
Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan

Severity: Medium
Published: Thu May 01 2025 (05/01/2025, 20:32:02 UTC)
Source: AlienVault OTX General

Description

Earth Kasha, an APT group assessed to be part of APT10, launched a new campaign in March 2025 targeting government agencies and public institutions in Taiwan and Japan. The campaign uses spear-phishing to deliver an updated version of the ANEL backdoor, most likely for espionage. Key updates include a new command that executes Beacon Object Files (BOFs) in memory and the use of SharpHide for persistence. The second-stage backdoor, NOOPDOOR, now supports DNS over HTTPS for C&C communications. The attack chain involves compromised email accounts, malicious Excel files and several evasion techniques. The campaign shows Earth Kasha's continued evolution and has significant geopolitical implications.

AI-Powered Analysis

Last updated: 07/03/2025, 04:09:35 UTC

Technical Analysis

Earth Kasha, an Advanced Persistent Threat (APT) group assessed to be part of APT10, began a new cyber espionage campaign in March 2025 against government agencies and public institutions, primarily in Taiwan and Japan. The campaign delivers an updated version of the ANEL backdoor through spear-phishing. Notably, the updated ANEL adds a command that executes Beacon Object Files (BOFs) directly in memory, so post-exploitation capability can be loaded into the already-running backdoor process without writing a new executable to disk. For persistence the group uses SharpHide, an open-source .NET tool that writes a registry Run autostart value whose name begins with a null character; Regedit and many registry-enumeration tools stop at the null and do not display the entry, so the autostart survives casual inspection. The second-stage payload, NOOPDOOR, now supports Command and Control (C&C) communications over DNS over HTTPS (DoH), which carries name resolution inside ordinary TLS sessions to a resolver; the C&C lookups therefore never reach the conventional DNS path that network defenders log and filter, and they are hard to distinguish from the DoH traffic modern browsers generate by default. The attack chain begins with previously compromised email accounts, which lend the spear-phishing messages a legitimate sender, and malicious Excel files attached to those messages; the documents rely on social engineering and evasion techniques to get past security controls and deliver the payload. The campaign demonstrates Earth Kasha's continuing evolution in Tactics, Techniques and Procedures (TTPs): advanced evasion, hidden persistence and covert communication in support of espionage. Spear-phishing from trusted accounts, memory-resident payloads and encrypted DNS communications together indicate an operation built for long-term access to, and data exfiltration from, sensitive government and public-sector targets.
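The DoH point above is worth seeing concretely. A DoH request is still a DNS message, either in an `application/dns-message` POST body or base64url-encoded in a `dns=` query parameter (RFC 8484), so a defender who can see HTTP requests at a proxy or in EDR telemetry can decode the queried name and ask whether that process, that resolver and that name belong together. The following script is an added example, not code from the Trend Micro report or from the OTX pulse: it parses constructed proxy records, decodes the DNS question from each DoH request and flags DoH that goes to a resolver outside a watchlist or that originates from a non-browser process. The log schema, the resolver allowlist and the browser process list are assumptions; the record from `EXCEL.EXE` illustrates what a malicious Office document's loader might produce, not a captured indicator.

```python
"""
Added example (not from the Trend Micro report or the OTX pulse): decode DNS-over-HTTPS
(RFC 8484) requests seen in constructed HTTP proxy records and flag the ones a defender
would want to inspect. Assumptions: the record schema (process, method, url, content_type,
body), the resolver allowlist and the browser process list are all hypothetical.
"""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Assumption: public DoH resolvers the organisation tolerates when a browser uses them.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
# Assumption: processes expected to speak DoH on their own.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}


def encode_dns_query(qname, qtype=1, txid=0x1234):
    """Build a minimal RFC 1035 query (header + one question) used as constructed input."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_dns_question(msg):
    """Return (qname, qtype) from the first question of a DNS wire-format message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    if struct.unpack(">H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers do not belong in a query's question name
            raise ValueError("unexpected compression pointer")
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 2 > len(msg):
        raise ValueError("truncated question")
    return ".".join(labels), struct.unpack(">H", msg[off:off + 2])[0]


def doh_payload(entry):
    """Extract the DNS message from a DoH request, or None if the request is not DoH."""
    if entry["method"] == "POST" and entry.get("content_type") == "application/dns-message":
        return entry.get("body")
    if entry["method"] == "GET":
        dns = parse_qs(urlsplit(entry["url"]).query).get("dns")
        if dns:
            s = dns[0]
            return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # RFC 8484 omits padding
    return None


def find_suspicious_doh(entries):
    """Return [(index, qname, reason)] for DoH requests that break the expected pattern."""
    findings = []
    for i, e in enumerate(entries):
        msg = doh_payload(e)
        if msg is None:
            continue
        try:
            qname, _qtype = parse_dns_question(msg)
        except ValueError as exc:
            findings.append((i, None, f"undecodable DoH payload: {exc}"))
            continue
        host = urlsplit(e["url"]).hostname or ""
        if host not in KNOWN_DOH_HOSTS:
            findings.append((i, qname, f"DoH to non-allowlisted resolver {host}"))
        elif e["process"].lower() not in BROWSER_PROCESSES:
            findings.append((i, qname, f"DoH from non-browser process {e['process']}"))
    return findings


def _doh_get_url(host, qname, qtype=1):
    """Helper to build a constructed RFC 8484 GET URL for the sample records."""
    dns = base64.urlsafe_b64encode(encode_dns_query(qname, qtype)).rstrip(b"=").decode()
    return f"https://{host}/dns-query?dns={dns}"


# Constructed proxy records: a browser using a public resolver (benign), an Office process
# resolving a TXT record over a public resolver, a POST to an unknown endpoint, and plain HTTPS.
SAMPLE_LOG = [
    {"process": "chrome.exe", "method": "GET",
     "url": _doh_get_url("cloudflare-dns.com", "www.example.test"), "content_type": None, "body": None},
    {"process": "EXCEL.EXE", "method": "GET",
     "url": _doh_get_url("dns.google", "update.example.test", 16), "content_type": None, "body": None},
    {"process": "svchost.exe", "method": "POST", "url": "https://cdn.example.test/dns-query",
     "content_type": "application/dns-message", "body": encode_dns_query("c2.example.test")},
    {"process": "EXCEL.EXE", "method": "GET", "url": "https://docs.example.test/index.html",
     "content_type": None, "body": None},
]

if __name__ == "__main__":
    for idx, qname, reason in find_suspicious_doh(SAMPLE_LOG):
        print(f"record {idx}: {reason} (qname={qname})")
```

The two rules are deliberately simple: a resolver that is not on the watchlist is suspicious regardless of process, and a watchlisted resolver is only unremarkable when a browser is the client. On a real proxy the decoded names feed the same allowlist or reputation checks used for conventional DNS logs, which is the point of decoding them at all.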

Potential Impact

For European organizations, especially those involved in government, public administration, or sectors with geopolitical relevance, this threat poses significant risks. Although the campaign currently targets Taiwan and Japan, the advanced techniques and tools used by Earth Kasha could be adapted to target European entities, particularly those with strategic ties or interests in East Asia. The use of spear-phishing and compromised email accounts increases the risk of initial compromise, while the memory-resident execution and DoH-based C&C communications complicate detection and response efforts. Successful infiltration could lead to unauthorized access to sensitive information, espionage, disruption of operations, and potential compromise of critical infrastructure. The stealthy nature of the malware and its persistence mechanisms could allow attackers to maintain long-term access, increasing the potential for data theft and manipulation without immediate detection.

Mitigation Recommendations

European organizations should implement targeted defensive measures beyond generic advice:

1) Enhance email security with anti-phishing controls that evaluate message context, sender reputation and attachment behaviour, and train users specifically on spear-phishing that arrives from legitimate but compromised accounts.
2) Deploy endpoint detection and response (EDR) tooling that can observe in-memory execution (a BOF loaded into an already-running process) and registry persistence written through native APIs, including Run-key values whose names begin with a null character, as SharpHide creates; comparing autostart entries enumerated through the Win32 registry API with those read through the native API surfaces such hidden entries.
3) Monitor for DNS over HTTPS (DoH) activity: TLS sessions to public resolvers from processes that are not browsers, HTTP requests carrying an application/dns-message body or a dns= query parameter, and anomalous query volume or patterns; apply DNS filtering and inspection where feasible, and consider permitting DoH only to the corporate resolver.
4) Enforce application allowlisting and code-integrity policies so that unauthorized executables and .NET assemblies cannot run.
5) Audit and harden email accounts with multi-factor authentication (MFA) and anomaly detection on login behaviour, since the campaign sends its phishing mail from compromised accounts.
6) Run threat-hunting exercises against the indicators of compromise below and against Earth Kasha's TTPs, and keep threat-intelligence feeds current to catch emerging variants.
7) Segment the network to limit lateral movement and the paths available for data exfiltration.


Technical Details

Author: AlienVault
TLP: white
References:
  https://www.trendmicro.com/en_us/research/25/d/earth-kasha-updates-ttps.html
  https://documents.trendmicro.com/images/TEx/Earth-Kasha-Blog-IoCshFxTmpo.txt
Adversary: Earth Kasha
Pulse Id: 6813da43537c3d86e6ba3ca2
Threat Score: not set

Indicators of Compromise

Hashes (one indicator per line; the algorithm follows from the digest length: 32 hex characters MD5, 40 SHA1, 64 SHA256)

Type    Value                                                             Description
MD5     016df9e04a1cb43d5d109dccc5144f4b                                  MD5 of e123fa2abf1a2f12af9f1828b317d486d1df63aff801d591c5e939eb06eb4cfc
SHA1    da30cd4cfa97a12ff679ad2fc05a9c6152645ece                          SHA1 of e123fa2abf1a2f12af9f1828b317d486d1df63aff801d591c5e939eb06eb4cfc
SHA256  1e0a7737a484699d035c0568771c4834c0ff3fb9ba87aded3c86705e10e9bb0e
SHA256  2110b9a4c74d1c8be1aed6ebcff2351cad3d16574026fe4697a9c70810fb1d9e
SHA256  362b0959b639ab720b007110a1032320970dd252aa07fc8825bb48e8fdd14332
SHA256  488201c08219f5cbd79d16702fb909d4e8ad8fa76819a21e0f262e2935e58dd2
SHA256  4f3ec89d5ea0a513afa3f49434f67b7e1540a4a8a93d078def950bd94d444723
SHA256  517ef26be8b9fb1af0e9780b244827af4937ad2fa4778a0bd2d9c65502ce54e1
SHA256  63e813b5bf94bdec9ce35c9d7311f76c3a35728d158ade0a6487fc99c73dcf31
SHA256  69e2a259e0136b61a3acad3f8fad2c012c75c9d8e26e66a3f0af1e7c23506b5c
SHA256  6edf72495e03ca757fa55beb2ea02492f2e7a4b85ca287a9d08bbe60e390c618
SHA256  705e5f1245e59566895b1d456aee32d4bff672a6a00f2cd390d7d50c12316dee
SHA256  712b81f1a82b9ea9a304220ed87c47c329392c2ce040ed3bff936fe33456acff
SHA256  72ece359a3c6f286d174b9cccc7c963577749e38e28f5ecf00dd4c267478a693
SHA256  75d6f82962f380f7726142490068879240c3c507427f477cf25268b524c30339
SHA256  78f7b98b1e6f089f5789019dab23ac38f77c662fd651ee212d8451ee61b2fc0c
SHA256  7b61ed1049ba5f5b8d9725f32cff1ef1e72ef46e2a1dd87bd2b33e73e7333f44
SHA256  7fb4c9f041d4411311437e12427aaf09d369bc384faa2de4b5bc8ae36a42190e
SHA256  8cdcd674a0269945dd4c526b5868efb6df8854a127fd5449e57e89905511391d
SHA256  9569c4044f8cf32bc9a0513ed7c4497bb6ab71b701c53e58719ef259b3716751
SHA256  9c24b60574f39b0565442a79a629a2944672f56acca555e81275e5079382d98b
SHA256  9e4c155f4d096d9a0529e83fd21197f3dba20cc4eef48045fd018334384dd513
SHA256  a12a34d329ccc305dca2306e2d698945f1413c013fe99d4bb069db2127f47806
SHA256  a14c9ae22ca8bdb4971a03f61b2bcc5f140abb51c6922ab7c92ea09ee14dd3bd
SHA256  a347e1efbfca3722c9e8cc86eba3b288f7e4fae9d386f2a8969faffb125a74c5
SHA256  ac8c36075ac0085c7d1e96b3fc08c15a151373186e564486dd91d2e49b2dd287
SHA256  ad050545b65ecbb2178f678c654d84d14986a77051897927e56b5c2893c33608
SHA256  b56aa48721cd1119a9e06ed9c2f923a1dda5f9aa079dc0e4fd66ab37e33649e8
SHA256  cb0848d79d2eef76e1d4ff602e0844d03b614d4c25a1b5e3f0ae5c33ea5500b9
SHA256  cf6ed83d7dcc13f500486044d1af606ceb12c387568ccbb498e01cc7d8005dbd
SHA256  e123fa2abf1a2f12af9f1828b317d486d1df63aff801d591c5e939eb06eb4cfc
SHA256  e5b99572581df7a5116511be3f03b9f1a90611235b8288d9f59141876adb1ef1
SHA256  eeec3a94500ecd025ecdd559e15e4679e26c1347e534944721abe416b49f3871
SHA256  f502102c5c598d5b9e24f689a3b09b1d2f6702226049a573c421b765867391b3
SHA256  fc8c574088af4f74cf84c5c04d522bb1665f548cb17c6192552eb9b783401009
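The list mixes algorithms: one sample (e123fa...) is given as MD5, SHA1 and SHA256, the rest as SHA256 only, and a raw export prefixes each value with the word "hash" and interleaves description lines. A hunter who hashes files with a single algorithm will miss part of such a list. The script below is an added example, not code from the pulse or from Trend Micro: it normalises an indicator dump in exactly the raw format shown on this page, computes all three digests per file in one pass, and reports every hit. The file contents are constructed, and the indicator dump combines a few of the page's real hash lines with digests of those constructed bytes so that a match actually occurs offline; the page's own indicators would not match anything on a clean system.

```python
"""
Added example (not code from the OTX pulse or the Trend Micro report): match files against a
mixed MD5 / SHA-1 / SHA-256 indicator dump in the raw format shown on this page. The file
contents below are constructed, and the indicator dump combines a few of the page's real hash
lines with digests of those constructed bytes so that a match actually occurs offline.
"""
import hashlib

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def load_indicators(lines):
    """Normalise an IoC dump (one entry per line, optional 'hash' prefix) into {algo: set(hex)}.

    Lines that are not bare hex digests (e.g. 'MD5 of <sha256>') are skipped rather than
    guessed at, so a description line cannot silently become an indicator.
    """
    out = {algo: set() for algo in ALGO_BY_LEN.values()}
    for line in lines:
        value = line.strip().lower()
        if value.startswith("hash"):
            value = value[4:]
        algo = ALGO_BY_LEN.get(len(value))
        if algo is None or not set(value) <= HEX:
            continue
        out[algo].add(value)
    return out


def digests(chunks):
    """Compute MD5, SHA-1 and SHA-256 in a single pass over an iterable of byte chunks."""
    hs = {algo: hashlib.new(algo) for algo in ALGO_BY_LEN.values()}
    for chunk in chunks:
        for h in hs.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hs.items()}


def digest_file(path, chunk_size=1 << 20):
    """Digest a file on disk without loading it whole (what a host scan would call)."""
    with open(path, "rb") as f:
        return digests(iter(lambda: f.read(chunk_size), b""))


def match_files(files, indicators):
    """Return {name: [(algo, hexdigest), ...]} for every file with at least one indicator hit."""
    hits = {}
    for name, data in files.items():
        d = digests([data])
        matched = [(algo, d[algo]) for algo in ("md5", "sha1", "sha256")
                   if d[algo] in indicators[algo]]
        if matched:
            hits[name] = matched
    return hits


# Constructed sample files; none of this is real malware.
SAMPLE_FILES = {
    "invoice.xlsm": b"constructed stand-in for a malicious Excel attachment",
    "minutes.docx": b"constructed benign document",
}

# Indicator dump in the page's raw format: three lines copied from the list above, plus the
# MD5 and SHA-256 of the constructed attachment so the example produces a hit offline.
INDICATOR_DUMP = [
    "hash016df9e04a1cb43d5d109dccc5144f4b",
    "MD5 of e123fa2abf1a2f12af9f1828b317d486d1df63aff801d591c5e939eb06eb4cfc",
    "hashe123fa2abf1a2f12af9f1828b317d486d1df63aff801d591c5e939eb06eb4cfc",
    "hash" + hashlib.md5(SAMPLE_FILES["invoice.xlsm"]).hexdigest(),
    "hash" + hashlib.sha256(SAMPLE_FILES["invoice.xlsm"]).hexdigest(),
]

INDICATORS = load_indicators(INDICATOR_DUMP)

if __name__ == "__main__":
    for name, matched in match_files(SAMPLE_FILES, INDICATORS).items():
        for algo, value in matched:
            print(f"{name}: {algo} {value} matches an indicator")
```

On a real host, replace the in-memory `SAMPLE_FILES` with a walk over the directories of interest and call `digest_file` per path; the single-pass `digests` keeps large files from being read three times, and `load_indicators` can be pointed at the Trend Micro IoC text file referenced above once it has been downloaded.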

Threat ID: 683b62e6182aa0cae2f0d752

Added to database: 5/31/2025, 8:13:26 PM

Last enriched: 7/3/2025, 4:09:35 AM

Last updated: 8/16/2025, 4:50:12 AM
