Earth Kurma: New APT Group Targeting Southeast Asian Governments and Telecom Providers

160/68 Wednesday, April 30, 2025

Trend Research has uncovered a new advanced persistent threat (APT) group dubbed “Earth Kurma”, which is actively targeting government agencies and telecommunications organizations in the Philippines, Vietnam, Thailand, and Malaysia. The group employs custom malware, rootkits, and cloud storage services such as Dropbox and OneDrive to exfiltrate sensitive data, steal credentials, and maintain persistent access—while leveraging advanced evasion techniques to avoid detection. Researchers believe Earth Kurma has managed to remain undetected in victim networks for extended periods.

Earth Kurma’s tactics include the use of tools such as NBTSCAN, Ladon, FRPC, WMIHACKER, and ICMPinger for lateral movement and network reconnaissance. The group also deploys a custom keylogger (KMLOG) and uses in-memory loaders like DUNLOADER, TESDAT, and DMLOADER to run payloads without leaving traces on disk. To ensure long-term access and stealthy data exfiltration, the group installs rootkits such as KRNRAT and MORIYA, using obfuscated communication that mimics legitimate files. In some attacks, the group leveraged the syssetup.dll library to facilitate rootkit installation.

Trend Micro reports that Earth Kurma has been active since at least 2020, and some of its tools resemble those used by other known APT groups such as Operation TunnelSnake and ToddyCat. However, distinct attack patterns suggest that Earth Kurma may operate independently. The group continues to conduct campaigns across Southeast Asia, exhibiting strong capabilities in tool customization, code reuse, and infrastructure hijacking, making it a persistent and potent regional threat.

Source: https://securityaffairs.com/177125/apt/earth-kurma-apt-is-actively-targeting-government-and-telecommunications-orgs-in-southeast-asia.html