2025-05-08

Earth Kasha Targets Taiwan and Japan in Espionage Campaign Using Enhanced Malware Arsenal

Level: Tactical | Source: Trend Micro | Government


APT group Earth Kasha, assessed to have operational ties to the Chinese state-sponsored threat group menuPass (aka APT10, Cicada, Stone Panda), continues its espionage operations with a newly observed campaign targeting government and public sector entities in Taiwan and Japan. According to Trend Micro's Senior Threat Researcher Hara Hiroaki, the group has been active since at least 2017 and initiated the recently observed March 2025 campaign with a tighter focus compared to previous activity in 2024. Recent attacks targeted research organizations, political think tanks, and institutions involved in international relations. The latest operations involve the deployment of an updated version of the ANEL backdoor, featuring new capabilities for in-memory execution of Beacon Object Files (BOF). As Hiroaki warns, “Considering that Earth Kasha’s origin is believed to be China, a potential espionage campaign targeting Taiwan and Japan has significant geopolitical implications.”

The campaign begins with a spear-phishing email carrying a malicious OneDrive URL that downloads a ZIP archive containing a macro-enabled Excel dropper named ROAMINGMOUSE. Once executed, the Excel file base64-decodes the archive and expands its contents, which include a legitimate signed executable, the ANELLDR malicious loader (JSFC.dll), and the encrypted ANEL backdoor. The execution method varies depending on which security tools are present. If no security software such as McAfee is detected, ROAMINGMOUSE leverages "WmiPrvSE.exe" to launch the executable via "explorer.exe", followed by DLL sideloading to load the malicious JSFC.dll. In environments where McAfee is present, execution is instead triggered by a batch file placed in the startup directory, forgoing the use of WMI.

Following the initial setup, the ANEL backdoor performs reconnaissance, including process enumeration (tasklist /v) and user account discovery (net user, net localgroup administrators). As assessed by Trend Micro, “The adversary appears to investigate the victim by looking through screenshots, running process lists, and domain information,” often halting operations if the infected host does not meet targeting criteria. If the victim is deemed valuable, Earth Kasha proceeds to deploy the second-stage backdoor NOOPDOOR. Installation involves running "MSBuild.exe" to execute the "ctac.xml" project file and using "msiexec.exe" to persist NOOPDOOR, with Hidden Start ("hstart64.exe") used to keep its window hidden from the user.
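The execution chain above (WmiPrvSE.exe launching explorer.exe, MSBuild.exe handed an .xml project, msiexec.exe paired with hstart64.exe, and the tasklist/net reconnaissance) maps onto a handful of process-creation detections. The following is an added example, not code from Trend Micro or Anvilogic: it runs heuristic rules over constructed Sysmon-style process-creation events. The field names (host, image, parent_image, command_line), the sample file paths and the host name are assumptions; map them to your own EDR schema. The only campaign-specific names used are those reported above (ctac.xml, hstart64.exe).

```python
"""Heuristic process-creation detections for the Earth Kasha ANEL/NOOPDOOR
execution chain. Sample events below are constructed, not real telemetry."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    event_id: int
    host: str
    image: str           # full path of the created process
    parent_image: str    # full path of the parent process
    command_line: str


# Reconnaissance commands reported for the ANEL stage.
RECON_MARKERS = ("tasklist /v", "net user", "net localgroup administrators")


def _name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_wmi_explorer_launch(e: ProcEvent) -> bool:
    """WmiPrvSE.exe spawning explorer.exe: the WMI-based launch used when no
    endpoint security product is detected. Rare in normal operation."""
    return _name(e.parent_image) == "wmiprvse.exe" and _name(e.image) == "explorer.exe"


def detect_msbuild_xml_project(e: ProcEvent) -> bool:
    """MSBuild.exe given a .xml project file (ctac.xml in this campaign).
    Developer builds normally pass .csproj/.vbproj/.sln, not bare .xml."""
    return _name(e.image) == "msbuild.exe" and ".xml" in e.command_line.lower()


def detect_msiexec_hidden_start(e: ProcEvent) -> bool:
    """Hidden Start (hstart64.exe) launched by msiexec.exe, the persistence
    pairing reported for NOOPDOOR."""
    return _name(e.parent_image) == "msiexec.exe" and _name(e.image) == "hstart64.exe"


def detect_staging_cleanup(e: ProcEvent) -> bool:
    """cmd.exe recursively deleting a directory (rd /s /q), used to remove
    the ANEL staging directory after deployment."""
    return _name(e.image) == "cmd.exe" and "rd /s /q" in e.command_line.lower()


def run_detections(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Return (rule_name, key) alerts. Per-event rules key on the event id;
    the recon rule fires once per host that ran at least two distinct
    reconnaissance commands, so a single 'net user' does not alert."""
    alerts: list[tuple[str, str]] = []
    recon_seen: dict[str, set[str]] = defaultdict(set)
    per_event = (
        ("wmi_explorer_launch", detect_wmi_explorer_launch),
        ("msbuild_xml_project", detect_msbuild_xml_project),
        ("msiexec_hidden_start", detect_msiexec_hidden_start),
        ("staging_cleanup", detect_staging_cleanup),
    )
    for e in events:
        for rule, fn in per_event:
            if fn(e):
                alerts.append((rule, str(e.event_id)))
        cl = e.command_line.lower()
        for marker in RECON_MARKERS:
            if marker in cl:
                recon_seen[e.host].add(marker)
    for host, markers in recon_seen.items():
        if len(markers) >= 2:
            alerts.append(("recon_sequence", host))
    return alerts


# Constructed sample telemetry (assumed host name and paths, not from the report).
SAMPLE_EVENTS = [
    ProcEvent(1, "HOST-A", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"explorer.exe C:\Users\alice\Downloads\stage\signed.exe"),
    ProcEvent(2, "HOST-A", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\alice\Downloads\stage\signed.exe", "cmd.exe /c tasklist /v"),
    ProcEvent(3, "HOST-A", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\alice\Downloads\stage\signed.exe",
              "cmd.exe /c net localgroup administrators"),
    ProcEvent(4, "HOST-A", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\cmd.exe", r"MSBuild.exe C:\Users\alice\AppData\Roaming\ctac.xml"),
    ProcEvent(5, "HOST-A", r"C:\ProgramData\hstart64.exe",
              r"C:\Windows\System32\msiexec.exe", "hstart64.exe /NOCONSOLE ..."),
    ProcEvent(6, "HOST-A", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\alice\Downloads\stage\signed.exe",
              r"cmd.exe /c rd /s /q C:\Users\alice\Downloads\stage"),
    # Benign noise: a browser launched by the desktop and a real developer build.
    ProcEvent(7, "HOST-B", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\explorer.exe", "chrome.exe"),
    ProcEvent(8, "HOST-B", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\cmd.exe", r"MSBuild.exe C:\src\app\app.csproj"),
]

if __name__ == "__main__":
    for rule, key in run_detections(SAMPLE_EVENTS):
        print(f"{rule:22s} {key}")
```

The recon rule deliberately requires two distinct commands on one host because each command alone is common administrative activity; the MSBuild rule is a heuristic and will need an allowlist for build servers that legitimately pass .xml-named project files.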

In its latest variant, NOOPDOOR has been enhanced with DNS over HTTPS (DoH) support to obscure C2 communications. As Hiroaki reports, the malware embeds public DoH-capable resolvers such as Google's and Cloudflare's to mask domain resolution during beaconing. Because the lookups travel inside HTTPS, Earth Kasha evades traditional DNS monitoring on port 53 while keeping the resolution traffic encrypted. Trend Micro also observed the attackers deleting the ANEL staging directories post-deployment (rd /s /q) to reduce forensic artifacts. The group’s continued reliance on NOOPDOOR, combined with upgrades to ANEL and adaptive post-exploitation techniques, demonstrates an intent to maintain long-term access and conduct data theft within high-value targets. Organizations operating in the affected regions are advised to enforce zero-trust policies on external links, monitor for misuse of DoH, and improve visibility into execution behaviors such as abuse of native tools and unauthorized macro execution.
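Monitoring for DoH misuse, as recommended above, usually comes down to one question: which processes are talking to a public DoH endpoint over TCP/443, and are they processes that should be doing so? The following is an added example, not code from Trend Micro or Anvilogic: it runs that check over constructed network-connection events. The endpoint list uses the publicly documented Google and Cloudflare DoH hostnames and resolver addresses; the field names, the browser allowlist and the sample process names are assumptions.

```python
"""Flag DNS-over-HTTPS traffic from processes that have no business doing
their own name resolution. Sample events are constructed, not real telemetry."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Publicly documented DoH endpoints for the resolvers named in the report.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "one.one.one.one"}
DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
# Browsers may legitimately use DoH; everything else is suspicious by default (assumed allowlist).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class NetEvent:
    event_id: int
    host: str
    process: str        # image name of the connecting process
    dest_ip: str
    dest_port: int
    sni: str | None     # TLS server name, if the sensor captured it


def is_doh_endpoint(e: NetEvent) -> bool:
    """True when the destination is a known DoH resolver on 443. SNI is the
    stronger signal; the IP match covers connections where SNI was not seen."""
    if e.dest_port != 443:
        return False
    return (e.sni or "").lower() in DOH_HOSTS or e.dest_ip in DOH_IPS


def find_doh_misuse(events: list[NetEvent], allow_browsers: bool = True) -> list[int]:
    """Return ids of DoH connections from non-allowlisted processes. With
    allow_browsers=False every DoH connection is reported, for environments
    whose policy is to force all resolution through the corporate resolver."""
    hits = []
    for e in events:
        if not is_doh_endpoint(e):
            continue
        if allow_browsers and e.process.lower() in BROWSERS:
            continue
        hits.append(e.event_id)
    return hits


def doh_volume_by_process(events: list[NetEvent]) -> dict[tuple[str, str], int]:
    """Count DoH connections per (host, process); a steady count from one
    unknown binary is the beaconing pattern worth triaging first."""
    return dict(Counter((e.host, e.process.lower()) for e in events if is_doh_endpoint(e)))


# Constructed sample telemetry (assumed process and host names).
SAMPLE_NET = [
    NetEvent(1, "HOST-A", "chrome.exe", "8.8.8.8", 443, "dns.google"),
    NetEvent(2, "HOST-A", "unknown_svc.exe", "104.16.248.249", 443, "cloudflare-dns.com"),
    NetEvent(3, "HOST-A", "unknown_svc.exe", "1.1.1.1", 443, None),
    NetEvent(4, "HOST-A", "outlook.exe", "52.96.0.1", 443, "outlook.office365.com"),
    NetEvent(5, "HOST-B", "svchost.exe", "8.8.8.8", 53, None),  # plain DNS, not DoH
]

if __name__ == "__main__":
    print("suspicious DoH events:", find_doh_misuse(SAMPLE_NET))
    print("DoH volume:", doh_volume_by_process(SAMPLE_NET))
```

The IP-only match is intentionally kept even though 1.1.1.1:443 also serves a web page, because NOOPDOOR-style clients can pin the resolver address and omit a recognisable SNI; tune the allowlist rather than dropping the rule.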
