Earth Baxia

MISP
Type: Unknown
Country: CN
First seen: Unknown
Details:

Earth Baxia is a threat actor operating out of China that targets government organizations in Taiwan and potentially across the APAC region. It uses spear-phishing emails and exploits the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploys customized Cobalt Strike components with altered signatures, leverages GrimResource and AppDomainManager injection techniques to deliver additional payloads, and uses a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.

Metadata
ID: 737
Created: 13/01/2026 17:48
Updated: 07/03/2026 16:00