{"id":2926,"date":"2021-07-19T14:56:37","date_gmt":"2021-07-19T12:56:37","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2926"},"modified":"2026-06-08T22:42:36","modified_gmt":"2026-06-08T22:42:36","slug":"luminousmoth-china-apt","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/luminousmoth-china-apt\/","title":{"rendered":"China APT: LuminousMoth"},"content":{"rendered":"\n<p style=\"text-align: justify\">Recently, malware campaigns executed by a <em><strong>threat actor<\/strong><\/em> associated with the Chinese government have been identified. This actor conducts large-scale attacks followed by targeted activities involving the deployment of malware and data exfiltration operations.<\/p>\n<p style=\"text-align: justify\"><span>The campaign, which dates back at least to October of the previous year, targets Myanmar and the Philippines.<\/span><\/p>\n\n\n\n<p style=\"text-align: justify\">Analysts who <a href=\"https:\/\/securelist.com\/apt-luminousmoth\/103332\/\" class=\"ek-link\">identified the activities<\/a> have designated the <em>threat actor<\/em> as &#8220;<strong>LuminousMoth<\/strong>&#8221;.<\/p>\n<p style=\"text-align: justify\">LuminousMoth employs a unique set of tools and propagation methods, including malware replication across all connected USB devices, though its offensive infrastructure shares components with another notorious Chinese hacker group known as <strong>Mustang Panda<\/strong>, also tracked as <strong>HoneyMyte<\/strong>, <strong>TA416<\/strong>, or <strong>RedDelta<\/strong>.<\/p>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">Mustang Panda TTPs<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Typical behavior and compromise chain attributed to Mustang Panda:<\/p>\n\n\n\n<ol>\n<li>Connection to a <strong>Google Drive<\/strong> folder, obfuscated using the &#8220;link shortener&#8221; service <em>goo.gl<\/em>.<br>When accessed, the Google Drive link retrieves a zip file containing 
a .<em>lnk<\/em> file masquerading as a .pdf file (double extension).<br>This <em>file<\/em> redirects the user to a <strong>Windows Script Component<\/strong> (.<em>wsc<\/em>) hosted on a microblogging page controlled by the adversary.<br>Mustang Panda has previously used the microblogging site to host malicious <strong>PowerShell<\/strong> scripts and <strong>Microsoft Office<\/strong> documents in targeted attacks against <strong>NGOs<\/strong> focused on Mongolia.<\/li>\n<li>The .<em>lnk<\/em> file uses a <strong>VBScript<\/strong> component to retrieve a PDF (decoy) file and a <strong>PowerShell<\/strong> script from the attacker-controlled web page.<\/li>\n<li>The <strong>PowerShell<\/strong> script creates a <strong>Cobalt Strike<\/strong> stager payload and an XOR-encoded beacon.<\/li>\n<\/ol>\n\n\n\n<h4 class=\"has-text-align-center wp-block-heading\">Additional Similarities<\/h4>\n\n\n\n<p style=\"text-align: justify\">Between the two groups, notable similarities in tactics, techniques, and procedures (TTPs) go beyond the shared use of Cobalt Strike beacons. Last month, Avast attributed to Mustang Panda a <em><strong>supply chain<\/strong><\/em> attack against the website of the office of the president of <strong>Myanmar<\/strong>, demonstrating specific interest in the same regions targeted by <strong>LuminousMoth<\/strong>. The two APTs also both rely on <em><strong>DLL sideloading<\/strong><\/em> and both <em>dump<\/em> Chrome authentication cookies. 
Through <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> analysis, we have tracked consistent patterns in their operational infrastructure.<\/p>\n\n\n\n<p style=\"text-align: justify\">The targets, in both cases, are a selection of high-profile <strong>government entities<\/strong> within the two targeted countries: the <strong>Ministry of Transport and Communications of Myanmar<\/strong> and the <strong>Development Assistance Coordination Unit<\/strong> of the country&#8217;s department for foreign economic relations.<\/p>\n\n\n<h2 style=\"text-align: center\">Attack Structure<\/h2>\n\n\n<p style=\"text-align: justify\">Compromises begin with <strong>spear-phishing<\/strong> emails sent to targets. The email contains a link to download a Covid-19-themed <strong>rar<\/strong> archive via <strong>Dropbox<\/strong>. Inside are a pair of malicious <strong>DLLs<\/strong>, masquerading as .<em>DOCX<\/em> files. Following initial infection, the DLLs are loaded by two executables to propagate across removable devices and launch Cobalt Strike beacons.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-15.png\" alt=\"\" class=\"wp-image-2933\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify\">In some of the attacks in Myanmar, the initial infection was followed by the deployment of a signed but fraudulent version of the popular <strong>Zoom<\/strong> application. The installer was actually malware that enabled the attackers to exfiltrate files from compromised systems. 
The valid signing certificate belongs to <strong>Founder Technology<\/strong>, a subsidiary of the <strong>Founder Group<\/strong> of <strong>Peking University<\/strong>, based in Shanghai.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-16.png\" alt=\"\" class=\"wp-image-2934\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">Assessment<\/h2>\n\n\n\n<p style=\"text-align: justify\">As observed, there are differences between the attack chains of <strong>LuminousMoth<\/strong> and <strong>Mustang Panda<\/strong>. However, it is highly probable that this new <strong><em>operator<\/em><\/strong> is nonetheless the same <strong>Mustang Panda<\/strong> implementing new techniques in an effort to obscure its operational footprint by reorganizing and deploying new malware variants. Attribution confidence remains high when infrastructure and targeting patterns are considered holistically across campaigns.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>LuminousMoth: China-aligned APT operations against Southeast Asian government and telecom targets, USB-based propagation, custom backdoors and infrastructure 
overlaps.<\/p>\n","protected":false},"author":1,"featured_media":2615,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3186,3065,3187,207,238,239,350,3188],"class_list":["post-2926","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-china-apt","tag-espionage","tag-government-targeting","tag-luminousmoth","tag-mustang","tag-mustangpanda","tag-threat","tag-usb-spread"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2926","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2926"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2926\/revisions"}],"predecessor-version":[{"id":9863,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2926\/revisions\/9863"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}