TA413, also known as LuckyCat, is a threat actor suspected of conducting cyber espionage on behalf of the Chinese state. In the first half of 2022, TA413 targeted Tibetan individuals, organizations, and the exiled Tibetan government. The group exploited a now-patched zero-day vulnerability in the Sophos Firewall product (CVE-2022-1040), weaponized the "Follina" vulnerability (CVE-2022-30190) shortly after its discovery and publication, and used a custom backdoor named LOWZERO in campaigns against Tibetan entities. The group's adoption of both zero-day and recently published vulnerabilities reflects broader trends among Chinese cyber-espionage groups.
TA413 appears to be part of a shared capability development pipeline serving multiple Chinese state-sponsored groups. This is evidenced by their continued use of the Royal Road RTF builder, a shared zero-day exploit in Sophos Firewall used by several China-linked groups, and their access to other shared malware families such as the TClient backdoor. A lure in the Tibetan language was used by TA413 in conjunction with the Royal Road tool, further indicating their specific targeting of the Tibetan community.
Further analysis of TA413's activities revealed the use of an IP address, 134.122.129[.]102, for post-exploitation purposes. At the time of the activity, this IP address hosted applestatic[.]com, which has historical hosting overlaps with the TA413 domain newsindian[.]xyz. An additional group targeting the Tibetan community has also been identified, suggesting that TA413 is not alone in its relentless pursuit of these targets. The group's custom backdoor, LOWZERO, was used to execute Base64-encoded PowerShell commands and to download follow-on payloads, highlighting the group's capabilities.
Description last updated: 2024-04-11T22:56:37.567Z