OSINT - Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion
AI Analysis
Technical Summary
The threat actor known as Earth Lusca has been observed using a backdoor named KTLVdoor to conduct multiplatform intrusions. The backdoor provides unauthorized access on the affected operating systems (the Trend Micro source reports Go-based Windows and Linux builds), enabling persistent presence and potential data exfiltration or lateral movement within compromised environments. The intelligence is derived from open-source intelligence (OSINT) and attributed to Earth Lusca, a threat actor linked to China. KTLVdoor's multiplatform capability increases its versatility and potential impact. Although no specific affected software versions or in-the-wild exploits have been reported, the presence of this backdoor indicates an ongoing espionage or intrusion campaign targeting entities primarily within China. The technical details classify the threat level as moderate (level 3) with an analysis rating of 2, and no patches or mitigations are currently available. The lack of known exploits in the wild and the low severity rating suggest that the threat is either emerging or currently limited in scope. However, the use of a sophisticated backdoor by a nation-state-linked actor underscores the importance of vigilance and proactive defense measures.
Potential Impact
For European organizations, the direct impact of this threat may currently be limited given the primary targeting of Chinese entities. However, the multiplatform nature of the KTLVdoor backdoor means that if Earth Lusca or similar threat actors expand their operations, European organizations using affected platforms could face risks including unauthorized access, data theft, espionage, and potential disruption of services. The presence of a persistent backdoor can lead to long-term compromise, enabling attackers to move laterally within networks and potentially target sensitive intellectual property or critical infrastructure. European organizations involved in sectors with geopolitical significance or those with business ties to China may be at increased risk. Additionally, the sophistication of the threat actor suggests that detection and remediation could be challenging without specialized threat intelligence and monitoring capabilities.
Mitigation Recommendations
Given the absence of specific patches or known exploits, European organizations should focus on advanced detection and prevention strategies. These include implementing robust endpoint detection and response (EDR) solutions capable of identifying unusual behaviors associated with backdoors. Network segmentation and strict access controls can limit lateral movement if a compromise occurs. Regular threat hunting exercises focusing on indicators of compromise related to Earth Lusca and KTLVdoor should be conducted. Organizations should also maintain up-to-date threat intelligence feeds and collaborate with cybersecurity information sharing groups to stay informed about emerging tactics and indicators. Employing multi-factor authentication (MFA) and enforcing the principle of least privilege can reduce the risk of initial access and privilege escalation. Finally, organizations should ensure comprehensive logging and monitoring to detect anomalies indicative of backdoor activity.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Belgium, Poland
Indicators of Compromise
- link: https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html
- text: During our monitoring of the Chinese-speaking threat actor Earth Lusca, we discovered a new multiplatform backdoor written in Golang, named KTLVdoor, which has both Microsoft Windows and Linux versions. KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning. The malware's configuration and communication involve sophisticated encryption and obfuscation techniques to hinder malware analysis. The scale of the attack campaign is significant, with over 50 C&C servers found hosted at a China-based company; it remains unclear whether the entire infrastructure is exclusive to Earth Lusca or shared with other threat actors.
- file: Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion _ Trend Micro (US).pdf
Technical Details
- Threat Level: 3
- Analysis: 2
- Uuid: f1d154e7-f660-4146-8140-5985f0d69aa8
- Original Timestamp: 1725448717
Threat ID: 682acdbebbaf20d303f0e865
Added to database: 5/19/2025, 6:20:46 AM
Last enriched: 7/2/2025, 7:10:47 AM
Last updated: 7/29/2025, 6:29:36 PM