Premier Pass-as-a-Service: How Two China-Aligned APT Groups Are Sharing Access to Stretch Espionage Campaigns
China-linked threat groups Earth Estries and Earth Naga are collaborating through a 'Premier Pass-as-a-Service' model where one group acts as an access broker, handing compromised networks to the other for continued exploitation.

Two China-aligned advanced persistent threat groups have been observed operating a novel collaboration model that Trend Micro researchers have dubbed 'Premier Pass-as-a-Service.' In this arrangement, the group known as Earth Estries acts as an access broker, compromising targeted organizations and then handing over access to Earth Naga (also tracked as Flax Typhoon, RedJuliett, or Ethereal Panda) for continued exploitation.
The model represents a significant evolution in state-aligned cyber espionage. By decoupling initial compromise from follow-on operations, the two groups complicate attribution and detection efforts. Security teams that identify indicators associated with Earth Estries may attribute the incident to that known intrusion set and close it, unaware that Earth Naga has already moved laterally into the same environment with different tools and techniques.
Trend Micro researchers documented two concrete instances of this hand-off. In November 2024, a major retail company in APAC was first compromised by Earth Estries, and subsequent forensic evidence showed Earth Naga operating on the same network. A second case in March 2025 involved a Southeast Asian government agency where the same pattern was observed. In both incidents, Earth Estries appeared to have established initial footholds before Earth Naga moved in.
The campaign is not limited to these two sectors. Both groups have historically targeted telecommunications providers, government agencies, military-related manufacturers, technology companies, media outlets, and academic institutions. While Earth Estries has focused on targets across the US, Asia-Pacific, Middle East, South America, and South Africa, Earth Naga has concentrated heavily on Taiwan-based organizations since at least 2021, with expanding operations into broader APAC, NATO member countries, and Latin America.
To help defenders understand this evolving threat, Trend Micro introduced a four-tier framework for categorizing collaborative attacks. The tiers range from simple tool reuse to full operational coordination, with Premier Pass representing one of the highest levels of inter-group cooperation. The framework is designed to help security practitioners recognize when they are dealing with a joint operation rather than a single intrusion set.
'The collaboration discussed in this case study between Earth Estries and Earth Naga marks a pivotal shift in the landscape of cyberespionage, demanding a re-evaluation of attribution strategies and highlighting the intricate web of alliances within the cyber threat landscape,' Trend Micro researchers wrote.
The Premier Pass model is just one example of a broader trend toward specialization and collaboration among China-aligned threat actors. As attribution becomes more complex, defenders must move beyond purely technical indicators and incorporate behavioral analysis, victimology, and cross-campaign correlations to identify when multiple groups are working together on the same target.