Luckycat

Threat Actor updated 5 months ago (2024-05-04T20:46:06.904Z)
LuckyCat, also known as TA413, is a threat actor with a history of malicious cyber activity. The group has consistently targeted Tibetan entities: individuals, organizations, and the exiled Tibetan government. Its activity has been linked to the ExileRAT and LuckyCat Android malware families, and its infrastructure and email sender domains have been reported in public cybersecurity literature. The group's activity shows significant overlaps with other threat actors, pointing to a web of shared resources and tactics.

In December 2018, LuckyCat ran a campaign against the Tibetan community from an email address historically associated with TA413 activity. The campaign's command and control (C2) infrastructure overlapped with the domain peopleoffreeworld[.]tk, which Cisco Talos had previously noted in a LuckyCat campaign. The infection chain loaded a custom backdoor known as TClient, which had earlier been seen in activity attributed to a separate group, Tropic Trooper. Both TA413 and Tropic Trooper-associated activity used the URI string /qqqzqa, further highlighting their interconnected operations.

By 2022, LuckyCat's targeting of Tibetan entities continued unabated. Its techniques have also been observed in use by other threat groups such as DriftingCloud and by the Ragnarok ransomware family. At least four named threat actors (Fancy Bear, Wizard Spider, LuckyCat, and UAC-0098) are reported to share similar tactics, techniques, and procedures (TTPs), indicating a broader landscape of threat actors sharing resources and strategies for their campaigns.
Description last updated: 2023-11-29T04:44:37.351Z
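The profile gives two concrete, huntable artifacts: the C2 domain peopleoffreeworld[.]tk and the URI string /qqqzqa. The following is an added example, not code from the page or from any vendor report, showing how a defender would refang those indicators and sweep them across web-proxy logs. The log format (timestamp, client IP, method, URL, status) and every log line are constructed for the example; the 198.51.100.0/24 address is a documentation range, not a reported IOC. Because the page itself notes that /qqqzqa was used by both TA413 and Tropic Trooper, a URI-only hit is a lead for investigation, not attribution, and the matcher keeps the two reasons separate.

```python
import re
from urllib.parse import urlsplit

# Indicators as published on the profile above, left in defanged form.
# Assumption: these are the only two artifacts we hunt for here.
DEFANGED_IOCS = {
    "domains": ["peopleoffreeworld[.]tk"],
    "uri_paths": ["/qqqzqa"],
}


def refang(value):
    """Reverse common defanging ('[.]', '(.)', 'hxxp') so the IOC can match real traffic."""
    return (value.replace("[.]", ".")
                 .replace("(.)", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def host_matches(host, ioc_domain):
    """Exact domain or any subdomain of it; never a bare substring match."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def path_matches(path, ioc_path):
    """Whole path segment only, so '/qqqzqa-release-notes' does not fire."""
    return path == ioc_path or path.startswith(ioc_path + "/")


# Constructed proxy log layout: "<ts> <client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines, iocs=DEFANGED_IOCS):
    """Return one hit per matching line with the reason(s) it matched."""
    domains = [refang(d).lower() for d in iocs["domains"]]
    paths = list(iocs["uri_paths"])
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything not in the expected layout
        parts = urlsplit(m.group("url"))
        host = parts.hostname or ""
        reasons = []
        for d in domains:
            if host_matches(host, d):
                reasons.append("c2-domain:" + d)
        for p in paths:
            if path_matches(parts.path, p):
                reasons.append("uri:" + p)
        if reasons:
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "url": m.group("url"), "reasons": reasons})
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2018-12-10T09:12:44Z 10.1.4.22 GET http://peopleoffreeworld.tk/qqqzqa 200",
    "2018-12-10T09:13:01Z 10.1.4.22 GET http://cdn.peopleoffreeworld.tk/update.bin 200",
    "2018-12-10T09:15:30Z 10.1.7.9 POST http://198.51.100.23/qqqzqa 200",
    "2018-12-10T09:16:02Z 10.1.7.9 GET https://example.org/qqqzqa-release-notes 200",
    "2018-12-10T09:20:11Z 10.1.2.3 GET https://www.example.com/index.html 200",
    "malformed line that the parser should ignore",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["url"], ",".join(hit["reasons"]))
```

On the sample above the first line matches on both domain and URI, the second on the subdomain alone, and the third on the reused URI string against an unrelated host, the case where the TA413 versus Tropic Trooper overlap matters most for the analyst. The fourth line is a deliberate near miss that a naive substring search would have flagged.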
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: TA413 (votes: 3)
Description: TA413 is a possible alias for LuckyCat. TA413, also known as LuckyCat, is a threat actor suspected of conducting cyber espionage on behalf of the Chinese state. In the first half of 2022, TA413 targeted Tibetan individuals, organizations, and the exiled Tibetan government. The group exploited a now-patched zero-day vulnerability in the So
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the Luckycat threat actor was read from the documents corpus below.