Ta413

Threat Actor Profile Updated 2 months ago
TA413, also known as LuckyCat, is a threat actor suspected of conducting cyber espionage on behalf of the Chinese state. In the first half of 2022, TA413 targeted Tibetan individuals, organizations, and the exiled Tibetan government. The group exploited a now-patched zero-day vulnerability in the Sophos Firewall product (CVE-2022-1040), weaponized the "Follina" vulnerability (CVE-2022-30190) shortly after its discovery and publication, and utilized a custom backdoor named LOWZERO in campaigns against Tibetan entities. The group's adoption of both zero-day and recently published vulnerabilities reflects broader trends within Chinese cyber-espionage groups.

TA413 appears to be part of a shared capability development pipeline serving multiple Chinese state-sponsored groups. This is evidenced by their continued use of the Royal Road RTF builder, a shared zero-day exploit in Sophos Firewall used by several China-linked groups, and their access to other shared malware families such as the TClient backdoor. A lure in the Tibetan language was used by TA413 in conjunction with the Royal Road tool, further indicating their specific targeting of the Tibetan community.

Further analysis of TA413's activities revealed the use of an IP address, 134.122.129[.]102, for post-exploitation purposes. At the time of activity, this IP address hosted applestatic[.]com, which has historical hosting overlaps with the TA413 domain newsindian[.]xyz. An additional group targeting the Tibetan community has been identified, suggesting that TA413 is not alone in its relentless pursuit of these targets. The group's custom backdoor, LOWZERO, was used to execute Base64-encoded PowerShell commands and download follow-on payloads, highlighting their advanced capabilities.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names and profiles that may also be relevant.
ID | Votes | Profile Description
Luckycat | 3 | LuckyCat, also known as TA413, is a threat actor with a history of malicious cyber activities. This group has been consistently targeting Tibetan entities, including individuals, organizations, and the exiled Tibetan government. Its activities have been linked to the use of ExileRAT and LuckyCat And
Lowzero | 2 | Lowzero is a custom backdoor malware introduced by TA413, a deviation from their usual practice of using well-known or open-source tools. Throughout the first half of 2022, TA413 exploited various vulnerabilities, including a patched zero-day vulnerability in Sophos Firewall product (CVE-2022-1040),
KeyBoy | 1 | KeyBoy is a malicious software (malware) primarily linked to the cyber espionage group known as TA413, which has historically targeted Tibetan entities. The malware is designed with an array of functionalities that allow it to infiltrate and exploit computer systems, including screen grabbing, deter
Tropic Trooper | 1 | Tropic Trooper, a threat actor with suspected ties to China, has been identified as a significant cybersecurity concern. Their activities date back to at least 2013, when Trend Micro noted similarities in the encoding algorithms used by Tropic Trooper's malware and the KeyBoy versions from that year
Pirate Panda | 1 | Pirate Panda, also known as Tropic Trooper or Keyboy, is a threat actor primarily involved in targeting Tibetan entities. As a threat actor, Pirate Panda represents a human entity, potentially a single individual, a private company, or a government organization, that executes actions with malicious
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:
Proxy, State Sponso..., Exploit, Backdoor, Malware, Android, Phishing, Vulnerability, exploitation, Payload, Zero Day, Espionage, Exploits, Firefox, Chinese
Associated Malware
No associations to display.
Associated Threat Actors
No associations to display.
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2022-1040 | Unspecified | 1 | None
Follina | Unspecified | 1 | Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
CVE-2022-30190 | Unspecified | 1 | CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it
Source Document References
Information about the TA413 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 10 months ago | My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
Recorded Future | a year ago | Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets | Recorded Future