Earth Kurma Targets Southeast Asia With Rootkits and Cloud-Based Data Theft Tools - The Hacker News
Ravie Lakshmanan | Apr 28, 2025 | Cyber Espionage / Cloud Security
Government and telecommunications sectors in Southeast Asia have become the target of a "sophisticated" campaign undertaken by a new advanced persistent threat (APT) group called Earth Kurma since June 2024.
The attacks, per Trend Micro, have leveraged custom malware, rootkits, and cloud storage services for data exfiltration. The Philippines, Vietnam, Thailand, and Malaysia are among the prominent targets.
"This campaign poses a high business risk due to targeted espionage, credential theft, persistent foothold established through kernel-level rootkits, and data exfiltration via trusted cloud platforms," security researchers Nick Dai and Sunny Lu said in an analysis published last week.
The threat actor's activities date back to November 2020, with the intrusions primarily relying on services like Dropbox and Microsoft OneDrive to siphon sensitive data using tools like TESDAT and SIMPOBOXSPY.
Two other noteworthy malware families in its arsenal include rootkits such as KRNRAT and Moriya, the latter of which has been observed previously in attacks aimed at high-profile organizations in Asia and Africa as part of an espionage campaign dubbed TunnelSnake.
Trend Micro also said that SIMPOBOXSPY and the exfiltration script used in the attacks share overlaps with another APT group codenamed ToddyCat. However, a definitive attribution remains inconclusive.
It is currently not known how the threat actors gain initial access to target environments. The initial foothold is then abused to scan the network and conduct lateral movement using a variety of tools such as NBTSCAN, Ladon, FRPC, WMIHACKER, and ICMPinger. A keylogger referred to as KMLOG is also deployed to harvest credentials.
It's worth noting that the use of the open-source Ladon framework has been previously attributed to a China-linked hacking group called TA428 (aka Vicious Panda).
Persistence on the hosts is accomplished by three different loader strains referred to as DUNLOADER, TESDAT, and DMLOADER, which are capable of loading next-stage payloads into memory and executing them. These consist of Cobalt Strike Beacons, rootkits like KRNRAT and Moriya, as well as data exfiltration malware.
What distinguishes these attacks is the use of living-off-the-land (LotL) techniques to install the rootkits, where hackers employ legitimate system tools and features, in this case, syssetup.dll, rather than introducing easily detectable malware.
While Moriya is engineered to inspect incoming TCP packets for a malicious payload and inject shellcode into a newly spawned "svchost.exe" process, KRNRAT is an amalgamation of five different open-source projects with capabilities such as process manipulation, file hiding, shellcode execution, traffic concealment, and command-and-control (C2) communication.
KRNRAT, like Moriya, is also designed to load a user-mode agent and inject it into "svchost.exe." The user-mode agent serves as a backdoor to retrieve a follow-on payload from the C2 server.
"Before exfiltrating the files, several commands executed by the loader TESDAT collected specific document files with the following extensions: .pdf, .doc, .docx, .xls, .xlsx, .ppt, and .pptx," the researchers said. "The documents are first placed into a newly created folder named 'tmp,' which is then archived using WinRAR with a specific password."
One of the bespoke tools used for data exfiltration is SIMPOBOXSPY, which can upload the RAR archive to Dropbox with a specific access token. According to a Kaspersky report from October 2023, the generic Dropbox uploader is "probably not exclusively used by ToddyCat."
ODRIZ, another program used for the same purpose, uploads the collected information to OneDrive by specifying the OneDrive refresh token as an input parameter.
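As an added illustration (not code from Trend Micro, the article, or the malware described), the following Python sketch shows how a defender might correlate the staging step above, a password-protected WinRAR archive built from a folder named "tmp", with a later connection to a cloud storage API from a process that is not the vendor's own sync client. The telemetry, host names, paths, password, allow-list of sync clients and the 30-minute window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry, loosely shaped like Sysmon process-creation and
# network-connection records. Hosts, paths, times and the password are made up.
EVENTS = [
    {"ts": "2025-04-10T09:02:10", "host": "WS-17", "type": "process",
     "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a -hpEXAMPLEPASS -r C:\Users\Public\out.rar C:\Users\Public\tmp"},
    {"ts": "2025-04-10T09:05:33", "host": "WS-17", "type": "network",
     "image": r"C:\Users\Public\svc.exe", "dest_host": "content.dropboxapi.com"},
    # Benign: the official sync client talking to Dropbox, with no staging before it.
    {"ts": "2025-04-10T11:00:00", "host": "WS-22", "type": "network",
     "image": r"C:\Program Files\Dropbox\Client\Dropbox.exe", "dest_host": "content.dropboxapi.com"},
    # Benign: a password-protected archive with no cloud upload afterwards.
    {"ts": "2025-04-10T12:00:00", "host": "WS-31", "type": "process",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a -pSECRET D:\backup.rar D:\tmp"},
]

# WinRAR sets an archive password with -p<pw> or -hp<pw> (the latter also encrypts file names).
RAR_PW_RE = re.compile(r"(?i)\b(?:win)?rar\.exe\b.*\s-h?p\S+")
TMP_DIR_RE = re.compile(r"(?i)[\\/]tmp[\\/]?(?:\s|$)")
CLOUD_STORAGE_HOSTS = ("dropboxapi.com", "dropbox.com", "onedrive.live.com", "graph.microsoft.com")
SYNC_CLIENTS = ("dropbox.exe", "onedrive.exe")  # assumed allow-list of legitimate uploaders
WINDOW = timedelta(minutes=30)                  # assumed correlation window

def is_staging(ev):
    """Password-protected WinRAR archive built from a folder named 'tmp'."""
    return (ev["type"] == "process"
            and RAR_PW_RE.search(ev["cmdline"]) is not None
            and TMP_DIR_RE.search(ev["cmdline"]) is not None)

def is_suspect_upload(ev):
    """Connection to a cloud storage API from anything other than the vendor's sync client."""
    return (ev["type"] == "network"
            and ev["dest_host"].endswith(CLOUD_STORAGE_HOSTS)
            and not ev["image"].lower().endswith(SYNC_CLIENTS))

def correlate(events, window=WINDOW):
    """Return one alert per staging event followed, on the same host, by a suspect upload within `window`."""
    alerts = []
    for stage in filter(is_staging, events):
        t0 = datetime.fromisoformat(stage["ts"])
        for up in filter(is_suspect_upload, events):
            dt = datetime.fromisoformat(up["ts"]) - t0
            if up["host"] == stage["host"] and timedelta(0) <= dt <= window:
                alerts.append({"host": stage["host"], "archive_cmd": stage["cmdline"],
                               "uploader": up["image"], "dest": up["dest_host"]})
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"[ALERT] {a['host']}: {a['uploader']} -> {a['dest']} after '{a['archive_cmd']}'")
```

Only the WS-17 sequence produces an alert; the lone archive on WS-31 and the legitimate sync client on WS-22 do not.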
"Earth Kurma remains highly active, continuing to target countries around Southeast Asia," Trend Micro said. "They have the capability to adapt to victim environments and maintain a stealthy presence."
"They can also reuse the same code base from previously identified campaigns to customize their toolsets, sometimes even utilizing the victim’s infrastructure to achieve their goals."