🇨🇳

Lucky Cat

APT Group Information theft and espionage 11 zero-day CVEs ETDA ✓

Also Known As 2 names

TA413 White Dev 9

Target Countries 5

Countries highlighted in red

Australia India Japan Malaysia United States

Sectors Targeted

Defense Civic and Social Organizations 8134 Tibetan activists Aerospace Computer Systems Design and Related Services 54151 Shipping and Logistics Engineering

Details

Origin 🇨🇳 CN

Last Updated 01 Jun 2022

MITRE ATT&CK 39

T1010 - Application Window Discovery T1012 - Query Registry T1027 T1033 T1040 - Network Sniffing T1041 T1045 - Software Packing T1047 - Windows Management Instrumentation T1055 - Process Injection T1057 - Process Discovery T1059 T1071 - Application Layer Protocol T1071.001 T1078 T1082 - System Information Discovery T1083 - File and Directory Discovery T1087 - Account Discovery T1090 T1095 - Non-Application Layer Protocol T1102 T1105 - Ingress Tool Transfer T1119 - Automated Collection T1125 - Video Capture T1129 - Shared Modules T1132 T1140 - Deobfuscate/Decode Files or Information T1158 - Hidden Files and Directories T1176 T1190 T1203 T1497 - Virtualization/Sandbox Evasion T1505 T1518 - Software Discovery T1547 T1566 T1571 - Non-Standard Port T1573 - Encrypted Channel T1595 T1614 - System Location Discovery

Related Zero-Days 11

CVE-2017-0144 CVE-2018-0802 CVE-2022-1040 CVE-2022-30190 CVE-2024-50302 CVE-2024-55591 CVE-2025-1316 CVE-2025-22224 CVE-2025-22225 CVE-2025-22226 CVE-2025-49704

Known Names 1 entries

Lucky Cat Symantec

Observed Target Countries 4

Based on ETDA data — countries highlighted in red

India Japan Malaysia Tibet

Description

(Symantec) A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an intelligent attacker does not need to be particularly technically skilled in order to steal the information they are after. The attack begins, as is often the case, with an email sent to the victim. A malicious document is attached to the email, which, when loaded, activates the malware. The attackers use tailored emails to encourage the victim to open the email. For example, one email sent to an academic claimed to be a call for papers for a conference (CFP). The vast majority of the victims were based in India, with some in Malaysia. The victim industry was mostly military research and also shipping based in the Arabian and South China seas. In some instances the attackers appeared to have a clear goal, whereby specific files were retrieved from certain compromised computers. In other cases, the attackers used more of a ‘shotgun’ like approach, copying every file from a computer. Military technologies were obviously the focus of one particular attack with what appeared to be source code stolen. 45 different attacker IP addresses were observed. Out of those, 43 were within the same IP address range based in Sichuan province, China. The remaining two were based in South Korea. The pattern of attacker connections implies that the IP addresses are being used as a VPN, probably in an attempt to render the attackers anonymous. The attacks have been active from at least April 2011 up to February 2012. The attackers are intelligent and focused, employing the minimum amount of work necessary for the maximum gain. They do not use zero day exploits or complicated threats, instead they rely on effective social engineering and lax security measures on the part of the victims.

Tools Used 4

Comfoo Lucky Cat Sojax WMI Ghost

Reports & References 2

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf

ETDA Profile

Lucky Cat

Origin

China

First Seen 2011

Motivation

Information theft and espionage

View on ETDA APT Groups ↗