Earth Berberoka

Earth Berberoka, also known as GamblingPuppet, is an adversarial collective referenced in reporting as having deployed the Linux backdoor Xnote in attacks targeting online gambling sites. Supporting content also describes a broader, years-long campaign attributed by Palo Alto Networks Unit 42 to cluster CL-UNK-1068, assessed with moderate-to-high confidence to be primarily cyber espionage, targeting high-value organizations across South, Southeast, and East Asia in the aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors. The reported tradecraft spans Windows and Linux and includes exploitation of web servers to deploy web shells such as Godzilla and ANTSWORD, lateral movement, theft of IIS and web application files, browser data, office documents, and SQL backup files, and exfiltration by archiving data with WinRAR, Base64-encoding it with certutil, and printing the encoded output through a web shell. The toolkit described in the content includes Xnote, FRP for persistence, PrintSpoofer, the custom scanner ScanPortPlus, the .NET reconnaissance tool SuperDump, batch scripts for host discovery, and credential-theft tooling including Mimikatz, LsaRecorder, DumpItForLinux with Volatility, and SQL Server Management Studio Password Export Tool. The content directly links Earth Berberoka/GamblingPuppet to Xnote deployment against online gambling sites; broader attribution of the full CL-UNK-1068 activity to Earth Berberoka is not explicitly stated in the provided material.