A China-linked state-sponsored threat actor known as Earth Estries has been targeting telecommunications companies in Southeast Asia with a novel backdoor called Ghostspider, according to Trend Micro.
Trend Micro describes Earth Estries (also known as Salt Typhoon, FamousSparrow, GhostEmperor and UNC2286) as one of the most aggressive Chinese hacking groups, active since 2023. Its recent operations have targeted more than 20 organizations in the telecommunications, technology, consulting, chemical and transportation sectors, as well as government and non-profit organizations.
The group's latest attacks involve Ghostspider, a sophisticated backdoor implant capable of establishing secure communications with attacker-controlled servers via a custom protocol protected by Transport Layer Security (TLS). This allows it to fetch and execute additional modules for extended functionality, enabling Earth Estries to maintain persistence and conduct long-term espionage.
Additionally, the group has deployed MASOL RAT (also known as Backdr-NQ), a cross-platform backdoor targeting Linux systems within government networks in Southeast Asia.
Initial access is achieved by exploiting N-day vulnerabilities in widely used software, including Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887), Fortinet FortiClient EMS (CVE-2023-48788), Sophos Firewall (CVE-2022-3236), and Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, collectively known as ProxyLogon).
After gaining access, Earth Estries uses living-off-the-land binaries and scripts to move laterally within networks, deploying a wide range of malware for reconnaissance, data theft, and persistence. The group's arsenal includes Deed RAT (SNAPPYBEE), a suspected successor to ShadowPad; the Demodex rootkit; and the Crowdoor, SparrowDoor, HemiGate, TrillClient, and Zingdoor backdoors.
Earth Estries employs a complex command-and-control (C&C) infrastructure operated by distinct teams. Many of its tactics, techniques, and procedures (TTPs) overlap with those of other Chinese APT groups, indicating the potential use of shared tools from malware-as-a-service providers.
While the group primarily focuses on Southeast Asia, its targeting has extended globally to the US, the Middle East, the Asia-Pacific region, and South Africa. The US government has identified more than 150 victims, with telecommunications companies particularly affected.