
In a renewed cyber-espionage campaign observed in March 2025, the notorious APT group Earth Kasha, believed to operate under the larger APT10 umbrella, has sharpened its arsenal, targeting government agencies and public institutions in Taiwan and Japan. According to a detailed analysis by Trend Micro, this campaign represents a significant escalation in the group’s tactics, techniques, and procedures (TTPs).
“We assume that the motivation behind this campaign is espionage and information theft based on the victimology and post-exploitation TTPs,” Trend Micro noted, citing the group’s long-standing interest in geopolitical intelligence.
The attack chain kicks off with spear-phishing emails, often disguised as job applications or official government correspondence. The malicious payload is embedded in a macro-enabled Excel document, replacing the Word-based lure from Earth Kasha’s 2024 campaign. These files are distributed via legitimate OneDrive URLs, a tactic likely aimed at bypassing basic email security filters.
Notably, the malicious Excel file—dubbed ROAMINGMOUSE—now requires a click event (rather than a mousemove) to trigger its payload, reflecting Earth Kasha’s ongoing refinements in evasion techniques.

Once executed, ROAMINGMOUSE unpacks a series of components, including a legitimate executable from JustSystems Inc., and a malicious loader named ANELLDR. The loader decrypts and runs the ANEL backdoor in memory using AES-256-CBC and LZO.
While ANEL’s core capabilities remain consistent with prior iterations, Trend Micro observed a critical enhancement: “The ANEL file from the 2025 campaign implemented a new command to support the execution of a BOF (Beacon Object File) in memory.”
This addition suggests Earth Kasha may be aligning closer with red-team-style post-exploitation techniques, enabling more modular and flexible operations.
In cases where Earth Kasha confirms a high-value target, it deploys NOOPDOOR, a second-stage backdoor the group has used since at least 2021. The latest version of NOOPDOOR comes with a stealth upgrade: DNS over HTTPS (DoH) for encrypted C&C communications.
“NOOPDOOR generates a C&C domain through Domain Generation Algorithm (DGA)… and then tries to resolve IP over DoH to hide suspicious domain name resolutions.”
By leveraging public DoH services such as Google and Cloudflare, Earth Kasha attempts to blend in with legitimate traffic, complicating detection efforts.
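One way a defender can surface this pattern on the network side is to flag DoH requests that come from processes other than a browser, and to check the name carried in the DoH JSON API query for DGA-like structure. The script below is an added example written for this article, not code from Trend Micro or from the malware; the proxy log format, the process names and the DGA heuristic thresholds are all constructed assumptions.

```python
import math
from urllib.parse import urlparse, parse_qs

# Public DoH endpoints (assumed list; Google and Cloudflare are the services the analysis names).
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "1.1.1.1", "8.8.8.8"}
# Processes expected to talk DoH on their own (assumed allowlist for this example).
EXPECTED_DOH_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed proxy log: "<timestamp> <process> <method> <url>".
SAMPLE_LOG = """\
2025-03-12T09:01:02Z chrome.exe GET https://dns.google/resolve?name=www.example.com&type=A
2025-03-12T09:01:05Z unknownsvc.exe GET https://cloudflare-dns.com/dns-query?name=xk3q9vbtz7mwplrd.com&type=A
2025-03-12T09:01:09Z unknownsvc.exe POST https://dns.google/dns-query
2025-03-12T09:02:00Z firefox.exe GET https://cloudflare-dns.com/dns-query?name=mail.example.org&type=A
"""

def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_like_dga(label):
    """Heuristic (assumed thresholds): DGA labels tend to be long, high-entropy and vowel-poor."""
    vowels = sum(label.count(v) for v in "aeiou")
    return len(label) >= 12 and shannon_entropy(label) > 3.0 and vowels / len(label) < 0.3

def queried_name(url):
    """Name from a DoH JSON API GET (?name=); None for wire-format POST bodies we cannot see."""
    qs = parse_qs(urlparse(url).query)
    return qs["name"][0].rstrip(".").lower() if "name" in qs else None

def analyze(lines):
    """Return one alert dict per log line that hits a public DoH resolver suspiciously."""
    alerts = []
    for line in lines:
        ts, proc, method, url = line.split(maxsplit=3)
        host = urlparse(url).hostname
        if host not in DOH_RESOLVERS:
            continue
        reasons = []
        if proc.lower() not in EXPECTED_DOH_CLIENTS:
            reasons.append("doh-from-unexpected-process")
        name = queried_name(url)
        if name and looks_like_dga(name.split(".")[0]):
            reasons.append("dga-like-name")
        if reasons:
            alerts.append({"ts": ts, "process": proc, "host": host, "name": name, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

The POST case shows the limit of proxy-side inspection: with wire-format DoH the queried name is inside the TLS-protected body, so the process-based signal is the only one left and endpoint telemetry is needed to recover the name.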
The campaign also makes use of SharpHide, an open-source tool, to ensure persistence by masking NOOPDOOR’s activity through hidden autorun processes and UI suppression techniques.
Earth Kasha’s campaign signals not just technical evolution, but also a strategic shift in targeting. Moving beyond research institutions and think tanks, the group is now zeroing in on government entities, amplifying the geopolitical stakes—especially amid increasing regional tensions in East Asia.
“Considering that Earth Kasha’s origin is believed to be China, a potential espionage campaign targeting Taiwan and Japan has significant geopolitical implications,” Trend Micro concluded.