
Earth Baku 2.0: Revealing the Advanced Tactics Behind the APT Group’s Next-Gen Cyberespionage Campaign
Earth Baku, an APT group linked to APT41, has expanded its operations beyond the Indo-Pacific to target Europe, the Middle East, and Africa, including countries like Italy, Germany, UAE, and Qatar. The group's recent tactics involve exploiting public-facing applications, particularly IIS servers, to gain initial entry for cyber attacks. Their sophisticated and persistent methods pose a significant challenge to global cybersecurity, highlighting the need for robust defensive measures.
Domains | Source | Last Update |
---|---|---|
parça.cdn78544.ru | SOCRadar | 2024-08-28 |
www.mircoupdate.https443.net | SOCRadar | 2024-08-28 |
www.sitennews.com | SOCRadar | 2024-08-28 |
www.cdn7854.workers.dev | SOCRadar | 2024-08-28 |
Hashes | Source | Last Update |
---|---|---|
7463700ec5768d4af6549028465f978059611555aa8e22e2b7c664b1cdbfa9ae | SOCRadar | 2024-08-28 |
d72f202c1d684c9a19f075290a60920f | SOCRadar | 2024-08-28 |
cdcbd9c25e06ac6da5497fa19459d0007449ec1a3e6bc591334db6fb3598aecb | SOCRadar | 2024-08-28 |
8d8161a7fcd835781820e4921039525975f9324d | SOCRadar | 2024-08-28 |
5b46b63e31f307757cedf305005ce9990a07cbf4 | SOCRadar | 2024-08-28 |
28072e4a3bc3376aba096045824f4c34 | SOCRadar | 2024-08-28 |
4141c4b827ff67c180096ff5f2cc1474 | SOCRadar | 2024-08-28 |
bcac2cbda36019776d7861f12d9b59c4 | SOCRadar | 2024-08-28 |
ec10a9396dca694fe64366e0dab82d046cf92457f97efd50a68ceb85adef6b74 | SOCRadar | 2024-08-28 |
66fb63e6e49c2c201a0b6204e1d0269812a4b662 | SOCRadar | 2024-08-28 |
72070b165d1f11bd4d009a81bf28a3e5 | SOCRadar | 2024-08-28 |
144550355b3dfb67a0ef65dc7f69470b4faf4ca1 | SOCRadar | 2024-08-28 |
8405d742405d3a6d3bda6bc49630dd5f3604a3d6ae27cbd533e425f8abbaafdc | SOCRadar | 2024-08-28 |
073b35ecbd1833575fbfb1307654fc532fd938482e09426cfb0541ad87a04f75 | SOCRadar | 2024-08-28 |
73eaba82ef1c502448e533007e92b1afa879b09f85f28b71648668ea62839ff5 | SOCRadar | 2024-08-28 |
e5f1360d4c299bb32e33e081115f2b520251a983af2ebc649b4b9b70308246fe | SOCRadar | 2024-08-28 |
d3fdf103e8585192452bb43e902f009c7bc066a3 | SOCRadar | 2024-08-28 |
e9625ce47b87085b66e0ee6e17ecb333 | SOCRadar | 2024-08-28 |
3872c38625ca62de3bcbe29740c1a0b8921fcf48 | SOCRadar | 2024-08-28 |
2fce25afb8a29fcd526f61ba30f14dcc7ecfad3e | SOCRadar | 2024-08-28 |
f062183da590aba5e911d2392bc29181 | SOCRadar | 2024-08-28 |
7e63c6b9ab3b32beffbc1eb23d6ca7cc59616b0722f0dd4f0d893c0a1724f5d7 | SOCRadar | 2024-08-28 |
54a0dd2003a6dfc5fd035ba3aabb9fd96b5bd09e | SOCRadar | 2024-08-28 |
c33247bc3e7e8cb72133e47930e6ddad | SOCRadar | 2024-08-28 |
ab56501167fe689fe55f6e6ddc3bb91952299bd5c3ef004b02bf1c3b4061c7cf | SOCRadar | 2024-08-28 |
21fc0f50d545c0a373380934dc61c423c8a31d8c3e6eae4f8a35149ad9962d88 | SOCRadar | 2024-08-28 |
e4360c0aa995e6e896b22bb7725a6c9b189be8606e7cbbc8b6e80c606358649d | SOCRadar | 2024-08-28 |
ee7faba27a2c5f7acb5b06e94aa318e0 | SOCRadar | 2024-08-28 |
7f24bc080281d250ec88493e5803e488721a17c9382cd54ba8dfbcb785f23a88 | SOCRadar | 2024-08-28 |
c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db | SOCRadar | 2024-08-28 |
a50f85c71b69563ba42bf04c937e1063244ca4957231d3adac76f1c96ab42d3c | SOCRadar | 2024-08-28 |
f0953ed4a679b987a2da955788737602 | SOCRadar | 2024-08-28 |
ec5a96f42aeccdf9a3ae4c3650689606c8539fd65c0b47f30887afecb901be43 | SOCRadar | 2024-08-28 |
a555bb5b6b0e9edf49c4f6bfc8638f155dc1986a | SOCRadar | 2024-08-28 |
2cc76a0434a1d489c1547c7021a3dd68499141c3 | SOCRadar | 2024-08-28 |
22a50cea6ad67a7e8582d2cd4cdc3eaaf57c0fbe8cd062a9b15710166e255a86 | SOCRadar | 2024-08-28 |
