Earth Lusca
G100639 reportsAnalyst assessment — key judgments
- Signature techniques: T1588.006 (Vulnerabilities), T1589.001 (Credentials), T1059.001 (PowerShell).
- Primary targeting: US, CN, BR, EG.
- Vulnerabilities exploited: 15 CVE(s) cited across multiple reports (e.g. CVE-2025-55182, CVE-2026-45586, CVE-2024-21762, CVE-2025-8088).
- Steady activity: 8 report(s) in last 30d vs 6 prior (+33%).
- Recent movement: 8 new technique(s), 158 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 25% of 140 observed techniques (105 gap(s)).
- Assessment confidence: medium (62).
Activity & trend
Movement — last 30 days
Vulnerabilities in this actor's reporting · 862
- CVE-2025-55182KEV3 rpt
- CVE-2026-455863 rpt
- CVE-2024-21762KEV2 rpt
- CVE-2025-8088KEV2 rpt
- CVE-2026-11645KEV2 rpt
- CVE-2026-21513KEV2 rpt
- CVE-2026-33825KEV2 rpt
- CVE-2026-41091KEV2 rpt
- CVE-2025-549572 rpt
- CVE-2026-212622 rpt
- CVE-2026-251872 rpt
- CVE-2026-261272 rpt
- CVE-2026-410892 rpt
- CVE-2026-491602 rpt
- CVE-2026-505072 rpt
- CVE-2016-4437KEV1 rpt
- CVE-2017-7921KEV1 rpt
- CVE-2019-6693KEV1 rpt
- CVE-2020-1472KEV1 rpt
- CVE-2021-22054KEV1 rpt
- CVE-2021-22681KEV1 rpt
- CVE-2021-26855KEV1 rpt
- CVE-2021-27877KEV1 rpt
- CVE-2021-27878KEV1 rpt
- CVE-2021-30952KEV1 rpt
Overview
Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)
Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster, however security researchers assess Earth Lusca's techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)
ATT&CK technique matrix
- T1588.006 · Vulnerabilitiesconf 7722
- T1589.001 · Credentialsconf 7517
- T1059.001 · PowerShellconf 7511
- T1059.007 · JavaScriptconf 7510
- T1213.002 · Sharepointconf 758
- T1684 · Social Engineeringconf 757
- T1053.005 · Scheduled Taskconf 705
- T1021.007 · Cloud Servicesconf 825
- T1027.015 · Compressionconf 755
- T1684.001 · Impersonationconf 754
- AML.T0073 · Impersonationconf 754
- T1204.002 · Malicious Fileconf 703
Threat catalogue · engineering roadmap
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
Relationships
Activity
| Title | Source | Severity | Collected |
|---|