Are Chinese Hackers Exploiting GeoServer Vulnerabilities in Asia-Pacific?

In a growing concern for cybersecurity across the Asia-Pacific region, Chinese hackers are reportedly exploiting vulnerabilities in GeoServer, an open-source Java server designed for geospatial data management. GeoServer, widely used for sharing, processing, and editing geospatial data, has become an attractive target for a serious threat posed by an Advanced Persistent Threat (APT) group identified as “Earth Baxia.” Earth Baxia has been targeting various sectors including government agencies, telecommunications, and energy companies, particularly in countries such as Taiwan, the Philippines, South Korea, Vietnam, and Thailand. The core of this sophisticated attack appears to revolve around a Remote Code Execution (RCE) vulnerability identified as CVE-2024-36401 in GeoServer, which allows these hackers to compromise systems significantly.

Sophisticated Attack Vectors and Tactics

Earth Baxia’s attack methodology includes a detailed and intricate infection chain that showcases the group’s advanced capabilities in cyber espionage. Typically, the attack begins with spear-phishing emails containing malicious Microsoft Script (MSC) files, which act as the initial payload delivery mechanism. Once the target interacts with these files, the hackers deploy additional payloads through renowned cloud services such as Amazon Web Services (AWS) and Aliyun. This phase often includes complex tactics for payload deployment like AppDomainManager injection and a technique known as GrimResource, both of which facilitate the download and execution of malicious content onto the compromised system.

Earth Baxia also employs customized Cobalt Strike components to reinforce their attacks. Notably, they use a shellcode loader referred to as “SWORDLDR” and a novel backdoor named “EAGLEDOOR.” These elements are crucial for maintaining a foothold within the targeted systems. EAGLEDOOR stands out due to its multi-protocol communication capabilities, making it particularly difficult to detect and mitigate. It supports communication over DNS, HTTP, TCP, and even the encrypted messaging service Telegram. EAGLEDOOR’s persistence is largely attributed to DLL side-loading techniques using files named “Systemsetting.dll” and “Systemsetting.exe,” ensuring the malware remains embedded within the system.

Advanced Techniques and Obfuscation

EAGLEDOOR’s sophistication extends beyond its communication capabilities. Its persistence mechanisms and advanced obfuscation techniques illustrate Earth Baxia’s high level of technical acumen. For instance, EAGLEDOOR utilizes API hooking through a file named “Hook.dll” and conducts its primary operations via another file named “Eagle.dll.” By altering standard API behaviors, the malware can effectively conceal its activities. Additionally, sophisticated encryption methods, such as Base64 and AES, are employed to further obfuscate operations and evade traditional cybersecurity defenses, making it challenging for cybersecurity teams to pinpoint and neutralize the threat.

During data exfiltration, Earth Baxia archives the targeted information before uploading it to remote servers using tools like curl.exe. This process ensures that the exfiltrated data remains secure and undetected during transmission. The group has also demonstrated adaptability in their attack strategies by using various initial access methods, including MSC and LNK files, to introduce their full suite of malicious tools. In one notable example, they used the site “Static.krislab.site” to distribute decoy documents and Cobalt Strike components, such as “Edge.exe,” “msedge.dll,” and “Logs.txt,” which were executed via PowerShell commands.

Explore more

Compliance Drives Regulated B2B Influencer Marketing in 2026

The shifting landscape of digital authority has fundamentally transformed how enterprise-level organizations engage with industry experts and thought leaders across global markets. As the professional world moves deeper into this period of technological saturation, the superficial tactics of the past have been replaced by a rigorous commitment to transparency and legal precision. In earlier years, the simple inclusion of a

Transforming Voice of the Customer Into Predictive Action

Corporate boardrooms often overflow with real-time dashboards and complex analytics, yet many organizations still find themselves blindsided by sudden shifts in customer loyalty and market demand. While the technology to capture feedback has become ubiquitous, the structural ability to interpret and act upon that data in a meaningful timeframe remains remarkably rare for the average enterprise. Most traditional systems are

How Will Databricks CustomerLake Redefine Agentic Marketing?

The ongoing evolution of the digital landscape has forced a radical reconsideration of how enterprises capture, process, and ultimately utilize the vast oceans of consumer data generated every second of the day. Modern marketing departments have long struggled with the paradox of having too much information but not enough actionable insight to drive meaningful consumer interactions in real time. The

How Can Small Banks Compete With Global Financial Giants?

Nikolai Braiden has seen the evolution of financial architecture from its early blockchain roots to the current wave of institutional modernization, and today he joins us to dissect a pivotal shift in venture capital. With BankTech Ventures recently deploying $15 million into AI and stablecoin solutions, the landscape for regional banking is undergoing a profound transformation. Braiden’s perspective as an

Bullski Presale Tops the List of Best Meme Coins for 2026

The current cryptocurrency market in 2026 has transitioned into a highly sophisticated arena where institutional standards and community-driven viral momentum converge to create unique financial opportunities. Investors are no longer satisfied with speculative assets lacking fundamental safeguards, leading to a significant shift toward projects that prioritize technical transparency and structured growth. In this evolving landscape, the Bullski presale has emerged