Earth Empusa
Earth Empusa is a China-aligned threat actor also known as POISON CARP and Evil Eye. Trend Micro attributed the Android spyware family ActionSpy to this group. In the first quarter of 2020, Earth Empusa targeted users in Tibet and Turkey and later expanded targeting to Taiwan; the reported campaigns also targeted victims related to Uyghurs across Android and iOS devices. The group has used both watering hole and phishing attacks.

Researchers observed Earth Empusa compromising Uyghur-related sites, as well as sites in Turkey and Taiwan, and injecting tooling including ScanBox and the BeEF framework. ScanBox was used for reconnaissance, including collection of visitor information such as keypresses, operating system, browser, and plugin details. Earth Empusa also operated an iOS exploit-chain framework that selectively delivered exploits based on the HTTP User-Agent header, and during early 2020 it upgraded this capability to target iOS 12.3, 12.3.1, and 12.3.2.

In Android operations, Earth Empusa used phishing pages disguised as download pages for popular Tibetan or Uyghur-related apps. ActionSpy impersonated the legitimate Uyghur video app Ekran and used VirtualApp to run an embedded legitimate Ekran APK inside a virtual environment. The malware was protected by Bangcle, stored its configuration encrypted with DES, and communicated with command-and-control servers over HTTP using RSA-encrypted traffic. It collected extensive device information and supported surveillance functions including location tracking, contacts, call logs, SMS, browser bookmarks, installed apps, running processes, file listing and upload, audio recording, camera capture, screenshots, WeChat directory access, WeChat file theft, and chat log theft.

ActionSpy also abused Android Accessibility services by masquerading as a memory-cleaning service and prompting users to enable Accessibility. Once enabled, it monitored events from WeChat, QQ, WhatsApp, and Viber, parsed nicknames, chat contents, and chat times, stored them locally in SQLite, and exfiltrated the chat logs to command-and-control infrastructure. Researchers assessed that ActionSpy has existed since at least 2017, based on certificate signing times and older samples.
Targeting
Who and where the actor targets, and (when attributed) which state is behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Academia & Research
- Independent Media
Where they target
Geographies tied to known operations.
- 🇹🇷 Türkiye
- 🇹🇼 Taiwan
Tradecraft
23 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Observables
30 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
1 source tracked across advisories, community write-ups, and news.