EAGLEDOOR
EAGLEDOOR is a backdoor used by the China-linked threat actor Earth Baxia in campaigns targeting government organizations and other entities in the Asia-Pacific region. Reported targets include government, telecommunications, and energy organizations in Taiwan, South Korea, the Philippines, Vietnam, and Thailand. Initial access was achieved through spear-phishing emails with decoy documents, malicious attachments or links, and exploitation of the GeoServer remote code execution vulnerability CVE-2024-36401. EAGLEDOOR was deployed alongside customized Cobalt Strike components and was delivered and executed using techniques including DLL side-loading, in-memory execution, AppDomainManager injection, and GrimResource-based payload retrieval from public cloud services such as AWS and Aliyun. The malware supports multiple communication protocols, including DNS, HTTP, TCP, and Telegram, for command and control, payload delivery, information gathering, and data exfiltration. Its Telegram-based C2 used the Bot API for file delivery, information collection, and payload execution. Related activity also involved use of curl.exe for exfiltration to attacker-controlled infrastructure, including 152.42.243.170. Trend Micro associated this activity with additional malware families including DULLDOWN, RIPCOY, and SWORDLDR.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Earth Baxia, a threat actor suspected to originate from China, has been targeting government organizations in Taiwan and other Asia-Pacific (APAC) countries, using spear-phishing emails and exploiting a vulnerability in GeoServer (CVE-2024-36401), a remote code execution (RCE) exploit. This exploit allowed the attackers to download or copy malicious components, which were then used to deploy customized Cobalt Strike payloads.
Groups observed using it
1 distinct threat actor attributed by public researchers.
...they introduced a new backdoor named EAGLEDOOR, which supports multiple communication protocols for payload delivery and information gathering.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
  "Earth Baxia... has been targeting government organizations... using spear-phishing emails and exploiting a vulnerability in GeoServer (CVE-2024-36401), a remote code execution (RCE) exploit."
Execution (1 technique)
Privilege Escalation (1 technique)
Stealth (2 techniques)
Command and Control (4 techniques)
  "The latter used Telegram for command-and-control (C&C) communications and supported various protocols like DNS, HTTP, and TCP for data exfiltration."
  "This exploit allowed the attackers to download or copy malicious components, which were then used to deploy customized Cobalt Strike payloads."
Exfiltration (1 technique)
  "The latter used Telegram for command-and-control (C&C) communications and supported various protocols like DNS, HTTP, and TCP for data exfiltration."
Recent activity
2 sources tracked across advisories, community write-ups, and news.
EAGLEDOOR is a newly identified backdoor supporting multiple C2 protocols (DNS, HTTP, TCP, Telegram). It is used for information gathering, file delivery, and executing further payloads. It is deployed via DLL side-loading and in-memory execution, with modular components for API hooking and payload execution.
A newly introduced backdoor used for payload delivery, information gathering, and command-and-control over multiple protocols including Telegram, DNS, HTTP, and TCP.