OSINT - Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion
Earth Lusca, a threat actor linked to China, is reported to use the KTLVdoor backdoor for multiplatform intrusion. This backdoor enables persistent access across different operating systems, facilitating espionage or data exfiltration. Although no known exploits in the wild or patches are currently available, the threat actor's activity indicates targeted payload delivery. The severity is assessed as low based on current information, but the lack of patches and the multiplatform nature warrant attention. European organizations should be aware of potential indirect risks, especially those with ties to Chinese entities or operating in sensitive sectors. Mitigation should focus on enhanced monitoring for unusual backdoor activity and network segmentation. Countries with significant Chinese business presence or geopolitical interest in China-related cyber activities are more likely to be affected. Overall, defenders should prioritize threat intelligence integration and proactive detection mechanisms to mitigate potential future exploitation.
AI Analysis
Technical Summary
The threat actor Earth Lusca, attributed to China, has been observed deploying a backdoor named KTLVdoor that supports multiplatform intrusion capabilities. This backdoor allows the attacker to maintain persistent access across various operating systems, which may include Windows, Linux, and possibly macOS, although specific platforms are not detailed. The KTLVdoor backdoor is used for payload delivery, enabling the threat actor to execute commands, exfiltrate data, or move laterally within compromised networks. The intelligence is derived from open-source intelligence (OSINT) feeds, specifically from CIRCL and Trend Micro, indicating ongoing monitoring of this actor's tactics. No patches or known exploits in the wild have been reported, suggesting either a low detection rate or limited deployment so far. The threat actor's focus appears to be on targets within China, but the multiplatform nature of the backdoor implies potential for broader impact. The lack of detailed technical indicators or CVEs limits the ability to perform signature-based detection, emphasizing the need for behavioral analysis and anomaly detection. The threat is currently assessed as low severity due to limited evidence of widespread exploitation and impact, but the persistent and stealthy nature of backdoors necessitates vigilance.
Potential Impact
For European organizations, the direct impact of Earth Lusca's KTLVdoor backdoor is currently limited, as the primary targeting appears to be within China. However, European entities with business ties to Chinese companies, involvement in supply chains, or operating in sectors of strategic interest (e.g., technology, telecommunications, critical infrastructure) could face indirect risks. The multiplatform capability of the backdoor increases the attack surface, potentially affecting diverse IT environments common in European enterprises. If exploited, the backdoor could lead to unauthorized access, data theft, espionage, and disruption of operations. The absence of patches means that once detected, remediation may require manual removal and system restoration, increasing operational overhead. The stealthy nature of backdoors complicates detection, potentially allowing long-term persistence and data exfiltration. Given geopolitical tensions and the strategic importance of European technology sectors, the threat actor's activity could escalate or pivot to European targets in the future.
Mitigation Recommendations
European organizations should implement advanced endpoint detection and response (EDR) solutions capable of identifying unusual process behaviors and network connections indicative of backdoor activity. Network segmentation should be enforced to limit lateral movement in case of compromise. Regular threat hunting exercises focusing on indicators of compromise related to Earth Lusca and KTLVdoor should be conducted, leveraging threat intelligence feeds from trusted sources like CIRCL and Trend Micro. Multi-factor authentication (MFA) should be mandatory to reduce the risk of credential theft facilitating backdoor deployment. Organizations should maintain strict patch management for all systems to reduce exploitable vulnerabilities that could be leveraged to install backdoors. Additionally, monitoring outbound traffic for anomalous connections to suspicious or unknown external IP addresses can help detect data exfiltration attempts. Employee awareness training on phishing and social engineering can reduce initial infection vectors. Finally, collaboration with national cybersecurity centers and sharing of threat intelligence within European cybersecurity communities will enhance collective defense.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Belgium, Sweden
Indicators of Compromise
- link: https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html
- text: During our monitoring of the Chinese-speaking threat actor Earth Lusca, we discovered a new multiplatform backdoor written in Golang, named KTLVdoor, which has both Microsoft Windows and Linux versions. KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning. The malware's configuration and communication involve sophisticated encryption and obfuscation techniques to hinder malware analysis. The scale of the attack campaign is significant, with over 50 C&C servers found hosted at a China-based company; it remains unclear whether the entire infrastructure is exclusive to Earth Lusca or shared with other threat actors.
