Detecting Premier Pass-as-a-Service:
A Blue Team Hunting Guide for APT Collaboration
The emergence of the Premier Pass-as-a-Service (PaaS) model represents a dangerous evolution in advanced persistent threat (APT) operations, shifting the threat landscape from isolated attacks to coordinated, multi-group intrusions. Unlike simple initial access brokers who sell a single compromised entry point, PaaS involves one APT, like Earth Estries, providing a second group, such as Earth Naga, with a fully provisioned, persistent "operational box" deep inside the target environment, making eradication exceptionally challenging.
This sophisticated threat model is best understood through the analogy of a "Ghost in the Machine." While your security controls might be focused on stopping the front-door burglary, the PaaS model means a trusted insider, already placed and validated, is handing a ghost key to a second operator inside your network perimeter. This bypasses many traditional perimeter defenses and internal segmentation checks by leveraging the initial trust established by the first actor.
For CISOs and Directors, the core business risk is not merely breach notification, but sustained, undetected cyber espionage targeting critical intellectual property and government-related data. The high complexity of attribution, due to two distinct threat groups sharing access and infrastructure, creates organizational paralysis, delaying incident response and complicating regulatory compliance. This model dramatically increases financial consequences by extending the dwell time, maximizing data exfiltration, and turning an isolated incident into a prolonged, costly operational compromise across sensitive sectors like telecommunications and government services.
Hunting Controls & Observations
Defensive teams should focus on monitoring for the subtle behavioral indicators associated with the provisioning and usage of an internal "operational box" across the following telemetry sources:
- Endpoint (EDR/AV): Look for the execution of legitimate tools, such as the VSCode Remote Tunnel binary, being run as a service or with uncommon command-line parameters to establish a persistent connection.
- Identity/IAM: Monitor for the creation of new, non-standard service accounts or the modification of existing, low-privilege accounts being granted unexpected access or logon types (e.g., Interactive or Service Logons).
- Email Security & Proxy Logs: Focus on proxy logs for unusual high-volume outbound connections from unexpected hosts to known generic cloud infrastructure IP ranges (AWS, Azure, Google Cloud) that are not associated with corporate services.
- Firewall / NetFlow: Analyze NetFlow data for consistent, low-volume, high-entropy connections utilizing standard web ports (443, 80) to non-corporate destinations, suggesting encrypted command-and-control (C2) tunneling.
- Cloud Audit Logs: Search for API calls related to the creation or modification of cloud-native resources that could be used for covert C2 or data staging, such as new Azure Function Apps or AWS EC2 instances that are quickly provisioned and terminated.
- Windows Security Log: Closely monitor Event IDs 4697 (Service Installation) and 4624 (Successful Logon) for local service installations using unusual account types or local logons from suspicious lateral movement sources.
Behavioral Indicators of Attack
The "Premier Pass" hand-off is characterized by a distinct shift in activity, moving from initial compromise to establishing long-term, multi-actor C2 infrastructure, visible through these behavioral indicators:
- Suspicious execution of dual-use remote administration or tunneling tools (e.g., VSCode Remote Tunnel, RDP clients, SSH clients) outside of standard IT administration hosts or user profiles.
- Process behavior observation where a non-browser process initiates outbound network connections to high-reputation, generic cloud service IPs on ports 443 or 80, indicating a potential covert tunnel.
- Registry or system change involving the creation of new Windows services or scheduled tasks by unprivileged accounts, designed to execute persistent implants or remote access binaries like code.exe.
- Network behavior characterized by consistent beaconing to a single, foreign IP or domain over a prolonged period, often disguised as legitimate traffic through TLS encryption and using a common user agent.
- Unusual command-line patterns leveraging native binaries (Living Off The Land Binaries - LOLBAS) for file staging or basic reconnaissance immediately preceding the deployment of the second threat actor's payload.
MITRE Enterprise ATT&CK Tactics and Techniques
The PaaS model leverages a complex attack methodology that spans multiple stages of the adversary lifecycle, focusing heavily on enabling and sustaining multi-actor access. The critical alignment with the MITRE ATT&CK framework can be found in the Enterprise Matrix.
- Command and Control (TA0011 – T1572 Protocol Tunneling): This is the defining tactic, where the access broker (Earth Estries) uses tools like the VSCode Remote Tunnel to create a persistent, outbound tunnel to a remote server, establishing the 'operational box' for the secondary actor (Earth Naga).
- Persistence (TA0003 – T1053 Scheduled Task/Job): Attackers use scheduled tasks or new Windows services to ensure their remote access tool (e.g., a tunnel client) automatically runs on system reboot, guaranteeing the Premier Pass remains valid for future use.
- Execution (TA0002 – T1059 Command and Scripting Interpreter): Initial setup and configuration often rely on invoking cmd.exe or powershell.exe with highly obfuscated or base64-encoded arguments to download and execute the tunnel client software.
- Defense Evasion (TA0005 – T1036 Masquerading): The use of legitimate, high-reputation software (like VSCode or other dual-use tools) helps the attackers blend in with benign activity, avoiding detection by security baselines focused purely on known malicious artifacts.
Controls' Observables
Effective detection requires a holistic view across the entire security architecture. Organizations must identify and enrich telemetry from the following controls to observe the distinct behaviors associated with the PaaS setup and subsequent utilization.
Endpoint Controls
- EDR/XDR telemetry must capture all process creation events, specifically including the full command-line arguments for all native Windows binaries and scripting interpreters.
- Detailed logging of file creation and modification, particularly within user profile directories (e.g., AppData) where portable or single-file remote access tools are often dropped and executed.
- Mandatory PowerShell script block logging and transcription should be enforced across all high-value hosts to reveal obfuscated commands used during the setup phase.
- Sysmon configuration should include rules to monitor for the creation of new auto-start keys in the registry (Event IDs 12/13/14) and for raw disk access that bypasses the file system (Event ID 9).
Network Controls
- Deep Packet Inspection (DPI) or TLS inspection is necessary to analyze the content and volume of encrypted traffic flowing to known residential, VPS, or cloud-hosting IP space, searching for C2 artifacts.
- Firewall logs and IDS/IPS should be leveraged to identify outbound connections to non-standard ports or suspicious geolocations, even when using common ports like 443.
- NetFlow/IPFIX data should be analyzed for session metadata, looking for long-lived, bi-directional connections initiated by non-browser applications that consistently transfer small amounts of data, indicative of beaconing.
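The beaconing traits named in the NetFlow bullets above (regular intervals, consistently small transfers to one destination on 443/80) can be scored directly from flow metadata. The following is an added example, not code from the original guide or from Trend Micro; the flow records, thresholds and host addresses are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (epoch seconds, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # Host .21: ~60 s interval with 1-2 s jitter and near-constant payload -> beacon-like
    *[(1_700_000_000 + 60 * i + (i % 3), "10.0.5.21", "203.0.113.40", 443, 512 + 8 * (i % 2))
      for i in range(20)],
    # Host .22: widening gaps and varied sizes, as interactive browsing looks -> benign
    *[(1_700_000_000 + int(37 * i ** 1.5), "10.0.5.22", "198.51.100.9", 443, 900 + 400 * (i % 5))
      for i in range(20)],
]

def beacon_scores(flows, min_flows=8):
    """Return {(src, dst, port): (interval_cv, bytes_cv, n)} for pairs with at least
    min_flows records. cv = pstdev / mean; values near 0 mean metronome-like timing
    and fixed-size payloads, the traits the guide associates with tunnel C2."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))
    scores = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        intervals = [later[0] - earlier[0] for earlier, later in zip(recs, recs[1:])]
        sizes = [nbytes for _, nbytes in recs]
        interval_cv = pstdev(intervals) / mean(intervals) if mean(intervals) else 0.0
        bytes_cv = pstdev(sizes) / mean(sizes)
        scores[pair] = (round(interval_cv, 3), round(bytes_cv, 3), len(recs))
    return scores

def suspected_beacons(flows, max_interval_cv=0.2, max_bytes_cv=0.2):
    """Pairs whose timing and size regularity both fall under the thresholds (tune per network)."""
    return sorted(pair for pair, (icv, bcv, _) in beacon_scores(flows).items()
                  if icv <= max_interval_cv and bcv <= max_bytes_cv)

if __name__ == "__main__":
    for pair, score in sorted(beacon_scores(FLOWS).items()):
        print(pair, "interval_cv=%.3f bytes_cv=%.3f n=%d" % score)
    print("suspected beacons:", suspected_beacons(FLOWS))
```

Real flows also carry sleep jitter and occasional gaps, so run the score over a day or more of data before treating a low-cv pair as a finding.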
Identity & Access Controls
- Review Windows Event Logs for logon types (Type 5 - Service, Type 10 - RemoteInteractive) that do not align with the account's intended function, suggesting the attacker has configured a new persistence mechanism.
- Active Directory audit logs must be enabled and reviewed for unusual account privilege modifications, such as adding low-privilege users to sensitive groups like Remote Desktop Users.
- Identity Provider (IdP) logs (e.g., Okta, Azure AD) should be monitored for suspicious multi-factor authentication (MFA) enrollment changes or session hijacking indicators immediately preceding a major operational change.
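The Windows Security log hunts above (Event ID 4697 service installations and 4624 logon types that do not fit the account) can be correlated in a few lines once the events are parsed. This is an added example, not code from the original guide or from Trend Micro; the events, the per-account logon-type baseline and the correlation window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed per-account expected logon types (hypothetical baseline): 2 Interactive, 3 Network,
# 5 Service, 10 RemoteInteractive. Accounts absent from the map are always flagged.
EXPECTED_LOGON_TYPES = {"svc_backup": {5}, "jdoe": {2, 3}, "helpdesk01": {3, 10}}
USER_WRITABLE = re.compile(r"(?i)\\Users\\Public\\|\\AppData\\Local\\")

# Constructed events in a parsed-EVTX shape: 4697 = service installed, 4624 = successful logon
EVENTS = [
    {"ts": "2025-10-20T02:14:05", "id": 4697, "host": "FS01", "account": "jdoe",
     "service": "VSCodeTunnel", "image": r"C:\Users\Public\Downloads\code.exe tunnel"},
    {"ts": "2025-10-20T02:14:40", "id": 4624, "host": "FS01", "account": "jdoe", "logon_type": 5},
    {"ts": "2025-10-20T08:00:00", "id": 4697, "host": "DC01", "account": "svc_backup",
     "service": "BackupAgent", "image": r"C:\Program Files\Backup\agent.exe"},
    {"ts": "2025-10-20T08:00:30", "id": 4624, "host": "DC01", "account": "svc_backup", "logon_type": 5},
    {"ts": "2025-10-20T09:12:00", "id": 4624, "host": "WS07", "account": "helpdesk01", "logon_type": 10},
]

def _when(event):
    return datetime.fromisoformat(event["ts"])

def suspicious_service_installs(events):
    """4697 events whose service binary (ServiceFileName) lives in a user-writable path."""
    return [e for e in events if e["id"] == 4697 and USER_WRITABLE.search(e["image"])]

def anomalous_logons(events, expected=EXPECTED_LOGON_TYPES):
    """4624 events whose logon type is outside the account's expected set."""
    return [e for e in events
            if e["id"] == 4624 and e["logon_type"] not in expected.get(e["account"], set())]

def install_then_service_logon(events, window=timedelta(minutes=10)):
    """Pair each suspicious 4697 with a Type 5 (Service) 4624 on the same host inside the
    window: a new service followed by a service logon is the persistence hand-off signal.
    Returns [(service_name, host, logon_account)]."""
    hits = []
    for inst in suspicious_service_installs(events):
        for e in events:
            if (e["id"] == 4624 and e["host"] == inst["host"] and e["logon_type"] == 5
                    and timedelta(0) <= _when(e) - _when(inst) <= window):
                hits.append((inst["service"], inst["host"], e["account"]))
    return hits

if __name__ == "__main__":
    print("suspicious installs:", [e["service"] for e in suspicious_service_installs(EVENTS)])
    print("anomalous logons:", [(e["account"], e["logon_type"]) for e in anomalous_logons(EVENTS)])
    print("install -> service logon:", install_then_service_logon(EVENTS))
```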
Cloud & SaaS
- Cloud provider audit logs (AWS CloudTrail, Azure Activity Log) must be collected and ingested to detect the creation of new user roles, external sharing links, or virtual machine images that could serve as external staging or C2 infrastructure.
- Review Office 365 or G Suite audit logs for mail forwarding rules, external tenant access, or unexpected creation of cloud storage buckets used for initial data staging prior to exfiltration.
- Cloud-native security tools must be configured to alert on API calls from non-federated identities or those exhibiting high-risk behavior such as resource creation and rapid deletion.
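The "resource creation and rapid deletion" pattern from the cloud bullets above can be pulled out of CloudTrail by pairing RunInstances with the matching TerminateInstances. This is an added example, not code from the original guide or from Trend Micro; the records are constructed and trimmed to the CloudTrail fields the logic uses, and the 120-minute lifetime threshold is an assumption.

```python
from datetime import datetime

# Constructed CloudTrail-style records (trimmed to the fields used here)
RECORDS = [
    {"eventTime": "2025-10-21T01:02:03Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc111"}]}}},
    {"eventTime": "2025-10-21T01:41:10Z", "eventName": "TerminateInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc111"}]}}},
    {"eventTime": "2025-10-21T03:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "AssumedRole", "userName": "ops"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0def222"}]}}},
    {"eventTime": "2025-10-23T03:00:00Z", "eventName": "TerminateInstances",
     "userIdentity": {"type": "AssumedRole", "userName": "ops"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0def222"}]}}},
]

def _when(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _instance_ids(rec, section):
    # RunInstances lists new ids under responseElements; TerminateInstances under requestParameters
    return [i["instanceId"] for i in rec.get(section, {}).get("instancesSet", {}).get("items", [])]

def short_lived_instances(records, max_minutes=120):
    """Return [(instance_id, lifetime_minutes, creator, identity_type)] for instances terminated
    within max_minutes of creation. identity_type lets the caller weight non-federated
    (IAMUser) actors higher, as the guide recommends."""
    created = {}
    flagged = []
    for rec in sorted(records, key=_when):
        if rec["eventName"] == "RunInstances":
            for iid in _instance_ids(rec, "responseElements"):
                created[iid] = rec
        elif rec["eventName"] == "TerminateInstances":
            for iid in _instance_ids(rec, "requestParameters"):
                run = created.pop(iid, None)
                if run is None:
                    continue  # created outside the analysed window
                minutes = int((_when(rec) - _when(run)).total_seconds() // 60)
                if minutes <= max_minutes:
                    ident = run["userIdentity"]
                    flagged.append((iid, minutes, ident.get("userName"), ident.get("type")))
    return flagged

if __name__ == "__main__":
    for hit in short_lived_instances(RECORDS):
        print("short-lived instance: id=%s lifetime=%d min by %s (%s)" % hit)
```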
Application & Service Logs
- DNS query logs should be hunted for connections to newly registered domains (NRDs) or domains associated with known cloud hosting/tunneling services that are not part of the standard corporate allow list.
- Proxy logs should be examined for connections that have bypassed the corporate proxy, often achieved by malware or tunneling tools that leverage direct IP communication.
- Database audit logs should be checked for large, unexpected database queries or bulk data exports performed by non-service accounts at unusual times.
Insights and Recommendation
If the Premier Pass-as-a-Service model is successfully implemented, the consequence is a prolonged, systemic compromise. The difficulty in attributing activity to two distinct threat groups means that simply removing the initial access vector (Earth Estries) will not eradicate the long-term persistence mechanism (Earth Naga), requiring complex, full-network reimaging and credential rotation.
To address this strategic threat, CISOs should prioritize improving internal segmentation and mandatory logging of all process creation with full command lines, especially for developer and administrative tools like VSCode and SSH clients. Organizations may benefit from engaging external threat hunting capabilities to proactively search for multi-layered persistence mechanisms and hidden, dual-purpose 'operational boxes' that standard security tools often overlook.
Source and Credits
This summary is based on Trend Micro's research article "The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns" published on October 22, 2025.
Threat Hunting IOCs & Queries
This section contains known Indicators of Compromise (IOCs) along with Microsoft Log Analytics (KQL) and Splunk queries designed to translate behavioral indicators into actionable detection logic associated with the PaaS methodology.
Known Indicators of Compromise
The following IOCs have been identified and can be used for threat hunting. Given the use of legitimate tools and cloud services, the emphasis should be on behavioral detection over static artifacts:
- File Hashes:
- IP Addresses:
ipv4 45[.]92[.]158[.]50 ShadowPad C&C (Earth Naga)
- Domains:
- File Paths:
Suspicious execution from non-standard folders such as C:\Users\Public\Downloads or new sub-folders in AppData\Local.
Log Analytics and Splunk Queries
The following queries translate the core behavioral indicators of the Premier Pass model—tunneling, persistence, and defense evasion—into actionable detection logic for modern SIEM/XDR platforms.
Query 1: VSCode Remote Tunnel Execution (The Operational Box)
- Behavior Targeted: Execution of the VSCode Remote Tunnel service, a common feature abused for persistent C2 and access sharing.
- MITRE ATT&CK: T1572 - Protocol Tunneling, T1059 - Command and Scripting Interpreter
- Expected Results: Hosts where code.exe or its associated service is run with the tunnel flag outside of known, sanctioned developer machines.
- False Positive Likelihood: Medium – VSCode is a legitimate tool; tune by creating an exclusion list for known developer accounts and hosts.
Splunk (SPL)
```Search for code.exe executed with remote tunnel arguments (Sysmon EID 1 or Security EID 4688)```
```Tune by excluding known authorized hostnames/users; field names follow the Splunk add-ons for Sysmon and Windows```
(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Image="*\\code.exe")
OR (sourcetype="WinEventLog:Security" EventCode=4688 New_Process_Name="*\\code.exe")
| eval CommandLine=coalesce(CommandLine, Process_Command_Line)
| search CommandLine="*tunnel*" OR CommandLine="*serve-web*"
| table _time, ComputerName, User, CommandLine
Microsoft Defender/Sentinel (KQL)
// Search for VSCode tunnel process execution across the enterprise
// Data Tables: DeviceProcessEvents
// Tune by adding a filter for sanctioned users or devices (e.g., DeviceName !in ("DEV-001", "DEV-002"))
DeviceProcessEvents
| where FileName =~ "code.exe"
| where ProcessCommandLine has "tunnel" or ProcessCommandLine has "serve-web"
| where InitiatingProcessFileName != "explorer.exe" // Exclude user-initiated process
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, InitiatingProcessFileName
Query 2: Outbound Network Connections to Generic Cloud Providers
- Behavior Targeted: Detection of beaconing/tunneling traffic from suspicious processes to uncommonly used generic cloud/VPS infrastructure.
- MITRE ATT&CK: T1071 - Application Layer Protocol
- Expected Results: A high count of small connections from a single non-browser executable to a non-corporate, high-reputation public IP range.
- False Positive Likelihood: High – Requires careful tuning and whitelisting of corporate SaaS and cloud services.
Splunk (SPL)
```Network traffic from non-browser processes to 443; src_process requires endpoint-attributed flow data such as Splunk Stream```
```Optionally enrich dest_ip with a lookup of known cloud provider CIDR ranges and allowlist corporate SaaS destinations```
(sourcetype=stream:tcp OR sourcetype=pan:traffic) dest_port=443
NOT src_process IN ("chrome.exe", "msedge.exe", "outlook.exe")
| stats count, avg(bytes_out) AS avg_bytes_out by dest_ip, src_process, dest_port
| where count > 100
| table dest_ip, src_process, count, avg_bytes_out
Microsoft Defender/Sentinel (KQL)
// Identify non-standard processes making connections to generic, foreign network segments
// Data Tables: DeviceNetworkEvents
// Tuning guidance: Identify high count of distinct connections from a single, suspicious process.
let foreign_ips = DeviceNetworkEvents
| where RemoteIPType == "Public" // skip internal/private address space
| where InitiatingProcessFileName !in ("chrome.exe", "msedge.exe", "teams.exe", "outlook.exe")
| summarize TotalConnections = count() by RemoteIP, InitiatingProcessFileName
| where TotalConnections > 50
| distinct RemoteIP, InitiatingProcessFileName;
// Join with full events to review context
DeviceNetworkEvents
| join kind=inner (foreign_ips) on RemoteIP, InitiatingProcessFileName
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Connections = count() by DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
| order by Connections desc
Query 3: Unauthorized Scheduled Task Creation for Persistence
- Behavior Targeted: Persistence mechanism frequently used by APTs to ensure their implant or C2 tool, like the tunnel service, survives system reboots.
- MITRE ATT&CK: T1053 - Scheduled Task/Job
- Expected Results: New scheduled tasks created by non-administrative users, or tasks that execute files in non-standard locations (e.g., C:\Users\Public).
- False Positive Likelihood: Low – Task creation by non-standard processes or users is highly suspicious and should be investigated immediately.
Splunk (SPL)
```Search for Scheduled Task creation or update (EventCode 4698/4702)```
```Focus on tasks that execute binaries in high-risk paths; field names follow the Splunk Add-on for Windows```
sourcetype=WinEventLog:Security EventCode IN (4698, 4702)
| search Task_Content="*\\Users\\Public\\*" OR Task_Content="*\\AppData\\*"
| table _time, ComputerName, user, EventCode, Task_Name, Task_Content
Microsoft Defender/Sentinel (KQL)
// Find new scheduled tasks whose action points at a high-risk directory
// Data Tables: DeviceProcessEvents, DeviceFileEvents
// We look for schtasks.exe creating the task, then join the creation of the task's target file on the same device
DeviceProcessEvents
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
| where ProcessCommandLine has_any (@"C:\Users\Public", @"AppData\Local")
// Pull the executable from the /tr argument so the join below is not a device-wide cross product
| extend TaskAction = extract(@'(?i)/tr\s+"?([^"]+?\.exe)', 1, ProcessCommandLine)
| extend TaskFileName = tostring(split(TaskAction, @"\")[-1])
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, TaskFileName
| join kind=leftouter (
    DeviceFileEvents
    | where ActionType == "FileCreated"
    | project DeviceName, TaskFileName = FileName, FolderPath, FileCreatedBy = InitiatingProcessFileName
) on DeviceName, TaskFileName
| project-away DeviceName1, TaskFileName1
