Hacking

China-linked LuminousMoth APT targets entities from Southeast Asia

LuminousMoth: Kaspersky uncovered an ongoing and large-scale APT campaign that targeted government entities in Southeast Asia, including Myanmar and the Philippines.

Kaspersky experts uncovered an ongoing and large-scale cyber espionage campaign, tracked as LuminousMoth, aimed at government entities from Southeast Asia, including Myanmar and the Philippines government entities.

The LuminousMoth campaign has been linked by the experts to a China-linked APT group tracked as HoneyMyte.

Researchers pointed out that this campaign outstands for its large-scale nature, a modus operating that is usually not associated with APT groups who surgically hit high-profile targets.

The campaign dates back to at least October 2020, but experts pointed out that the threat actors were most active recently.

They are also both known to launch wide-scale attacks against significant numbers of targets with the end goal of hitting just a small subset matching their interests.

The researchers spotted approximately 100 victims in Myanmar, while the number of victims in the Philippines was at least 1,400. Anyway experts speculate that the actual targets were only a subset of these that included high-profile organizations, namely government entities located both within those countries and abroad.

Threat actors were able to spread to other hosts through the use of USB drives, experts also noticed the deployment of a signed, but fake version of the application Zoom, which was a data stealing malware.

Kaspersky experts identified two infection vectors used by LuminousMoth, one leverages spear-phishing messages containing a Dropbox download link, the second one used once gained access to the target network, leverages on removable USB drives.

The Dropbox link leads to a RAR archive that masquerades as a Word document by setting the “file_subpath” parameter to point to a filename with a .DOCX extension.

“The archive contains two malicious DLL libraries as well as two legitimate executables that sideload the DLL files. We found multiple archives like this with file names of government entities in Myanmar, for example “COVID-19 Case 12-11-2020(MOTC).rar” or “DACU Projects.r01” (MOTC is Myanmar’s Ministry of Transport and Communications, and DACU refers to the Development Assistance Coordination Unit of the Foreign Economic Relations Department (FERD) in Myanmar).” reads the analysis published by Kaspersky.

The C2 infrastructure includes domains impersonating news outlets to evade detection.

“LuminousMoth represents a formerly unknown cluster of activity that is affiliated to a Chinese-speaking actor. As described in this report, there are multiple overlaps between resources used by LuminousMoth and those sighted in previous activity of HoneyMyte. Both groups, whether related or not, have conducted activity of the same nature – large-scale attacks that affect a wide perimeter of targets with the aim of hitting a few that are of interest.” concludes.

The report includes a list of indicators of compromise (IOCs) for the attacks spotted by Kaspersky.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

CISA’s 11-Month extension ensures continuity of MITRE’s CVE Program

MITRE’s U.S.-funded CVE program, a core cybersecurity tool for tracking vulnerabilities, faces funding expiry Wednesday,…

7 hours ago

Chinese Android phones shipped with malware-laced WhatsApp, Telegram apps

Cheap Chinese Android phones ship with trojanized WhatsApp and Telegram clones hiding crypto clippers, active…

16 hours ago

Cyber Threats Against Energy Sector Surge as Global Tensions Mount

Resecurity warns of rising cyberattacks on the energy sector, some linked to large-scale campaigns targeting…

19 hours ago

Government contractor Conduent disclosed a data breach

The business services provider Conduent told the SEC a January cyberattack exposed personal data, including…

19 hours ago

Critical Apache Roller flaw allows to retain unauthorized access even after a password change

A critical flaw (CVE-2025-24859, CVSS 10) in Apache Roller lets attackers keep access even after…

2 days ago

Meta will use public EU user data to train its AI models

Meta announced that it will use public EU user data to train AI, resuming plans…

2 days ago