
Threat Actor Characterization

Earth Lusca

ID: a6a407ce481ea49c085b66db7a3b8dea75636
Category tags: Cybercrime, Malware Dev
Threat types: Intrusion, Cyber Espionage, Financial Activity
Attributed origin: China
Updated: 2026-01-13
Created: 2025-10-22
Operation zone: Australia, China, France, Germany, Hong Kong, Mongolia, Nepal, Nigeria, Philippines, Thailand, United Arab Emirates, United States, Vietnam
MITRE ATT&CK®

Earth Lusca (G1006) — China-nexus espionage actor active since 2019, using watering holes and spearphishing with Cobalt Strike/ShadowPad/Winnti loaders and newer backdoors (SprySOCKS, KTLVdoor) against governments, telecoms, academia, NGOs; opportunistic financial activity also reported.


Technique | Technique name | Tactic | Evidence (dates are publication dates of the cited reports)

T1189 | Drive-by Compromise | TA0001 Initial Access
  • 2022-01-17: Trend Micro details watering-hole use delivering loaders/beacons to targeted visitors.

T1566 | Phishing | TA0001 Initial Access
  • 2024-02-26: Election-themed spearphishing lures observed targeting Taiwan ahead of the January 2024 elections.

T1105 | Ingress Tool Transfer | TA0011 Command and Control
  • 2022-01-17: Ingress of toolsets including Cobalt Strike, ShadowPad, and Winnti over C2/web channels.
  • 2024-09-04: KTLVdoor (Go, Windows/Linux) provides command execution, file operations, and remote scanning via C2 tasking.

T1041 | Exfiltration Over C2 Channel | TA0010 Exfiltration
  • 2022-01-17: Reports describe exfiltration of collected data over established C2/web channels.

T1059 | Command and Scripting Interpreter | TA0002 Execution
  • 2022-01-17: Living-off-the-land post-exploitation via interpreters/LOLBins described in campaign analysis (assessed).

T1113 | Screen Capture | TA0009 Collection
  • 2023-09-18: SprySOCKS Linux backdoor used alongside Cobalt Strike for deeper staging and collection; screen/IO capability inferred from the family design (assessed, not directly observed in the cited report).
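The technique table above is a plain list of (technique, tactic, evidence) rows in which T1105 appears twice with different evidence. A practitioner usually wants this as an ATT&CK Navigator layer so it can be overlaid on detection coverage. The script below is an added example, not code from the profile or from any vendor report; it transcribes the table rows as constructed input, collapses duplicate technique/tactic pairs into one entry whose score is the evidence count, and emits a layer in the Navigator 4.5 layer format (the `versions` strings are assumptions and should be set to the ATT&CK and Navigator releases you actually use).

```python
"""Build an ATT&CK Navigator layer from the Earth Lusca technique evidence table."""
import json

# Tactic IDs from the table -> Navigator short names for the enterprise-attack domain.
TACTIC_NAMES = {
    "TA0001": "initial-access",
    "TA0002": "execution",
    "TA0009": "collection",
    "TA0010": "exfiltration",
    "TA0011": "command-and-control",
}

# Constructed input: the profile's evidence rows as (report date, technique, tactic, note).
EVIDENCE = [
    ("2022-01-17", "T1189", "TA0001", "Watering-hole delivery of loaders/beacons (Trend Micro)"),
    ("2024-02-26", "T1566", "TA0001", "Election-themed spearphishing against Taiwan"),
    ("2022-01-17", "T1105", "TA0011", "Cobalt Strike/ShadowPad/Winnti pulled over C2/web channels"),
    ("2022-01-17", "T1041", "TA0010", "Exfiltration over established C2 channels"),
    ("2022-01-17", "T1059", "TA0002", "Interpreter/LOLBin post-exploitation (assessed)"),
    ("2023-09-18", "T1113", "TA0009", "SprySOCKS used for staging and collection (assessed)"),
    ("2024-09-04", "T1105", "TA0011", "KTLVdoor (Go, Windows/Linux) tasked via C2"),
]


def build_layer(rows, name="Earth Lusca (G1006) - profile evidence"):
    """Collapse evidence rows into one Navigator entry per (technique, tactic).

    Duplicate rows such as the two T1105 items become a single entry whose
    score is the number of evidence items and whose comment lists them
    in date order, so a Navigator heat map reflects how well-attested each
    technique is rather than how many times it was typed into the table.
    """
    merged = {}
    for date, tid, tactic_id, note in rows:
        key = (tid, TACTIC_NAMES[tactic_id])  # KeyError on an unmapped tactic is deliberate
        merged.setdefault(key, []).append(f"{date}: {note}")

    techniques = []
    for (tid, tactic), notes in sorted(merged.items()):
        techniques.append({
            "techniqueID": tid,
            "tactic": tactic,
            "score": len(notes),
            "comment": "\n".join(sorted(notes)),
        })

    return {
        "name": name,
        # Assumed version strings; adjust to the ATT&CK/Navigator releases in use.
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Evidence-weighted techniques; score = number of evidence items.",
        "techniques": techniques,
        "gradient": {"colors": ["#ffe766", "#ff6666"], "minValue": 1, "maxValue": 2},
    }


if __name__ == "__main__":
    # Write the layer to stdout; redirect to a .json file and open it in Navigator.
    print(json.dumps(build_layer(EVIDENCE), indent=2))
```

Because the tactic is part of the merge key, a technique that the same actor uses under two tactics (for example T1105 seen both as ingress and as lateral tool transfer in other reporting) would correctly produce two entries rather than being folded together.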
Strategic Intelligence
Last updated: 2025-10-22T18:10:59+00:00
Earth Lusca — China-Nexus Espionage & Opportunistic Financial Activity (G1006)

CLASSIFICATION: Unclassified / Open Source


Executive Summary

Earth Lusca is a Chinese-speaking threat group tracked by MITRE as G1006 and by other vendors under names including Charcoal Typhoon (formerly CHROMIUM), TAG-22, ControlX, RedHotel, and Bronze University. Since at least 2019 it has targeted governments, telecommunications providers, academia, NGOs and civil society, and, opportunistically, cryptocurrency businesses, using watering-hole and spearphishing lures together with a rotating toolset (Cobalt Strike, ShadowPad, Winnti-family loaders, FunnySwitch, Doraemon, and the newer SprySOCKS and KTLVdoor backdoors). Campaigns have used geopolitical themes (the January 2024 Taiwan elections) and multi-platform Windows/Linux payloads. We assess capability as medium-high, with sustained operational tempo and infrastructure discipline. The primary aim is intelligence collection; financially motivated forays are noted by multiple sources. Confidence: high on TTPs and targeting, high on PRC nexus.


Research places Earth Lusca within the broader China-nexus ecosystem: overlaps in malware and tooling with APT41/Winnti clusters are observed, yet analysts treat Earth Lusca's infrastructure and tradecraft as distinct. Public mappings list alternative vendor names (Bronze University, Charcoal Typhoon, RedHotel) that each capture a partial view of the same cluster, so alias matches should be treated as overlaps rather than strict equivalence.
