A Dive into the Latest Campaign

Earth Baku, an advanced persistent threat actor, has broadened its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries including Italy, Germany, the UAE, and Qatar. The group uses public-facing applications, such as IIS servers, as its initial entry point and deploys a toolset that includes the Godzilla webshell, StealthVector, StealthReacher, and SneakCross. StealthVector and StealthReacher are customized loaders that launch backdoor components while evading detection; SneakCross is a modular backdoor that uses Google services for command-and-control. During post-exploitation, Earth Baku relies on a customized iox tool, Rakshasa, and Tailscale for persistent access, and on MEGAcmd for data exfiltration.

Author: AlienVault

Related Tags: Tailscale, Rakshasa, SneakCross, StealthReacher, StealthVector, South Georgia and the South Sandwich Islands, Georgia, Cobalt Strike – S0154, cybercrime

Associated Indicators (SHA-256 file hashes):
21FC0F50D545C0A373380934DC61C423C8A31D8C3E6EAE4F8A35149AD9962D88
3E52C310C6556367FF9E18448BC41719E603D1CBBDAFDCBA736C6565529617B6
EC5A96F42AECCDF9A3AE4C3650689606C8539FD65C0B47F30887AFECB901BE43
CDCBD9C25E06AC6DA5497FA19459D0007449EC1A3E6BC591334DB6FB3598AECB
7E63C6B9AB3B32BEFFBC1EB23D6CA7CC59616B0722F0DD4F0D893C0A1724F5D7
166B6DCDAC31F4BF51E4B20A7C3F7D4F7017CA0C30FA123D5591E25C3FA66107
0FADDBE1713455E3FC9777EC45ADF07B28E24F4C3DDCA37586C2AA6B539898C0
A50F85C71B69563BA42BF04C937E1063244CA4957231D3ADAC76F1C96AB42D3C
C6A3A1EA84251AED908702A1F2A565496D583239C5F467F5DCD0CFC5BFB1A6DB
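The first practical use of a hash list like the one above is a sweep of suspect hosts, starting with the IIS web root where the webshell and loaders would land. The following Python is an added example, not tooling from the original report or from AlienVault: it hashes every regular file under a directory in chunks (so large files are not read into memory whole), normalises the indicator set to lowercase, and reports any file whose digest is in the set. The files it writes to a temporary directory are constructed stand-ins, not real samples, so the page's indicators produce no hit there; the demo then adds one constructed file's own digest to the indicator set to show what a positive match looks like.

```python
"""Sweep a directory tree for files whose SHA-256 matches the Earth Baku
indicators listed on this page.

Added example; the indicator values are the nine hashes from the page,
everything else (paths, sample files) is constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Iterable

HEX = set("0123456789abcdef")
CHUNK = 1 << 20  # read 1 MiB at a time so big binaries do not get slurped


def normalise(hashes: Iterable[str]) -> frozenset:
    """Lowercase the hashes and drop anything that is not 64 hex characters,
    so mixed-case or mangled entries never silently fail to match."""
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if len(h) == 64 and set(h) <= HEX:
            out.add(h)
    return frozenset(out)


# SHA-256 indicators from the page, as published (uppercase), normalised once.
EARTH_BAKU_SHA256 = normalise([
    "21FC0F50D545C0A373380934DC61C423C8A31D8C3E6EAE4F8A35149AD9962D88",
    "3E52C310C6556367FF9E18448BC41719E603D1CBBDAFDCBA736C6565529617B6",
    "EC5A96F42AECCDF9A3AE4C3650689606C8539FD65C0B47F30887AFECB901BE43",
    "CDCBD9C25E06AC6DA5497FA19459D0007449EC1A3E6BC591334DB6FB3598AECB",
    "7E63C6B9AB3B32BEFFBC1EB23D6CA7CC59616B0722F0DD4F0D893C0A1724F5D7",
    "166B6DCDAC31F4BF51E4B20A7C3F7D4F7017CA0C30FA123D5591E25C3FA66107",
    "0FADDBE1713455E3FC9777EC45ADF07B28E24F4C3DDCA37586C2AA6B539898C0",
    "A50F85C71B69563BA42BF04C937E1063244CA4957231D3ADAC76F1C96AB42D3C",
    "C6A3A1EA84251AED908702A1F2A565496D583239C5F467F5DCD0CFC5BFB1A6DB",
])


def sha256_file(path) -> str:
    """Chunked SHA-256 of one file; returns a lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=EARTH_BAKU_SHA256):
    """Return [(path, digest)] for every regular file under root whose
    SHA-256 is in iocs. Symlinks are not followed and unreadable files are
    skipped, so one locked or permission-denied file does not abort the run."""
    iocs = normalise(iocs)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits.append((str(p), digest))
    return hits


def demo():
    """Constructed scenario (no real malware): an empty file, a benign text
    file, and a stand-in 'dropped' file under a fake IIS web root.
    Returns (hits against the page's IOCs, hits once the stand-in's own
    digest is added to the IOC set, digest of the empty file, digest of the
    stand-in) so the behaviour can be checked without real samples."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "empty.bin").write_bytes(b"")
        (Path(tmp) / "notes.txt").write_bytes(b"constructed benign content\n")
        dropped = Path(tmp) / "inetpub" / "wwwroot" / "upload.aspx"
        dropped.parent.mkdir(parents=True)
        dropped.write_bytes(b"constructed stand-in for a dropped file\n")

        baseline = sweep(tmp)  # page IOCs only: nothing here is real
        extended = sweep(tmp, EARTH_BAKU_SHA256 | {sha256_file(dropped).upper()})
        return (baseline,
                [digest for _, digest in extended],
                sha256_file(Path(tmp) / "empty.bin"),
                sha256_file(dropped))


if __name__ == "__main__":
    for path, digest in sweep("."):
        print(f"MATCH {digest} {path}")
```

Run it against the IIS web root and any staging directories first, then widen the sweep. Hash indicators only catch the exact samples that were published; a recompiled loader or a re-obfuscated webshell will not match, so pair this with behavioural checks such as the IIS worker process spawning command interpreters, and with the network indicators for the tunnelling and exfiltration tools named above.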