166b6dcdac31f4bf51e4b20a7c3f7d4f7017ca0c30fa123d5591e25c3fa66107 | SOCRadar | 2024-08-28 |
13c1c6752006667697cd4f72a2f1b8616af2b60e | SOCRadar | 2024-08-28 |
07aa971f0791b06dd442d4c7a49c1d3d27a1cbb16602f731e870b5ef50edf69e | SOCRadar | 2024-08-28 |
c02accc26a389397fb172f83258baa8a974986ffd706ba708a3b0a679f61be56 | SOCRadar | 2024-08-28 |
ba6d77f358b4fa00dda5d0e2fdd21c761d154f95 | SOCRadar | 2024-08-28 |
7586e58a569c2a07d0b3a710616f48833a040bf3fc57628bbdec7fcb462d565a | SOCRadar | 2024-08-28 |
bc85062de0f70afd44bb072b0b71a8cc | SOCRadar | 2024-08-28 |
83de8917bf0ac1d670acf27431015215db872b7291979312dd65e30d99806abb | SOCRadar | 2024-08-28 |
1c88150ec85a07c3db5f18c5eedcb0b653467b897af01d690ed996e5e07ba8e3 | SOCRadar | 2024-08-28 |
f42867e74bbc41767bffacc0de7bfa5e | SOCRadar | 2024-08-28 |
0faddbe1713455e3fc9777ec45adf07b28e24f4c3ddca37586c2aa6b539898c0 | SOCRadar | 2024-08-28 |
3e52c310c6556367ff9e18448bc41719e603d1cbbdafdcba736c6565529617b6 | SOCRadar | 2024-08-28 |
Ipv4s | Source | Last Update |
---|---|---|
212.87.212.115 | SOCRadar | 2024-08-28 |
78.108.216.20 | SOCRadar | 2024-08-28 |
5.182.207.28 | SOCRadar | 2024-08-28 |
MITIGATION
- Application Layer Protocol: Web Protocols
- Account Discovery
- Valid Accounts
REMEDIATION
- Application Layer Protocol: Web Protocols
- Account Discovery
CONCLUSION
Earth Baku has notably expanded its operations, extending from the Indo-Pacific region to target Europe and the Middle East and Africa (MEA) since late 2022. This campaign showcases the group's advanced techniques, including the exploitation of public-facing applications such as IIS servers for initial access, followed by the deployment of the Godzilla webshell for control of the compromised host. The use of the loaders StealthVector and StealthReacher to stealthily launch backdoor components, together with the modular backdoor SneakCross, highlights the group's evolving tradecraft.
Additionally, Earth Baku employs a range of tools during post-exploitation: a customized iox tool, Rakshasa, and Tailscale for persistence and tunnelled access, as well as MEGAcmd for data exfiltration. These developments underscore the group's increasing sophistication and present significant challenges for defenders.
To counter such advanced threats, organizations need robust cybersecurity measures. Implementing the principle of least privilege, regularly updating systems, enforcing strict patch management, and developing proactive incident response strategies are essential steps. Following the 3-2-1 backup rule also helps keep data recoverable even after a successful attack.
Organizations should consider deploying advanced security technologies such as SOCRadar's Extended Threat Intelligence, which offers continuous attack surface identification together with prevention, detection and response capabilities. Backed by threat research, intelligence and artificial intelligence, this capability improves the overall security posture. In addition, the Extended Detection and Response (XDR) service provides expert threat monitoring, correlation and analysis, delivering protection without overburdening IT teams and enabling organizations to scale securely in the cloud.
File Name | Description | Actions |
---|---|---|
Earth Baku Report 2.pdf | We state with confidence that Earth Longzhi is related to or is a subgroup of APT41 based on the following reasons: | |
Earth Baku Report.pdf | This research paper covers the technical details of a new cyberespionage campaign that we believe can be traced back to the notorious advanced persistent threat (APT) group Earth Baku | |