Attacks by Chinese state-sponsored threat operation Earth Baku have expanded to healthcare, education, government, media, telecommunications, and technology organizations in Europe, the Middle East, and Africa since late 2022 after being initially targeted at the Indo-Pacific region, The Hacker News reports.
More recent intrusions by the APT41-linked threat group, which were confirmed to hit Italy, Qatar, and the United Arab Emirates and are suspected to have compromised Romania and Georgia, involved the targeting of Internet Information Services (IIS) and other public-facing apps to facilitate the distribution of advanced payloads, an analysis from Trend Micro revealed. After launching the updated StealthVector loader dubbed "StealthReacher" to deliver the modular SneakCross payload, Earth Baku proceeds with the distribution of the Rakshasa and iox tools, as well as the Tailscale VPN service, for post-exploitation activities, while enabling data exfiltration via the MEGAcmd command-line utility, Trend Micro researchers reported.