LuckyMouse

Threat Actor updated 23 days ago (2024-11-29T14:54:02.889Z)
Download STIX
Preview STIX
LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, and iOS. In 2020 and 2021, new malware samples attributed to LuckyMouse were discovered by Talent-Jump. In addition to this, the group has shown an inclination towards exploiting recent vulnerabilities, as indicated by ESET Research's findings that LuckyMouse, along with other threat actors such as Tick, Winnti Group, and Calypso, likely used Microsoft Exchange vulnerabilities to compromise email servers globally. In February and March of 2021, LuckyMouse was noted for its involvement in exploiting these vulnerabilities, compromising the email servers of governmental entities in the Middle East and South America. It was observed that the group had access to the exploit as a zero day, indicating their advanced capabilities. Moreover, LuckyMouse has also been implicated in the deployment of a previously unseen variant of its SysUpdate backdoor, demonstrating the group's active development of cyber-espionage tools. More recently, in September 2022, ESET detected LuckyMouse using a malicious update of the Cobra DocGuard software to implant a variant of the Korplug malware into the systems of a Hong Kong-based gambling company. This attack was not the first against the same company; LuckyMouse had compromised it a year earlier in September 2021. Further, in June 2023, the group was reported to have compromised CCTV cameras of the Directorate General of Highways in Taiwan. These instances illustrate the persistent threat posed by LuckyMouse and its ongoing efforts to infiltrate and compromise key infrastructure and organizations worldwide.
Description last updated: 2024-05-04T17:41:05.780Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Emissary Panda is a possible alias for LuckyMouse. Emissary Panda, also known as APT27, Iron Tiger, Bronze Union, Budworm, Lucky Mouse, and Red Phoenix, is a threat actor linked to China. This group has been involved in cyberespionage activities with the primary goal of stealing intellectual property from organizations in sectors that China perceive
4
APT27 is a possible alias for LuckyMouse. APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the
4
Budworm is a possible alias for LuckyMouse. Budworm, also known as LuckyMouse or APT 27, is a threat actor that has been associated with various high-profile cyber attacks. This group has been found to utilize tools such as the Korplug backdoor, which is commonly used by multiple Advanced Persistent Threats (APTs) including Budworm and APT41,
2
Cobra Docguard is a possible alias for LuckyMouse. Cobra DocGuard, a software produced by Chinese firm EsafeNet for protecting, encrypting, and decrypting software, has been exploited in a series of malware attacks. The attackers compromised the software's update files to deliver malicious updates that infected targeted systems. The first known inst
2
SysUpdate is a possible alias for LuckyMouse. SysUpdate is a malicious software (malware) predominantly utilized by the Budworm group, also known as APT27, Emissary Panda, LuckyMouse, among other names. This malware variant is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites w
2
Winnti Group is a possible alias for LuckyMouse. The Winnti Group, a threat actor associated with the Chinese state-sponsored hacking activities, has been active since at least 2007, according to researchers from Kaspersky Lab who first identified the group in 2013. The group initially gained notoriety for its attacks on computer game developers a
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Backdoor
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Cobra Malware is associated with LuckyMouse. Cobra is a type of malware, short for malicious software, designed to exploit and damage computer systems or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Cobra has the potential to steal personal information, disrupUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Calypso Threat Actor is associated with LuckyMouse. Calypso is a recognized threat actor, likely linked to the Chinese state-sponsored group APT41. Other groups possibly connected to this network include Hafnium, LuckyMouse, Tick, Calypso, and Winnti Group (tracked by X-Force as Hive0088). Calypso has been associated with various malicious activitiesUnspecified
2