Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors
An APT group named Earth Kurma is actively targeting government and telecommunications organizations in Southeast Asia, particularly in the Philippines, Vietnam, Thailand, and Malaysia. The campaign, which dates back to November 2020, employs advanced custom malware, rootkits, and cloud storage services for data exfiltration. Earth Kurma utilizes sophisticated tools like TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA, demonstrating adaptive malware toolsets and complex evasion techniques. The attackers focus on lateral movement, persistence, and data collection, using various utilities to scan infrastructures and deploy malware. They also employ rootkits to maintain stealth and bypass detection. The group's primary objective appears to be cyberespionage, with a high risk of sensitive data compromise and prolonged, undetected network access.
AI Analysis
Technical Summary
The Earth Kurma APT campaign is a cyberespionage operation against government and telecommunications organizations in Southeast Asia, principally the Philippines, Vietnam, Thailand, and Malaysia. Active since November 2020, the actor runs a custom toolset that includes TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA, the latter two being kernel-mode rootkits. These tools support lateral movement inside the victim network, rootkit-backed persistence, and the collection and exfiltration of data. The rootkits hide the group's components from host-based tooling, which is what lets access remain undetected for long periods. Exfiltration goes to public cloud storage services, so the outbound traffic blends with legitimate SaaS use and the attacker's infrastructure is harder to attribute. The observed tradecraft includes scanning the victim infrastructure to locate targets of interest and staged deployment of payloads; the ATT&CK mapping attached to this entry lists Valid Accounts (T1078, the use of legitimate credentials obtained earlier rather than a credential-access technique in itself), Boot or Logon Autostart Execution (T1547, persistence), Process Injection (T1055, privilege escalation and defense evasion), and Application Layer Protocol (T1071, command and control). The breadth of the toolset and its adaptation over time point to a well-resourced adversary interested in intelligence collection rather than disruption. No vulnerability exploitation is reported; the campaign relies on malware delivery and stolen credentials, so the threat is to the confidentiality of data and the integrity of affected hosts, compounded by how long the group can remain resident.
Potential Impact
For European organizations the immediate risk of direct compromise is lower, since the observed targeting is of Southeast Asian government and telecom bodies. Indirect exposure exists where a European entity has business ties, partnerships, or supply chain dependencies with those organizations: data shared with a compromised partner can leak, and a partner's environment can become a pivot for secondary targeting. European telecom providers with operations or subsidiaries in Southeast Asia are the most plausible European victims. Should the campaign widen its scope, the same rootkit-based persistence and custom malware would translate into prolonged undetected access, intellectual property theft, and potential disruption of communications infrastructure. Because the campaign's objective is stealthy, sustained data exfiltration, the threat is primarily to confidentiality and operational integrity, with consequent regulatory exposure under GDPR and other data protection regimes for any personal data involved.
Mitigation Recommendations
European organizations with ties to Southeast Asia, or operating in the telecom and government sectors, should prioritize detection of rootkit-backed persistence and of lateral movement, since both are where this campaign spends most of its time once inside:
- Deploy EDR that watches for kernel-mode rootkit behaviour (unexpected driver loads, processes or network connections hidden from user-mode enumeration) and anomalous process behaviour rather than relying on file-hash matching alone; the listed hashes identify known samples, not future builds.
- Enforce network segmentation so that a foothold on one host does not give reachability to the rest of the environment, and alert on internal scanning, since the group scans the infrastructure before deploying its tools.
- Monitor outbound traffic for cloud storage service usage from hosts or accounts that do not normally use it, and for unusual upload volumes; this is the exfiltration path the campaign uses.
- Run threat-hunting exercises against the tools and indicators associated with Earth Kurma (TESDAT, SIMPOBOXSPY, KRNRAT, MORIYA), covering both the published hashes and domains and the behaviours above.
- Harden credential management: multi-factor authentication, regular audits of privileged and service accounts, and prompt rotation when compromise is suspected, since the use of valid accounts (T1078) is part of the mapped tradecraft.
- Update incident response plans for stealthy, long-dwell intrusions, with emphasis on containment that does not tip off the attacker and on forensic acquisition that includes memory, because rootkits hide on-disk and process artifacts from live-system tooling.
- Share with, and consume from, regional cybersecurity information-sharing groups for early warning.
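As an added example (not code from the Trend Micro report or the AlienVault pulse), the following Python script hunts a file-hash inventory and a proxy log against the indicators published on this page. The hash and domain values are the page's own; the inventory, the log lines and their format are constructed for the demonstration. It shows two details the indicator list alone does not: digests are matched case-insensitively with the algorithm inferred from length, and the C2 domains are indexed together with their apex because the page lists them with a www. prefix while DNS and proxy logs may record the bare domain or a different subdomain.

```python
"""IOC hunt against the Earth Kurma indicators published on this page.

Added example: not code from Trend Micro or AlienVault. The hash and domain
values are the page's own indicators; the proxy log lines, their format and
the file inventory below are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

# Subset of the page's hashes: one MD5, one SHA1, and the two SHA256 values
# the page says those two digests correspond to. Algorithm is inferred from length.
IOC_HASHES = {
    "1f276e6545d92a0607dee715b594ef8d",                                  # MD5
    "136076ee6164f20feb4bb322fe0656bc755ebdaf",                          # SHA1
    "8414136128f73fa7e29032df7b8115bc89832c57e2602d81de1e520cc2d7958d",  # SHA256
    "66edb72f6f7c8cad23c6659a81fa023f57c1a86c7d7b7022f1453b177f2b3670",  # SHA256
}
IOC_DOMAINS = {"www.dfsg3gfsga.space", "www.igtsadlb2ra.pw", "www.ihyvcs5t.pw", "www.vidsec.cc"}
HASH_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_hash(value):
    """Return (algorithm, lower-case digest), or None for a non-hex or odd-length value."""
    digest = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return None
    algo = HASH_ALGO.get(len(digest))
    return (algo, digest) if algo else None


def build_domain_set(iocs):
    """Index each listed domain plus its apex (the page lists them with a 'www.'
    prefix; logs may record the bare apex or another subdomain). Apex matching
    is only sound for attacker-owned domains like these, never for shared services."""
    indexed = set()
    for d in iocs:
        d = d.lower().rstrip(".")
        indexed.add(d)
        if d.startswith("www."):
            indexed.add(d[4:])
    return indexed


def matching_ioc_domain(host, indexed):
    """Return the indexed entry matched by host or by any of its parent domains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in indexed:
            return candidate
    return None


def hunt_hashes(inventory):
    """inventory: iterable of (path, digest). Returns [(path, algo, digest)] for IOC hits."""
    iocs = {h.lower() for h in IOC_HASHES}
    hits = []
    for path, digest in inventory:
        parsed = normalize_hash(digest)
        if parsed and parsed[1] in iocs:
            hits.append((path, parsed[0], parsed[1]))
    return hits


# Constructed proxy log format: "<timestamp> <client ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def hunt_proxy_log(lines):
    """Return [(timestamp, client ip, host, matched ioc)] for contacts with listed C2 domains."""
    indexed = build_domain_set(IOC_DOMAINS)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                          # malformed line: skip it, do not abort the hunt
        ts, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname or ""
        matched = matching_ioc_domain(host, indexed)
        if matched:
            hits.append((ts, client, host, matched))
    return hits


# Constructed sample data (not taken from the Trend Micro report).
SAMPLE_INVENTORY = [
    ("C:\\Windows\\Temp\\svc.dll", "8414136128F73FA7E29032DF7B8115BC89832C57E2602D81DE1E520CC2D7958D"),
    ("C:\\Windows\\System32\\kernel32.dll", "d41d8cd98f00b204e9800998ecf8427e"),
    ("C:\\Users\\Public\\ld.exe", "1f276e6545d92a0607dee715b594ef8d"),
    ("C:\\Users\\Public\\note.txt", "not-a-hash"),
]
SAMPLE_PROXY_LOG = [
    "2025-04-28T09:12:03Z 10.20.5.17 GET https://www.vidsec.cc/api/ping 200",
    "2025-04-28T09:12:09Z 10.20.5.17 POST https://dfsg3gfsga.space/upload 200",
    "2025-04-28T09:13:41Z 10.20.5.22 GET https://www.example.org/ 200",
    "2025-04-28T09:14:02Z 10.20.5.22 GET https://notvidsec.cc/ 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in hunt_hashes(SAMPLE_INVENTORY):
        print("hash hit:", *hit)
    for hit in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print("c2 hit:", *hit)
```

Apex matching is appropriate here only because the four domains are attacker-registered throwaways; do not apply it to shared cloud storage domains, where the recommendation above to watch for unusual usage calls for per-host baselining rather than a blocklist. The same lookups can be pointed at the full list in the Indicators of Compromise section by replacing the two constant sets.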
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain (European countries this analysis flags as exposed through regional business and telecom ties; the campaign's observed victims are in the Philippines, Vietnam, Thailand, and Malaysia)
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.trendmicro.com/en_us/research/25/d/earth-kurma-apt-campaign.html and https://documents.trendmicro.com/assets/txt/EarthKurma-IOCssVJ3RcK.txt
- Adversary: Earth Kurma
- Pulse Id: 6813dda8c5c2a896eb350730
- Threat Score: not set
Indicators of Compromise
Hash (MD5 and SHA1 values are alternate digests of four of the SHA256 samples listed below)
- hash: 1f276e6545d92a0607dee715b594ef8d (MD5 of 8414136128f73fa7e29032df7b8115bc89832c57e2602d81de1e520cc2d7958d)
- hash: 60554308955996496aa1e7c4e4399816 (MD5 of b26e8e0be066ee0b86f8fb2b0a703717ebbf34c8a33ef9a6f8f164ad012f1746)
- hash: 67165600be58fc451de2059d1d754353 (MD5 of 66edb72f6f7c8cad23c6659a81fa023f57c1a86c7d7b7022f1453b177f2b3670)
- hash: bebbeba37667453003d2372103c45bbf (MD5 of 1ab42121bb45028a17a3438b65a3634adb7d673a4e1291efeabf227a4e016cfb)
- hash: 136076ee6164f20feb4bb322fe0656bc755ebdaf (SHA1 of 66edb72f6f7c8cad23c6659a81fa023f57c1a86c7d7b7022f1453b177f2b3670)
- hash: 34894d5ffa541ab159b69a2fe0937a5430dac545 (SHA1 of 1ab42121bb45028a17a3438b65a3634adb7d673a4e1291efeabf227a4e016cfb)
- hash: 49b5260daa9a920537fb240363e85d49719d6fd4 (SHA1 of b26e8e0be066ee0b86f8fb2b0a703717ebbf34c8a33ef9a6f8f164ad012f1746)
- hash: 720d744310bede34a011205006e03be4b9d491cd (SHA1 of 8414136128f73fa7e29032df7b8115bc89832c57e2602d81de1e520cc2d7958d)
- hash: 004adec667373bdf6146e05b9a1c6e0c63941afd38e30c2461eaecb707352466
- hash: 0a50587785bf821d224885cbfc65c5fd251b3e43cda90c3f49435bb3323d2a8b
- hash: 10898b74b612b1e95826521c5ccf36f7a238f5d181993c3c78c2098fcfdc1f3f
- hash: 131bacdddd51f0d5d869b63912606719cd8f7a8f5b5f4237cbdb5c2e22e2cba2
- hash: 1ab42121bb45028a17a3438b65a3634adb7d673a4e1291efeabf227a4e016cfb
- hash: 1c350d09c1cd545d54c38cd03aba3fd4eb0e8d97a3ba6c3744cc33ed92cb9a48
- hash: 1e48967e24d4ae2ac2697ef09c0f2702285825831bd516cb3be8859496fd296f
- hash: 1f3f384e29eab247ec99d97dfe6a4b67110888e4ad313b75fa9d0beceef87e93
- hash: 1f5f6cc1cbf578412ea5279dbdb432eda251309695513a74de66063ab02789f1
- hash: 2c9b8e4852181d51ff72dc6dec78bef014db8af83d30c05c3e9c5eb060278730
- hash: 2e87615142170a7510e26f94790bfb81df4d499a9f530d0bd8fe0fb1575b17f8
- hash: 34366323262346e10d8780bad9d30c6d4d747e4ec543243be76f33b7c028ea36
- hash: 37a397a2482b37d19d58588c0a897a08111b74d122c21542f1bf852ae83e1db0
- hash: 383aa73fe72caf268ce0874ebbcd13fc4c9e1e5c6200cdd66862de7257942cea
- hash: 398234b692a80a424939e98a2d96a705ce3fd9d61950420b5f2af45890abc48e
- hash: 4198b4ec5bb0c72112e9cf835686c33b9a97037acfb7727e494046a73106e938
- hash: 45e1138f2b8e822cbd4573cb53104b402ae26dcddb42c70534cf024a8bc6db66
- hash: 49ab6e2b5e378c74d196aecac4e84c969c800051167c1e33d204531fabd17990
- hash: 4ae186ee19d0d3e246dc37ac722a27d5297d2577de59b8583c97897480290bc1
- hash: 54e14b7742801970c578fad2ec2a193334ca8a17b60ee18dd6ec0fbfc8ce900b
- hash: 612a5fcb7620deef45a021140b6c06ab9c0473dce5b7e4a54960e330a00c90f3
- hash: 6190b13df521306bfa7ee973b864ba304ee0971865a66afbe0b4661c986099f4
- hash: 66edb72f6f7c8cad23c6659a81fa023f57c1a86c7d7b7022f1453b177f2b3670
- hash: 6bbbb227d679ea00f0663c2e261d5649417d08285f9acc1fd80e806ddea08403
- hash: 6ef3a27fdca386fe093c12146cd854d9ae6b42ca637950ca46bfd364ceab5b53
- hash: 73afc6af6fdfcaf9832aa2975489271bad7c8ea58679f1a2ddd8f60b44cc4a13
- hash: 75cc8474abb1d9a06cd8086fede98958653d013fb7ff89bbc32458b022a8fc94
- hash: 823a0862d10f41524362ba8e8976ddfd4524c74075bd7f3beffa794afb54f196
- hash: 8414136128f73fa7e29032df7b8115bc89832c57e2602d81de1e520cc2d7958d
- hash: 85e78a1b0a78e5d921c89241aaadd505d66dc4df29ca7d8a81098f42487ba350
- hash: 876c822f333e812041af24ae80935a830ca5016f9aaf2e8319ebb6cab1f9d7d0
- hash: 8c703148567cb66fe27bc07d18de58aa36aa84a49f1ce7545e9ec56378857d3d
- hash: 8ca1ffbd3cd22b9bead766ebd2a0f7b2d195b03d533bacf0cb8e1b1887af5636
- hash: 8e6583cca6dd4a78bdc0387c7f30334ab038e5c77848f708fe578e60dd8d9e00
- hash: 96b407856889c920a49f921d925118a130b904e99f9fe43a87342c680ffb9f27
- hash: a359a06fbc6b5cf5adf7f53c35145b28f3c8a70f6998631090021825aea08e22
- hash: aa925a5a8a7d5b36a66431f4968bd1003d1bbb6cb3ff6d03d9e3e0143c48382b
- hash: aef3407310de48e13575c3d98b660ab7ddafb7efe3f4909682907ac286062392
- hash: b26e8e0be066ee0b86f8fb2b0a703717ebbf34c8a33ef9a6f8f164ad012f1746
- hash: c0326a0cd6137514ee14b6ac3be7461e8cf6c6adec74d087fd30cb06b91ecda2
- hash: c6f73268eba553c7991f876a166440f5b4d519dea6b13bc90583fde1e89e81ed
- hash: d3d2355b1ffb3f6f4ba493000e135dfd1b28156672e17f0b34dfc90cc3add352
- hash: e143c15eaa0b3faccc93ce3693960323dbaa683ac9ce30382e876690278dfefa
- hash: ec9220cf8208a3105022b47861d4e200672846ef484c1ea481c5cfd617cb18dc
- hash: f3916c414db0f660d488c9d3aaa8355f3eb036ca27a9c606fe7e5e1a9bd42b38
- hash: f52d9355b9efb6a1fcb32b890c5c373274df21ce38050d49416f469be95dc783
- hash: f9892636093266a01ed6f0486c00189d2eeb532a3086660490f4efeb6d026487
Domain
- domain: www.dfsg3gfsga.space
- domain: www.igtsadlb2ra.pw
- domain: www.ihyvcs5t.pw
- domain: www.vidsec.cc
Threat ID: 683b62e6182aa0cae2f0d715
Added to database: 5/31/2025, 8:13:26 PM
Last enriched: 7/3/2025, 4:09:46 AM
Last updated: 8/17/2025, 7:43:26 AM