G1006: Earth Lusca
Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.[1]
Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster, however security researchers assess Earth Lusca's techniques and infrastructure are separate.[1]
Analyst context for executives and security teams
Earth Lusca matters because MITRE describes it as a suspected China-based espionage group with broad geographic and sector targeting, including government, media, education, telecommunications, cryptocurrency trading platforms, and COVID-19 research organizations. For leaders, the practical value is not the name itself but whether the organization can recognize the behaviors linked to the group: credential theft, Windows administrative utility abuse, discovery of systems and services, scheduled task persistence/execution, scripting, and use of dual-use or shared tooling such as Cobalt Strike, Mimikatz, PowerSploit, ShadowPad, and Winnti for Linux.
Executive priority
Prioritize this as a resilience and readiness issue for environments with Windows identity infrastructure, sensitive research or regulated data, telecommunications exposure, cryptocurrency operations, or operations in the countries and sectors listed by MITRE. Executives should ask whether SOC and incident response teams can prove visibility into credential-access behaviors such as LSASS access and DCSync, whether administrative tools are baselined well enough to separate normal operations from abuse, and whether audit evidence exists for identity hardening, endpoint logging, and incident containment decision-making.
Technical view
ATT&CK provides no official detection text for Earth Lusca, so defensive validation should be built from the related software and techniques. Focus on Windows identity and endpoint behaviors: Mimikatz and LSASS memory access, DCSync-like domain replication abuse, PowerShell and Visual Basic execution, WMI execution, scheduled task creation, process/service/user/network discovery, and use of native tools such as tasklist, certutil, and nltest. Where the relationships supply them, also account for cross-platform and infrastructure behaviors: Linux-related tooling such as Winnti for Linux, and discovery techniques whose platform scope includes Linux, macOS, ESXi, network devices, and IaaS.
Likely telemetry
- Endpoint process creation and command-line telemetry for PowerShell, WMI, Visual Basic-related execution, certutil, tasklist, nltest, and scheduled task utilities
- Windows security events and identity telemetry relevant to LSASS access, privileged logons, domain controller activity, and directory replication-style behavior
- EDR or host telemetry for credential dumping tools, post-exploitation frameworks, suspicious module loads, memory access, and abnormal parent-child process chains
- Scheduled task creation, modification, and execution logs
- Service, process, user, network configuration, and network connection discovery logs from endpoints and servers
Detection direction
- Do not rely on group-name matching; validate detections against the related behaviors and tools supplied by ATT&CK.
- Baseline legitimate administrative use of tasklist, certutil, nltest, WMI, PowerShell, and scheduled tasks so detections can distinguish routine administration from unusual execution context, timing, destination, or privilege level.
- Prioritize high-fidelity detection around credential access: LSASS memory access, known credential dumping behavior, and DCSync-like activity from non-domain-controller or unexpected privileged principals.
- Correlate discovery behaviors: process, service, user, network configuration, network connection, and remote system discovery occurring in clusters after suspicious execution should raise priority.
- Tune for shared tooling carefully. Cobalt Strike, Mimikatz, PowerSploit, ShadowPad, and Winnti-related detections can overlap with testing, red-team activity, or other threat groups; require change tickets, approved testing windows, or asset context to reduce false positives.
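As an added example that is not part of the MITRE object or the Glexia analysis, the following Python script applies the baseline-and-correlate approach above to constructed process-creation events. It tags certutil decoding, mshta launched from an Office parent, scheduled task creation, and the discovery utilities named on this page (tasklist, nltest, netstat); skips activity that matches an approved administrative host/account baseline; and escalates a host when three or more discovery commands follow a suspicious execution within ten minutes. Hostnames, user names, the baseline set, weights and thresholds are all assumptions, and LSASS-access and directory-replication telemetry is deliberately outside this block.

```python
"""Correlate Earth Lusca-style endpoint behaviours from process-creation telemetry.

Added example (not from MITRE or Glexia): scores constructed process events,
exempts baselined administrative activity, and raises priority when discovery
commands cluster on a host shortly after a suspicious execution.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a Sysmon/EDR-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-17", "user": "CORP\\jdoe", "parent": "winword.exe",
     "image": "mshta.exe", "cmd": "mshta.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.hta"},
    {"ts": "2024-05-01T09:00:20", "host": "ws-17", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "certutil.exe", "cmd": "certutil -decode C:\\Users\\jdoe\\a.txt C:\\Users\\jdoe\\a.cab"},
    {"ts": "2024-05-01T09:01:10", "host": "ws-17", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "tasklist.exe", "cmd": "tasklist /svc"},
    {"ts": "2024-05-01T09:01:30", "host": "ws-17", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "nltest.exe", "cmd": "nltest /dclist:corp"},
    {"ts": "2024-05-01T09:01:45", "host": "ws-17", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": "netstat.exe", "cmd": "netstat -ano"},
    # Routine administration: same tools, but from a baselined admin host and account.
    {"ts": "2024-05-01T10:00:00", "host": "adm-01", "user": "CORP\\svc-inventory", "parent": "cmd.exe",
     "image": "tasklist.exe", "cmd": "tasklist /svc"},
    {"ts": "2024-05-01T10:00:05", "host": "adm-01", "user": "CORP\\svc-inventory", "parent": "cmd.exe",
     "image": "nltest.exe", "cmd": "nltest /dclist:corp"},
]

# Approved administrative context (hypothetical host/account pairs from change records).
BASELINE = {("adm-01", "CORP\\svc-inventory")}

# Discovery utilities named on this page (T1057/T1007, T1482, T1049).
DISCOVERY = {"tasklist.exe", "nltest.exe", "netstat.exe"}


def classify(event):
    """Return (tag, weight) findings for one process-creation event."""
    image = event["image"].lower()
    cmd = event["cmd"].lower()
    parent = event["parent"].lower()
    findings = []
    if image == "certutil.exe" and "-decode" in cmd:
        findings.append(("certutil_decode", 3))          # T1140
    if image == "mshta.exe" and parent in {"winword.exe", "excel.exe", "explorer.exe"}:
        findings.append(("mshta_from_office_or_explorer", 3))  # T1218.005 via a .LNK/document
    if image == "schtasks.exe" and "/create" in cmd:
        findings.append(("scheduled_task_create", 2))    # T1053.005
    if image in DISCOVERY:
        findings.append(("discovery", 1))
    return findings


def correlate(events, window=timedelta(minutes=10), min_discovery=3):
    """Group findings per host and escalate when discovery clusters follow a trigger."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if (e["host"], e["user"]) in BASELINE:
            continue  # approved administrative context: suppressed, not scored
        for tag, weight in classify(e):
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), tag, weight))

    alerts = {}
    for host, items in by_host.items():
        score = sum(w for _, _, w in items)
        triggers = [t for t, tag, _ in items if tag != "discovery"]
        discovery_ts = [t for t, tag, _ in items if tag == "discovery"]
        # A cluster is min_discovery discovery commands within `window` after any trigger.
        clustered = any(
            sum(1 for d in discovery_ts if t <= d <= t + window) >= min_discovery
            for t in triggers
        )
        alerts[host] = {
            "score": score,
            "tags": sorted({tag for _, tag, _ in items}),
            "priority": "high" if clustered else "low",
        }
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert)
```

On the constructed input only `ws-17` is reported: the baselined inventory account on `adm-01` runs the same discovery commands but is suppressed, which is the distinction the detection direction above asks for. In production the baseline would be keyed on asset context and change windows rather than a static set.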
Mitigation priorities
- Harden identity first: restrict and monitor privileged accounts, domain replication permissions, and administrative access to systems that can expose credentials.
- Reduce credential exposure on Windows endpoints and domain controllers through least privilege, administrative tiering, and protection of sensitive authentication material.
- Constrain and monitor powerful scripting and administration paths such as PowerShell, WMI, scheduled tasks, and certificate utilities without breaking approved operations.
- Improve endpoint and server logging before relying on analytics: process command lines, script activity, scheduled tasks, service changes, and identity events should be retained and searchable.
- Maintain tested incident response playbooks for credential theft scenarios, including domain controller review, privileged account reset decisions, and containment of systems showing discovery plus credential-access behavior.
Analyst notes and limits
MITRE describes Earth Lusca as suspected China-based and notes overlap in malware commonly used by other Chinese threat groups while also citing researcher assessment that Earth Lusca techniques and infrastructure are separate. This makes attribution-sensitive handling important: use the group context to prioritize hypotheses, but base SOC escalation on observed behavior, affected assets, and confidence in telemetry.
The supplied ATT&CK object has no official detection text, no group-level tactics, and no group-level platforms. The practical guidance here is derived from the official description, aliases, external references, and listed relationships to software and techniques. Local asset exposure, logging quality, approved administrative activity, and incident evidence are required before concluding Earth Lusca-related activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1583.006 | Web Services Sub-technique | Earth Lusca has established GitHub accounts to host their malware.[1] |
| Enterprise | T1027.003 | Steganography Sub-technique | Earth Lusca has used steganography to hide shellcode in a BMP image file.[1] |
| Enterprise | T1608.001 | Upload Malware Sub-technique | Earth Lusca has staged malware and malicious files on compromised web servers, GitHub, and Google Drive.[1] |
| Enterprise | T1098.004 | SSH Authorized Keys Sub-technique | Earth Lusca has dropped an SSH-authorized key in the `/root/.ssh` folder in order to access a compromised server with SSH.[1] |
| Enterprise | T1003.006 | DCSync Sub-technique | Earth Lusca has used a |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Earth Lusca used VBA scripts.[1] |
| Enterprise | T1189 | Drive-by Compromise | Earth Lusca has performed watering hole attacks.[1] |
| Enterprise | T1018 | Remote System Discovery | Earth Lusca used the command |
| Enterprise | T1584.006 | Web Services Sub-technique | Earth Lusca has compromised Google Drive repositories.[1] |
| Enterprise | T1059.007 | JavaScript Sub-technique | Earth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations.[1] |
| Enterprise | T1210 | Exploitation of Remote Services | Earth Lusca has used Mimikatz to exploit a domain controller via the ZeroLogon exploit (CVE-2020-1472).[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Earth Lusca used the command `move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll` to move and register a malicious DLL name as a Windows print processor, which eventually was loaded by the Print Spooler service.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Earth Lusca has used certutil to decode a string into a cabinet file.[1] |
| Enterprise | T1583.001 | Domains Sub-technique | Earth Lusca has registered domains, intended to look like legitimate target domains, that have been used in watering hole attacks.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Earth Lusca collected information on user accounts via the |
| Enterprise | T1547.012 | Print Processors Sub-technique | Earth Lusca has added the Registry key `HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint" /v Driver /d "spool.dll /f` to load malware as a Print Processor.[1] |
| Enterprise | T1059.001 | PowerShell Sub-technique | Earth Lusca has used PowerShell to execute commands.[1] |
| Enterprise | T1059.006 | Python Sub-technique | Earth Lusca used Python scripts for port scanning or building reverse shells.[1] |
| Enterprise | T1057 | Process Discovery | Earth Lusca has used Tasklist to obtain information from a compromised host.[1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Earth Lusca used the command |
| Enterprise | T1574.001 | DLL Sub-technique | Earth Lusca has placed a malicious payload in `%WINDIR%\SYSTEM32\oci.dll` so it would be sideloaded by the MSDTC service.[1] |
| Enterprise | T1112 | Modify Registry | Earth Lusca modified the registry using the command |
| Enterprise | T1047 | Windows Management Instrumentation | Earth Lusca used a VBA script to execute WMI.[1] |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Earth Lusca has used ProcDump to obtain the hashes of credentials by dumping the memory of the LSASS process.[1] |
| Enterprise | T1218.005 | Mshta Sub-technique | Earth Lusca has used `mshta.exe` to load an HTA script within a malicious .LNK file.[1] |
| Enterprise | T1482 | Domain Trust Discovery | Earth Lusca has used Nltest to obtain information about domain controllers.[1] |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA.[1] |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | Earth Lusca has used the Fodhelper UAC bypass technique to gain elevated privileges.[1] |
| Enterprise | T1588.002 | Tool Sub-technique | Earth Lusca has acquired and used a variety of open source tools.[1] |
| Enterprise | T1007 | System Service Discovery | Earth Lusca has used Tasklist to obtain information from a compromised host.[1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Earth Lusca required users to click on a malicious file for the loader to activate.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | Earth Lusca has compromised victims by directly exploiting vulnerabilities of public-facing servers, including those associated with Microsoft Exchange and Oracle GlassFish.[1] |
| Enterprise | T1090 | Proxy | Earth Lusca adopted Cloudflare as a proxy for compromised servers.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Earth Lusca used Base64 to encode strings.[1] |
| Enterprise | T1543.003 | Windows Service Sub-technique | Earth Lusca created a service using the command |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Earth Lusca has sent spearphishing emails to potential targets that contained a malicious link.[1] |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | Earth Lusca has used WinRAR to compress stolen files into an archive prior to exfiltration.[1] |
| Enterprise | T1583.004 | Server Sub-technique | Earth Lusca has acquired multiple servers for some of their operations, using each server for a different role.[1] |
| Enterprise | T1049 | System Network Connections Discovery | Earth Lusca employed a PowerShell script called RDPConnectionParser to read and filter the Windows event log "Microsoft-Windows-TerminalServices-RDPClient/Operational" (Event ID 1024) to obtain network information from RDP connections. Earth Lusca has also used netstat from a compromised system to obtain network connection information.[1] |
| Enterprise | T1595.002 | Vulnerability Scanning Sub-technique | Earth Lusca has scanned for vulnerabilities in the public-facing servers of their targets.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Earth Lusca used the command |
| Enterprise | T1588.001 | Malware Sub-technique | Earth Lusca has acquired and used a variety of malware, including Cobalt Strike.[1] |
| Enterprise | T1584.004 | Server Sub-technique | Earth Lusca has used compromised web servers as part of their operational infrastructure.[1] |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader.[1] |
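Several rows above name concrete persistence artifacts: the Print Processors registry key and `spool.dll` under `prtprocs\x64` (T1547.012, T1036.005), `oci.dll` in `System32` for MSDTC sideloading (T1574.001), and a key dropped under `/root/.ssh` (T1098.004). As an added example that is not part of the MITRE object or the Glexia analysis, the Python below matches constructed Sysmon-style registry-set and file-create events against those locations and lowers severity when the writer is the process expected to touch that location, so a print driver installation does not page at the same level as an unknown process. Hostnames, process images, and the expected-writer sets are assumptions.

```python
"""Flag persistence artifacts matching procedures in the Earth Lusca technique table.

Added example (not from MITRE or Glexia): matches constructed registry-set
(Sysmon Event 13) and file-create (Sysmon Event 11) events against the Print
Processor, MSDTC DLL sideload and SSH authorized_keys locations named on the page.
"""
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "registry_set", "host": "srv-02", "image": "reg.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint\Driver",
     "details": "spool.dll"},
    {"kind": "file_create", "host": "srv-02", "image": "cmd.exe",
     "target": r"C:\Windows\System32\spool\prtprocs\x64\spool.dll"},
    {"kind": "file_create", "host": "srv-03", "image": "powershell.exe",
     "target": r"C:\Windows\System32\oci.dll"},
    {"kind": "file_create", "host": "web-01", "image": "bash",
     "target": "/root/.ssh/authorized_keys"},
    # Plausibly legitimate: the spooler itself registering a stock print processor.
    {"kind": "registry_set", "host": "print-01", "image": "spoolsv.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver",
     "details": "winprint.dll"},
    # Unrelated noise that must not match.
    {"kind": "file_create", "host": "ws-09", "image": "msiexec.exe",
     "target": r"C:\Program Files\Vendor\oci.dll"},
]

# (label, event kind, pattern on the target path, images treated as expected writers).
# Expected-writer sets are assumptions for illustration; tune them to the estate.
RULES = [
    ("T1547.012 Print Processors registry", "registry_set",
     re.compile(r"\\control\\print\\environments\\[^\\]+\\print processors\\[^\\]+\\driver$", re.I),
     {"spoolsv.exe"}),
    ("T1036.005/T1547.012 DLL dropped in prtprocs", "file_create",
     re.compile(r"\\spool\\prtprocs\\x64\\[^\\]+\.dll$", re.I),
     {"spoolsv.exe"}),
    ("T1574.001 oci.dll in System32 (MSDTC sideload)", "file_create",
     re.compile(r"\\windows\\system32\\oci\.dll$", re.I),
     set()),
    ("T1098.004 root authorized_keys written", "file_create",
     re.compile(r"^/root/\.ssh/authorized_keys$"),
     set()),
]


def match_events(events):
    """Return one finding per (event, rule) match; expected writers are reported as low severity."""
    findings = []
    for event in events:
        for label, kind, pattern, expected_writers in RULES:
            if event["kind"] != kind or not pattern.search(event["target"]):
                continue
            severity = "low" if event["image"].lower() in expected_writers else "high"
            findings.append({
                "host": event["host"],
                "technique": label,
                "severity": severity,
                "image": event["image"],
                "target": event["target"],
            })
    return findings


def hosts_by_severity(findings, severity="high"):
    """Distinct hosts carrying at least one finding of the given severity."""
    return sorted({f["host"] for f in findings if f["severity"] == severity})


if __name__ == "__main__":
    for finding in match_events(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["host"], finding["technique"], finding["target"])
```

The two `srv-02` findings (registry value plus the DLL drop) are the pair the table describes for the print-processor procedure, and a host reporting both in close succession is a stronger signal than either alone; the `print-01` write by `spoolsv.exe` surfaces at low severity for review rather than being discarded, because the expected-writer list is an assumption, not proof of legitimacy.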
Groups, software, and campaigns
S0002: Mimikatz
S0194: PowerSploit
PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1] [2] [3]
S0057: Tasklist
S0160: certutil
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0430: Winnti for Linux
Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.[1]
S0359: Nltest
S0590: NBTscan
S0596: ShadowPad
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 7e211d515960… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] TrendMicro EarthLusca 2022. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca's Operations. Retrieved July 1, 2022.
[2] CHROMIUM. (Citation: Microsoft Threat Actor Naming July 2023) (Citation: Recorded Future RedHotel August 2023)
[3] Charcoal Typhoon. (Citation: Microsoft Threat Actor Naming July 2023)
[4] ControlX. (Citation: Microsoft Threat Actor Naming July 2023)
[5] Microsoft Threat Actor Naming July 2023. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[6] Recorded Future RedHotel August 2023. Insikt Group. (2023, August 8). RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale. Retrieved March 11, 2024.
[7] Recorded Future TAG-22 July 2021. Insikt Group. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 16, 2024.
[8] TAG-22. (Citation: Recorded Future TAG-22 July 2021)
[9] mitre-attack G1006.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.