VARGEIT

VARGEIT is a custom backdoor/payload associated with the China-linked espionage threat actor Earth Alux, also tracked as Ink Dragon, Jewelbug, CL-STA-0049, and REF7707. Reporting describes it as part of a broader intrusion toolkit alongside RAILLOAD, RAILSETTER, COBEACON/Cobalt Strike, and later FINALDRAFT, with Check Point assessing VARGEIT and FINALDRAFT to be different development stages of the same malware family, and VARGEIT as the earlier variant. In observed campaigns, the actor commonly gains initial access by exploiting internet-exposed web applications and deploying web shells, then delivers VARGEIT as a follow-on payload. VARGEIT has been used to establish persistence, steal credentials, maintain command and control, and support post-exploitation activities including discovery, lateral movement, defense evasion, and data exfiltration. The surrounding tradecraft includes abuse of renamed legitimate binaries such as cdb.exe disguised as fontdrvhost.exe to execute shellcode, process injection into legitimate Windows processes including MSPaint, calc.exe, and notepad.exe, DLL side-loading, browser credential theft, and exfiltration of compressed data to cloud storage. Targeting linked to operations using VARGEIT includes government, technology, logistics, manufacturing, telecommunications, IT services, and retail organizations, primarily in APAC and Latin America, with later reporting also tying the broader cluster to victims in Europe, Asia, Africa, and South America. High-confidence behavioral indicators mentioned in the reporting include suspicious DLL loading, unusual process paths, credential-access activity, and abnormal network connections originating from trusted Windows binaries.