- text: Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion
- text: Blog
- file: Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion _ Trend Micro (US).pdf
Technical Details
- Uuid: f1d154e7-f660-4146-8140-5985f0d69aa8
- Original Timestamp: 1725448717
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash9ceb37c55a1e55afe50e2b892d3756e5c89ee71131245f5da72c1b8dd0005b99 | Backdoor SHA256 hashes | |
hash6eec892054e6cb1addbde2fa92d3ccb5d56d37aa992f81f9106aaf124b9d3525 | Backdoor SHA256 hashes | |
hash20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951 | Backdoor SHA256 hashes | |
hash7ff329e0a20a96dd4d0e8b42a216ade348161566250b7e39e166031c881f34d0 | Backdoor SHA256 hashes | |
hash12435ae8d190c4a0cae64009416f17195dbb7f7ca732b69e6178e9dd4c66fcb2 | Backdoor SHA256 hashes | |
hash19f94c523d4488a50584dd3d96500820e4f479cadcef4d14a1dd7cf939cd3154 | Backdoor SHA256 hashes | |
hashdc4277e5f6e76ef3f5c0da8a6703acd69a017747aac0413f7248911e51214641 | Backdoor SHA256 hashes | |
hashb66dab4fbdae54eea59313fd218abc96a54c0bbf0ab774dbe8776de9322510b2 | Backdoor SHA256 hashes | |
hashd095e636400ee633ae22488bba77d53f584f1ff279fd604bb6e60c0211d1957e | Backdoor SHA256 hashes | |
hash99027cf9f6fcce91d1d08a8cc15043912e51aff82804d4678c7b453e55899404 | Backdoor SHA256 hashes | |
hash3d753a9e8e6ab22a498f7c6702910ea3e77ca8ef524f8435ac4614a9d4cbf345 | Backdoor SHA256 hashes | |
hashc75c5d7b4bdedcf5c6e78305d62f6830f4766c4517cf650a36493e19574c507d | Backdoor SHA256 hashes | |
hasha133b1839bad5616b51915f2dfe420be36e05ee5c5f1c8e81220177b14c12848 | Backdoor SHA256 hashes | |
hash01ef286f55d1a15f308f2bed102bec0916d799d8e883a48117cecfe713a74267 | Backdoor SHA256 hashes | |
hash1887185af63849aea9cdd7855b638110447842f178fca9cd81b76c72acd16e68 | Backdoor SHA256 hashes | |
hash3dcad2fdebd68390ea4a80398593cfc3360ef51291b853cb3e9a607915ec74cb | Backdoor SHA256 hashes | |
hashaa7bc130c5340364f61074f7c98651e80db3b08396a4fb449f614e0889acfdd3 | Backdoor SHA256 hashes | |
hashc0b1deaa2598936c284684b50a652f98771a129e882f382ac011d5ab984fd132 | Backdoor SHA256 hashes | |
hash1185fa967aa989d5e072577e493d2b307c48181480129d4c45337da64d5bfd25 | Backdoor SHA256 hashes | |
hashd18019064e5903dcf7c29921c10a7a90176cccd55d9cf3ba1e3e9805c1364df1 | Backdoor SHA256 hashes | |
hash644b88ce37d8ccb9258df6fcd74c6b485323dcfd9feb0f961252e6c311241703 | Backdoor SHA256 hashes | |
hash0b2e9328d82a045ce00f6b1b449ae32d8997f631f691350ea39d85c78eb66216 | Backdoor SHA256 hashes | |
hash18e2b7df374a838a57ebf3186b13a26e523cf964afde50b7ba765ed4d5509670 | Backdoor SHA256 hashes | |
hashd72ea22e6f35e848a2e5870863e410f0434013ad43c3f5b6935168fc07c7d7b0 | Backdoor SHA256 hashes | |
hashaa5ff64cadabd2d8aba7963c2372270bbfdafa155f85a9a9ec2b57674cf8173e | Earth Lusca’s archive | |
hashfcf0cf8a19fa16792771310462d36f3c059ed7d36ef90899316313f4626d24d7 | Earth Lusca’s LNK file | |
hashfd3205edef38248c059898274f5818abbcb757adb707ca47580d4b16772a38d1 | Earth Lusca’s DLL decryptor |
Url
| Value | Description | Copy |
|---|---|---|
url39.105.121.123:9999 | — | |
url39.107.101.26:9999 | — | |
url47.94.223.124:9999 | — | |
url47.94.166.190:9999 | — | |
url59.110.136.109:9999 | — | |
url123.56.45.175:81 | — | |
url123.57.223.22:81 | — | |
url39.107.75.91:81 | — | |
url182.92.101.4:81 | — | |
url123.56.45.175:443 | — | |
url123.57.223.22:443 | — | |
url39.107.75.91:443 | — | |
url182.92.101.4:443 | — | |
url123.57.6.3:81 | — | |
url39.107.67.131:81 | — | |
url101.200.156.217:81 | — | |
url182.92.155.149:81 | — | |
url123.57.218.176:81 | — | |
url47.99.78.41:443 | — | |
url47.96.97.77:443 | — | |
url47.96.5.136:443 | — | |
url47.96.135.49:443 | — | |
url116.62.120.97:443 | — | |
url123.57.60.94:443 | — | |
url39.105.107.130:443 | — | |
url182.92.233.242:443 | — | |
url47.94.229.250:443 | — | |
url182.92.169.60:443 | — | |
url47.96.160.242:443 | — | |
url116.62.231.152:443 | — | |
url47.96.13.99:443 | — | |
url47.98.173.175:443 | — | |
url47.97.109.62:443 | — | |
url139.224.254.181:53 | — | |
url139.224.45.232:53 | — | |
url47.102.36.88:53 | — | |
url47.101.43.111:53 | — | |
url139.196.196.178:53 | — | |
url123.57.60.94:8081 | — | |
url39.105.107.130:8081 | — | |
url182.92.233.242:8081 | — | |
url47.94.229.250:8081 | — | |
url182.92.169.60:8081 | — | |
url47.100.98.234:443 | — | |
url106.14.175.235:443 | — | |
url106.15.193.24:443 | — | |
url47.100.121.195:443 | — | |
url47.100.59.42:443 | — | |
url47.100.160.164:80 | — | |
url47.101.48.168:80 | — | |
url47.101.137.187:8032 | — | |
url139.196.89.210:80 | — | |
url106.15.90.75:80 | — | |
url47.93.38.26:53 | — | |
url39.106.135.228:53 | — | |
url47.95.198.228:53 | — | |
url101.201.68.58:53 | — | |
url47.94.194.248:53 | — | |
url182.92.243.166:1433 | — | |
url47.95.168.191:80 | — | |
url47.98.121.179:443 | — | |
url47.96.106.167:443 | — | |
url116.62.142.53:443 | — | |
url121.40.70.23:443 | — | |
url118.31.53.137:443 | — | |
url47.98.50.198:80 | — | |
url39.106.40.121:53 | — | |
url101.200.63.187:53 | — | |
url101.201.35.96:53 | — | |
url39.107.231.100:53 | — | |
url47.95.12.152:53 | — | |
url47.94.20.102:443 | — | |
url101.201.69.42:443 | — | |
url47.94.202.137:443 | — | |
url47.94.193.44:443 | — | |
url47.94.227.15:443 | — | |
url47.94.143.163:443 | — | |
url39.106.13.202:443 | — | |
url47.93.47.186:443 | — | |
url59.110.226.246:443 | — | |
url47.94.200.23:443 | — |
Port
| Value | Description | Copy |
|---|---|---|
port9999 | — | |
port9999 | — | |
port9999 | — | |
port9999 | — | |
port9999 | — | |
port81 | — | |
port81 | — | |
port81 | — | |
port81 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port81 | — | |
port81 | — | |
port81 | — | |
port81 | — | |
port81 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port53 | — | |
port53 | — | |
port53 | — | |
port53 | — | |
port53 | — | |
port8081 | — | |
port8081 | — | |
port8081 | — | |
port8081 | — | |
port8081 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port80 | — | |
port80 | — | |
port8032 | — | |
port80 | — | |
port80 | — | |
port53 | — | |
port53 | — | |
port53 | — | |
port53 | — | |
port53 | — | |
port1433 | — | |
port80 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port80 | — | |
port53 | — | |
port53 | — | |
port53 | — | |
port53 | — | |
port53 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — | |
port443 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domain39.105.121.123 | — | |
domain39.105.121.123 | — | |
domain39.107.101.26 | — | |
