Luckycat

Threat Actor Profile Updated 13 days ago
Download STIX
Preview STIX
LuckyCat, also known as TA413, is a threat actor with a history of malicious cyber activities. This group has been consistently targeting Tibetan entities, including individuals, organizations, and the exiled Tibetan government. Its activities have been linked to the use of ExileRAT and LuckyCat Android malware, with its infrastructure and email sender domains reported in public cybersecurity literature. The group's activities have shown significant overlaps with other threat actors, demonstrating a complex web of shared resources and tactics. In December 2018, LuckyCat executed a campaign targeting the Tibetan community using an email address historically associated with TA413 activity. This campaign also demonstrated overlaps with the command and control (C2) infrastructure of the domain peopleoffreeworld[.]tk, which was previously noted in a Cisco Talos LuckyCat campaign. The infection chain used in this campaign loaded a custom backdoor known as TClient, a tactic seen in past activities attributed to another threat group called Tropic Trooper. Both TA413 and Tropic Trooper-associated activities utilized the URI string /qqqzqa, further highlighting their interconnected operations. By 2022, LuckyCat's persistent targeting of Tibetan entities continued unabated. The group's techniques were found to be used by other threat groups such as DriftingCloud and Ragnarok ransomware family. Furthermore, at least four named threat actors, including Fancy Bear, Wizard Spider, Luckycat, and UAC-0098, are known to have used similar tactics, techniques, and procedures (TTPs), indicating a broader landscape of threat actors sharing resources and strategies for their malicious campaigns.
What's your take? (Question 1 of 0)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Ta413
3
TA413, also known as LuckyCat, is a threat actor suspected of conducting cyber espionage on behalf of the Chinese state. In the first half of 2022, TA413 targeted Tibetan individuals, organizations, and the exiled Tibetan government. The group exploited a now-patched zero-day vulnerability in the So
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Luckycat Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
Recorded Future
a year ago
Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets | Recorded Future
Recorded Future
a year ago
Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets | Recorded Future
CERT-EU
a year ago
Most Weaponized Vulnerabilities of 2022 and 5 Key Risks: Report
CERT-EU
8 months ago
My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online