
According to a report issued by Trend Micro, malicious campaigns are targeting organizations globally, including the Philippine government. The adversary, dubbed Earth Lusca, is an elusive, financially motivated threat actor based in China that uses traditional social engineering techniques such as spear phishing and watering holes.

Telemetry data gathered by Trend Micro revealed that Earth Lusca staged attacks against entities that could be of strategic interest to the Chinese government, including:

  • Gambling companies in Mainland China
  • Government institutions in Taiwan, Thailand, Philippines, Vietnam, United Arab Emirates, Mongolia, and Nigeria
  • Educational institutions in Taiwan, Hong Kong, Japan, and France
  • News media in Taiwan, Hong Kong, Australia, Germany, and France
  • Pro-democracy and human rights political organizations and movements in Hong Kong
  • Covid-19 research organizations in the United States
  • Telecom companies in Nepal
  • Religious movements that are banned in Mainland China
  • Various cryptocurrency trading platforms


A. Nature of Attack

The threat group has been identified using three primary vectors to infect its targets.

1) Spear Phishing

Through spear phishing, Earth Lusca sends its targets emails containing either a link to, or an attachment of, a malicious LNK file or executable; opening it leads to Cobalt Strike being downloaded onto the targeted device.
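As an added illustration of the attachment vector described above (this is not code from the CERT-PH advisory or from Trend Micro's report), the following mail-gateway check flags LNK files and executables by their header bytes as well as by file extension, so a shell link renamed to ".pdf" is still caught. The message it scans is constructed inline.

```python
import email
from email import policy
from email.message import EmailMessage

# Windows shell-link (LNK) header: HeaderSize 0x4C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
MZ_MAGIC = b"MZ"  # DOS/PE executable header
RISKY_EXTENSIONS = {".lnk", ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}


def classify_attachment(filename, payload):
    """Return the reasons an attachment should be flagged (empty list = nothing found)."""
    reasons = []
    name = (filename or "").lower()
    # Every suffix is checked, so a double extension such as 'invoice.pdf.lnk' is caught.
    suffixes = {"." + part for part in name.split(".")[1:]}
    risky = sorted(suffixes & RISKY_EXTENSIONS)
    if risky:
        reasons.append("risky extension " + ",".join(risky))
    # Content checks do not trust the name or the declared MIME type at all.
    if payload.startswith(LNK_MAGIC):
        reasons.append("LNK shell-link header regardless of file name")
    if payload.startswith(MZ_MAGIC):
        reasons.append("MZ executable header regardless of file name")
    return reasons


def scan_message(raw):
    """Map each flagged attachment's file name to its list of reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(), payload)
        if reasons:
            findings[part.get_filename() or "<unnamed>"] = reasons
    return findings


def build_sample():
    """Constructed sample message (not a real campaign artifact): an LNK disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Updated document"
    msg.set_content("Please review the attached file.")
    fake_lnk = LNK_MAGIC + b"\x00" * 32  # minimal header only, not a working shortcut
    msg.add_attachment(fake_lnk, maintype="application", subtype="pdf", filename="Budget 2022.pdf")
    msg.add_attachment("Quarterly notes", filename="notes.txt")
    return bytes(msg)
```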

2) Watering Hole

A watering hole attack is a targeted attack designed to compromise users within a specific industry or group by infecting websites they typically visit and luring them to a malicious site. Using this method, the group injects malicious JavaScript code into its targets' compromised websites or sets up fake web pages copied from legitimate ones.

3) Server Vulnerabilities

Earth Lusca has been observed exploiting vulnerabilities such as Microsoft Exchange ProxyShell and Oracle GlassFish. Exploiting a vulnerability in an application or device is the first step in gaining access to the targeted device.


B. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Run anti-virus software and/or a host-based detection tool, kept at the latest version; this is a must.
  • Regularly check for and apply the latest software patches, especially to public-facing applications.
  • Proactively monitor and secure identified systems and devices against any suspicious or malicious activity.
  • Take a good backup of the system before patching, in case anomalies or issues are encountered.
  • In addition, provide employees with cybersecurity knowledge and training to minimize the attack surface.
  • For additional information, kindly refer to the official Advisory (