Espionage4 malware families

earth_bluecrow

Also known asearth_bluecrow

Earth Bluecrow is a suspected Chinese APT involved in cyber espionage. The provided content states that the group has used a new controller for the BPFDoor backdoor since 2021 and was suspected in the breach of a Korean telecommunications company in April 2025. Its targeting has included organizations in the communications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt, with mention of activity in Asia and the Middle East. The group is described as using BPFDoor, a backdoor that leverages Berkeley Packet Filter for stealthy communication and can be activated by a network packet containing a magic sequence. According to the content, BPFDoor supports long-term concealment, lateral movement, and access to sensitive data within victim networks. The campaign is described as ongoing, and the initial access vector and exploited vulnerabilities were still under investigation. No additional aliases or sub-groups were provided beyond Earth Bluecrow.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

communication
finance
retail

MITRE ATT&CK

Tradecraft

10 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics16 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1190

Exploit Public-Facing Application

TA0002

Execution

1 technique

T1059

Command and Scripting Interpreter

TA0003

Persistence

1 technique

T1547

Boot or Logon Autostart Execution

T1547.006

Kernel Modules and Extensions

TA0004

Privilege Escalation

1 technique

T1547

Boot or Logon Autostart Execution

T1547.006

Kernel Modules and Extensions

TA0005

Stealth

1 technique

T1036

Masquerading

TA0006

Credential Access

3 techniques

T1003

OS Credential Dumping

T1056

Input Capture

T1056.001

Keylogging

T1110

Brute Force

TA0008

Lateral Movement

1 technique

T1021

Remote Services

TA0009

Collection

1 technique

T1056

Input Capture

T1056.001

Keylogging

TA0011

Command and Control

2 techniques

T1095

Non-Application Layer Protocol

T1572

Protocol Tunneling

ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

BPFDoorOne of the most recognized tools in its malware arsenal is a Linux backdoor called BPFDoor. "Unlike conventional malware, BPFdoor does not expose listening ports or maintain visible command-and-control channels. Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet."3Mar 26, 2026

CrossC2Upon gaining a successful foothold, Linux-compatible beacon frameworks such as CrossC2 are deployed to facilitate post-exploitation activities.1Mar 26, 2026

SliverAlso dropped are Sliver, TinyShell (a Unix backdoor), keyloggers, and brute-force utilities to facilitate credential harvesting and lateral movement.1Mar 26, 2026

TINYSHELLAlso dropped are Sliver, TinyShell (a Unix backdoor), keyloggers, and brute-force utilities to facilitate credential harvesting and lateral movement.1Mar 26, 2026

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

ahnlab asec blogNews

May 15, 2025

April 2025 APT Group Trends

Earth Bluecrow is conducting long-term cyber espionage using BPFDoor backdoor, targeting communication, finance, and retail sectors in Asia and the Middle East.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping10

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.