Conclusion and Security Recommendations

The notorious cyber threat group known as Earth Kasha continues to pose a significant risk as it embarks on a new campaign targeting government agencies and public institutions in both Taiwan and Japan. This alarming activity was detected as recently as March 2025, indicating that the group is not only active but evolving its tactics to enhance its attack vector.

Earth Kasha utilizes spear-phishing techniques that have proven effective in past operations, but their latest campaign shows a notable shift in their tactics, techniques, and procedures (TTPs). For instance, instead of utilizing a Word document as a delivery mechanism, the group's latest malicious Excel file now carries the identifier ROAMINGMOUSE, showcasing their adaptability. Additionally, the trigger for their malicious routines has transitioned from a mouse movement event to a simple click event, indicating a strategy aimed at increasing user engagement and, ultimately, the success rate of their phishing attempts.

Within the framework of this new campaign, we observed a specific file known as the ANEL file, which encrypts its version number similarly to previous iterations from Earth Kasha's activities in 2024. However, the 2025 version demonstrates significant advancements, including the implementation of a new command designed to execute a Beacon Object File (BOF) directly in memory. This technique allows for more sophisticated operations and could potentially complicate detection efforts.

Moreover, it appears that the group may have leveraged a tool called SharpHide for persistence. This allows them to launch a subsequent backdoor known as NOOPDOOR through a hidden process (hstart64.exe) and conceal the user interface of MSBuild upon system autorun. This combination of tactics not only enhances their ability to remain undetected but also underscores the sophisticated nature of their campaigns.

Given the increasing sophistication and persistence of Earth Kasha, it is imperative for enterprises and organizationsespecially those housing high-value assets such as sensitive governance data, intellectual property, and critical infrastructure informationto remain vigilant. Implementing proactive security measures is essential to mitigate the risk of falling victim to these advanced cyberattacks.

To bolster defenses against the TTPs outlined in this article, we recommend several key security measures:

  • Educate users about the dangers of interacting with external or unrecognized OneDrive links, and adopt a zero-trust policy when engaging with such links and files originating from unknown email sources.
  • Monitor for potential abuse of DNS over HTTPS to detect unusual activity.
  • Disable macros in documents downloaded from the internet to prevent malicious code execution.
  • Utilize endpoint detection response (EDR) tools to identify and respond to suspicious activities effectively.

Additionally, proactive security can be achieved with the help of Trend Vision One. This cutting-edge, AI-powered enterprise cybersecurity platform centralizes the management of cyber risk exposure, security operations, and offers robust layered protection. By adopting a holistic approach, Trend Vision One empowers organizations to predict and prevent threats, thereby accelerating proactive security outcomes across their digital environments.

Trend Vision One also provides customers with access to a wide range of Intelligence Reports and Threat Insights. These insights enable organizations to stay ahead of potential cyber threats by preparing for emerging risks, equipping them with comprehensive information about threat actors, their malicious activities, and methodologies. By utilizing this intelligence, businesses can take proactive measures to safeguard their environments, mitigate risks effectively, and respond to threats promptly.

For those interested in tracking such threats, the Trend Vision One Intelligence Reports App offers tracking capabilities to identify indicators of compromise (IoCs). This includes relevant hunting queries and specific event IDs associated with malware detection.

In conclusion, given the persistent nature of the Earth Kasha group, enterprises must remain proactive in their cybersecurity measures and leverage advanced tools to protect their sensitive information and infrastructures.