your internet-facing web applications, watch for web shells and for odd behaviour from trusted binaries like mspaint.exe, and keep your endpoint protection current—Earth Alux is out there, and they’re not playing fair.