LuminousMoth

LuminousMoth is a threat actor with ties to HoneyMyte, as evidenced by their similar targeting and Tactics, Techniques, and Procedures (TTPs). These include the use of DLL side-loading, Cobalt Strike loaders, and Chrome cookie stealers. The malware's operation begins with the execution of "explorer.exe" to reveal the victim's hidden directory, followed by the copying of four LuminousMoth samples to a specific system path. The malware then propagates itself to removable drives connected to the system, indicating a high rate of infections due to this spreading mechanism. This propagation branch is activated in the context of a compromised removable drive when "USB Driver.exe" is double-clicked. Links between LuminousMoth and Mustang Panda are suggested through shared resources such as the malicious URL http://microsoft.updatecatalogs[.]com/Microsoft Update Catalog.htm and the IP address 2.58.230.5, which resolves to the domain mmtimes.org. This domain was previously associated with Mustang Panda operations. The LuminousMoth campaign deploys various tools for data collection and exfiltration, including the well-known Remote Access Tool PlugX and ARP spoofing for HTML code injection. These techniques redirect victims to a page hosted by the threat actor. The LuminousMoth activity cluster, previously unknown, is affiliated with a Chinese-speaking actor and has been linked to HoneyMyte with medium to high confidence based on these findings. Infrastructure overlaps were found between the Command and Control (C2) servers used in the LuminousMoth campaign and an older one attributed to HoneyMyte. Additionally, there are numerous similarities between resources used by LuminousMoth and those observed in previous HoneyMyte activities, suggesting a persistent and evolving threat landscape.