Earth Alux is an advanced persistent threat (APT) group that has been steadily expanding its reach and capabilities. Known for its methodical tradecraft and long-term persistence, Earth Alux primarily targets organizations in the Asia-Pacific (APAC) region and Latin America.
With a focus on espionage, data exfiltration, and long-term infiltration, Earth Alux poses a serious challenge to industries that depend on protecting sensitive data. The group employs a wide range of advanced techniques to carry out its operations.
These include web shell deployment, DLL side-loading, and the use of multi-stage backdoors such as VARGEIT and COBEACON. These methods give the group deeper access to target networks while minimizing detection by traditional security controls.
Targeted Industries and Countries
[Figure: Cyble Vision Threat Library (Source: Cyble Vision)]
Earth Alux’s operations are particularly focused on industries and regions that hold valuable data. The group’s primary targets include government entities, law enforcement agencies (LEAs), telecommunications companies, manufacturing firms, retail organizations, technology companies, and IT services.
In terms of geographical focus, Earth Alux has concentrated its attacks in the APAC region and Latin America. The group’s choice of targets reflects the economic and geopolitical importance of these regions. Government agencies and private sector companies in these areas often possess critical information that Earth Alux can exploit for espionage purposes.
Tactics and Techniques
Earth Alux employs various methods to infiltrate and maintain access to target systems. One of their strategies involves exploiting weaknesses in publicly accessible applications, allowing them to plant hidden backdoors known as web shells. These web shells act as secret entry points, enabling the group to stay connected to compromised systems without being detected.
Another tactic involves using disguised software components to gain unauthorized access, effectively creating stealthy entry points that blend in with legitimate system files. Additionally, Earth Alux utilizes modified tools originally designed for security testing to move within networks and maintain control over compromised systems. This layered approach allows the group to operate quietly and efficiently, making it challenging for organizations to detect and remove their presence.
Persistence, Evasion Techniques and Data Exfiltration
Earth Alux employs sophisticated methods to ensure its malware stays hidden within victim systems for long periods. They use techniques to disguise malicious files and processes, making them look like legitimate system components. This helps them avoid detection by security software. To maintain control over infected systems, they set up mechanisms that ensure the malware runs automatically whenever the system restarts. They also cleverly disguise their activities by blending them with normal system operations, which helps bypass security checks.
To communicate with compromised systems, Earth Alux relies on a complex network of communication channels. These channels are designed to blend in with regular internet traffic, making it difficult for security tools to detect or block their activities. The group also uses encrypted connections, which adds another layer of secrecy, ensuring that even if their data is intercepted, it remains unreadable. This combination of hidden operations and secure communication makes it challenging for defenders to detect, block, or dismantle their activities effectively.
The goal of Earth Alux’s cyberattacks is data exfiltration. Once inside a network, the group focuses on extracting sensitive data from compromised systems. Common targets include intellectual property, government documents, financial data, and proprietary business information.
To exfiltrate the data, Earth Alux employs compression techniques, packaging stolen data into compressed archives before sending it to cloud storage. The use of cloud services further obfuscates the exfiltration process, as the traffic may appear legitimate to network administrators.
Conclusion
Earth Alux is a highly advanced cyberespionage group that targets organizations across APAC and Latin America, employing advanced tactics to infiltrate networks and exfiltrate sensitive data without detection.
Their methods center on stealth, persistence, and repurposed security-testing tools to maintain an edge in cyber operations. To defend against groups of this kind, Cyble offers AI-powered cybersecurity solutions that deliver real-time threat intelligence, proactive monitoring, and comprehensive defense strategies.
Cyble's platforms help organizations identify vulnerabilities, detect emerging threats, and respond to cyber risks.
Mitigation and Defense Strategies
- Implement Patch Management: Regularly update software and services to close vulnerabilities in public-facing applications, reducing the risk of exploitation.
- Deploy EDR Solutions: Use Endpoint Detection and Response tools to identify suspicious activities like DLL side-loading, scheduled tasks, and PowerShell-based attacks.
- Monitor Network Traffic: Analyze communication patterns to detect anomalous C2 traffic, paying particular attention to channels that blend in with everyday business traffic, such as HTTP and Microsoft Outlook connections.
- Use Intrusion Detection Systems (IDS): Employ IDS to identify advanced techniques such as masquerading and API unhooking.
- Enhance Employee Awareness: Conduct regular security training to educate employees on recognizing and avoiding social engineering tactics, including phishing attacks.
- Strengthen Incident Response: Develop and regularly update incident response plans to quickly address potential breaches and minimize damage.
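One concrete check behind the EDR recommendation above, written here as an added example rather than code from the Cyble report or its products: a heuristic that flags the classic DLL side-loading shape in image-load telemetry, where a DLL whose name normally resolves to System32 is instead loaded, unsigned, from the executable's own directory. The event records and the system-DLL allow-list are constructed; field names mimic Sysmon Event ID 7.

```python
from pathlib import PureWindowsPath

# Windows directories where loading a system DLL is expected, not suspicious.
SYSTEM_DIRS = (PureWindowsPath(r"C:\Windows\System32"),
               PureWindowsPath(r"C:\Windows\SysWOW64"))

# DLL names that normally resolve to System32. Constructed stand-in for an
# allow-list that would be built from a clean reference host.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll"}

# Constructed sample events; keys follow Sysmon Event ID 7 (Image Loaded).
EVENTS = [
    {"Image": r"C:\Users\bob\AppData\Local\Temp\update\legit_updater.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\update\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def in_system_dir(path):
    """True when the file sits directly in a Windows system directory."""
    return any(path.parent == d for d in SYSTEM_DIRS)  # case-insensitive


def is_sideload(ev):
    """All four conditions together form the side-loading shape."""
    exe = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    same_dir = exe.parent == dll.parent               # DLL sits beside the EXE
    outside_system = not in_system_dir(dll)           # and not in System32
    shadows_system = dll.name.lower() in KNOWN_SYSTEM_DLLS  # name of a system DLL
    unsigned = ev.get("Signed", "false").lower() != "true"
    return same_dir and outside_system and shadows_system and unsigned


def find_sideloads(events):
    """Return the ImageLoaded paths of every event matching the heuristic."""
    return [ev["ImageLoaded"] for ev in events if is_sideload(ev)]


if __name__ == "__main__":
    for hit in find_sideloads(EVENTS):
        print("possible DLL side-load:", hit)
```

Vendor applications that legitimately ship their own copies of a system DLL will also match, so the hit list is a triage queue rather than a verdict.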
MITRE ATT&CK Techniques Associated with Earth Alux
[Figure: Earth Alux MITRE ATT&CK (Source: Cyble Vision)]
- Exploit Public-Facing Application (T1190): Targets web servers, databases, cloud systems, and edge devices by exploiting software flaws, misconfigurations, or weak IAM policies.
- PowerShell (T1059.001): Executes code, performs discovery, and downloads files using PowerShell and the .NET framework without relying on powershell.exe.
- Windows Service (T1543.003): Modifies or creates services to execute malicious payloads at startup, enabling rootkit installation, privilege escalation, or stealth.
- Access Token Manipulation (T1134): Steals or manipulates tokens to escalate from admin to SYSTEM.
- Windows Service (T1543.003): The same service technique listed under Persistence, also used for privilege escalation.
- Access Token Manipulation (T1134): The same token technique listed under Privilege Escalation, also used for defense evasion.
- System Information Discovery (T1082): Gathers OS, hardware, and cloud instance details using system tools and APIs.
- Web Protocols (T1071.001): Communicates with C2 servers over standard web protocols to avoid detection.