Live Training | What's New in Lumu Defender

Register Now

Already have an account? Sign in

Sign in

Main Menu

Group

G1006

Earth Lusca

Aliases

TAG-22, Charcoal Typhoon

Type

State-sponsored cyberespionage group. Also for financial gain.

Target

Cryptocurrency, Government, Human Rights Organizations, Media

Malware

Cobalt Strike, WinDealer, Custom loaders

Country

China China

IoCs on Maltiverse

Maltiverse provides updated IoCs for easy SIEM/SOAR/Firewall/EDR integration.

Search for Earth Lusca

Who is Earth Lusca?

Earth Lusca is a skilled threat actor, linked to China. Active since at least 2020, the group has two main goals: cyberespionage for the Chinese state and financial gain. Their financially motivated attacks often target gambling and cryptocurrency companies.

Their targets are global and diverse. They include government agencies, schools, pro-democracy groups in Hong Kong, and COVID-19 researchers. This wide range of targets suggests the group is well-funded and has multiple missions.

Common Tactics and Tools

Earth Lusca uses common social engineering to break into networks. They have two primary methods:

  1. Spear-phishing: Sending targeted emails with malicious links or attachments.
  2. Watering hole attacks: Hacking websites their targets often visit or creating fake copies. They then inject malicious code to infect visitors.

Once inside a network, the group uses many tools. They heavily favor the Cobalt Strike post-exploitation framework.

  • Cobalt Strike: A powerful penetration testing tool. Earth Lusca abuses it for command and control, network movement, and data theft.
  • WinDealer: A custom backdoor. The group uses it in espionage campaigns to maintain access and steal data from high-value targets.
  • Custom loaders: The group uses its own loaders to deploy tools like Cobalt Strike. They often use techniques like XOR encryption to hide their code from security software.

How to Defend Against Earth Lusca

The group is skilled, but they use common attack methods. This means strong security basics are the best defense.

  • Scrutinize emails and links: Train users to spot and report suspicious emails. Always verify links before clicking.
  • Patch public-facing applications: Regularly patch all internet-facing systems, like web servers and VPNs. This closes security gaps and prevents website compromises.
  • Implement web filtering: Use security tools to block malicious websites and detect harmful code injections.
  • Utilize Endpoint Detection and Response (EDR): Deploy an EDR tool to detect and respond to post-exploitation tools like Cobalt Strike.
  • Adopt an Assume Breach mindset: Attackers are becoming adept at bypassing endpoint security. Strong network security is vital. Use Network Detection and Response (NDR), like Lumu, to monitor traffic and detect intruders as they move through your network.

Related Resources

View all threat actors

Join our pre-day 
workshop waitlist

By clicking “Submit Request” you agree to the Lumu Terms of Service and Privacy Policy.