Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 14:49:01 UTC
Home > List all groups > List all tools > List all groups using tool OwaAuth
 Tool: OwaAuth
Names
OwaAuth
luckyowa
Category Malware
Type Backdoor, Credential stealer
Description
(SecureWorks) A web shell and credential stealer deployed to Microsoft Exchange
servers. It is installed as an ISAPI filter. Captured credentials are DES-encrypted using
the password '12345678' and are written to the log.txt file in the root directory. Like the
China Chopper web shell, the OwaAuth web shell requires a password. However, the
OwaAuth web shell password contains the victim organization's name.
Information
MITRE ATT&CK Malpedia Last change to this tool card: 14 May 2020
Download this tool card in JSON format
All groups using tool OwaAuth
Changed Name Country Observed
APT groups
 Emissary Panda, APT 27, LuckyMouse, Bronze Union 2010-Aug 2023
1 group listed (1 APT, 0 other, 0 unknown)
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0dd041d7-9044-4ec3-b5cc-485b6bf92f8f
Page 1 of 2

Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0dd041d7-9044-4ec3-b5cc-485b6bf92f8f
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0dd041d7-9044-4ec3-b5cc-485b6bf92f8f
Page 2 of 2