If you thought your cloud storage was just for family photos and embarrassing PowerPoint slides, think again. There’s a new Advanced Persistent Threat (APT) group on the block—Earth Kurma—and they’re using Dropbox and OneDrive not for backup, but for break-ins.
Since June 2024, government and telecom sectors across the Philippines, Vietnam, Thailand, and Malaysia have been under silent siege. The attackers aren’t smashing windows—they’re sliding in through system files, injecting shellcode, and exfiltrating files like it’s just another day at the (hacked) office.
“Cybersecurity joke of the day: Why did the hacker store exfiltrated data on Dropbox? Because even spies believe in the cloud.”
Who Is Earth Kurma and Why Should We Be Worried?
According to Trend Micro, Earth Kurma is not just “advanced”—they’re a stealthy, persistent, and professionally paranoid group likely active since November 2020. They’re packing:
- Custom rootkits like KRNRAT and Moriya
- Stealthy data-stealing tools like TESDAT and SIMPOBOXSPY
- A full Living-off-the-Land (LotL) toolkit including WMIHACKER, NBTSCAN, and ICMPinger
Their malware hides in memory, their packets ride TCP streams, and their archives are password-protected with WinRAR (because zip just isn’t cool anymore).
Espionage in the Cloud: A Modern Hacker’s Dropbox Strategy
Earth Kurma doesn’t smuggle stolen secrets in duffel bags—they archive them in a folder named “tmp”, encrypt the package, and:
- Upload it to Dropbox via SIMPOBOXSPY
- Or to OneDrive via a tool called ODRIZ
The result? Real-time, cloud-based espionage. The hackers even use access and refresh tokens—because who has time to log in when you’re exfiltrating secrets?
“When a hacker says they use ‘cloud-native tools,’ they’re not talking about Azure certifications.”
From Shadowy Loaders to Svchost.exe: A Deep Dive Into Their Toolkit
Here’s how Earth Kurma gets their tentacles into your system:
- Initial access: Still unknown, but likely phishing or unpatched vulnerabilities
- Lateral movement: Tools like FRPC and Ladon (popular with China-linked APTs)
- Credential harvesting: KMLOG keylogger
- Payload delivery: TESDAT, DMLOADER, and DUNLOADER
Once inside, they inject malware into svchost.exe, maintain access with rootkits, and extract documents with extensions like .pdf, .docx, .xlsx, .pptx. Basically, if it’s an important-looking file, it’s gone.
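The two sections above describe a chain a defender can actually watch for: a process that should not be a cloud client (svchost.exe) reads a pile of office documents, writes a password-protected RAR into a "tmp" folder, and then talks to the Dropbox or OneDrive API with a stored token. The Python below is an added illustration of that detection logic, written for this article; it is not code from Trend Micro's report or from the Earth Kurma tooling. The telemetry format (one JSON event per line, EDR-style, with `ts`, `type`, `pid`, `image`, and per-type fields) and every sample event are constructed here. `api.dropboxapi.com`, `content.dropboxapi.com` and `graph.microsoft.com` are the public API hosts for Dropbox and for Microsoft Graph (which fronts OneDrive); the allow-list of legitimate cloud-client images, the ten-document threshold and the five-minute window are assumptions to tune per estate.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Public API hosts for Dropbox and for Microsoft Graph (the API behind OneDrive).
CLOUD_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "graph.microsoft.com"}
# Process images expected to reach those hosts (assumption: tune per estate).
CLOUD_ALLOWED_IMAGES = {"dropbox.exe", "onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Document types the post says Earth Kurma collects.
DOC_EXTENSIONS = (".pdf", ".docx", ".xlsx", ".pptx")
BULK_READ_THRESHOLD = 10       # distinct documents per process within WINDOW (assumption)
WINDOW = timedelta(minutes=5)  # correlation window (assumption)


def parse_events(lines):
    """Parse one JSON event per line; 'ts' becomes a datetime; output sorted by time."""
    events = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def cloud_api_from_unusual_process(events):
    """Rule 1: a connection to a cloud storage API from a process that is not a known client."""
    hits = []
    for ev in events:
        if ev["type"] != "network" or ev["dst_host"] not in CLOUD_API_HOSTS:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image not in CLOUD_ALLOWED_IMAGES:
            hits.append({"rule": "cloud_api_unusual_process", "pid": ev["pid"],
                         "image": ev["image"], "host": ev["dst_host"]})
    return hits


def bulk_document_reads(events):
    """Rule 2: one process reading many distinct documents within WINDOW (collection phase)."""
    reads = defaultdict(list)  # pid -> [(ts, path)]
    for ev in events:
        if ev["type"] == "file" and ev["action"] == "read" \
                and ev["path"].lower().endswith(DOC_EXTENSIONS):
            reads[ev["pid"]].append((ev["ts"], ev["path"]))
    hits = []
    for pid, items in reads.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):            # sliding window over sorted reads
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            best = max(best, len({p for _, p in items[start:end + 1]}))
        if best >= BULK_READ_THRESHOLD:
            hits.append({"rule": "bulk_document_reads", "pid": pid, "count": best})
    return hits


def staged_archive_then_upload(events):
    """Rule 3: a .rar written under a 'tmp' directory, then the same pid reaching a cloud API."""
    archives = [ev for ev in events if ev["type"] == "file" and ev["action"] == "create"
                and ev["path"].lower().endswith(".rar") and "\\tmp\\" in ev["path"].lower()]
    hits = []
    for arc in archives:
        for ev in events:
            if (ev["type"] == "network" and ev["pid"] == arc["pid"]
                    and ev["dst_host"] in CLOUD_API_HOSTS
                    and arc["ts"] <= ev["ts"] <= arc["ts"] + WINDOW):
                hits.append({"rule": "staged_archive_then_upload", "pid": arc["pid"],
                             "archive": arc["path"], "host": ev["dst_host"]})
                break
    return hits


def run_all_rules(lines):
    events = parse_events(lines)
    return (cloud_api_from_unusual_process(events) + bulk_document_reads(events)
            + staged_archive_then_upload(events))


def _ev(ts, **fields):
    return json.dumps({"ts": ts, **fields})


SVCHOST = "C:\\Windows\\System32\\svchost.exe"
# Constructed sample telemetry: a legitimate OneDrive sync, a user opening one document,
# then an injected svchost.exe collecting 12 spreadsheets, staging a RAR and uploading it.
SAMPLE_LOG = [
    _ev("2024-06-12T09:00:00", type="network", pid=1337, dst_host="graph.microsoft.com",
        image="C:\\Users\\ana\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"),
    _ev("2024-06-12T09:00:05", type="file", action="read", pid=2210,
        image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        path="C:\\Users\\ana\\Documents\\budget.docx"),
] + [
    _ev(f"2024-06-12T09:01:{i:02d}", type="file", action="read", pid=4120, image=SVCHOST,
        path=f"\\\\fileserver\\finance\\report_{i}.xlsx") for i in range(12)
] + [
    _ev("2024-06-12T09:02:00", type="file", action="create", pid=4120, image=SVCHOST,
        path="C:\\Users\\Public\\tmp\\f.rar"),
    _ev("2024-06-12T09:02:30", type="network", pid=4120, image=SVCHOST,
        dst_host="content.dropboxapi.com"),
]

if __name__ == "__main__":
    for finding in run_all_rules(SAMPLE_LOG):
        print(finding)
```

Rule 1 is the cheapest and the most durable of the three: the malware lives inside svchost.exe precisely so that it looks like Windows, but Windows has no reason to speak to the Dropbox content API, so a per-image allow-list on those hostnames (or on the TLS SNI if you only have network data) catches the upload whatever the injected code looks like. Rules 2 and 3 add the staging context that lets an analyst separate a real exfiltration from a user running the official sync client.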
Ties to Other Threat Actors (Because Why Work Alone?)
There are signs of code and infrastructure overlaps with ToddyCat, another known APT group. Even Ladon, an open-source framework, ties them loosely to China-linked TA428 (a.k.a. Vicious Panda).
APT life lesson: if your malware doesn’t have a cool code name, shared GitHub repo, and Dropbox token integration, are you even trying?
Final Thought: APTs Now Offer Rootkits-as-a-Service, Powered by OneDrive
Earth Kurma is adaptable, patient, and deeply technical. They can live quietly in your network, borrow your cloud services, and blend into system processes with a grace most of us wish we had on Zoom calls.
And while the initial access point remains a mystery, one thing is clear: their exit strategy is elegant, encrypted, and cloud-synced.
Stay patched, watch your logs, and maybe double-check who’s logging in to your Dropbox.