April 1, 2025 — Houston, TX
Impress IT Solutions is alerting businesses to an alarming new wave of multi-stage cyber intrusions linked to a China-based threat group known as Earth Alux. This sophisticated cyberespionage campaign is targeting industries across government, tech, logistics, manufacturing, telecommunications, IT services, and retail—primarily in the APAC and LATAM regions, but the tactics are global in reach and of serious concern for U.S.-based organizations.
“We stay ahead of threats like Earth Alux so our clients don’t have to worry,” said the cybersecurity lead at Impress IT Solutions. “This threat actor’s tactics are highly evasive, and we’re actively monitoring for signs of intrusion across client environments.”
The Attack Chain: Sophisticated & Stealthy
The Earth Alux campaign begins by exploiting internet-facing applications, using them to install a Godzilla web shell, which acts as a beachhead to deploy powerful malware like VARGEIT and COBEACON.
- VARGEIT operates stealthily, loading tools into innocent-looking processes like mspaint.exe to carry out reconnaissance, data collection, and exfiltration.
- It supports lateral movement and network mapping using fileless techniques, making detection difficult.
- COBEACON, a Cobalt Strike variant, is used early in the attack chain and delivered via MASQLOADER or RSBINJECT, a Rust-based shellcode launcher.
Impress IT Solutions emphasizes that these tactics mirror those used in high-level red team simulations, but are being used by real-world threat actors with malicious intent.
Evading Detection with Precision
The attackers are also employing cutting-edge evasion methods:
- MASQLOADER bypasses endpoint protections by defeating the user-mode API hooks that security products place in Windows' ntdll.dll.
- VARGEIT stages additional payloads such as RAILLOAD, delivered via DLL side-loading, and RAILSETTER, which alters file timestamps (timestomping) and establishes persistence through scheduled tasks.
“These attackers are performing stealth tests, including ZeroEye scans and VirTest evaluations, to ensure their malware is invisible to traditional detection tools,” Impress IT explained.
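The behaviours described above (an unlikely host process such as mspaint.exe talking to the network, scheduled tasks created from an odd parent, and file creation times being rewritten) are all visible in endpoint telemetry. The following is an added detection example, not code from Impress IT Solutions or from the referenced research; it runs three simple rules over constructed Sysmon-style events, and the trusted-process allowlists are assumptions a real deployment would tune.

```python
"""Flag Sysmon-style events matching the behaviours described above (constructed sample data)."""
from typing import Iterable, List

# Binaries that should never originate network traffic; VARGEIT hides inside mspaint.exe.
NO_NETWORK_HOSTS = {"mspaint.exe", "notepad.exe", "calc.exe"}
# Assumed allowlists of processes that legitimately create tasks or rewrite file timestamps.
TRUSTED_TASK_CREATORS = {"mmc.exe", "svchost.exe", "explorer.exe"}
TRUSTED_TIMESTAMP_WRITERS = {"msiexec.exe", "tiworker.exe"}

def image_name(path: str) -> str:
    """Reduce a full image path to its lowercase file name."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: Iterable[dict]) -> List[str]:
    """Return one alert string per suspicious event (Sysmon IDs 1, 2 and 3)."""
    alerts = []
    for ev in events:
        eid, image = ev["EventID"], image_name(ev.get("Image", ""))
        if eid == 3 and image in NO_NETWORK_HOSTS:  # network connection from an unlikely host
            alerts.append(f"network connection from {image} to {ev['DestinationIp']}:{ev['DestinationPort']}")
        elif eid == 1 and image == "schtasks.exe" and "/create" in ev.get("CommandLine", "").lower():
            parent = image_name(ev.get("ParentImage", ""))  # process creation: task persistence
            if parent not in TRUSTED_TASK_CREATORS:
                alerts.append(f"scheduled task created by {parent}: {ev['CommandLine']}")
        elif eid == 2 and image not in TRUSTED_TIMESTAMP_WRITERS:  # file creation time changed
            alerts.append(f"file creation time changed by {image} on {ev['TargetFilename']}")
    return alerts

# Constructed sample events, not real telemetry; IPs are from documentation ranges.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mspaint.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mspaint.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mspaint.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\mspaint.exe",
     "CommandLine": 'schtasks.exe /create /tn "Updater" /tr C:\\ProgramData\\u.exe /sc minute'},
    {"EventID": 2, "Image": r"C:\ProgramData\u.exe", "TargetFilename": r"C:\ProgramData\rail.dll"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationIp": "198.51.100.5",
     "DestinationPort": 443},
    {"EventID": 2, "Image": r"C:\Windows\System32\msiexec.exe", "TargetFilename": r"C:\Program Files\App\app.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Only the three malicious-looking events are reported; the browser connection and the installer's timestamp change are allowlisted.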
Why Houston Businesses Should Care
While the Earth Alux campaign has largely been seen in Asia and Latin America, its techniques are not region-bound. Organizations in Houston and the U.S. can face similar attacks via reused toolkits, shared codebases, or secondary campaigns.
“We’ve seen time and time again that what starts overseas often finds its way here,” said a security analyst at Impress IT Solutions. “We use advanced monitoring, behavioral analytics, and managed detection and response to stay ahead of evolving threats like this.”
How Impress IT Solutions Protects Clients
- Proactive patching and configuration hardening of internet-facing apps
- Endpoint Detection & Response (EDR) to catch stealthy, fileless malware
- Threat intelligence feeds that include global actors like Earth Alux
- Managed detection & response (MDR) to investigate suspicious lateral movement
- Zero trust principles to prevent unauthorized privilege escalation
“Earth Alux is just one example of why cyber hygiene, visibility, and response are essential,” Impress IT concluded. “Our clients trust us to keep their infrastructure safe—even against actors operating at a nation-state level.”