From 38d0804f9c4a4df1960b5aef4dc72fc87fdc96e0 Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Wed, 20 Mar 2024 10:23:42 -0700
Subject: [PATCH] [threat-actors] Add Earth Krahang

---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 26922b1..9ccf9e3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15367,6 +15367,18 @@
       },
       "uuid": "d4004926-bf12-4cfe-b141-563c8ffb304a",
       "value": "Earth Kapre"
+    },
+    {
+      "description": "Earth Krahang is an APT group targeting government organizations worldwide. They use spear-phishing emails, weak internet-facing servers, and custom backdoors like Cobalt Strike, RESHELL, and XDealer to conduct cyber espionage. The group creates VPN servers on infected systems, employs brute force attacks on email accounts, and exploits compromised government infrastructure to attack other governments. Earth Krahang has been linked to another China-linked actor, Earth Lusca, and is believed to be part of a specialized task force for cyber espionage against government institutions.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-china-linked-earth-krahang-apt-breached-70-organizations-in-23-nations-active-iocs",
+          "https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html"
+        ]
+      },
+      "uuid": "8cfc9653-51bc-40f1-a267-78a1b8c763f6",
+      "value": "Earth Krahang"
     }
   ],
   "version": 304