In a troubling development for the cybersecurity landscape in East Asia, the advanced persistent threat (APT) group known as Earth Kasha has been observed significantly increasing its operations against government agencies and public institutions in Taiwan and Japan. The latest campaign, which has raised alarms among cybersecurity experts, was first identified in March 2025. It signals a strategic shift in the group's targeting and tooling, in keeping with how threat actors of this kind continually adapt to defensive measures.

Earth Kasha is known for sophisticated intrusions that rely primarily on spear-phishing for initial access. This new wave of attacks shows notable modifications to the group's tactics, techniques, and procedures (TTPs). Where the group previously relied heavily on malicious Word documents, it has shifted to Excel files carrying a newly identified variant of the ROAMINGMOUSE dropper, which stages the later payloads. The change in lure format and loader marks a clear step in the group's modus operandi and demonstrates its capacity to refine attack vectors in response to defensive measures.

The recent analysis shows that the trigger for the malicious macro has shifted from a mouse-movement event to a click event. Because clicking is an ordinary interaction with a spreadsheet, this change could raise the rate of successful infections; a practical consequence for analysts is that a detonation environment that only simulates mouse movement will not fire the payload. The group has also added a new command to its ANEL backdoor that resembles commands seen in its earlier operations. The version number remains encrypted, as in the ANEL samples from the 2024 campaigns, but the 2025 variant adds support for executing a Beacon Object File (BOF) in memory, which extends the backdoor's post-exploitation capabilities without writing additional tooling to disk.

Further scrutiny of Earth Kasha's tactics suggests the group may use SharpHide, a publicly available tool that creates registry Run-key entries which standard registry tools do not display, to keep its persistence mechanism hidden. That autorun entry can launch the NOOPDOOR backdoor through Hidden Start (hstart64.exe), which starts MSBuild without a visible console window at logon, so nothing appears on the user's desktop. This stealthy approach underscores the sophistication of Earth Kasha's tradecraft and the need for organizations to remain vigilant and proactive in their defenses.

In light of these evolving threats, enterprises and organizations, particularly those managing high-value assets such as sensitive governance data, intellectual property, and crucial access credentials, must adopt a proactive and comprehensive stance on cybersecurity. Leading security experts recommend implementing a series of robust measures to mitigate the risk of becoming victims of such aggressive cyberattacks.

Some of the recommended security measures include:

  • Educating users about the risks of opening external or unfamiliar OneDrive links, and applying a zero-trust stance toward such links and the emails that carry them.
  • Monitoring for misuse of DNS over HTTPS (DoH), which attackers can use to hide command-and-control name resolution from network DNS logging.
  • Blocking macros in Office files downloaded from the internet (files that carry the Mark of the Web); the Office Group Policy setting "Block macros from running in Office files from the Internet" enforces this per application.
  • Employing endpoint detection and response (EDR) tooling to surface suspicious process chains, such as Office applications spawning script hosts, within the network.
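The hstart64.exe-to-MSBuild launch chain described earlier and the detection-oriented measures in the list above (DoH monitoring, endpoint telemetry) can be turned into concrete hunting rules. The following Python is an added example, not code from the original article or from Trend Micro; the telemetry records, host names, file paths, the short list of public DoH resolvers and the "user-writable directory" pattern are all constructed assumptions for illustration, and the rules are deliberately narrow so that a benign developer build does not trip them.

```python
"""Hunting rules for behaviours described in the Earth Kasha reporting,
run over constructed sample telemetry (not data from the report).
The process records imitate Sysmon/EDR process-creation events; the
proxy records imitate web-proxy logs."""
import re
from urllib.parse import urlsplit

# Constructed sample telemetry: host names, paths and URLs are invented.
PROCESS_EVENTS = [
    {"host": "WS-017",
     "parent_image": r"C:\Users\alice\AppData\Roaming\hstart64.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "command_line": r"MSBuild.exe C:\Users\alice\AppData\Roaming\update.xml"},
    {"host": "WS-017",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\r.ps1"},
    {"host": "BUILD-02",  # benign: Visual Studio building a project from a source tree
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "command_line": r"MSBuild.exe C:\src\app\app.csproj"},
]
PROXY_EVENTS = [
    {"host": "WS-017", "method": "POST", "url": "https://dns.google/dns-query",
     "content_type": "application/dns-message"},
    {"host": "WS-017", "method": "GET",
     "url": "https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB",
     "content_type": "application/dns-message"},
    {"host": "WS-004", "method": "GET", "url": "https://www.example.com/index.html",
     "content_type": "text/html"},
    {"host": "WS-004", "method": "GET", "url": "https://intranet.example/dns-query-stats.html",
     "content_type": "text/html"},  # similar path, not DoH: must not match
    {"host": "WS-009", "method": "POST", "url": "https://203.0.113.10/dns-query",
     "content_type": "application/dns-message"},  # unknown resolver, DoH wire format
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe"}
# Directories a standard user can write to (assumption: illustrative, not exhaustive).
USER_WRITABLE = re.compile(r"(?i)\\(users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp)\\")
# First project-like file on an MSBuild command line.
PROJECT_FILE = re.compile(r"(?i)\S+\.(xml|csproj|proj|targets)\b")
# Well-known public DoH resolvers (assumption: short illustrative list).
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_PATH = re.compile(r"^/dns-query$")          # RFC 8484 conventional endpoint path
DOH_MEDIA_TYPES = {"application/dns-message", "application/dns-json"}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def process_findings(ev):
    """Rules over one process-creation record; returns the rule names it trips."""
    parent, child = image_name(ev["parent_image"]), image_name(ev["image"])
    reasons = []
    if parent == "hstart64.exe" and child == "msbuild.exe":
        reasons.append("hstart64-spawns-msbuild")
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append("office-spawns-script-host")
    if child == "msbuild.exe":
        project = PROJECT_FILE.search(ev["command_line"])
        if project and USER_WRITABLE.search(project.group(0)):
            reasons.append("msbuild-project-in-user-writable-path")
    return reasons


def doh_findings(ev):
    """Flag DoH by destination (known resolver) or by wire format (path/media type)."""
    parts = urlsplit(ev["url"])
    reasons = []
    if (parts.hostname or "").lower() in DOH_RESOLVERS:
        reasons.append("known-public-doh-resolver")
    if DOH_PATH.match(parts.path) or ev["content_type"].lower() in DOH_MEDIA_TYPES:
        reasons.append("doh-wire-format")
    return reasons


def hunt(events, rule):
    """Return (host, reasons) for every record that trips at least one rule."""
    return [(ev["host"], reasons) for ev in events if (reasons := rule(ev))]


if __name__ == "__main__":
    for host, reasons in hunt(PROCESS_EVENTS, process_findings):
        print(f"process  {host}: {', '.join(reasons)}")
    for host, reasons in hunt(PROXY_EVENTS, doh_findings):
        print(f"proxy    {host}: {', '.join(reasons)}")
```

The DoH rule matches on the wire format as well as on resolver names because an attacker-controlled server can speak RFC 8484 DoH from any address; the last proxy record shows that case being caught while the intranet page with a similar path is not.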

For organizations seeking to enhance their cybersecurity posture, Trend Vision One offers a robust, AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and layered protection. This holistic approach empowers enterprises to predict and prevent threats, thereby accelerating their proactive security responses across their digital environments. By integrating Trend Vision One into their security strategy, businesses can eliminate security blind spots, prioritize critical issues, and transform their security measures into a vital mechanism of innovation.

To stay ahead of rapidly evolving cyber threats, customers of Trend Vision One benefit from a wealth of Intelligence Reports and Threat Insights. These invaluable resources equip users with the essential information to anticipate cyber threats before they materialize, enabling organizations to prepare effectively for emerging risks. By gaining insights into the tactics and techniques employed by threat actors like Earth Kasha, organizations can implement necessary steps to bolster their defenses and effectively respond to potential attacks.

In conclusion, as Earth Kasha intensifies its spear-phishing operations against Taiwan and Japan, organizations must maintain vigilance and adopt a proactive approach. The threat landscape changes continuously, and a robust cybersecurity framework will be crucial for safeguarding sensitive data and ensuring operational integrity.