TL;DR

The Earth Kurma APT group is actively targeting government and telecommunications organizations in Southeast Asia using sophisticated malware and evasion techniques. This campaign, which includes countries like the Philippines, Vietnam, Thailand, and Malaysia, focuses on data exfiltration and espionage. The group employs custom malware, rootkits, and cloud services to maintain prolonged access and steal sensitive information.

Earth Kurma APT: Advanced Cyber Threats Targeting Southeast Asia

Trend Research has uncovered a sophisticated campaign by the Earth Kurma APT group targeting government and telecommunications sectors in Southeast Asia. This advanced persistent threat (APT) group employs custom malware, rootkits, and cloud storage services for espionage, credential theft, and data exfiltration; its advanced evasion techniques make it a significant risk to organizations in the region.

Targeted Countries and Sectors

Earth Kurma has specifically targeted the following countries:

  • Philippines
  • Vietnam
  • Thailand
  • Malaysia

Organizations in these regions face potential compromise of sensitive government and telecommunications data. Researchers suspect that the attackers have maintained prolonged, undetected access to their networks.

“Since June 2024, we uncovered a sophisticated APT campaign targeting multiple countries in Southeast Asia, including the Philippines, Vietnam, and Malaysia. We have named the threat actors behind this campaign “Earth Kurma.” Our analysis revealed that they primarily focused on government sectors, showing particular interest in data exfiltration.” 1

Earth Kurma’s Tactics and Tools

Earth Kurma is believed to be a new APT group that has been active since 2020, focusing on data theft via cloud services like Dropbox. The group utilizes custom tools such as TESDAT, SIMPOBOXSPY, and rootkits like KRNRAT and MORIYA. Although there are overlaps with other known APT groups, attribution remains inconclusive.

Infection Chain and Malware

Infection Chain

Earth Kurma employs various tools for lateral movement, network scanning, and malware deployment:

  • NBTSCAN
  • Ladon
  • FRPC
  • WMIHACKER
  • ICMPinger
  • KMLOG (a custom keylogger saving logs as disguised ZIP files)

The group uses WMI and SMB commands to move laterally and maintain stealth across victim infrastructures.
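The KMLOG detail above (keystroke logs stored as disguised ZIP files) suggests one concrete, low-cost hunting check a defender can run on endpoints: look for files that carry a `.zip` name but whose bytes are not a parseable ZIP archive. The script below is an added example written for this post, not code from Trend Research or from the Security Affairs article. It assumes the disguise is a mismatch between the file name and its contents (a plaintext log, or a file with a forged `PK` signature but no valid central directory); the report does not specify KMLOG's exact on-disk format, so treat the verdict names and the sample files as constructed illustrations.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Local-file-header, end-of-central-directory and data-descriptor signatures.
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def classify_zip_candidate(path):
    """Return a short verdict for a file whose name claims it is a ZIP archive."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if not head.startswith(ZIP_SIGNATURES):
        # Plaintext or other non-ZIP content behind a .zip name.
        return "no-zip-signature"
    # A forged 4-byte header is cheap; a valid central directory is not.
    if not zipfile.is_zipfile(path):
        return "signature-but-unparseable"
    try:
        with zipfile.ZipFile(path) as zf:
            first_bad = zf.testzip()  # None when every member's CRC checks out
    except zipfile.BadZipFile:
        return "signature-but-unparseable"
    return "valid-zip" if first_bad is None else "corrupt-member"


def scan_for_disguised_zips(root, extensions=(".zip",)):
    """Walk `root` and report every .zip-named file that is not a valid archive."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in extensions:
            verdict = classify_zip_candidate(p)
            if verdict != "valid-zip":
                findings.append((str(p), verdict))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: one real archive, one plaintext log renamed to
    .zip, and one file with a forged PK header but no central directory."""
    root = Path(root)
    with zipfile.ZipFile(root / "real.zip", "w") as zf:
        zf.writestr("readme.txt", "benign archive member")
    (root / "keylog.zip").write_bytes(
        b"2025-04-28 10:01 [notepad.exe] hello world\n"  # constructed log line
    )
    (root / "fake_header.zip").write_bytes(b"PK\x03\x04" + b"keystrokes" * 8)
    return root


def demo():
    """Build the sample tree in a temp dir and return {basename: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.basename(p): v for p, v in scan_for_disguised_zips(tmp)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the module prints the two constructed decoys and their verdicts while the genuine archive stays silent. In a real hunt you would point `scan_for_disguised_zips` at user profile and temp directories and triage the hits; a valid archive that holds only a single small text member is worth a second look too, but that heuristic is deliberately left out here because the report does not describe KMLOG's archive layout.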

Persistence and Data Exfiltration

In the persistence stage, Earth Kurma deploys loaders like DUNLOADER, TESDAT, and DMLOADER to run payloads in memory and exfiltrate data via Dropbox and OneDrive. The attackers employ rootkits like KRNRAT and MORIYA to evade detection.

“As for attribution, we found overlaps between Earth Kurma’s tools and those of other known APT groups. The MORIYA rootkits in this campaign share the same code base as the ones used in Operation TunnelSnake, while SIMPOBOXSPY and the exfiltration script link closely to another APT group called ToddyCat.” 1

Between 2022 and 2024, Earth Kurma used loaders to deliver Cobalt Strike beacons and later deployed MORIYA and KRNRAT rootkits to maintain persistence and exfiltrate data stealthily via memory injections and disguised cloud communications. The attackers used a living-off-the-land binary called “syssetup.dll” to install the rootkits.

Ongoing Threat and Adaptability

Earth Kurma remains highly active, continuing to target countries around Southeast Asia. They have the capability to adapt to victim environments and maintain a stealthy presence. The group can reuse the same code base from previously identified campaigns to customize their toolsets, sometimes even utilizing the victim’s infrastructure to achieve their goals.

“Earth Kurma remains highly active, continuing to target countries around Southeast Asia. They have the capability to adapt to victim environments and maintain a stealthy presence.” 1

Conclusion

The Earth Kurma APT group poses a significant threat to government and telecommunications organizations in Southeast Asia. Their use of sophisticated malware, rootkits, and cloud services for data exfiltration highlights the need for robust cybersecurity measures to detect and mitigate such advanced threats. Organizations in the targeted sectors should remain vigilant and implement comprehensive security strategies to protect against these persistent and evolving cyber attacks.

Additional Resources

For further insights, check:

References

  1. Security Affairs (2025). “Earth Kurma APT is actively targeting government and telecommunications orgs in Southeast Asia”. Security Affairs. Retrieved 2025-04-28.

This post is licensed under CC BY 4.0 by the author.