domain39.107.101.26 | — | |
domain47.94.223.124 | — | |
domain47.94.223.124 | — | |
domain47.94.166.190 | — | |
domain47.94.166.190 | — | |
domain59.110.136.109 | — | |
domain59.110.136.109 | — | |
domain123.56.45.175 | — | |
domain123.56.45.175 | — | |
domain123.57.223.22 | — | |
domain123.57.223.22 | — | |
domain39.107.75.91 | — | |
domain39.107.75.91 | — | |
domain123.56.45.175 | — | |
domain123.56.45.175 | — | |
domain123.57.223.22 | — | |
domain123.57.223.22 | — | |
domain39.107.75.91 | — | |
domain39.107.75.91 | — | |
domain39.107.67.131 | — | |
domain39.107.67.131 | — | |
domain101.200.156.217 | — | |
domain101.200.156.217 | — | |
domain182.92.155.149 | — | |
domain182.92.155.149 | — | |
domain123.57.218.176 | — | |
domain123.57.218.176 | — | |
domain47.99.78.41 | — | |
domain47.99.78.41 | — | |
domain47.96.97.77 | — | |
domain47.96.97.77 | — | |
domain47.96.5.136 | — | |
domain47.96.5.136 | — | |
domain47.96.135.49 | — | |
domain47.96.135.49 | — | |
domain116.62.120.97 | — | |
domain116.62.120.97 | — | |
domain123.57.60.94 | — | |
domain123.57.60.94 | — | |
domain39.105.107.130 | — | |
domain39.105.107.130 | — | |
domain182.92.233.242 | — | |
domain182.92.233.242 | — | |
domain47.94.229.250 | — | |
domain47.94.229.250 | — | |
domain182.92.169.60 | — | |
domain182.92.169.60 | — | |
domain47.96.160.242 | — | |
domain47.96.160.242 | — | |
domain116.62.231.152 | — | |
domain116.62.231.152 | — | |
domain47.96.13.99 | — | |
domain47.96.13.99 | — | |
domain47.98.173.175 | — | |
domain47.98.173.175 | — | |
domain47.97.109.62 | — | |
domain47.97.109.62 | — | |
domain139.224.254.181 | — | |
domain139.224.254.181 | — | |
domain139.224.45.232 | — | |
domain139.224.45.232 | — | |
domain47.102.36.88 | — | |
domain47.102.36.88 | — | |
domain47.101.43.111 | — | |
domain47.101.43.111 | — | |
domain139.196.196.178 | — | |
domain139.196.196.178 | — | |
domain123.57.60.94 | — | |
domain123.57.60.94 | — | |
domain39.105.107.130 | — | |
domain39.105.107.130 | — | |
domain182.92.233.242 | — | |
Text
| Value | Description | Copy |
|---|---|---|
| During our monitoring of the Chinese-speaking threat actor Earth Lusca, we discovered a new multiplatform backdoor written in Golang, named KTLVdoor, which has both Microsoft Windows and Linux versions. KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning. The malware's configuration and communication involve sophisticated encryption and obfuscation techniques to hinder malware analysis. The scale of the attack campaign is significant, with over 50 C&C servers found hosted at a China-based company; it remains unclear whether the entire infrastructure is exclusive to Earth Lusca or shared with other threat actors. | — | |
| Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion | — | |
| Blog | — | |
Link
| Value | Description | Copy |
|---|---|---|
| https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html | — | |
File
| Value | Description | Copy |
|---|---|---|
| Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion _ Trend Micro (US).pdf | — | |
Threat ID: 68359ca25d5f0974d01fcc40
Added to database: 5/27/2025, 11:06:10 AM
Last enriched: 12/24/2025, 6:14:18 AM
Last updated: 1/19/2026, 9:57:17 AM
Views: 43