Monday , July 13 2026
hacker

Trend Micro report
Earth Krahang hackers breach 70 orgs in 23 countries

The APT group ‘Earth Krahang’ has hacked 70 organizations and attacked at least 116 in 45 countries. Trend Micro researchers have been monitoring a campaign targeting government organizations since early 2022.

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

The group targeted 116 organizations in 35 countries and confirmed at least 70 compromises, including organizations linked to world governments. Victims also include education, telecommunications, finance, IT, and sports sectors. The highest number of victims are in Asia, but cases are also in the Americas, Europe, and Africa.

Earth Krahang‘s Intrusion Tactics:
The first step is to search the Internet for public servers that are connected to government organizations. To find weaknesses, the attacker can use various open source tools like sqlmap, nuclei, xray, vscan, pocsuite, and wordpressscan. The attacker focuses on two specific vulnerabilities: CVE-2023-32315, a command execution vulnerability in the real-time collaboration server Openfire with a CVSS rating of 7.5, and CVE-2022-21587, a critical command execution issue rated 9.8 in Oracle’s E-Business Suite’s Web Applications Desktop Integrator.
Figure 2. The Python script used by Earth Krahang to send spear-phishing emails to other governments via a stolen government account (redacted)
Once the group gains access to a public server, they use open source software to search for sensitive files, passwords (especially for email), and other valuable resources, such as neglected subdomains that could lead to more unattended servers. They also use brute force attacks, such as using a list of common passwords to break into Microsoft Exchange servers through Outlook on the Web.
“While it may seem like open source should be easy to detect,” says Jon Clay, vice president of threat intelligence at Trend Micro, “the reality is that there are many TTPs here that have to be found and detected. Also, the use of defense evasion tactics by this adversary can be utilized to ensure the victims are unable to defend.”

Earth Krahang’s Exploitation and Stealth Tactics:

By the end of all this (and much more), the attacker can perform two primary actions: drop backdoors on compromised servers, and hijack email accounts.

The attackers use real email accounts to trick victims into thinking they are safe. By using legitimate accounts and sending emails with convincing subject lines and malicious attachments, they can deceive people.

Figure 3. The Python script used by Earth Krahang to exfiltrate the victim’s mailbox

Whether via email or a vulnerability in a Web server, Earth Krahang’s various targets end up downloading one or multiple backdoors.

In its first attacks around 2022, the group used “RESHELL,” a basic custom .NET tool to gather information, drop files, and run system commands, with AES-encrypted command-and-control (C2) communication.
In 2023, the group started using “XDealer,” a new tool with advanced features like keylogging, taking screenshots, and stealing from the clipboard. XDealer works on both Windows and Linux and some of its loaders have real code-signing certificates, including certificates from a human resources company and a game development company that were likely stolen to make it harder to detect the malware. Trend Micro provided this information.

Earth Krahang has also made use of ancient threats like PlugX and ShadowPad, and it frequently deploys Cobalt Strike in combination with another open source tool (RedGuard) that prevents cybersecurity analysts from pinning down its C2 infrastructure.

Due to the straightforward nature of the threat actor, it is crucial to follow standard best practices for protection against these TTPs. Organizations should strengthen their email security against spear phishing, regularly update and patch systems to defend against known vulnerabilities, and implement network segmentation to restrict an attacker’s movement within their networks. Additionally, monitoring for abnormal network traffic and unusual access patterns can aid in early detection of such campaigns.

 

Check Also

CrowdStrike

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI …