Mallory
Espionage · 🇨🇳 CN · 9 malware families · Exploits CVEs in the wild

Earth Krahang

Also known as: Earth Krahang

Earth Krahang is a China-linked cyber espionage intrusion set monitored since early 2022 that has targeted government entities worldwide, with a strong operational focus on Southeast Asia and additional victims in Europe, the Americas, and Africa. The cited reporting states the actor targeted 116 entities across 35 countries, with approximately 70 confirmed victims in 23 countries, and primarily focused on government ministries, especially foreign affairs organizations. Later reporting also links a campaign named PONDSNAKE, which targeted government organizations and financial institutions including insurance and securities firms, to Earth Krahang with medium-to-high confidence.

Observed initial access methods include spear-phishing and exploitation of public-facing servers, including repeated abuse of Openfire CVE-2023-32315 and Oracle Web Applications Desktop Integrator CVE-2022-21587. The actor has used compromised government web servers and government email accounts to host payloads, proxy attack traffic, and send spear-phishing emails to other government entities, leveraging intergovernmental trust. Reported lures included geopolitical and government-themed subjects. Earth Krahang also harvested large numbers of email addresses, brute-forced Exchange and other mail services to obtain credentials, and exfiltrated victim email, including via Outlook on the web, ActiveSync, and Zimbra APIs.

The group’s tooling includes PlugX, ShadowPad, ReShell/RESHELL, XDealer/DinodasRAT, Cobalt Strike, SnakeC2, NEOBEACON, VShell, and SoftEther VPN. RESHELL is described as a .NET backdoor packed with ConfuserEX that supports information collection, file dropping, command execution, and AES-encrypted C2. Since 2023, the actor has reportedly shifted from RESHELL to XDealer/DinodasRAT and used both Windows and Linux variants. In PONDSNAKE, operators deployed SnakeC2 variants, NEOBEACON (which uses OneDrive and the Microsoft Graph API for C2), Cobalt Strike, VShell, and SoftEther VPN.

Additional observed tradecraft includes DLL side-loading, scheduled-task persistence, enabling RDP via registry changes, credential dumping with Mimikatz or ProcDump, SAM access, network scanning with Fscan, lateral execution with WMIC, and use of privilege-escalation tools and exploits including BadPotato, SweetPotato, GodPotato, PrinterNotifyPotato, CVE-2021-4034, CVE-2021-22555, and CVE-2016-5195. The actor also used RedGuard to protect Cobalt Strike infrastructure and renamed SoftEther components to masquerade as legitimate files.

Earth Krahang has strong overlaps with Earth Lusca (also known as RedHotel), and Trend Micro assessed that Earth Krahang and Earth Lusca are likely managed by the same threat actor and connected to the Chinese government contractor I-Soon. JSAC2026 reporting likewise described Earth Lusca and Earth Krahang activity as reportedly linked to i-Soon. Attribution to China is directly stated in the cited reporting; the primary assessed objective is cyber espionage.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration
  • Academia & Research
  • Telecommunication Services
  • Financial Services
  • Insurance
  • Non-Governmental Organizations

Where they're from

Attributed origin per open-source reporting.

  • CN

MITRE ATT&CK

Tradecraft

58 distinct techniques observed across reporting, grouped by tactic. The ×N suffix on a technique gives the number of intelligence reports citing it.

14 of 15 tactics · 88 techniques · ×N = number of intelligence reports citing this technique

TA0043 Reconnaissance (3 techniques)
  • T1590 Gather Victim Network Information
  • T1592 Gather Victim Host Information
  • T1595 Active Scanning
    • T1595.001 Scanning IP Blocks
    • T1595.002 Vulnerability Scanning
    • T1595.003 Wordlist Scanning

