earth_empusa
Earth Empusa is a China-aligned threat actor also referred to in reporting as POISON CARP and Evil Eye. Trend Micro reported the group targeting users in Tibet and Turkey during the first quarter of 2020 and later expanding to Taiwan, with campaigns also tied to Uyghur-related victims. The group has used both watering hole and phishing attacks to compromise Android and iOS devices.

In the Android intrusion set, Earth Empusa was attributed with use of the previously undocumented spyware family ActionSpy, detected by Trend Micro as AndroidOS_ActionSpy.HRX. ActionSpy impersonated the legitimate Uyghur video app Ekran, used VirtualApp to run an embedded legitimate Ekran APK, and was protected with Bangcle. It stored its configuration encrypted with DES, generated the decryption key in native code, communicated with command-and-control servers over HTTP using RSA-encrypted traffic, and sent heartbeat requests every 30 seconds with device information. Its capabilities included collection of location, geographic area, contacts, call logs, SMS, browser bookmarks, installed apps, running processes, and file listings, as well as file upload, audio recording, camera capture, screenshots, WeChat directory access, WeChat file theft, and chat log theft. It also abused Android Accessibility services, masquerading as a memory cleaning service, to monitor VIEW_SCROLLED and WINDOW_CONTENT_CHANGED events and steal chat content from WeChat, QQ, WhatsApp, and Viber.

Reporting also links Earth Empusa to phishing pages disguised as download pages for Tibetan- or Uyghur-related applications, and to copied Uyghur-related news pages injected with BeEF and, in later cases, with both BeEF and ScanBox. Trend Micro reported that Earth Empusa used ScanBox for reconnaissance, collecting visitor information such as keypresses, operating system, browser, and plugin details.

On iOS, the group operated a watering hole exploit chain that checked the HTTP User-Agent and delivered exploit code only to targeted versions; during the first quarter of 2020 it was upgraded to target iOS 12.3, 12.3.1, and 12.3.2. Researchers observed these malicious injections on multiple Uyghur-related sites and also on sites in Turkey and Taiwan, indicating widening targeting. Trend Micro previously believed Earth Empusa was associated with POISON CARP, while Meta treats Earth Empusa as distinct from POISON CARP.
Tradecraft: 23 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families: 3 malware families attributed to this actor across reporting.
Observables: 30 indicators (domains, IPs, hashes, and other artifacts) attributed to this actor from reporting.
Recent activity: 2 sources tracked across advisories, community write-ups, and news.
Referenced as a distinct intrusion set previously believed to be associated with POISON CARP, but not connected here to Earth Minotaur.
Conducts mobile espionage campaigns against Uyghur, Tibetan, and related targets, using phishing pages and watering hole attacks to compromise Android and iOS devices, including delivery of the ActionSpy Android spyware and iOS exploit chains.