Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan
Summary:
In March 2025, Earth Kasha, an advanced persistent threat (APT) group linked to China and considered part of the broader APT10 umbrella, launched a spear-phishing campaign targeting government agencies and public institutions in Taiwan and Japan. This operation appears to be part of an ongoing cyberespionage effort, building upon previous campaigns observed in 2024. The threat actors used lures such as job application resumes and government cooperation reports to trick recipients into opening phishing emails containing OneDrive links. These links downloaded ZIP archives with macro-enabled Excel documents (dubbed ROAMINGMOUSE), signaling a shift from Earth Kasha's 2024 use of Word documents. The malicious macros were triggered through user clicks instead of mouse movements, further refining the group's social engineering methods.
Once activated, ROAMINGMOUSE decoded a base64-encoded ZIP file and dropped multiple components on the victim's machine, including a legitimate application signed by JustSystems Inc., a malicious loader, and an encrypted payload containing the ANEL backdoor. These files were placed in obfuscated directories. The dropper then used Windows Management Instrumentation (WMI) to launch the legitimate application, abusing DLL sideloading to execute the malicious DLL loader and decrypt the ANEL payload in memory using AES-256-CBC and LZO. A fallback method was observed when McAfee software was present: ROAMINGMOUSE instead created a batch file in the Startup folder to execute the payload.
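The infection chain above leaves three host-level observables that an EDR or Sysmon pipeline can key on: a WMI provider host spawning a binary from a user-writable directory, a signed process loading an unsigned DLL from its own user-writable directory (the sideloading pattern), and an Office process writing a .bat file into a Startup folder (the McAfee fallback). The following Python example is added here and is not code from the advisory or from Trend Micro; it runs those three rules over constructed Sysmon-style events. The user name, the directory "0x3f9a" and the file names legit_app.exe and support.dll are placeholders, since the page does not name the signed JustSystems application or the loader DLL.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (not real telemetry). Field names follow the Sysmon
# schema for Event ID 1 (ProcessCreate), 7 (ImageLoad) and 11 (FileCreate); the
# directory "0x3f9a", "legit_app.exe" and "support.dll" are placeholder names.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1",
     "Image": r"C:\Users\alice\AppData\Roaming\0x3f9a\legit_app.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": "7",
     "Image": r"C:\Users\alice\AppData\Roaming\0x3f9a\legit_app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\0x3f9a\support.dll",
     "Signed": "false"},
    {"EventID": "11",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.bat"},
    # Benign noise: Word loading a signed DLL from its own install directory.
    {"EventID": "7",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll",
     "Signed": "true"},
    # Benign noise: a service host started by the service control manager.
    {"EventID": "1",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Directories an unprivileged user can write to; a signed binary executing from
# here next to a sidecar DLL is the sideloading pattern the dropper relies on.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every event that matches one of the rules."""
    findings: List[Tuple[str, int]] = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == "1":
            # Rule 1: WmiPrvSE.exe spawning a binary that lives in a user-writable path.
            if basename(ev.get("ParentImage", "")) == "wmiprvse.exe" and USER_WRITABLE.search(image):
                findings.append(("wmi_launch_from_user_writable_dir", i))
        elif eid == "7":
            # Rule 2: unsigned DLL loaded from the same user-writable directory as the process image.
            loaded = ev.get("ImageLoaded", "")
            if (ev.get("Signed", "").lower() == "false"
                    and dirname(loaded) == dirname(image)
                    and USER_WRITABLE.search(image)):
                findings.append(("possible_dll_sideload", i))
        elif eid == "11":
            # Rule 3: an Office process writing a .bat into a Startup folder (the McAfee fallback).
            target = ev.get("TargetFilename", "")
            if (basename(image) in OFFICE_APPS
                    and STARTUP_DIR.search(target)
                    and target.lower().endswith(".bat")):
                findings.append(("office_wrote_startup_batch", i))
    return findings


if __name__ == "__main__":
    for rule, idx in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: event {idx} -> {SAMPLE_EVENTS[idx].get('Image')}")
```

Rule 2 is deliberately independent of the signer's name: the page only tells us the application is signed by JustSystems Inc., and sideloading works the same way with any signed host binary, so matching on "signed process, unsigned DLL, same user-writable directory" generalizes beyond this campaign. Expect some noise from legitimately self-updating software that installs into AppData; triage by signer and by whether the parent was WmiPrvSE.exe rather than Explorer or an installer.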
The ANEL backdoor has been seen in previous Earth Kasha campaigns, but the 2025 variant introduces a new command that enables the execution of Beacon Object Files (BOFs) in memory, an evolution that suggests the adoption of more modular and evasive post-exploitation techniques. ANEL still uses its traditional combination of ChaCha20, XOR, and LZO for C2 communications, but now encrypts its internal version number for additional obfuscation.
Analyst comments:
NOOPDOOR, exclusive to Earth Kasha since at least 2021, was updated in this campaign to use DNS over HTTPS (DoH) for domain name resolution, masking suspicious network traffic. It used embedded DoH-compatible DNS servers (such as Google and Cloudflare) and domain generation algorithms (DGA) to construct C2 domains based on the system’s date and time. This method allowed the malware to perform IP lookups in encrypted HTTPS packets, making detection more difficult. Finally, Earth Kasha removed traces of the infection by deleting the dropped directories containing ROAMINGMOUSE and ANEL components.
Suggested Corrections:
Enterprises and organizations, especially those with high-value assets such as sensitive data relating to governance, intellectual property, infrastructure data, and access credentials, should continue to be vigilant and implement proactive security measures to prevent falling victim to cyberattacks. We recommend the following measures so enterprises can help secure against the TTPs discussed in the linked blog:
- Educate users on the risks of selecting and opening external or unrecognized OneDrive links and implement a zero-trust policy when interacting with such links and files on unrecognized emails.
- Monitor potential abuse of DNS over HTTPS.
- Disable macros downloaded from the internet.
- Maximize endpoint detection and response (EDR) tools to detect suspicious activity.
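The analyst comments above note that NOOPDOOR resolves its DGA-generated C2 domains through Google and Cloudflare DoH endpoints, and the list recommends monitoring for DoH abuse. Because the query names travel inside TLS, the practical observable is not the domain but the connection itself: which process talks to a public resolver on 443. The Python example below is added here and is not code from the advisory or from Trend Micro; it runs two checks over constructed Sysmon Event ID 3 (NetworkConnect) records: DoH resolver connections from any process outside a browser allowlist, and bursts of such connections from one process inside a short window, which is what a date-and-time-seeded DGA produces when it walks candidate domains. The resolver IPs are the public anycast addresses of the two services the page names; the process path, user name and directory "0x3f9a" are placeholders.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Well-known public addresses of the Google and Cloudflare resolvers, the two DoH
# services the analysis says NOOPDOOR embeds. Extend with any others in your estate.
DOH_RESOLVER_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}
# Processes expected to speak DoH on a workstation; tune to local policy.
BROWSER_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed Sysmon Event ID 3 records (not real telemetry). "legit_app.exe" and
# the "0x3f9a" directory are placeholder names for the sideloaded host process.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"UtcTime": "2025-03-10 09:00:01.000",
     "Image": r"C:\Users\alice\AppData\Roaming\0x3f9a\legit_app.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "443"},
    {"UtcTime": "2025-03-10 09:00:12.000",
     "Image": r"C:\Users\alice\AppData\Roaming\0x3f9a\legit_app.exe",
     "DestinationIp": "1.1.1.1", "DestinationPort": "443"},
    {"UtcTime": "2025-03-10 09:00:40.000",
     "Image": r"C:\Users\alice\AppData\Roaming\0x3f9a\legit_app.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "443"},
    # Benign: a browser using DoH as configured.
    {"UtcTime": "2025-03-10 09:00:05.000",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "1.1.1.1", "DestinationPort": "443"},
    # Benign: classic DNS on port 53 from the DNS client service, not DoH.
    {"UtcTime": "2025-03-10 09:00:06.000",
     "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "53"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_utc(ts: str) -> datetime:
    # Sysmon writes UtcTime as "YYYY-MM-DD HH:MM:SS.mmm".
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def find_doh_abuse(events: List[Dict[str, str]], burst_threshold: int = 3,
                   window_seconds: int = 60) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Return (per-event findings, images that produced a burst of DoH connections)."""
    findings: List[Tuple[str, int]] = []
    per_image: Dict[str, List[datetime]] = defaultdict(list)
    for i, ev in enumerate(events):
        # Check 1: TLS to a known public resolver from a process that is not a browser.
        if ev.get("DestinationPort") != "443" or ev.get("DestinationIp") not in DOH_RESOLVER_IPS:
            continue
        image = ev.get("Image", "")
        if basename(image) in BROWSER_ALLOWLIST:
            continue
        findings.append(("doh_from_non_browser", i))
        per_image[image].append(parse_utc(ev["UtcTime"]))

    # Check 2: sliding window over each process's DoH connections; a DGA walking
    # candidate domains produces several resolver hits in quick succession.
    bursts: List[str] = []
    for image, times in per_image.items():
        times.sort()
        for start in range(len(times)):
            end = start
            while end + 1 < len(times) and (times[end + 1] - times[start]).total_seconds() <= window_seconds:
                end += 1
            if end - start + 1 >= burst_threshold:
                bursts.append(image)
                break
    return findings, bursts


if __name__ == "__main__":
    hits, burst_images = find_doh_abuse(SAMPLE_EVENTS)
    for rule, idx in hits:
        print(f"{rule}: event {idx} -> {SAMPLE_EVENTS[idx]['Image']}")
    for image in burst_images:
        print(f"doh_burst: {image}")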
Link(s):
https://www.trendmicro.com/en_us/research/25/d/earth-kasha-updates-ttps.html