OSINT - Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion
AI Analysis
Technical Summary
Trend Micro reports that Earth Lusca, a Chinese-speaking threat actor tracked for cyber-espionage activity, has deployed KTLVdoor, a previously undocumented backdoor written in Go with separate Windows and Linux builds (the source names only these two platforms; no macOS variant is described). The implant is heavily obfuscated, is distributed under file names that imitate system utilities, and encrypts both its embedded configuration and its command-and-control traffic to slow analysis. Once running it gives the operator file manipulation, arbitrary command execution and remote port scanning, which is enough to serve as a persistent foothold and to stage further tooling. The initial access vector and any exploited vulnerability are not described, and there is no patch in the usual sense: this is custom tooling used in targeted intrusions, not a product flaw. Unlike many OSINT entries, this one ships actionable indicators: 27 SHA256 hashes (24 backdoor samples plus an archive, an LNK file and a DLL decryptor) and 81 address/port pairs covering 72 IP addresses across ports 53, 80, 81, 443, 1433, 8032, 8081 and 9999. Trend Micro counted more than 50 C&C servers hosted with a single China-based provider and could not determine whether that infrastructure is exclusive to Earth Lusca or shared with other actors, so a network hit should be treated as a strong lead rather than definitive attribution. The feed rates the severity as low, most plausibly because no widespread victim population was observed, but an obfuscated multiplatform backdoor backed by a C&C fleet of this size should not be underestimated by organizations holding sensitive or strategic information.
Potential Impact
The source report does not name victim organizations, sectors or countries, so European exposure cannot be read directly from it; the country list below is the feed's assessment rather than a record of confirmed victims. Earth Lusca's espionage track record makes European companies with business ties to China, and organizations in sectors of strategic interest such as technology, telecommunications, government and critical infrastructure, the most plausible targets. Because KTLVdoor ships in both Windows and Linux builds, workstation-only monitoring is not enough: Linux servers, which often carry less instrumentation, are equally in scope. A successful deployment gives the operator file access, command execution and internal port scanning, which is sufficient for data theft, intellectual-property loss and staging of further intrusion across the network, and the obfuscation and encrypted C&C channel lengthen dwell time by defeating signature-based review and casual traffic inspection. The hash list includes an archive, an LNK file and a DLL decryptor alongside the backdoor samples, which is consistent with a user-delivered first stage, although the report quoted here does not describe the delivery chain. Third-party and supplier access paths remain a concern: a compromised partner with network or account access into a European organization is a realistic route in for an actor of this profile.
Mitigation Recommendations
- Block and alert on the 81 address/port pairs listed under Indicators of Compromise at the perimeter and in proxy, firewall and NetFlow data, and hunt historical logs back to at least the report's publication in early September 2024. Several ports are easy to single out in egress telemetry: connections to port 53 on addresses that are not your resolvers (the feed does not state the protocol, so check TCP as well as UDP), port 1433 to a single external address, and the non-standard ports 81, 8032, 8081 and 9999.
- Hunt for the 27 SHA256 hashes in EDR, file inventory and mail-gateway quarantine, keeping in mind that hashes only catch the exact builds Trend Micro analysed; the actor can recompile at will.
- Because KTLVdoor is a Go binary that impersonates system utilities, look for ELF and PE executables carrying Go build metadata whose names match common utilities but whose paths, signatures or install times do not match package-manager or installer records.
- Deploy EDR capable of flagging anomalous child processes and unexpected outbound connections on both Windows and Linux fleets.
- Segment networks and restrict east-west access so a single backdoored host cannot reach critical systems, and enforce egress filtering so implants cannot call out on arbitrary ports; an egress allow-list would have blocked every non-80/443 entry in this list.
- Keep systems patched and hardened. No patch addresses KTLVdoor itself, but reducing the attack surface limits the initial-access options that precede a backdoor drop.
- Require multi-factor authentication and watch for anomalous authentication patterns, since an operator with command execution on one host typically moves on to credential use.
- Share and consume intelligence through your national cybersecurity centre and the CIRCL/MISP community; Trend Micro's report is the primary source for this entry.
- Review supplier and third-party access paths, and make sure the incident response plan covers a long-dwell backdoor: containment, credential rotation and rebuild rather than in-place cleanup.
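As an added example (not code from Trend Micro or the CIRCL feed), the following Python script shows the hunting step above in practice. It parses indicators in this page's own `- type: value` export format, keeps only the hash and IP:port entries (the feed's domain, port and text attributes repeat the url entries and would produce port-less matches), and runs them over constructed firewall log lines and a constructed file inventory. The indicator values are taken from the list on this page; the log lines, host names and paths are made up for the demonstration.

```python
"""IOC matching for the Earth Lusca / KTLVdoor indicators on this page.

Added example, not code from Trend Micro or the CIRCL feed. The indicator
subset below is copied from this page; log lines, inventory rows, hosts and
paths are constructed for the demonstration.
"""
import re

# Constructed subset of the page's indicator export, in the feed's own format.
IOC_TEXT = """
- hash: 9ceb37c55a1e55afe50e2b892d3756e5c89ee71131245f5da72c1b8dd0005b99
- hash: fcf0cf8a19fa16792771310462d36f3c059ed7d36ef90899316313f4626d24d7
- url: 39.105.121.123:9999
- port: 9999
- domain: 39.105.121.123
- text: 39.105.121.123
- url: 123.56.45.175:81
- url: 123.56.45.175:443
- url: 139.224.254.181:53
- url: 182.92.243.166:1433
"""

# Constructed firewall log lines (key=value style, not a real vendor format).
SAMPLE_LOGS = [
    "2024-09-04T10:01:02Z src=10.1.2.3 dst=39.105.121.123 dport=9999 proto=tcp action=allow",
    "2024-09-04T10:01:05Z src=10.1.2.3 dst=8.8.8.8 dport=53 proto=udp action=allow",
    "2024-09-04T10:02:11Z src=10.1.2.9 dst=123.56.45.175 dport=8443 proto=tcp action=allow",
    "2024-09-04T10:03:40Z src=10.1.2.3 dst=139.224.254.181 dport=53 proto=tcp action=allow",
]

# Constructed (host, path, sha256) inventory rows; only the second digest is from the page.
SAMPLE_INVENTORY = [
    ("srv-web-02", "/usr/bin/curl", "deadbeef" * 8),
    ("srv-db-01", "/tmp/.cache/svc", "9CEB37C55A1E55AFE50E2B892D3756E5C89EE71131245F5DA72C1B8DD0005B99"),
]

IOC_LINE = re.compile(r"^\s*-\s*(\w+):\s*(\S+)")
LOG_LINE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")
SHA256 = re.compile(r"[0-9a-f]{64}")


def parse_iocs(text):
    """Parse '- hash:' and '- url:' lines into lookup sets.

    Returns {"hashes": {sha256}, "endpoints": {(ip, port)}, "ips": {ip}}.
    'domain', 'port' and 'text' lines are skipped on purpose: in this feed
    they duplicate the url entries, and matching a bare port would be noise.
    """
    hashes, endpoints = set(), set()
    for line in text.splitlines():
        m = IOC_LINE.match(line)
        if not m:
            continue
        kind, value = m.group(1), m.group(2).lower()
        if kind == "hash" and SHA256.fullmatch(value):
            hashes.add(value)
        elif kind == "url":
            ip, sep, port = value.rpartition(":")
            if sep and port.isdigit():
                endpoints.add((ip, int(port)))
    return {"hashes": hashes, "endpoints": endpoints,
            "ips": {ip for ip, _ in endpoints}}


def match_connections(lines, iocs):
    """Return (src, dst, dport, confidence) for lines touching listed infrastructure.

    'exact'   - destination IP and port both appear in the feed.
    'ip-only' - listed IP on an unlisted port; weaker, because the source
                report could not rule out the hosting being shared with
                other actors, so the same box may serve unrelated traffic.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in iocs["endpoints"]:
            hits.append((m["src"], dst, dport, "exact"))
        elif dst in iocs["ips"]:
            hits.append((m["src"], dst, dport, "ip-only"))
    return hits


def match_hashes(inventory, iocs):
    """Return inventory rows whose SHA256 (compared case-insensitively) is listed."""
    return [(host, path, digest.lower())
            for host, path, digest in inventory
            if digest.lower() in iocs["hashes"]]


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for hit in match_connections(SAMPLE_LOGS, iocs):
        print("network", *hit)
    for hit in match_hashes(SAMPLE_INVENTORY, iocs):
        print("file", *hit)
```

The two-tier confidence is deliberate: the report's own caveat about possibly shared infrastructure means an IP-only hit on an unlisted port deserves a look but not an automatic incident, whereas an exact address/port match, or any hash match, should open a case. Note that the third sample line is a TCP session to port 53 on a non-resolver address, which is exactly the kind of egress an allow-list would have stopped.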
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Belgium, Poland, Sweden
Indicators of Compromise
Hashes (SHA256)

Value | Description
---|---
9ceb37c55a1e55afe50e2b892d3756e5c89ee71131245f5da72c1b8dd0005b99 | Backdoor sample
6eec892054e6cb1addbde2fa92d3ccb5d56d37aa992f81f9106aaf124b9d3525 | Backdoor sample
20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951 | Backdoor sample
7ff329e0a20a96dd4d0e8b42a216ade348161566250b7e39e166031c881f34d0 | Backdoor sample
12435ae8d190c4a0cae64009416f17195dbb7f7ca732b69e6178e9dd4c66fcb2 | Backdoor sample
19f94c523d4488a50584dd3d96500820e4f479cadcef4d14a1dd7cf939cd3154 | Backdoor sample
dc4277e5f6e76ef3f5c0da8a6703acd69a017747aac0413f7248911e51214641 | Backdoor sample
b66dab4fbdae54eea59313fd218abc96a54c0bbf0ab774dbe8776de9322510b2 | Backdoor sample
d095e636400ee633ae22488bba77d53f584f1ff279fd604bb6e60c0211d1957e | Backdoor sample
99027cf9f6fcce91d1d08a8cc15043912e51aff82804d4678c7b453e55899404 | Backdoor sample
3d753a9e8e6ab22a498f7c6702910ea3e77ca8ef524f8435ac4614a9d4cbf345 | Backdoor sample
c75c5d7b4bdedcf5c6e78305d62f6830f4766c4517cf650a36493e19574c507d | Backdoor sample
a133b1839bad5616b51915f2dfe420be36e05ee5c5f1c8e81220177b14c12848 | Backdoor sample
01ef286f55d1a15f308f2bed102bec0916d799d8e883a48117cecfe713a74267 | Backdoor sample
1887185af63849aea9cdd7855b638110447842f178fca9cd81b76c72acd16e68 | Backdoor sample
3dcad2fdebd68390ea4a80398593cfc3360ef51291b853cb3e9a607915ec74cb | Backdoor sample
aa7bc130c5340364f61074f7c98651e80db3b08396a4fb449f614e0889acfdd3 | Backdoor sample
c0b1deaa2598936c284684b50a652f98771a129e882f382ac011d5ab984fd132 | Backdoor sample
1185fa967aa989d5e072577e493d2b307c48181480129d4c45337da64d5bfd25 | Backdoor sample
d18019064e5903dcf7c29921c10a7a90176cccd55d9cf3ba1e3e9805c1364df1 | Backdoor sample
644b88ce37d8ccb9258df6fcd74c6b485323dcfd9feb0f961252e6c311241703 | Backdoor sample
0b2e9328d82a045ce00f6b1b449ae32d8997f631f691350ea39d85c78eb66216 | Backdoor sample
18e2b7df374a838a57ebf3186b13a26e523cf964afde50b7ba765ed4d5509670 | Backdoor sample
d72ea22e6f35e848a2e5870863e410f0434013ad43c3f5b6935168fc07c7d7b0 | Backdoor sample
aa5ff64cadabd2d8aba7963c2372270bbfdafa155f85a9a9ec2b57674cf8173e | Earth Lusca archive
fcf0cf8a19fa16792771310462d36f3c059ed7d36ef90899316313f4626d24d7 | Earth Lusca LNK file
fd3205edef38248c059898274f5818abbcb757adb707ca47580d4b16772a38d1 | Earth Lusca DLL decryptor

Network indicators (IP:port)

The feed exports each network entry as IP:port with no description and no protocol, and repeats every address as url, port, domain and text attributes; the table below collapses that to one row per address, 72 addresses and 81 address/port pairs in total. The source report counts more than 50 C&C servers hosted with a single China-based provider, which these entries are consistent with, while noting that it could not establish whether the infrastructure is exclusive to Earth Lusca.

Address | Port(s)
---|---
39.105.121.123 | 9999
39.107.101.26 | 9999
47.94.223.124 | 9999
47.94.166.190 | 9999
59.110.136.109 | 9999
123.56.45.175 | 81, 443
123.57.223.22 | 81, 443
39.107.75.91 | 81, 443
182.92.101.4 | 81, 443
123.57.6.3 | 81
39.107.67.131 | 81
101.200.156.217 | 81
182.92.155.149 | 81
123.57.218.176 | 81
47.99.78.41 | 443
47.96.97.77 | 443
47.96.5.136 | 443
47.96.135.49 | 443
116.62.120.97 | 443
123.57.60.94 | 443, 8081
39.105.107.130 | 443, 8081
182.92.233.242 | 443, 8081
47.94.229.250 | 443, 8081
182.92.169.60 | 443, 8081
47.96.160.242 | 443
116.62.231.152 | 443
47.96.13.99 | 443
47.98.173.175 | 443
47.97.109.62 | 443
139.224.254.181 | 53
139.224.45.232 | 53
47.102.36.88 | 53
47.101.43.111 | 53
139.196.196.178 | 53
47.100.98.234 | 443
106.14.175.235 | 443
106.15.193.24 | 443
47.100.121.195 | 443
47.100.59.42 | 443
47.100.160.164 | 80
47.101.48.168 | 80
47.101.137.187 | 8032
139.196.89.210 | 80
106.15.90.75 | 80
47.93.38.26 | 53
39.106.135.228 | 53
47.95.198.228 | 53
101.201.68.58 | 53
47.94.194.248 | 53
182.92.243.166 | 1433
47.95.168.191 | 80
47.98.121.179 | 443
47.96.106.167 | 443
116.62.142.53 | 443
121.40.70.23 | 443
118.31.53.137 | 443
47.98.50.198 | 80
39.106.40.121 | 53
101.200.63.187 | 53
101.201.35.96 | 53
39.107.231.100 | 53
47.95.12.152 | 53
47.94.20.102 | 443
101.201.69.42 | 443
47.94.202.137 | 443
47.94.193.44 | 443
47.94.227.15 | 443
47.94.143.163 | 443
39.106.13.202 | 443
47.93.47.186 | 443
59.110.226.246 | 443
47.94.200.23 | 443

Source

- link: https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html
- text (Trend Micro summary): During our monitoring of the Chinese-speaking threat actor Earth Lusca, we discovered a new multiplatform backdoor written in Golang, named KTLVdoor, which has both Microsoft Windows and Linux versions. KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning. The malware's configuration and communication involve sophisticated encryption and obfuscation techniques to hinder malware analysis. The scale of the attack campaign is significant, with over 50 C&C servers found hosted at a China-based company; it remains unclear whether the entire infrastructure is exclusive to Earth Lusca or shared with other threat actors.
- text: Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion
- text: Blog
- file: Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion _ Trend Micro (US).pdf
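As an added example (not code from Trend Micro, the feed or the actor's tooling), the script below turns the source summary's description of KTLVdoor as a Go binary that masquerades as system utilities into a host-side hunt for Linux: it walks a directory tree, picks out ELF files whose basename is on a watchlist of utility names, and reports those that carry the Go build-info header the Go linker embeds in binaries since Go 1.13, ranking hits outside the standard binary directories first. The watchlist, the sample files and every path are constructed for the demonstration. Treat hits as leads: an obfuscated build may strip or alter the marker, and legitimate Go tools will match too.

```python
"""Hunt for Go-built ELF executables named like system utilities.

Added example, not code from Trend Micro or from KTLVdoor analysis. It keys
on the Go build-info header magic that the Go linker writes into binaries
since Go 1.13; an obfuscated build may strip or alter it, and legitimate Go
tools will also match, so treat results as leads to triage, not verdicts.
The utility watchlist is an assumption for the demonstration.
"""
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"  # start of the .go.buildinfo blob
# Assumed watchlist: names an implant might borrow; tune it to your fleet.
UTILITY_WATCHLIST = {"sshd", "bash", "ls", "java", "cron", "sqlite3"}
STANDARD_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                     "/usr/local/bin", "/usr/local/sbin")


def is_go_elf(path, max_read=64 * 1024 * 1024):
    """True if the file is an ELF image that embeds the Go build-info magic."""
    with open(path, "rb") as fh:
        data = fh.read(max_read)
    return data.startswith(ELF_MAGIC) and GO_BUILDINFO_MAGIC in data


def _under(path, dirs):
    """True if path lies inside any of dirs (symlinks resolved on both sides)."""
    real = os.path.realpath(path)
    return any(real == d or real.startswith(d + os.sep)
               for d in (os.path.realpath(x) for x in dirs))


def scan(root, watchlist=UTILITY_WATCHLIST, standard_dirs=STANDARD_BIN_DIRS):
    """Return sorted [(path, reason)] for Go ELF files whose basename is on the
    watchlist. reason is 'outside-standard-path' (investigate first) or
    'standard-path' (verify against package-manager records)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in watchlist:
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                if not is_go_elf(path):
                    continue
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            reason = "standard-path" if _under(dirpath, standard_dirs) else "outside-standard-path"
            findings.append((path, reason))
    return sorted(findings)


def build_demo_tree(root):
    """Write constructed sample files (not real malware) under root."""
    go_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61 + GO_BUILDINFO_MAGIC + b"\x08\x00" + b"\x00" * 16
    plain_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 93
    samples = {
        "tmp/.cache/sshd": go_elf,       # Go binary hiding under a utility name
        "tmp/.cache/bash": plain_elf,    # ELF, but not Go: ignored
        "usr/bin/ls": go_elf,            # Go binary in a standard path
        "home/user/sshd.txt": b"notes",  # name not on the watchlist
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def run_demo():
    """Build the sample tree in a temp dir, scan it, return {basename: reason}."""
    root = tempfile.mkdtemp(prefix="goelf-demo-")
    build_demo_tree(root)
    findings = scan(root, standard_dirs=(os.path.join(root, "usr", "bin"),))
    return {os.path.basename(p): r for p, r in findings}


if __name__ == "__main__":
    for name, reason in run_demo().items():
        print(f"{name}: {reason}")
```

For a real sweep call `scan("/")` with the default standard directories and then verify each standard-path hit against the package database (`rpm -V` or `dpkg -V` will flag a replaced binary), since a Go-built `ls` under /usr/bin is either a distribution choice you can account for or a substitution you cannot. Windows builds carry the same marker in PE files, but this example checks ELF only.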
Technical Details
- UUID: f1d154e7-f660-4146-8140-5985f0d69aa8
- Original timestamp: 1725448717 (2024-09-04 11:18:37 UTC)
Threat ID: 68359ca25d5f0974d01fcc40
Added to database: 5/27/2025, 11:06:10 AM
Last enriched: 7/5/2025, 10:55:07 PM
Last updated: 8/9/2025, 3:44:17 AM