A cyberespionage group known as Earth Hundun has been actively targeting the technology and government sectors in the Asia-Pacific region for several years. One of the group’s key tools is the Waterbear malware, which has gone through numerous versions since 2009 and is known for its complexity and its detection-evasion mechanisms.

In 2022, Earth Hundun began using the latest version of Waterbear, called Deuterbear, which includes anti-memory-scanning and decryption routines. This new iteration has raised concerns, as it is considered a different malware entity from the original Waterbear.

Cyberattacks targeting organizations in various sectors, including technology, research, and government, have surged recently. Waterbear has been linked to Earth Hundun, a group that focuses on gathering intelligence from technology and government organizations in the Asia-Pacific region.

The Waterbear backdoor is known for its sophisticated anti-debug, anti-sandbox, and antivirus-hindering techniques. The constant updates from its developers have made it even more difficult to detect, with enhancements in its loader, downloader, and communication protocol.

Although solutions exist for older versions of Waterbear, the group keeps enhancing its infection flows until a compromise succeeds. Some downloaders have been observed using command-and-control (C&C) servers with internal IP addresses, indicating a deep knowledge of their victims’ networks and the use of multilayered jump servers to evade detection.

These tactics highlight the advanced nature of Earth Hundun’s cyberattacks, which are aimed at maintaining a stealthy presence and control within compromised environments.

Fabio
