A China-linked advanced persistent threat (APT) group, known as Earth Estries, has been identified as the operator behind a widespread cyber espionage campaign using a previously undocumented backdoor named GHOSTSPIDER. This malware has primarily targeted telecommunications companies across Southeast Asia, although the campaign has extended to over 20 organizations, spanning various sectors such as telecommunications, government agencies, non-profits, and technology. The group’s aggressive tactics have led to the compromise of entities in countries like Afghanistan, Brazil, India, Indonesia, and the United States, with an emphasis on long-term infiltration and surveillance.
The GHOSTSPIDER malware is just one tool in a broad arsenal used by Earth Estries, which also deploys other backdoors like MASOL RAT, Deed RAT, and the Demodex rootkit. These tools are used to facilitate access to critical networks by exploiting known vulnerabilities, including flaws in Ivanti Connect Secure, Microsoft Exchange Server, and Sophos Firewalls. The group has shown a pattern of targeting vulnerabilities in high-value systems, often leveraging N-day flaws to gain access before deploying their custom malware to further entrench their presence within compromised networks.
Once inside a network, GHOSTSPIDER communicates with attacker-controlled infrastructure using custom protocols secured by Transport Layer Security (TLS), making it difficult to detect. This stealthy malware fetches additional modules as needed, allowing Earth Estries to scale its espionage capabilities and maintain persistent access to the compromised systems. The attack flow typically begins with edge device compromises and extends into cloud environments, highlighting the group’s highly sophisticated and multi-layered approach to espionage, designed to evade traditional cybersecurity defenses.
The attacks from Earth Estries signal a significant evolution in China’s cyber espionage operations, with a shift from isolated intrusions to long-term data collection campaigns targeting Managed Service Providers (MSPs), Internet Service Providers (ISPs), and platform providers. This change represents a maturation of China’s cyber capabilities, which now focus on strategic, bulk data collection rather than one-off attacks. The ongoing nature of these attacks underscores the need for heightened vigilance and more robust security measures, particularly within critical infrastructure sectors vulnerable to APT groups.
