LuckyMouse

Threat Actor updated 7 months ago (2024-05-04T21:03:22.467Z)
LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including macOS, Linux, and iOS. In 2020 and 2021, new malware samples attributed to LuckyMouse were discovered by Talent-Jump.

The group has also shown an inclination towards exploiting recent vulnerabilities: ESET Research found that LuckyMouse, along with other threat actors such as Tick, Winnti Group, and Calypso, likely used Microsoft Exchange vulnerabilities to compromise email servers globally. In February and March of 2021, LuckyMouse was noted for exploiting these vulnerabilities to compromise the email servers of governmental entities in the Middle East and South America. The group was observed to have access to the exploit as a zero-day, indicating its advanced capabilities. LuckyMouse has also been implicated in the deployment of a previously unseen variant of its SysUpdate backdoor, demonstrating the group's active development of cyber-espionage tools.

More recently, in September 2022, ESET detected LuckyMouse using a malicious update of the Cobra DocGuard software to implant a variant of the Korplug malware into the systems of a Hong Kong-based gambling company. This attack was not the first against the same company; LuckyMouse had compromised it a year earlier, in September 2021. Further, in June 2023, the group was reported to have compromised CCTV cameras of the Directorate General of Highways in Taiwan. These instances illustrate the persistent threat posed by LuckyMouse and its ongoing efforts to infiltrate and compromise key infrastructure and organizations worldwide.
Description last updated: 2024-05-04T17:41:05.780Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
Alias | Description | Votes
Emissary Panda | Emissary Panda is a possible alias for LuckyMouse. Emissary Panda, also known as APT27, Iron Tiger, Bronze Union, Budworm, Lucky Mouse, and Red Phoenix, is a threat actor linked to China. This group has been involved in cyberespionage activities with the primary goal of stealing intellectual property from organizations in sectors that China perceive | 4
APT27 | APT27 is a possible alias for LuckyMouse. APT27, also known as Emissary Panda or Iron Taurus, is a threat actor suspected to be associated with China and has been involved in cyber operations primarily aimed at intellectual property theft. The group targets organizations globally, including those in North and South America, Europe, and the | 4
Budworm | Budworm is a possible alias for LuckyMouse. Budworm, also known as LuckyMouse or APT 27, is a threat actor that has been associated with various high-profile cyber attacks. This group has been found to utilize tools such as the Korplug backdoor, which is commonly used by multiple Advanced Persistent Threats (APTs) including Budworm and APT41, | 2
Cobra DocGuard | Cobra DocGuard is a possible alias for LuckyMouse. Cobra DocGuard, a software produced by Chinese firm EsafeNet for protecting, encrypting, and decrypting software, has been exploited in a series of malware attacks. The attackers compromised the software's update files to deliver malicious updates that infected targeted systems. The first known inst | 2
SysUpdate | SysUpdate is a possible alias for LuckyMouse. SysUpdate is a malicious software (malware) predominantly utilized by the Budworm group, also known as APT27, Emissary Panda, LuckyMouse, among other names. This malware variant is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites w | 2
Winnti Group | Winnti Group is a possible alias for LuckyMouse. The Winnti Group, a threat actor associated with Chinese state-sponsored hacking activities, has been active since at least 2007, according to researchers from Kaspersky Lab who first identified the group in 2013. The group initially gained notoriety for its attacks on computer game developers a | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: Malware, APT, Backdoor
Associated Malware
Alias | Description | Association Type | Votes
Cobra | The Cobra malware is associated with LuckyMouse. Cobra is a type of malware, short for malicious software, designed to exploit and damage computer systems or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Cobra has the potential to steal personal information, disrup | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Calypso | The Calypso threat actor is associated with LuckyMouse. Calypso is a recognized threat actor, likely linked to the Chinese state-sponsored group APT41. Other groups possibly connected to this network include Hafnium, LuckyMouse, Tick, Calypso, and Winnti Group (tracked by X-Force as Hive0088). Calypso has been associated with various malicious activities | Unspecified | 2