Earth Alux
Earth Alux is a China-linked espionage threat actor also tracked as Jewelbug, Ink Dragon, REF7707, and CL-STA-0049. Reporting describes these names as overlapping clusters, and in some cases as the same actor. The group has been active since at least March 2023 and has targeted government, defense, telecommunications, education, aviation, technology, logistics, manufacturing, and IT services organizations. Reported victim geography includes Southeast Asia, South America, the broader APAC region, Latin America, Taiwan, Russia, and more recently European government targets. The actor's operations are focused on long-term access, espionage, and information theft.

Reported tradecraft includes exploitation of internet-exposed web applications and IIS servers, deployment of multiple ASPX web shells, credential theft, lateral movement, scheduled-task persistence, DLL side-loading, process injection, and use of renamed legitimate binaries for defense evasion. A recurring hallmark is abuse of the Microsoft Console Debugger (cdb.exe) renamed on disk, including execution of shellcode and injection into decoy processes such as mspaint.exe, calc.exe, and notepad.exe. Additional behaviors include LSASS dumping, extraction of registry hives and NTDS.dit, use of RDP/SMB and WMI for lateral movement, and exfiltration of compressed data to cloud services including OneDrive, Yandex Cloud, and cloud storage buckets.

Malware and tooling associated with Earth Alux include FINALDRAFT/Squidoor, NetDraft/NosyDoor (a .NET variant of FINALDRAFT), VARGEIT, COBEACON, RAILLOAD, RAILSETTER, ShadowPad, Cobalt Strike, KillAV, EchoDrv, ZeroEye, CloneExportTable, and a new backdoor that uses the Microsoft Graph API and OneDrive for command and control.

FINALDRAFT/Squidoor is described as a modular Windows and Linux backdoor supporting multiple C2 methods, including the Outlook API, Microsoft Graph API, DNS tunneling, ICMP tunneling, and SMB named pipes. Check Point also reported a custom ShadowPad IIS Listener used to turn compromised IIS servers into a relay mesh for command and control, and abuse of predictable or mismanaged ASP.NET machine keys for ViewState deserialization attacks against IIS and SharePoint servers. Reporting characterizes Earth Alux as a sophisticated espionage actor targeting government, technology, logistics, manufacturing, telecommunications, and IT services sectors primarily in APAC and Latin America, using web shells, process injection, DLL side-loading, and credential theft for information theft. It also notes highly active operations in 2024-2025, including intrusions into a South American government environment, a Taiwanese software company, and a Russian IT service provider, where access to code repositories and build systems created potential supply-chain risk.
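Two of the behaviours above (a renamed cdb.exe on disk, and remote-thread injection into mspaint.exe, calc.exe, or notepad.exe) are well suited to endpoint telemetry hunting. The Python below is an added example written for this page, not code from Mallory or from any of the cited reporting; it runs detection logic over constructed Sysmon-style events (EventID 1 process creation with its OriginalFileName field, EventID 8 CreateRemoteThread with SourceImage/TargetImage). The sample events, GUIDs, and paths are invented for the example and are not indicators from the page. The watch list generalizes the renamed-cdb.exe hallmark to any binary whose PE OriginalFileName is on the list, which is how a defender would extend it to the other renamed legitimate binaries the reporting mentions without naming.

```python
"""
Detect two Earth Alux hallmarks in Sysmon-style JSON-lines telemetry:
  1. A watched legitimate binary (cdb.exe) executed under a different on-disk name.
  2. A remote thread created in a decoy GUI process (mspaint/calc/notepad), escalated
     when the source process was already flagged as a renamed debugger.
All telemetry below is constructed for this example.
"""
import json
from pathlib import PureWindowsPath

# PE OriginalFileName values of legitimate binaries the actor is reported to rename.
WATCHED_ORIGINAL_NAMES = {"cdb.exe"}
# Decoy processes the reporting names as injection targets.
INJECTION_TARGETS = {"mspaint.exe", "calc.exe", "notepad.exe"}

# Constructed sample events (hypothetical GUIDs and paths, not real IoCs).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "OriginalFileName": "cdb.exe",
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "CommandLine": "cdb.exe -z crash.dmp"},                      # legitimate use
    {"EventID": 1, "ProcessGuid": "{B2}", "OriginalFileName": "cdb.exe",
     "Image": r"C:\Users\Public\svchost.exe",
     "CommandLine": r"svchost.exe -cf C:\Users\Public\script.txt"},  # renamed debugger
    {"EventID": 1, "ProcessGuid": "{C3}", "OriginalFileName": "MSPAINT.EXE",
     "Image": r"C:\Windows\System32\mspaint.exe", "CommandLine": "mspaint.exe"},
    {"EventID": 8, "SourceProcessGuid": "{B2}", "SourceImage": r"C:\Users\Public\svchost.exe",
     "TargetProcessGuid": "{C3}", "TargetImage": r"C:\Windows\System32\mspaint.exe"},
    {"EventID": 8, "SourceProcessGuid": "{D4}", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessGuid": "{E5}", "TargetImage": r"C:\Windows\explorer.exe"},  # benign noise
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def parse_events(lines):
    """Parse JSON lines into event dicts, skipping malformed lines rather than failing."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\Y.EXE' -> 'y.exe')."""
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return a list of alert dicts; events must be in chronological order."""
    alerts = []
    renamed = {}  # ProcessGuid -> image path for processes flagged as renamed watched binaries
    for ev in events:
        if ev.get("EventID") == 1:
            original = ev.get("OriginalFileName", "").lower()
            image = ev.get("Image", "")
            # The PE says cdb.exe but the file on disk is called something else.
            if original in WATCHED_ORIGINAL_NAMES and basename(image) != original:
                renamed[ev.get("ProcessGuid")] = image
                alerts.append({"rule": "renamed_debugger", "severity": "high",
                               "guid": ev.get("ProcessGuid"), "image": image,
                               "original": original})
        elif ev.get("EventID") == 8:
            target = basename(ev.get("TargetImage", ""))
            if target in INJECTION_TARGETS:
                src = ev.get("SourceProcessGuid")
                # Injection from an already-flagged renamed debugger is the reported chain.
                severity = "critical" if src in renamed else "medium"
                alerts.append({"rule": "decoy_process_injection", "severity": severity,
                               "guid": src, "image": ev.get("SourceImage"),
                               "target": target})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LINES)):
        print(alert)
```

The correlation by ProcessGuid is what turns two medium-confidence signals into one high-confidence chain; on its own, a remote thread into notepad.exe is noisy (accessibility tools and some EDR agents do it), while a cdb.exe whose on-disk name differs from its OriginalFileName is rare enough to page on directly.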
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
15 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
11 malware families attributed to this actor across reporting.
6 additional families tracked in Mallory.
Observables
7 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Previously linked to use of NetDraft/NosyDoor, a C# variant of FINALDRAFT/Squidoor.
China-nexus cluster associated with development and operation of the FinalDraft/SquidDoor malware family; also linked to NetDraft/NosyDoor usage against government organizations.
Chinese threat cluster overlapping at the network level with Shadow-Earth-054.
Chinese threat cluster noted for network overlaps with Shadow-Earth-054.