Budworm

Threat Actor Profile Updated a month ago
Download STIX
Preview STIX
Budworm, also known as LuckyMouse or APT 27, is a threat actor that has been associated with various high-profile cyber attacks. This group has been found to utilize tools such as the Korplug backdoor, which is commonly used by multiple Advanced Persistent Threats (APTs) including Budworm and APT41, typically in cyber espionage attacks. The group's activities have raised concerns in the cybersecurity industry due to their involvement in software supply chain attacks, posing significant threats to organizations across sectors. Notably, Budworm was implicated in the 2022 attack on a gambling company, using the same technique they had previously employed in September 2021. Budworm's operations are not confined to one sector or region; they have targeted a Middle Eastern telecom organization, an Asian government, and even a U.S. state legislature. Their toolset continues to evolve, as demonstrated by the deployment of a previously unseen variant of its SysUpdate backdoor (SysUpdate DLL inicore_v2.3.30.dll). Additionally, they have been linked to the use of HyperBro loader, a tool associated with state-backed groups, leading Dutch cybersecurity firm EclecticIQ to attribute their campaign to China. There remain unanswered questions about Budworm's activities, particularly concerning their potential links to other actors such as Carderbee. The motives behind their attacks are also unclear, although the use of tools like PlugX/Korplug suggests a focus on cyber espionage. In recent times, Symantec's Threat Hunter Team discovered Budworm targeting a Middle Eastern telecommunications organization and an Asian government using an updated version of one of its key tools. Given these developments, it is evident that Budworm continues to be an active and evolving threat in the realm of cybersecurity.
What's your take? (Question 1 of 5)
e7756a7c-7dcb-49a5-808e-4ee4619d4fab Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
APT27
2
APT27, also known as Iron Taurus, is a threat actor suspected to be originating from China. The group primarily engages in cyber operations with the goal of intellectual property theft, targeting organizations globally including those in North and South America, Europe, and the Middle East. APT27 ut
LuckyMouse
2
LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, an
Emissary Panda
2
Emissary Panda, also known as Iron Tiger, Bronze Union, Budworm, APT27, Lucky Mouse, and Red Phoenix, is a threat actor group known for its malicious cyber activities. The group has been active since at least 2013, targeting a wide range of industries and organizations across Europe, North and South
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Backdoor
Espionage
Malware
Symantec
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
SysUpdateUnspecified
2
SysUpdate is a malicious software variant that has been exclusively used by Budworm, also known as APT27, Emissary Panda, Bronze Union, Lucky Mouse, Iron Tiger, and Red Phoenix. In December 2020, a sample of the SysUpdate malware variant was found, with its payload being a new version of SysUpdate.
inicore_v2.3.30.dllUnspecified
2
The malware inicore_v2.3.30.dll is a harmful program designed to exploit and damage computer systems, often infiltrating them via suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Budworm Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
InfoSecurity-magazine
8 months ago
Budworm APT Evolves Toolset, Targets Telecoms and Government
CERT-EU
8 months ago
Budworm hackers target telcos and govt orgs with custom malware
CERT-EU
8 months ago
China-Linked Budworm Targeting Middle Eastern Telco and Asian Government Agencies
CERT-EU
9 months ago
Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong
CERT-EU
8 months ago
Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org - Cyber Security Review
CERT-EU
8 months ago
Asian government, telco targeted by Chinese APT
CERT-EU
8 months ago
Budworm APT Attacking Telecoms Org With New Custom Tools
CERT-EU
8 months ago
Cyber Security Week in Review: September 29, 2023
Checkpoint
8 months ago
2nd October – Threat Intelligence Report - Check Point Research
CERT-EU
9 months ago
Carderbee Hacking Group Uses Legitimate Software in Supply Chain Attack
InfoSecurity-magazine
8 months ago
Curl Releases Fixes For High-Severity Vulnerability
CERT-EU
9 months ago
New ‘Carderbee’ APT Targeted Chinese Security Software in Supply Chain Attack
CERT-EU
8 months ago
China-based spies are hacking East Asian semiconductor companies, report says | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU
9 months ago
Chinese APT Targets Hong Kong in Supply Chain Attack
DARKReading
3 months ago
iSoon's Secret APT Status Exposes China's Foreign Hacking Machination
CERT-EU
9 months ago
Previously unknown hacking group targets Hong Kong organizations in supply chain cyberattack
CERT-EU
8 months ago
DDoS attack hits Russian flight booking system claimed by Ukrainian hackers
CERT-EU
9 months ago
Leftover Links 27/08/2023: Windows TCO Stories and Linux Foundation 'Masters'
CERT-EU
9 months ago
Novel Carderbee supply chain attack impacts Asian organizations