The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns

    Date: 10/24/2025

    Severity: Medium

    Summary

    The report explores the growing collaboration between China-aligned APT groups, particularly Earth Estries and Earth Naga, in a trend dubbed “Premier Pass-as-a-Service.” This model involves one group, like Earth Estries, acting as an access broker for another, such as Earth Naga, to enable continued exploitation of targets. Their cooperation complicates detection and attribution and has been observed targeting government, telecommunications, and retail sectors across the APAC region. A four-tier framework is introduced to classify and better understand these evolving, cooperative cyberespionage tactics.

    Indicators of Compromise (IOC) List

    URLs/Domains

    myoffice.techralsolution.com

    helpdesk.athenatechlabs.com

    updata.mgil01.workers.dev

    back-trust-aurora.cluster-ctrjumtpbmf.mnl-east-2.timcorpnet.com

    afddd9d14453d4f9-1e185df7e4.ap-southeast-mnl.timcorpnet.com

    IP Address

    45.92.158.50

    Hash
    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "updata.mgil01.workers.dev" or siteurl like "updata.mgil01.workers.dev" or url like "updata.mgil01.workers.dev"
    or domainname like "myoffice.techralsolution.com" or siteurl like "myoffice.techralsolution.com" or url like "myoffice.techralsolution.com"
    or domainname like "helpdesk.athenatechlabs.com" or siteurl like "helpdesk.athenatechlabs.com" or url like "helpdesk.athenatechlabs.com"
    or domainname like "back-trust-aurora.cluster-ctrjumtpbmf.mnl-east-2.timcorpnet.com" or siteurl like "back-trust-aurora.cluster-ctrjumtpbmf.mnl-east-2.timcorpnet.com" or url like "back-trust-aurora.cluster-ctrjumtpbmf.mnl-east-2.timcorpnet.com"
    or domainname like "afddd9d14453d4f9-1e185df7e4.ap-southeast-mnl.timcorpnet.com" or siteurl like "afddd9d14453d4f9-1e185df7e4.ap-southeast-mnl.timcorpnet.com" or url like "afddd9d14453d4f9-1e185df7e4.ap-southeast-mnl.timcorpnet.com"

    Detection Query 2:

    dstipaddress IN ("45.92.158.50") or srcipaddress IN ("45.92.158.50")

    Detection Query 3:

    sha256hash IN (
    "ac29c2dbec74dd4c05fa4ea4544c2e619f62cfe3b874746d94a13cf7ce3cbeff",
    "bd6988826d26c986912a07837c69775359cdb05b4db9ad300052e81391d5678d",
    "b053e8694ab492b0051d4c18f56d9da7e4ce13b3cd2daa023a031e8e58b36a22",
    "21442da01117afc571c25f3944c3f05796f73920af850027ac75a17e45942eb2",
    "fe216710b8579c314008bbda96a5e302bd75e3543c57a2f4318cf490470858d6",
    "b5b2cba6da79e608a7009bfa702d56eeba23b26d159646b250f5a32222b6395b",
    "4a0a776fb69f90837eb03ad394273e187f0466fd8293268e5d4896bd2722e356",
    "1bd50c76cbe79111d3df12f812b4ac4a53a3f8fba3266a04721d964a5c125323",
    "68525e41f3faaa1b03dc8cbdd4f428d1f9f0242421f704862461c4ac350afb71",
    "843f8aea7842126e906cadbad8d81fa456c184fb5372c6946978a4fe115edb1c",
    "cc008024faf71eed6f2e7bc4efeea1df2238fd5947bf369015edb6efd46bd906",
    "07b1f5d83b83f9fb38efbee596b508099bfe4b986f3701a6cf1e093b65a27eeb",
    "2b617962b5691f27bd6c48700496710b9a82326a89499308dfdb7b505a585e6f",
    "c76009638e6e36785fcaea9eb25214c5a0d25eb4fa49d725984ef44d953228b9",
    "000f30792da01647cf040c0734bfa968af24b430e8bfa0886b1b4fe8b1caa753"
    )
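    The three queries above express the same logic against three kinds of fields: hostname fields compared with the C2 domains, either side of a connection compared with the C2 IP, and a file hash compared with the SHA-256 set. The following is an added example, not Gurucul's code or the advisory's own, that applies that logic to constructed log records so the matching can be checked offline; it assumes the same field names the queries use, treats the `like` comparison as an exact match on the hostname extracted from a bare domain or a full URL, and uses only two of the page's hashes for brevity.

```python
import re

# Indicators quoted from the advisory above (domains, IP, and two of the SHA-256 hashes).
IOC_DOMAINS = {
    "myoffice.techralsolution.com",
    "helpdesk.athenatechlabs.com",
    "updata.mgil01.workers.dev",
    "back-trust-aurora.cluster-ctrjumtpbmf.mnl-east-2.timcorpnet.com",
    "afddd9d14453d4f9-1e185df7e4.ap-southeast-mnl.timcorpnet.com",
}
IOC_IPS = {"45.92.158.50"}
IOC_SHA256 = {
    "bd6988826d26c986912a07837c69775359cdb05b4db9ad300052e81391d5678d",
    "ac29c2dbec74dd4c05fa4ea4544c2e619f62cfe3b874746d94a13cf7ce3cbeff",
}

def _host_of(value):
    """Lower-cased hostname from a bare domain or a full URL ('' if none)."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", value.strip().lower())
    return m.group(1) if m else ""

def match_event(event):
    """Return the list of query numbers (1, 2, 3) whose conditions this event satisfies."""
    hits = []
    # Query 1: domainname/siteurl/url against the C2 domains. Assumption: the page's
    # `like` is treated here as an exact hostname comparison, not a substring match.
    hosts = {_host_of(event.get(f, "")) for f in ("domainname", "siteurl", "url")}
    if hosts & IOC_DOMAINS:
        hits.append(1)
    # Query 2: either side of the connection against the C2 IP.
    if {event.get("srcipaddress"), event.get("dstipaddress")} & IOC_IPS:
        hits.append(2)
    # Query 3: file hash against the SHA-256 set; hashes are normalised to lower case
    # so a collector that emits upper-case hex still matches.
    if event.get("sha256hash", "").lower() in IOC_SHA256:
        hits.append(3)
    return hits

def scan(events):
    """Return [(index, hits)] for every event that triggers at least one query."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]

SAMPLE_EVENTS = [  # constructed records for illustration, not taken from the advisory
    {"url": "https://helpdesk.athenatechlabs.com/login", "dstipaddress": "203.0.113.7"},
    {"srcipaddress": "10.0.0.5", "dstipaddress": "45.92.158.50"},
    {"sha256hash": "BD6988826D26C986912A07837C69775359CDB05B4DB9AD300052E81391D5678D"},
    {"domainname": "mail.example.net", "dstipaddress": "198.51.100.9"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index} matched detection query {hits}")
```

    Only the first three constructed events match (one per query); the fourth, benign record produces no hit.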

    Reference:

    https://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html


    Tags

    Threat Actor, APT, China, Earth Estries, Earth Naga, PaaS, Government Services and Facilities, Communications, Commercial Facilities