TA0042 Resource Development (4 techniques)
  • T1584 Compromise Infrastructure
    • T1584.004 Server
  • T1586 Compromise Accounts
    • T1586.002 Email Accounts
  • T1588 Obtain Capabilities
    • T1588.001 Malware
    • T1588.003 Code Signing Certificates
  • T1608 Stage Capabilities
    • T1608.001 Upload Malware
    • T1608.002 Upload Tool
    • T1608.005 Link Target

TA0001 Initial Access (5 techniques)
  • T1078 Valid Accounts
    • T1078.003 Local Accounts
  • T1133 External Remote Services (×3)
  • T1190 Exploit Public-Facing Application (×3)
  • T1199 Trusted Relationship
  • T1566 Phishing
    • T1566.001 Spearphishing Attachment (×3)
    • T1566.002 Spearphishing Link

TA0002 Execution (6 techniques)
  • T1047 Windows Management Instrumentation
  • T1053 Scheduled Task/Job
    • T1053.005 Scheduled Task
  • T1059 Command and Scripting Interpreter
    • T1059.003 Windows Command Shell
    • T1059.006 Python
  • T1203 Exploitation for Client Execution
  • T1204 User Execution
    • T1204.002 Malicious File
  • T1569 System Services
    • T1569.002 Service Execution

TA0003 Persistence (6 techniques)
  • T1053 Scheduled Task/Job
    • T1053.005 Scheduled Task
  • T1078 Valid Accounts
    • T1078.003 Local Accounts
  • T1112 Modify Registry
  • T1133 External Remote Services (×3)
  • T1505 Server Software Component
    • T1505.003 Web Shell
  • T1543 Create or Modify System Process
    • T1543.003 Windows Service

TA0004 Privilege Escalation (4 techniques)
  • T1053 Scheduled Task/Job
    • T1053.005 Scheduled Task
  • T1068 Exploitation for Privilege Escalation
  • T1078 Valid Accounts
    • T1078.003 Local Accounts
  • T1543 Create or Modify System Process
    • T1543.003 Windows Service

TA0005 Stealth (3 techniques)
  • T1036 Masquerading
    • T1036.005 Match Legitimate Resource Name or Location
    • T1036.007 Double File Extension
  • T1078 Valid Accounts
    • T1078.003 Local Accounts
  • T1140 Deobfuscate/Decode Files or Information

TA0112 Defense Impairment (1 technique)
  • T1112 Modify Registry

TA0006 Credential Access (3 techniques)
  • T1003 OS Credential Dumping
    • T1003.001 LSASS Memory
    • T1003.002 Security Account Manager
  • T1110 Brute Force
    • T1110.003 Password Spraying
  • T1539 Steal Web Session Cookie

TA0007 Discovery (5 techniques)
  • T1007 System Service Discovery
  • T1033 System Owner/User Discovery
  • T1057 Process Discovery
  • T1069 Permission Groups Discovery
    • T1069.002 Domain Groups
  • T1087 Account Discovery
    • T1087.001 Local Account
    • T1087.002 Domain Account

TA0008 Lateral Movement (3 techniques)
  • T1021 Remote Services
    • T1021.006 Windows Remote Management
  • T1210 Exploitation of Remote Services
  • T1534 Internal Spearphishing

TA0009 Collection (2 techniques)
  • T1114 Email Collection (×2)
  • T1119 Automated Collection

TA0011 Command and Control (6 techniques)
  • T1071 Application Layer Protocol
    • T1071.001 Web Protocols
  • T1090 Proxy
  • T1102 Web Service
  • T1105 Ingress Tool Transfer
  • T1572 Protocol Tunneling
  • T1573 Encrypted Channel

TA0010 Exfiltration (1 technique)
  • T1020 Automated Exfiltration

WEAPONIZED

Associated vulnerabilities

5 CVEs this actor has used in observed campaigns. 5 of them exploited in the wild.

IOCS

Observables

5 indicators (domains, IPs, hashes, and other artifacts pulled from reporting) are attributed to this actor. The IOC values are gated and are only available in Mallory, where they can also be exported to a SIEM.
