Threat Actor Profile
High APT
Description

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)

Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster; however, security researchers assess Earth Lusca's techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)

Confidence Score
90%
Known Aliases
Earth Lusca, TAG-22, Charcoal Typhoon, CHROMIUM, ControlX
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (44)
Grouped by the tactic recorded in the profile (one tactic per technique).

Collection
  T1560.001 - Archive via Utility
Command and Control
  T1090 - Proxy
Credential Access
  T1003.001 - LSASS Memory
  T1003.006 - DCSync
Defense Evasion
  T1027 - Obfuscated Files or Information
  T1027.003 - Steganography
  T1036.005 - Match Legitimate Resource Name or Locat…
  T1112 - Modify Registry
  T1140 - Deobfuscate/Decode Files or Information
  T1218.005 - Mshta
Discovery
  T1007 - System Service Discovery
  T1016 - System Network Configuration Discovery
  T1018 - Remote System Discovery
  T1033 - System Owner/User Discovery
  T1049 - System Network Connections Discovery
  T1057 - Process Discovery
  T1482 - Domain Trust Discovery
Execution
  T1047 - Windows Management Instrumentation
  T1053.005 - Scheduled Task
  T1059.001 - PowerShell
  T1059.005 - Visual Basic
  T1059.006 - Python
  T1059.007 - JavaScript
  T1204.001 - Malicious Link
  T1204.002 - Malicious File
Exfiltration
  T1567.002 - Exfiltration to Cloud Storage
Initial Access
  T1189 - Drive-by Compromise
  T1190 - Exploit Public-Facing Application
  T1566.002 - Spearphishing Link
Lateral Movement
  T1210 - Exploitation of Remote Services
Persistence
  T1098.004 - SSH Authorized Keys
  T1543.003 - Windows Service
  T1547.012 - Print Processors
  T1574.001 - DLL
Privilege Escalation
  T1548.002 - Bypass User Account Control
Reconnaissance
  T1595.002 - Vulnerability Scanning
Resource Development
  T1583.001 - Domains
  T1583.004 - Server
  T1583.006 - Web Services
  T1584.004 - Server
  T1584.006 - Web Services
  T1588.001 - Malware
  T1588.002 - Tool
  T1608.001 - Upload Malware
STIX Data
{'aliases': ['Earth Lusca',
             'TAG-22',
             'Charcoal Typhoon',
             'CHROMIUM',
             'ControlX'],
 'created': '2022-07-01T20:12:30.184Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Earth Lusca](https://attack.mitre.org/groups/G1006) is a '
                'suspected China-based cyber espionage group that has been '
                'active since at least April 2019. [Earth '
                'Lusca](https://attack.mitre.org/groups/G1006) has targeted '
                'organizations in Australia, China, Hong Kong, Mongolia, '
                'Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United '
                'Arab Emirates, Nigeria, Germany, France, and the United '
                'States. Targets included government institutions, news media '
                'outlets, gambling companies, educational institutions, '
                'COVID-19 research organizations, telecommunications '
                'companies, religious movements banned in China, and '
                'cryptocurrency trading platforms; security researchers assess '
                'some [Earth Lusca](https://attack.mitre.org/groups/G1006) '
                'operations may be financially motivated.(Citation: TrendMicro '
                'EarthLusca 2022)\n'
                '\n'
                '[Earth Lusca](https://attack.mitre.org/groups/G1006) has used '
                'malware commonly used by other Chinese threat groups, '
                'including [APT41](https://attack.mitre.org/groups/G0096) and '
                'the [Winnti Group](https://attack.mitre.org/groups/G0044) '
                'cluster, however security researchers assess [Earth '
                "Lusca](https://attack.mitre.org/groups/G1006)'s techniques "
                'and infrastructure are separate.(Citation: TrendMicro '
                'EarthLusca 2022)',
 'external_references': [{'external_id': 'G1006',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1006'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Charcoal Typhoon'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'ControlX'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023) (Citation: '
                                         'Recorded Future RedHotel August '
                                         '2023)',
                          'source_name': 'CHROMIUM'},
                         {'description': '(Citation: Recorded Future TAG-22 '
                                         'July 2021)',
                          'source_name': 'TAG-22'},
                         {'description': 'Chen, J., et al. (2022). Delving '
                                         'Deep: An Analysis of Earth Lusca’s '
                                         'Operations. Retrieved July 1, 2022.',
                          'source_name': 'TrendMicro EarthLusca 2022',
                          'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'},
                         {'description': 'INSIKT GROUP. (2021, July 8). '
                                         'Chinese State-Sponsored Activity '
                                         'Group TAG-22 Targets Nepal, the '
                                         'Philippines, and Taiwan Using Winnti '
                                         'and Other Tooling. Retrieved '
                                         'September 16, 2024.',
                          'source_name': 'Recorded Future TAG-22 July 2021',
                          'url': 'https://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan'},
                         {'description': 'Insikt Group. (2023, August 8). '
                                         'RedHotel: A Prolific, Chinese '
                                         'State-Sponsored Group Operating at a '
                                         'Global Scale. Retrieved March 11, '
                                         '2024.',
                          'source_name': 'Recorded Future RedHotel August 2023',
                          'url': 'https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'}],
 'id': 'intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034',
 'modified': '2025-06-06T14:55:18.144Z',
 'name': 'Earth Lusca',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack', 'mobile-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '2.1'}
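As an added example (not code from this page, from MITRE, or from any vendor named above), the Python below turns the profile into something a hunting team can actually load: it sanity-checks the STIX intrusion-set object before ingestion (object type, spec version, revoked/deprecated flags, presence of the mitre-attack external reference that carries the G-number) and converts the technique list into an ATT&CK Navigator layer. The trimmed copy of the STIX object and the six-technique excerpt are constructed inputs taken from the profile; the Navigator layer details (format version 4.5, tactic keys derived by lower-casing and hyphenating the tactic name, the colour and gradient fields) are assumptions about the Navigator schema and should be checked against the Navigator version you run.

```python
"""Validate the Earth Lusca (G1006) STIX object and emit an ATT&CK Navigator layer.

Added example; not code from the profile page or from MITRE. Inputs below are
constructed copies of what the profile shows. Navigator layer fields are an
assumption about the Navigator schema (format 4.5).
"""
import json
import re

# Subset of the intrusion-set object shown under "STIX Data" (constructed copy, not complete).
INTRUSION_SET = {
    "type": "intrusion-set",
    "spec_version": "2.1",
    "id": "intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034",
    "name": "Earth Lusca",
    "aliases": ["Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX"],
    "revoked": False,
    "x_mitre_deprecated": False,
    "x_mitre_domains": ["enterprise-attack", "mobile-attack"],
    "external_references": [
        {"external_id": "G1006", "source_name": "mitre-attack",
         "url": "https://attack.mitre.org/groups/G1006"},
        {"description": "(Citation: Recorded Future TAG-22 July 2021)",
         "source_name": "TAG-22"},
    ],
}

# Constructed excerpt of the profile's technique list: a tactic heading, then the
# "Txxxx - Name" entries the profile records under that tactic.
TECHNIQUE_LIST = """\
Credential Access
  T1003.001 - LSASS Memory
  T1003.006 - DCSync
Defense Evasion
  T1218.005 - Mshta
Execution
  T1053.005 - Scheduled Task
Initial Access
  T1190 - Exploit Public-Facing Application
Persistence
  T1098.004 - SSH Authorized Keys
"""

TECHNIQUE_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?) - (.+)$")


def group_id(obj):
    """ATT&CK group ID (e.g. G1006) from the mitre-attack external reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def check_intrusion_set(obj):
    """Return the reasons not to ingest this object; an empty list means it is usable."""
    problems = []
    if obj.get("type") != "intrusion-set":
        problems.append("not an intrusion-set")
    if obj.get("spec_version") != "2.1":
        problems.append("unexpected spec_version")
    if obj.get("revoked"):
        problems.append("object is revoked")
    if obj.get("x_mitre_deprecated"):
        problems.append("object is deprecated")
    if group_id(obj) is None:
        problems.append("no mitre-attack external reference")
    return problems


def parse_technique_list(text):
    """Parse tactic headings with 'Txxxx - Name' entries into (id, name, tactic) tuples."""
    tactic, out = None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = TECHNIQUE_RE.match(line)
        if m is None:
            tactic = line  # a non-technique line is the heading for the entries below it
            continue
        if tactic is None:
            raise ValueError(f"line {n}: technique before any tactic heading: {line!r}")
        out.append((m.group(1), m.group(2), tactic))
    return out


def tactic_slug(tactic):
    """Navigator tactic key, e.g. 'Command and Control' -> 'command-and-control' (assumed scheme)."""
    return tactic.strip().lower().replace(" ", "-")


def build_layer(obj, techniques, domain="enterprise-attack"):
    """Assemble a Navigator layer dict; duplicate (technique, tactic) pairs are collapsed."""
    seen, entries = set(), []
    for tid, name, tactic in techniques:
        key = (tid, tactic_slug(tactic))
        if key in seen:
            continue
        seen.add(key)
        entries.append({"techniqueID": tid, "tactic": key[1], "score": 1,
                        "color": "#e60d0d", "comment": name, "enabled": True})
    return {
        "name": f"{obj['name']} ({group_id(obj)})",
        "versions": {"layer": "4.5", "attack": "15", "navigator": "5.0"},  # assumed
        "domain": domain,
        "description": "aliases: " + ", ".join(obj.get("aliases", [])),
        "techniques": entries,
        "gradient": {"colors": ["#ffffff", "#e60d0d"], "minValue": 0, "maxValue": 1},
    }


if __name__ == "__main__":
    problems = check_intrusion_set(INTRUSION_SET)
    if problems:
        raise SystemExit("refusing to ingest: " + "; ".join(problems))
    layer = build_layer(INTRUSION_SET, parse_technique_list(TECHNIQUE_LIST))
    print(json.dumps(layer, indent=2))
```

The layer keeps the single tactic the profile records for each technique, so T1053.005 is highlighted only under Execution even though Scheduled Task also appears under Persistence and Privilege Escalation in ATT&CK; drop the "tactic" key from each entry if you want Navigator to colour every cell the technique occupies. The pre-ingestion check matters because ATT&CK groups are occasionally revoked or merged, and a revoked object still parses cleanly.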