Earth Lusca
Aliases: TAG-22, Charcoal Typhoon, CHROMIUM, ControlX
Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets have included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess that some Earth Lusca operations may be financially motivated. Earth Lusca has used malware also employed by other Chinese threat groups, including APT41 and the Winnti Group cluster; however, security researchers assess that Earth Lusca's techniques and infrastructure are separate.
ATT&CK techniques
Web Services (ID missing from source)
Obfuscated Files or Information: Steganography (T1027.003)
Stage Capabilities: Upload Malware (T1608.001)
Account Manipulation: SSH Authorized Keys (T1098.004)
OS Credential Dumping: DCSync (T1003.006)
Command and Scripting Interpreter: Visual Basic (T1059.005)
Drive-by Compromise (T1189)
Remote System Discovery (T1018)
Compromise Infrastructure: Web Services (T1584.006)
Command and Scripting Interpreter: JavaScript (T1059.007)
Exploitation of Remote Services (T1210)
Masquerading: Match Legitimate Name or Location (T1036.005)
Deobfuscate/Decode Files or Information (T1140)
Acquire Infrastructure: Domains (T1583.001)
System Owner/User Discovery (T1033)
Boot or Logon Autostart Execution: Print Processors (T1547.012)
Command and Scripting Interpreter: PowerShell (T1059.001)
Command and Scripting Interpreter: Python (T1059.006)
Process Discovery (T1057)
Scheduled Task/Job (T1053)
Hijack Execution Flow: DLL Side-Loading (T1574.002)
Modify Registry (T1112)
Windows Management Instrumentation (T1047)
OS Credential Dumping: LSASS Memory (T1003.001)
System Binary Proxy Execution: Mshta (T1218.005)
Domain Trust Discovery (T1482)
Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
Obtain Capabilities: Tool (T1588.002)
System Service Discovery (T1007)
User Execution: Malicious File (T1204.002)
Exploit Public-Facing Application (T1190)
Proxy (T1090)
Obfuscated Files or Information (T1027)
Create or Modify System Process: Windows Service (T1543.003)
Phishing: Spearphishing Link (T1566.002)
Archive Collected Data: Archive via Utility (T1560.001)
Acquire Infrastructure: Server (T1583.004)
System Network Connections Discovery (T1049)
Active Scanning: Vulnerability Scanning (T1595.002)
System Network Configuration Discovery (T1016)
Obtain Capabilities: Malware (T1588.001)
Compromise Infrastructure: Server (T1584.004)
User Execution: Malicious Link (T1204.001)
Correlated CTI and IR reports
Israel Threat Actors CTI · explicit report mention: AI in Offensive Operations: How Threat Actors Use Artificial Intelligence
1200km CTI repository · explicit report mention: CTI Research: Handala Hack Group (aka Handala Hack Team)
1200km CTI repository · explicit report mention: CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mention: CTI Research: Sandworm / APT44
1200km CTI repository · explicit report mention: Cyber Threat Intelligence Dossier: Iranian and Hamas-Aligned Operations Targeting Israeli and Allied Ecosystems (2023-2026)
Israel Threat Actors CTI · explicit report mention: Operation DragonRx, APT41 Full Attack Simulation
1200km CTI repository · explicit report mention: A Practical Guide to String Analyzer Extract and Analyze Strings from Binaries Without the