Earth Alux
Earth Alux is a China-linked espionage threat actor also tracked as CL-STA-0049, Ink Dragon, Jewelbug, and REF7707. The cited reporting describes the cluster as active since at least March 2023 and targeting government, defense, telecommunications, education, aviation, technology, logistics, manufacturing, and IT services organizations, primarily across Southeast Asia/APAC and South America/Latin America, with additional activity reported against Taiwan, Russia, and more recently European government targets. The actor's operations focus on long-term access, information theft, persistence, and lateral movement.
Initial access in the cited reporting commonly involved exploitation of internet-exposed web applications, especially Microsoft IIS and SharePoint, including deployment of ASPX web shells and abuse of predictable or mismanaged ASP.NET machine keys for ViewState deserialization. Earth Alux has also been associated with web-shell-based access more broadly.
The group is strongly associated with the FINALDRAFT backdoor, also called Squidoor, which has Windows and Linux variants. FINALDRAFT is described as a modular remote administration tool supporting multiple command-and-control methods, including Microsoft Graph API/Outlook-based C2, DNS tunneling, ICMP tunneling, HTTP, and other channels. Related malware and tooling named in the reporting include PATHLOADER, GUIDLOADER, NetDraft/NosyDoor (a .NET variant of FINALDRAFT), VARGEIT, COBEACON, RAILLOAD, RAILSETTER, and NANOREMOTE. The actor has also used ShadowPad in some intrusions.
Reported tradecraft includes abuse of renamed legitimate binaries, especially the Microsoft Console Debugger cdb.exe renamed as fontdrvhost.exe or similar, to load shellcode from disk and inject it into legitimate processes such as mspaint.exe, calc.exe, and notepad.exe. Additional techniques include DLL side-loading, process injection, scheduled-task persistence, credential theft and dumping, LSASS and registry hive access, exfiltration of NTDS.dit, use of LOLBins such as certutil, BITSAdmin, curl, diskshadow, and WMIC, and use of cloud or legitimate services for staging or C2, including Microsoft Graph, OneDrive, Firebase, Pastebin, and cloud storage buckets. The reporting also notes exfiltration via Yandex Cloud in a Russian intrusion.
Notable victimology in the cited reporting includes a South American foreign ministry, other South American government entities, Southeast Asian organizations, a Taiwanese software company, a Russian IT service provider, and government and telecommunications victims across Europe, Asia, and Africa. The Russian IT provider intrusion reportedly lasted five months and involved access to code repositories and software build systems, creating potential supply-chain risk.
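A defender-side illustration of the renamed-debugger tradecraft described above, added here as an example and not taken from the reporting: a small Python triage routine over constructed Sysmon-style process-creation (Event ID 1) and CreateRemoteThread (Event ID 8) records. It flags cdb.exe running under another file name, fontdrvhost.exe outside System32, a debugger handed a script file via its documented -cf switch, and a remote thread from an already-flagged process into mspaint.exe, calc.exe or notepad.exe. Field names follow Sysmon's schema; every event value is constructed.

```python
import ntpath

INJECTION_TARGETS = {"mspaint.exe", "calc.exe", "notepad.exe"}   # processes named in the reporting
LEGIT_FONTDRVHOST_DIR = r"c:\windows\system32"                  # where the real fontdrvhost.exe lives

# Constructed Sysmon-style records (not real telemetry). EventID 1 = process create, 8 = CreateRemoteThread.
EVENTS = [
    {"EventID": 1, "ProcessId": 800, "Image": r"C:\Windows\System32\fontdrvhost.exe",
     "OriginalFileName": "fontdrvhost.exe", "CommandLine": '"fontdrvhost.exe"'},
    {"EventID": 1, "ProcessId": 4242, "Image": r"C:\Users\Public\fontdrvhost.exe",
     "OriginalFileName": "CDB.EXE", "CommandLine": r"fontdrvhost.exe -cf C:\Users\Public\cfg.txt"},
    {"EventID": 8, "SourceProcessId": 4242, "TargetImage": r"C:\Windows\System32\mspaint.exe"},
    {"EventID": 8, "SourceProcessId": 800, "TargetImage": r"C:\Windows\System32\notepad.exe"},
]


def suspicious_debugger(ev):
    """Reasons a process-creation record looks like a renamed cdb.exe; empty list if clean."""
    image = ev["Image"].lower()
    name = ntpath.basename(image)
    original = ev.get("OriginalFileName", "").lower()   # PE version-info name survives renaming on disk
    cmd = f" {ev.get('CommandLine', '').lower()} "
    reasons = []
    if original == "cdb.exe" and name != "cdb.exe":
        reasons.append(f"cdb.exe running as {name}")
    if name == "fontdrvhost.exe" and ntpath.dirname(image) != LEGIT_FONTDRVHOST_DIR:
        reasons.append("fontdrvhost.exe outside System32")
    if original == "cdb.exe" and " -cf " in cmd:
        reasons.append("debugger executing a script file (-cf)")
    return reasons


def analyse(events):
    """Walk records in order; correlate remote-thread events with already-flagged source processes."""
    flagged, findings = set(), []
    for ev in events:
        if ev["EventID"] == 1:
            reasons = suspicious_debugger(ev)
            if reasons:
                flagged.add(ev["ProcessId"])
                findings.append((ev["ProcessId"], "; ".join(reasons)))
        elif ev["EventID"] == 8:
            target = ntpath.basename(ev["TargetImage"].lower())
            if ev["SourceProcessId"] in flagged and target in INJECTION_TARGETS:
                findings.append((ev["SourceProcessId"], f"remote thread into {target} from flagged process"))
    return findings


if __name__ == "__main__":
    for pid, why in analyse(EVENTS):
        print(pid, why)
```

The OriginalFileName check is the durable one: renaming the file on disk does not change the name embedded in the PE version resource that Sysmon records.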
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Academia & Research
- Software & Services
- Telecommunication Services
Where they're from
Attributed origin per open-source reporting.
- TH
- HK
- US
- BR
Tradecraft
30 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
13 malware families attributed to this actor across reporting.
8 additional families tracked in Mallory.
Observables
49 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Previously linked to use of NetDraft/NosyDoor, a C# variant of FINALDRAFT/Squidoor.
China-nexus cluster associated with development and operation of the FinalDraft/SquidDoor malware family; also linked in the content to NetDraft/NosyDoor usage against government organizations.
Chinese threat cluster overlapping at the network level with Shadow-Earth-054.