Earth Baxia
Earth Baxia is a China-linked threat actor, also tracked as APT41, Wicked Panda, and Grass Typhoon. The underlying reporting describes it as likely based in China and as one of several APT groups working on behalf of the People's Republic of China. Reported targeting includes government organizations in Taiwan and other Asia-Pacific countries, as well as government, telecommunications, and energy entities in Taiwan, South Korea, the Philippines, Vietnam, and Thailand. Additional mentions state that groups such as Earth Baxia have targeted the Philippine military, Japanese military, Taiwanese government agencies, and a U.S. federal agency.

The reported intrusion methods include spear-phishing emails with decoy documents, malicious attachments or links, and exploitation of the GeoServer remote code execution vulnerability CVE-2024-36401. The group was reported to deploy customized Cobalt Strike payloads with altered signatures for evasion and a backdoor named EAGLEDOOR. EAGLEDOOR is described as supporting DNS, HTTP, TCP, and Telegram-based command-and-control, payload delivery, information gathering, and data exfiltration. Associated malware and tooling mentioned in the reporting include DULLDOWN, RIPCOY, and SWORDLDR. Techniques directly mentioned include GrimResource, .NET AppDomainManager hijacking/injection, DLL side-loading, process injection, in-memory execution, use of public cloud services such as AWS and Aliyun to host malicious files, and use of curl for data exfiltration. Phishing payloads were described as ZIP attachments containing MSC or LNK files, and legitimate executables such as Edge.exe were used for DLL side-loading.

The reporting also notes low-confidence overlaps between Earth Baxia and the SHADOW-EARTH-045 / PeckBirdy activity based on infrastructure overlaps, including use of IP address 47.238.184.9. Those links are explicitly described as weak or low confidence and should not be treated as firm attribution.
Separately, Trend Micro reported technical overlaps between Earth Baxia activity and a Charon ransomware campaign, but stated it could not definitively attribute that operation to Earth Baxia.
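As an added defender-side example (not code from the original reporting or from any vendor), a mail-gateway triage check for the delivery artifact described above: a ZIP attachment carrying MSC or LNK files. It recurses into nested ZIPs with a depth limit, matches only the final extension case-insensitively, and uses a constructed sample archive with placeholder bytes.

```python
import io
import zipfile

# Extensions the reporting ties to Earth Baxia phishing chains (MSC for GrimResource, LNK).
SUSPECT_EXTENSIONS = {".msc", ".lnk"}
MAX_DEPTH = 3  # nested-archive limit so a crafted archive cannot recurse without bound


def flagged_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return member paths inside a ZIP (recursing into nested ZIPs) whose
    final extension is one the reporting associates with this actor's lures.
    Matching is case-insensitive and looks at the last suffix only, so
    'Report.pdf.LNK' is caught while 'notes.lnk.txt' is not."""
    hits: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # not a ZIP at all; nothing to inspect here
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            name = info.filename.rsplit("/", 1)[-1]
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in SUSPECT_EXTENSIONS:
                hits.append(path)
            elif ext == ".zip" and depth < MAX_DEPTH:
                hits.extend(flagged_members(zf.read(info), depth + 1, path + "::"))
    return hits


def build_sample_attachment() -> bytes:
    """Constructed sample: a decoy PDF, an MSC, a nested ZIP holding an LNK,
    and a harmless double-extension file. All contents are placeholder bytes."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Report.pdf.LNK", b"placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("decoy.pdf", b"%PDF-1.4 placeholder")
        z.writestr("docs/Agenda.msc", b"<?xml version='1.0'?><MMC_ConsoleFile/>")
        z.writestr("archive/more.zip", inner.getvalue())
        z.writestr("notes.lnk.txt", b"harmless")
    return outer.getvalue()


if __name__ == "__main__":
    for hit in flagged_members(build_sample_attachment()):
        print("flag:", hit)
```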
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Transportation
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
16 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
Delivered scripts observed include CVE-2020-16040 exploitation for Chrome, social engineering pop-ups, Electron JS backdoor delivery, and TCP reverse shell establishment.
Earth Baxia, a threat actor suspected to originate from China, has been targeting government organizations in Taiwan and other Asia-Pacific (APAC) countries, using spear-phishing emails and exploiting a remote code execution (RCE) vulnerability in GeoServer (CVE-2024-36401). This exploit allowed the attackers to download or copy malicious components, which were then used to deploy customized Cobalt Strike payloads.
Observables
11 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
China-aligned activity cluster referenced as overlapping with campaigns using the PeckBirdy JScript-based C2 framework; described in the context of Asia-focused intrusions (financially motivated web injection and espionage-oriented targeting).
Potentially linked (low confidence) to SHADOW-EARTH-045 activity involving credential-harvesting via injected login pages and delivery/execution of PeckBirdy.
Possible (weakly evidenced) linkage to infrastructure used in the SHADOW-EARTH-045 campaign targeting Asian government entities via web injection and PeckBirdy delivery for credential harvesting and remote access.
China-aligned actor referenced via infrastructure overlap: an IP used in SHADOW-EARTH-045 was previously linked to Earth Baxia.