A new Trend Research report has revealed an alarming shift in cyberespionage tactics among China-aligned APT groups, highlighting unprecedented levels of collaboration and resource sharing between threat actors such as Earth Estries and Earth Naga. The report introduces a new term — “Premier Pass-as-a-Service” — to describe this advanced model of access brokerage and inter-group cooperation.
Trend researchers describe “Premier Pass-as-a-Service” as “the emerging trend of advanced collaboration tactics between multiple China-aligned APT groups, notably Earth Estries and Earth Naga, that are making modern cyberespionage campaigns even more complex.”
The report details how Earth Estries, acting as an access broker, handed over compromised assets to Earth Naga (also known as Flax Typhoon, RedJuliett, or Ethereal Panda) to continue exploitation and data exfiltration. This model represents what Trend calls a “Premier Pass,” enabling one threat group to directly pass privileged access to another, thus bypassing the lengthy phases of reconnaissance and initial intrusion.
“By sharing access, Earth Estries and Earth Naga further complicate detection and attribution efforts,” the researchers note, emphasizing that these joint operations “challenge traditional methods by involving multiple intrusion sets.”
Both groups have persistently targeted critical sectors including telecommunications, government agencies, and defense-linked manufacturers across multiple regions. According to Trend’s victimology analysis, “Earth Estries and Earth Naga’s coordinated cyberespionage campaigns have recently focused on retail and government-related organizations in APAC.”
The report lists confirmed joint operations between late 2024 and mid-2025, including:
- A retail company in the APAC region (November 2024)
- A government agency in Southeast Asia (March 2025)
- Multiple telecommunications providers in APAC and NATO countries (April–July 2025)
Trend researchers confirmed that “Earth Estries operated as an access broker in some campaigns,” providing network footholds to Earth Naga for extended exploitation.
The investigation revealed overlapping toolsets between both groups, with Earth Estries deploying its proprietary CrowDoor backdoor, and Earth Naga using the ShadowPad malware — a hallmark of several China-nexus espionage operations.
The infection timeline reconstructed by Trend shows that in early 2025, Earth Estries compromised a vulnerable internal web server and deployed CrowDoor to establish persistence. Later, in March 2025, ShadowPad was deployed within the same environment via multiple vectors, including Cobalt Strike SMB beacons and compromised credentials, signaling clear operational overlap between the two groups.
“The ShadowPad C&C server is linked to known Earth Naga infrastructure. This marks the second observed instance of Earth Estries deploying a known Earth Naga backdoor within a victim’s internal network,” the report states.
These coordinated toolsets suggest not just shared targets, but a deliberate exchange of access and infrastructure.
To clarify the growing complexity of inter-APT cooperation, Trend Research introduced a four-tier framework categorizing collaborative attack types — ranging from “shared infection vectors” (loose coordination) to “provision of operational boxes” (strict coordination).
The report identifies the Earth Estries–Earth Naga case as a Type C collaboration, where “one group helps another deploy its malware in a target network,” and notes that Type D — “provision of an operational box” — represents “the most advanced collaboration model observed to date.”
This framework underscores the shifting reality that APT operations may now function as coalitions, blurring attribution boundaries and complicating response efforts for defenders.
The emergence of “Premier Pass-as-a-Service” redefines how intelligence analysts and defenders must approach attribution and detection. Traditional methods that rely on TTP overlaps or malware signatures may now fail to accurately distinguish between groups operating under shared access frameworks.
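One way a defender could act on this point, as an added example that is not taken from the Trend report: group detections per host and flag hosts where tooling tied to more than one intrusion set appears, rather than attributing the whole incident to the first set seen. The event records, field names, hostnames, dates and the `find_handoffs` helper are constructed assumptions; the family-to-set mapping uses only the pairings named in the article.

```python
from collections import defaultdict
from datetime import datetime

# Assumption: simplified mapping from the pairings named in the article.
# ShadowPad is used by several China-nexus sets, so in practice the tie to a
# set comes from infrastructure (e.g. the C&C server), not the family alone.
FAMILY_TO_SET = {"CrowDoor": "Earth Estries", "ShadowPad": "Earth Naga"}

# Constructed sample detections (hosts, times and vectors are made up).
EVENTS = [
    {"host": "web01", "time": "2025-01-14T09:12:00", "family": "CrowDoor",
     "vector": "vulnerable web server"},
    {"host": "web01", "time": "2025-03-03T22:40:00", "family": "ShadowPad",
     "vector": "Cobalt Strike SMB beacon"},
    {"host": "db02", "time": "2025-03-04T01:05:00", "family": "ShadowPad",
     "vector": "compromised credentials"},
    {"host": "hr07", "time": "2025-02-10T11:00:00", "family": "CrowDoor",
     "vector": "unknown"},
]

def find_handoffs(events, family_to_set=FAMILY_TO_SET):
    """Return hosts where tooling tied to more than one intrusion set was
    seen, with the sets listed in order of first appearance."""
    per_host = defaultdict(list)
    for ev in events:
        intrusion_set = family_to_set.get(ev["family"])
        if intrusion_set is None:
            continue  # unmapped family gives no attribution hint
        when = datetime.fromisoformat(ev["time"])
        per_host[ev["host"]].append((when, intrusion_set, ev["vector"]))

    findings = []
    for host, rows in sorted(per_host.items()):
        rows.sort(key=lambda r: r[0])
        order = []
        for _, intrusion_set, _ in rows:
            if intrusion_set not in order:
                order.append(intrusion_set)
        if len(order) > 1:  # more than one set on the same host
            findings.append({
                "host": host,
                "sets_in_order": order,
                # days between first and last mapped detection on the host
                "span_days": (rows[-1][0] - rows[0][0]).days,
                "vectors": [r[2] for r in rows],
            })
    return findings

if __name__ == "__main__":
    for finding in find_handoffs(EVENTS):
        print(finding)
```

A finding here is a prompt to treat the incident as involving multiple intrusion sets and to scope response for both, not proof of a handoff.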