How does a threat actor evade detection using Microsoft Paint and Outlook? 
A newly identified cyberespionage group known as Earth Alux has been actively targeting sectors like government, telecom, logistics, and IT across countries in the Asia-Pacific and Latin America since mid-2023. According to Trend Micro researchers, the group uses a layered and adaptive toolset designed for stealth and persistence.
The attack starts with the exploitation of vulnerable public-facing services to deploy Godzilla, a web shell that acts as the entry point. Once inside, Earth Alux typically deploys either VARGEIT or COBEACON backdoors. VARGEIT is notable for spawning within benign processes such as *mspaint.exe*, allowing it to execute reconnaissance and steal data while blending into normal activity.
COBEACON, based on Cobalt Strike Beacon, is usually deployed first and delivered by MASQLOADER—an obfuscated shellcode loader. Some versions of MASQLOADER employ anti-API hooking by directly patching NTDLL.dll, a core Windows system library, to bypass endpoint detection solutions.
VARGEIT stands out for its flexible command-and-control mechanisms. It can communicate through up to 10 different channels, including DNS, ICMP, and even Microsoft Outlook via the Graph API. Communication through Outlook drafts is structured using specific prefixes ("r_" for commands, "p_" for responses), allowing attackers to maintain control without raising immediate flags.
The group also utilizes DLL side-loading techniques through loaders like RAILLOAD, accompanied by a timestomping module called RAILSETTER that ensures persistence by altering timestamps and setting scheduled tasks. To find new binaries suitable for side-loading, Earth Alux reportedly runs detection tests using open-source tools like ZeroEye and VirTest, both widely used in Chinese-speaking security circles.
Researchers suggest that the group carefully tests each component for stealth and evasion, pointing to a longer-term campaign focused on espionage rather than quick monetization. The structure and testing of tools indicate professional development practices and a commitment to remaining undetected in targeted environments.
#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity
— 
P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 
Project link on #GitHub 
https://github.com/madhuakula/kubernetes-goat
Snel je scooterrijbewijs halen? Let op waar je boekt!
