Chinese hackers, identified as the advanced persistent threat (APT) group Earth Baxia, have exploited a critical vulnerability in OSGeo GeoServer (CVE-2024-36401) to launch cyber-espionage campaigns across the Asia-Pacific (APAC) region. The attacks, detected in July 2024 by Trend Micro, targeted government and energy sectors in Taiwan, the Philippines, South Korea, Vietnam, and Thailand. Using spear-phishing emails and decoy documents in Simplified Chinese, the group infiltrated key industries, underscoring the persistent threat from state-sponsored hackers in the region.
The multi-stage attack chain began with phishing emails containing malicious ZIP files. Once opened, these files initiated the download of next-stage malware, including Cobalt Strike and a previously undiscovered backdoor, codenamed EAGLEDOOR. The malware enables information gathering, data exfiltration, and the deployment of additional payloads. Earth Baxia also used advanced injection techniques, such as GrimResource and AppDomainManager, to evade detection and maintain persistence within the victim networks.
The campaign shares notable similarities with tactics used by APT41, another Chinese APT group, including the use of cloud-based command-and-control (C2) domains that mimic Amazon Web Services, Microsoft Azure, and Trend Micro. The attackers leveraged these legitimate-looking domains to hide their malicious activities, making detection more difficult. Researchers noted that the overlap in infrastructure between Earth Baxia and APT41 suggests potential collaboration or shared resources.
The EAGLEDOOR malware supports multiple communication methods, including DNS, HTTP, TCP, and Telegram, with its core functionality relying on the Telegram Bot API for file upload, download, and payload execution. By exploiting widely used cloud services and employing sophisticated techniques, Earth Baxia’s operations highlight the increasing complexity of cyber threats in the APAC region, targeting critical industries and sensitive government data.
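The two traffic patterns the article attributes to this campaign, C2 domains that imitate Amazon Web Services, Microsoft Azure and Trend Micro, and a backdoor that talks to the Telegram Bot API, are both visible in ordinary web-proxy logs. The script below is an added defender-side example, not code from the article or from Trend Micro's report: it parses a constructed proxy-log format (`timestamp source-ip method url`), flags hostnames that contain a cloud-vendor brand string but are not under that vendor's real domains, and flags calls to `api.telegram.org/bot<token>/<method>`. Every sample log line, hostname and token in it is constructed for illustration; none is an indicator from the campaign.

```python
"""Flag proxy-log entries matching two C2 patterns described in the article:
hostnames that impersonate AWS / Azure / Microsoft / Trend Micro without being
under those vendors' real domains, and calls to the Telegram Bot API.
The log format and every sample line below are constructed for this example."""

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Real parent domains of the impersonated brands (allowlist; extend for your environment).
LEGIT_SUFFIXES = (
    "amazonaws.com", "aws.amazon.com", "amazon.com",
    "azure.com", "azure.net", "windows.net", "azurewebsites.net",
    "microsoft.com", "microsoftonline.com",
    "trendmicro.com",
)
# Brand strings; a hostname label containing one of these outside the allowlist is suspicious.
BRAND_TOKENS = ("amazonaws", "azure", "microsoft", "trendmicro")

# Telegram Bot API requests have the path form /bot<token>/<method>
TELEGRAM_BOT_RE = re.compile(r"^/bot[^/]+/([A-Za-z]+)")

# Constructed log format: "<timestamp> <source-ip> <http-method> <url>"
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<verb>[A-Z]+)\s+(?P<url>\S+)$")


@dataclass
class Finding:
    src: str
    host: str
    reason: str


def under_legit_suffix(host: str) -> bool:
    """True if host is one of the vendor domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def lookalike_brand(host: str) -> Optional[str]:
    """Return the brand token a hostname mimics, or None if it is genuine or unrelated."""
    if under_legit_suffix(host):
        return None
    for label in host.lower().split("."):
        for token in BRAND_TOKENS:
            if token in label:
                return token
    return None


def telegram_bot_method(url: str) -> Optional[str]:
    """Return the Bot API method name if url is a Telegram Bot API call, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_BOT_RE.match(parts.path)
    return m.group(1) if m else None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run both checks over log lines; malformed lines are skipped, not fatal."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        host = urlsplit(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            findings.append(Finding(m.group("src"), host, f"lookalike of {brand} outside vendor domains"))
        method = telegram_bot_method(url)
        if method:
            findings.append(Finding(m.group("src"), host, f"Telegram Bot API call: {method}"))
    return findings


# Constructed sample log; the hosts and token are placeholders, not real indicators.
SAMPLE_LOG = [
    "2024-07-10T08:12:03Z 10.20.1.15 GET https://s3.amazonaws.com/legit-bucket/file.bin",
    "2024-07-10T08:12:09Z 10.20.1.15 POST https://amazonaws-update.cloud-cdn-example.com/api/v1/beacon",
    "2024-07-10T08:13:44Z 10.20.1.22 GET https://api.telegram.org/botEXAMPLE_TOKEN/getUpdates",
    "2024-07-10T08:14:01Z 10.20.1.22 POST https://trendmicro-support.example.net/upload",
    "2024-07-10T08:14:30Z 10.20.1.30 GET https://login.microsoftonline.com/common/oauth2/token",
    "2024-07-10T08:15:02Z 10.20.1.30 GET https://azure-portal-login.example.org/dl",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src:<12} {f.host:<42} {f.reason}")
```

The brand check is deliberately an allowlist rather than a blocklist: a hostname is only suspicious when it carries a vendor name outside that vendor's real domains, so genuine AWS, Azure and Trend Micro traffic passes. The Telegram check will also fire on legitimate internal bots, so in practice it is scoped to hosts (servers, GeoServer instances) that have no business reason to reach the Bot API, and alerts are enriched with the source host's role before triage.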