Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Earth Baxia #1020

Merged
merged 3 commits into from
Sep 25, 2024
Merged

Add Earth Baxia #1020

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8108d2b
chg: [threat-actor] add earth baxia
r0ny123 Sep 24, 2024
483f532
chg: [threat-actor] fix typo
r0ny123 Sep 24, 2024
17c4d15
chg: [doc] README updated
r0ny123 Sep 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements

[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.

Category: *actor* - source: *MISP Project* - total: *736* elements
Category: *actor* - source: *MISP Project* - total: *737* elements

[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]

Expand Down
14 changes: 14 additions & 0 deletions clusters/threat-actor.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16688,6 +16688,20 @@
},
"uuid": "071d271a-313f-442d-9bf0-10e6eeba0a8e",
"value": "HikkI-Chan"
},
{
"description": "Earth Baxia is a threat actor opearting out of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver additional payloads, and utilizing a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.",
"meta": {
"country": "CN",
"refs": [
"https://www.tgsoft.it/news/news_archivio.asp?id=1568",
"https://jp.security.ntt/tech_blog/appdomainmanager-injection",
"https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt"
]
},
"uuid": "d0c2cd99-64d5-406f-abd7-16b9e27966a7",
"value": "Earth Baxia"
}
],
"version": 313
Expand Down
Loading