📃Title: Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors
📅Date: 2025-04-25
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer Trend-Micro
  • sector=“Government, Administration”
  • sector=“Telecoms”
  • region=“035 - South-eastern Asia”
  • target-information=“Malaysia”
  • target-information=“Philippines”
  • target-information=“Thailand”
  • target-information=“Vietnam”
  • malpedia=“Moriya”
  • malpedia=“Ladon”
  • malpedia=“Cobalt Strike”
  • malpedia=“SManager”
  • mitre-course-of-action=“Filter Network Traffic - M1037”
  • mitre-course-of-action=“Limit Access to Resource Over Network - M1035”
  • mitre-course-of-action=“Password Policies - M1027”
  • mitre-course-of-action=“Privileged Account Management - M1026”
  • mitre-course-of-action=“Restrict Web-Based Content - M1021”
  • threat-actor Earth-Kurma
  • mitre-attack-pattern=[‘T1567.002’, ‘T1056.001’, ‘T1620’, ‘T1021.002’, ‘T1014’]

MISP event uuid: 0ad70cee-9206-4d0d-942d-33f43175f240

Indicators of Compromise (IoCs)


Full IoCs available in Rectifyq's MISP