In a newly released report, Trend Research has unveiled the operations of an advanced persistent threat (APT) group, dubbed Earth Kurma, which has been targeting government and telecommunications entities across Southeast Asia since November 2020. Focused primarily on cyberespionage and data exfiltration, Earth Kurma’s tactics reveal a sophisticated blend of custom toolsets, stealthy rootkits, and public cloud services to exfiltrate sensitive data.
“Since June 2024, we uncovered a sophisticated APT campaign targeting multiple countries in Southeast Asia, including the Philippines, Vietnam, and Malaysia,” Trend researchers stated. “Our analysis revealed that they primarily focused on government sectors, showing particular interest in data exfiltration.”
According to Trend, Earth Kurma’s toolsets include TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA — the latter two being rootkits used for stealthy persistence.
“Earth Kurma also developed rootkits such as KRNRAT and MORIYA to hide their activities,“ Trend noted.
Notably, forensic analysis uncovered overlaps with other known APT groups, including ToddyCat and Operation TunnelSnake, though Trend concluded: “Differences in the attack patterns prevent us from conclusively attributing these campaigns and operations to the same threat actors. Hence, we named this new APT group ‘Earth Kurma.’”
While the initial infection vectors remain unclear, Earth Kurma’s lateral movement involved a blend of open-source and customized tools, including:
- NBTSCAN and ICMPinger for network reconnaissance.
- Ladon (wrapped with a reflective loader) to scan infrastructures covertly.
- WMIHACKER for executing commands remotely over port 135.
- KMLOG — a simple but effective keylogger that stored stolen keystrokes inside fake ZIP files.
To ensure persistence, Earth Kurma employed sophisticated loaders such as DUNLOADER, TESDAT, and DMLOADER, which ultimately deployed payloads like Cobalt Strike beacons and stealth rootkits.
“In the persistence stage, the actors deployed different loaders to maintain their foothold, including DUNLOADER, TESDAT and DMLOADER.”
Earth Kurma’s most striking hallmark is its use of two powerful rootkits:
- MORIYA: Functions as a TCP traffic interceptor, capable of injecting malicious payloads into network responses while remaining invisible. It also boasts AES-encrypted payload injections into svchost.exe processes, using direct system calls to bypass detection.
“The MORIYA variant we found has an additional shellcode injection capability. At the end of its execution, it tries to load a payload file… and injects it into the process of svchost.exe.”
- KRNRAT: A full-fledged stealth backdoor built upon multiple open-source projects, capable of process manipulation, file hiding, traffic concealment, and even shellcode injection via specific IOCTL commands.
“KRNRAT is a full-featured backdoor with various capabilities, including process manipulation, file hiding, shellcode execution, traffic concealment, and C&C communication.”
Once valuable documents (such as .pdf, .docx, .xls, etc.) were harvested, Earth Kurma archived them with WinRAR (protected by passwords) and used tools like SIMPOBOXSPY and ODRIZ to stealthily upload the stolen data to Dropbox and OneDrive.
In a sophisticated maneuver, they even leveraged the Distributed File System Replication (DFSR) feature of Active Directory servers to automatically synchronize stolen archives across domain controllers:
“The stolen archives can be automatically synchronized to all DC servers, enabling exfiltration through any one of them.”
Despite surface-level similarities with ToddyCat and Operation TunnelSnake — such as the shared usage of MORIYA and SIMPOBOXSPY — definitive attribution remains elusive. Trend concluded: “Thus, we cannot conclusively link Earth Kurma to ToddyCat.”
Earth Kurma’s operational security, modular malware architecture, and targeted victimology suggest a highly organized, possibly state-backed entity focused on strategic intelligence gathering in the Southeast Asian region.