Clankerusecase
Threat-actor profile

🇨🇳 Earth Lusca

Earth Lusca is a tracked threat actor in the Clankerusecase corpus. Alignment: China (CN-aligned). Primary motivation: state espionage. The corpus maps 14 detection use cases to this actor across 44 MITRE ATT&CK techniques; no threat-intel articles in the corpus currently cite this actor, and no IOCs are recorded for it.

MITRE ATT&CK group: [G1006](https://attack.mitre.org/groups/G1006)

- Use cases: 14
- Articles: 0
- Techniques: 44
- IOCs: 0

About this actor (MITRE)

[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in C

Known aliases

- Earth Lusca
- TAG-22
- Charcoal Typhoon
- CHROMIUM
- ControlX


Detection use cases (14)

Actor-specific use cases (AI-generated from the actor profile):

- Earth Lusca DLL side-loading via abused signed binaries staged outside Program Files (AI · profile; S)
- Earth Lusca Exchange / IIS web-shell discovery: w3wp.exe spawning interactive recon binaries (AI · profile; S, Σ)

Use cases mapped by MITRE technique overlap (MITRE match):

- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes
- Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload)
- Developer package install spawning script-host with non-registry C2 within 5 minutes
- Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition
- Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress
- npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules
- OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay
- Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access
- Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry
- Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes
- Package manager lifecycle hook spawns network-fetching shell or runtime
- Package-install lifecycle script harvests local credentials and beacons to a non-baselined domain