A China-linked advanced persistent threat (APT) group, Earth Alux, has been identified as the orchestrator of a series of cyberespionage attacks targeting critical industries across the Asia-Pacific (APAC) and Latin American regions.
Leveraging its sophisticated malware toolkit, including the VARGEIT backdoor, the group has successfully infiltrated organizations in sectors such as government, technology, logistics, manufacturing, telecommunications, and retail.

Deployment of VARGEIT: A Multi-Stage Backdoor
Earth Alux employs the VARGEIT malware as its primary tool for maintaining long-term access to compromised systems.
This backdoor is used at multiple stages of the attack lifecycle, from initial infiltration to advanced persistence.
It is deployed through various sophisticated methods, including debugger scripts and DLL side-loading techniques.
The group also utilizes additional tools like RAILLOAD and RAILSETTER to enhance stealth and ensure persistence by modifying file timestamps and creating scheduled tasks.
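The timestomping attributed above to RAILSETTER is one of the few evasion techniques in this toolkit that leaves a checkable trace on disk: NTFS keeps two timestamp sets per file, and user-mode timestomping tools can rewrite only one of them. The following Python is an added example, not code from the report or from the actor's tooling; the file records and paths are constructed for illustration.

```python
"""Timestomping heuristics against NTFS timestamp pairs.

Added example (not the report's or Earth Alux's tooling) for the timestamp
manipulation attributed to RAILSETTER. NTFS keeps two timestamp sets per file:
$STANDARD_INFORMATION ($SI), which user-mode APIs such as SetFileTime() can
rewrite, and $FILE_NAME ($FN), which the kernel maintains and which user-mode
timestomping tools generally cannot set. Comparing the two is a standard
forensic check; the records below are constructed, not recovered from a case.
"""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class FileRecord:
    path: str
    si_created: datetime    # $SI timestamps: what dir / PowerShell show, and what
    si_modified: datetime   #   SetFileTime() overwrites
    fn_created: datetime    # $FN timestamps: kernel-set, not reachable via SetFileTime()
    fn_modified: datetime


def timestomp_indicators(rec: FileRecord,
                         tolerance: timedelta = timedelta(seconds=5)) -> list[str]:
    """Return the heuristics that fire for one MFT-style record."""
    reasons = []

    # 1. $SI creation earlier than $FN creation: the file claims to predate the
    #    kernel's own record of when its name was created. Ordinary creation,
    #    copy and rename keep the two within a few seconds of each other.
    #    Caveat: archive extractors and copy tools that preserve the original
    #    creation time also produce this, so corroborate with $UsnJrnl or
    #    $LogFile before calling it timestomping.
    if rec.si_created + tolerance < rec.fn_created:
        reasons.append("si_created precedes fn_created")

    # 2. Whole-second $SI values next to a full-precision $FN: NTFS stores
    #    100 ns ticks, so a kernel-written $FN almost always carries a
    #    sub-second component, while tools that set $SI from a hand-typed
    #    "YYYY-MM-DD HH:MM:SS" value leave it zero. Weak alone, strong with (1).
    if (rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
            and rec.fn_created.microsecond != 0):
        reasons.append("si timestamps lack sub-second precision, fn does not")

    return reasons


def scan(records) -> dict[str, list[str]]:
    """Map each flagged path to the heuristics that fired; clean files are omitted."""
    return {r.path: hits for r in records if (hits := timestomp_indicators(r))}


# Constructed sample records (illustrative paths; not from the report).
SAMPLE_RECORDS = [
    # Legitimate vendor binary: $SI and $FN agree.
    FileRecord(r"C:\Program Files\Vendor\app.exe",
               datetime(2021, 3, 4, 10, 15, 22, 123456, UTC),
               datetime(2021, 3, 4, 10, 15, 22, 123456, UTC),
               datetime(2021, 3, 4, 10, 15, 22, 123456, UTC),
               datetime(2021, 3, 4, 10, 15, 22, 123456, UTC)),
    # Side-loaded DLL whose $SI times were cloned from app.exe so it blends
    # into a directory listing; $FN still records the actual drop.
    FileRecord(r"C:\Program Files\Vendor\helper.dll",
               datetime(2021, 3, 4, 10, 15, 22, 123456, UTC),
               datetime(2021, 3, 4, 10, 15, 22, 123456, UTC),
               datetime(2024, 6, 18, 3, 22, 41, 982011, UTC),
               datetime(2024, 6, 18, 3, 22, 41, 982011, UTC)),
    # Dropped loader with $SI set to a hand-picked whole-second value.
    FileRecord(r"C:\Users\Public\Libraries\up.exe",
               datetime(2019, 12, 7, 9, 14, 52, 0, UTC),
               datetime(2019, 12, 7, 9, 14, 52, 0, UTC),
               datetime(2024, 6, 18, 3, 25, 3, 410077, UTC),
               datetime(2024, 6, 18, 3, 25, 3, 410077, UTC)),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(hits)}")
```

In practice the records come from an MFT parse (MFTECmd, analyzeMFT or similar) rather than from the live file system, since the $FN attribute is not exposed through normal file APIs.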

The VARGEIT backdoor exhibits advanced capabilities such as injecting malicious tools into legitimate processes like mspaint.exe to perform reconnaissance, data collection, and exfiltration without leaving file-based traces.
Communication between the malware and its command-and-control (C&C) servers is encrypted using multi-channel configurations, including HTTP, reverse TCP/UDP, and Outlook-based channels via Microsoft Graph API.
According to the report, this keeps C&C traffic encrypted while helping it evade detection by conventional security controls.
Initially detected in APAC countries like Thailand, the Philippines, Malaysia, and Taiwan during 2023, Earth Alux expanded its operations to Latin America in mid-2024, with Brazil being a notable target.
The group’s focus on high-value industries underscores its intent to extract sensitive information that could disrupt operations or lead to financial losses for its victims.
Advanced Techniques for Evasion and Persistence
Earth Alux demonstrates a commitment to refining its tools through rigorous testing.
The group employs detection-evasion techniques such as anti-API hooking in its MASQLOADER component and timestomping via RAILSETTER.
Additionally, they use open-source tools like ZeroEye for identifying legitimate executables susceptible to DLL side-loading and VirTest for testing payloads against security software detections.
The attackers also conduct reconnaissance from within injected mspaint.exe processes to map organizational structures and identify valuable targets within compromised environments.
Collected data is compressed into encrypted archives before being exfiltrated to attacker-controlled cloud storage buckets.
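The abuse of mspaint.exe described above (the injection host in the earlier section and the reconnaissance process here) is a good candidate for behavioural detection, because a paint program has no legitimate reason to open network connections, load modules from user-writable directories, or be started by anything other than an interactive shell. The following Python hunt over Sysmon-style events is an added example, not detection content from the report; the events are constructed and the rules are generic heuristics.

```python
"""Hunt over Sysmon-style telemetry for the mspaint.exe abuse and
scheduled-task persistence the report describes.

Added example, not the report's detection content: the events are constructed
and the rules are generic behavioural heuristics. Event IDs follow Sysmon:
1 = process create, 3 = network connection, 7 = image load.
"""

EXPECTED_MSPAINT_PARENTS = {"explorer.exe"}   # assumption: interactive launch only
WINDOWS_DIR = "c:\\windows\\"                 # modules loaded from here are treated as expected


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for every event that trips a heuristic."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = _basename(ev.get("Image", ""))

        if image == "mspaint.exe":
            if eid == 3:                       # network connection from a paint program
                findings.append(("mspaint_network",
                                 f"mspaint.exe -> {ev['DestinationIp']}:{ev['DestinationPort']}"))
            elif eid == 7:                     # unsigned module from outside C:\Windows
                loaded = ev.get("ImageLoaded", "")
                if (not loaded.lower().startswith(WINDOWS_DIR)
                        and ev.get("Signed", "").lower() != "true"):
                    findings.append(("mspaint_unsigned_module", loaded))
            elif eid == 1:                     # launched by something other than the shell
                parent = _basename(ev.get("ParentImage", ""))
                if parent not in EXPECTED_MSPAINT_PARENTS:
                    findings.append(("mspaint_odd_parent", f"parent={parent}"))

        elif image == "schtasks.exe" and eid == 1:
            cmd = ev.get("CommandLine", "")
            if "/create" in cmd.lower():       # scheduled-task persistence
                findings.append(("schtasks_create", cmd))
    return findings


# Constructed sample events (Sysmon field names, trimmed); not from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mspaint.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "mspaint.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mspaint.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "mspaint.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mspaint.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 7, "Image": r"C:\Windows\System32\mspaint.exe",
     "ImageLoaded": r"C:\Windows\System32\gdi32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\mspaint.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\helper.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr C:\Users\Public\up.exe /sc onlogon'},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

These rules catch the behaviour after injection has happened; to see the injection itself, pair them with Sysmon event 10 (process access) records where a non-system process opens mspaint.exe with write or thread-creation rights.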
Organizations are urged to adopt proactive cybersecurity measures to mitigate the risks posed by Earth Alux’s advanced tactics.
Recommendations include:
- Regularly patching systems to eliminate vulnerabilities exploited during initial access.
- Monitoring for unusual activities such as unexpected network traffic or reduced system performance.
- Implementing comprehensive threat detection solutions capable of identifying stealthy malware like VARGEIT.
As Earth Alux continues to evolve its techniques, vigilance remains critical for organizations operating in targeted sectors to safeguard their sensitive data and infrastructure from this persistent adversary.