From 8108d2b1fec4af863e42e34760b1441074e97542 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Tue, 24 Sep 2024 05:06:44 +0000
Subject: [PATCH 1/3] chg: [threat-actor] add earth baxia

---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5dfa613..76e932d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16688,6 +16688,20 @@
 },
 "uuid": "071d271a-313f-442d-9bf0-10e6eeba0a8e",
 "value": "HikkI-Chan"
+ },
+ {
+ "description": "Earth Baxia is a threat actor opearting ot of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver additional payloads, and utilizing a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.tgsoft.it/news/news_archivio.asp?id=1568",
+ "https://jp.security.ntt/tech_blog/appdomainmanager-injection",
+ "https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt"
+ ]
+ },
+ "uuid": "d0c2cd99-64d5-406f-abd7-16b9e27966a7",
+ "value": "Earth Baxia"
 }
 ],
 "version": 313

From 483f532613836e2adcdfd712c853abe3ab97daa4 Mon Sep 17 00:00:00 2001
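Review bot: `opearting` in the new `"description"` line is misspelled, and PATCH 2/3 in this series corrects only `ot` → `out`, so the final text still reads `opearting out of China`; it should be `operating out of China`. The trailing context line `"version": 313` is untouched, so the cluster file's version is not bumped alongside the new entry; if this repository's convention is to increment it whenever cluster content changes (PATCH 3/3 already moves the README element count to 737), that increment belongs in this hunk. The description is also a single sentence of well over 80 words; splitting it into two or three sentences (actor and targets, initial access, tooling) would read better without changing its content.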
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Tue, 24 Sep 2024 05:07:30 +0000
Subject: [PATCH 2/3] chg: [threat-actor] fix typo

---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 76e932d..69e020d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16690,7 +16690,7 @@
 "value": "HikkI-Chan"
 },
 {
- "description": "Earth Baxia is a threat actor opearting ot of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver additional payloads, and utilizing a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.",
+ "description": "Earth Baxia is a threat actor opearting out of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver additional payloads, and utilizing a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.",
 "meta": {
 "country": "CN",
 "refs": [

From 17c4d15eec0f833f0838568b15ffd58e81bfa4d2 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Tue, 24 Sep 2024 05:21:54 +0000
Subject: [PATCH 3/3] chg: [doc] README updated

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 3be9919..7e3dcb7 100644
--- a/README.md
+++ b/README.md
@@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *736* elements +Category: *actor* - source: *MISP Project* - total: *737* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]