A sophisticated Chinese state-sponsored hacking group, Earth Estries, has emerged as a significant cybersecurity threat, targeting critical infrastructure worldwide. The group has successfully infiltrated over 20 organizations across 13 countries, with a particular focus on Southeast Asia and the United States.
Impact and Scope
The campaign has compromised approximately 150 U.S. telecommunications companies, alongside government networks, technology firms, and other strategic sectors. This widespread attack demonstrates a systematic approach to data collection and cyber espionage.
Technical Arsenal
Earth Estries deploys an advanced suite of malware tools, including:
• GHOSTSPIDER – A newly discovered backdoor
• MASOL RAT – Linux-based backdoor
• Demodex rootkit
• Deed RAT
The group exploits vulnerabilities in widely deployed security platforms such as Ivanti Connect Secure, Fortinet FortiClient, Sophos Firewall, and Microsoft Exchange Server, and relies on TLS-encrypted command-and-control channels and a modular attack infrastructure.
Operational Profile
Operating since 2020, Earth Estries (also known as FamousSparrow and GhostEmperor) demonstrates advanced operational security and maintains distinct regional teams. The group’s activities represent a strategic shift in Chinese cyber operations, moving from targeted attacks to comprehensive infrastructure compromise.
This campaign highlights China’s evolving cyber capabilities and its focus on long-term espionage, particularly targeting global telecommunications infrastructure and government networks.