THREATOPS Actor Dossier
LIVE ← Dashboard

Earth Lusca

G100639 reports
aliases · Earth Lusca · TAG-22 · Charcoal Typhoon · CHROMIUM · ControlX
Export dossier:
39
Reports
12
Techniques
8
Tactics
16
Countries
25%
Hunt coverage
5
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1588.006 (Vulnerabilities), T1589.001 (Credentials), T1059.001 (PowerShell).
  • Primary targeting: US, CN, BR, EG.
  • Vulnerabilities exploited: 15 CVE(s) cited across multiple reports (e.g. CVE-2025-55182, CVE-2026-45586, CVE-2024-21762, CVE-2025-8088).
  • Steady activity: 8 report(s) in last 30d vs 6 prior (+33%).
  • Recent movement: 8 new technique(s), 158 new infrastructure indicator(s) in the last 30 days.
  • Hunt coverage 25% of 140 observed techniques (105 gap(s)).
  • Assessment confidence: medium (62).

Activity & trend

SteadyLast 30d: 8 vs 6 prior (+33%)· first reported 2024-11-15 · last 2026-07-10
5
7d
8
30d
18
90d
39
All
1.4
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

New techniques
T1689T1087.002T1586.002T1585.002T1136.002T1134.003T1087.004T1136.003
Dropped (90d+)
T1590.005T1047T1583.008T1219T1207T1021.006T1555.004T1558.003T1583.002T1584.002T1569T1556.006
Targeting gained
INRU
Targeting lost
CNDEFRMXPLTR
New infrastructure
f224144c99002bcd3c06ed86c169429d4be1e5dchttps://rubygems.orghttps://attacker.example/leakhttp://127.0.0.1:14567/https://denizhalil.com/2026/06/12/cve-20https://labs.watchtowr.com/why-use-app-lhttps://www.pwndefend.com/2026/06/09/cve8c4a30f1f7d1ba896a8593f0331202ae6f66e88912078fa347d7e4f80e9bd3d0https://scottaaronson.blog/?p=9718https://csrc.nist.gov/projects/pqc-dig-shttps://falcon-sign.info/

Vulnerabilities in this actor's reporting · 862

Overview

Analyst triage
Intelligence summary

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)

Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster, however security researchers assess Earth Lusca's techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected