Budworm

Threat Actor updated 7 months ago (2024-05-04T20:21:33.214Z)
Budworm, also known as LuckyMouse or APT27, is a threat actor associated with a number of high-profile intrusions. The group uses the Korplug (PlugX) backdoor, a tool shared by several advanced persistent threat (APT) groups, including Budworm and APT41, and typically seen in cyber-espionage operations. Budworm's involvement in software supply chain attacks has drawn particular attention in the security industry, since such attacks put organizations across many sectors at risk. Notably, Budworm was implicated in a 2022 attack on a gambling company that reused a technique the group had previously employed in September 2021.

Budworm's operations are not confined to one sector or region. Symantec's Threat Hunter Team observed the group targeting a Middle Eastern telecommunications organization and an Asian government, and it has also targeted a U.S. state legislature. The group's toolset continues to evolve: in the telecommunications and government intrusions it deployed a previously unseen variant of its SysUpdate backdoor, delivered as the DLL inicore_v2.3.30.dll. Budworm has also been linked to the HyperBro loader, a tool associated with state-backed groups, which led the Dutch cybersecurity firm EclecticIQ to attribute the campaign in question to China.

Open questions remain, in particular about possible links between Budworm and other actors such as Carderbee. The motive behind the attacks is not confirmed, although the use of tools such as PlugX/Korplug points to cyber espionage. Budworm remains an active and evolving threat.
Description last updated: 2024-05-04T17:41:00.319Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following overlapping names and profiles may also be relevant.
Alias / Description / Votes

- APT27 (2 votes): APT27 is a possible alias for Budworm. APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the
- LuckyMouse (2 votes): LuckyMouse is a possible alias for Budworm. LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including macOS, Linux, an
- Emissary Panda (2 votes): Emissary Panda is a possible alias for Budworm. Emissary Panda, also known as APT27, Iron Tiger, Bronze Union, Budworm, Lucky Mouse, and Red Phoenix, is a threat actor linked to China. This group has been involved in cyberespionage activities with the primary goal of stealing intellectual property from organizations in sectors that China perceive
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt, Backdoor, Espionage, Malware, Symantec
Associated Malware
Malware / Description / Association Type / Votes

- SysUpdate (association type: Unspecified; 2 votes): SysUpdate is a backdoor used predominantly by the Budworm group, also tracked as APT27, Emissary Panda and LuckyMouse, among other names.
- inicore_v2.3.30.dll (association type: Unspecified; 2 votes): inicore_v2.3.30.dll is the file name of a previously unseen SysUpdate DLL variant deployed by Budworm in its attacks on a Middle Eastern telecommunications organization and an Asian government.
Source Document References
Information about the Budworm threat actor was read from the documents listed below (display limited to 20 results).
Source / Created

- DARKReading (9 months ago)
- InfoSecurity-magazine (a year ago), 2 documents
- Checkpoint (a year ago)
- CERT-EU (a year ago), 15 documents