{
	"id": "ffc49b76-87df-4a14-b0d0-78e6fe45f983",
	"created_at": "2026-04-06T00:14:20.769185Z",
	"updated_at": "2026-04-10T03:31:42.096188Z",
	"deleted_at": null,
	"sha1_hash": "4b8f7124b1cd543796c395f10df4933202f2183b",
	"title": "RAT Trapped? LuminosityLink Falls Foul of Vermin Eradication Efforts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 400557,
	"plain_text": "RAT Trapped? LuminosityLink Falls Foul of Vermin Eradication Efforts\r\nBy Simon Conant\r\nPublished: 2018-02-07 · Archived: 2026-04-05 22:26:35 UTC\r\nSummary\r\nIn July 2016 Unit 42 analyzed the LuminosityLink Remote Access Tool (RAT), which first appeared in April 2015. LuminosityLink was once a popular, cheap, full-featured commodity RAT. Now, however, LuminosityLink appears to have died – or been killed off – over half a year ago.\r\nWe recently noticed that the sites luminosity[.]link and luminosityvpn[.]com had been taken down and were looking into the possibility that it was indeed “dead”, when we saw that on February 5, 2018 Europol had published a press release stating “A hacking tool allowing cybercriminals to remotely and surreptitiously gain complete control over a victim’s computer is no longer available as a result of an UK-led operation targeting hackers linked to the Remote Access Trojan (RAT) Luminosity Link.”\r\nIn this blog we look at how LuminosityLink indeed appears to have died, go into some details on LuminosityLink’s prevalence, and discuss LuminosityLink’s capabilities and how they belie claims sometimes made that it was a legitimate tool.\r\nM.I.A.\r\nUp until July 2017, the LuminosityLink RAT software was sold at the website luminosity[.]link (Figure 1).\r\nhttps://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/\r\nPage 1 of 8\n\nFigure 1 - luminosity[.]link website\r\nCustomers complained that their licensing systems were no longer working (Figure 2).\r\nFigure 2 - Customers noticing licensing down\r\nThe author of LuminosityLink, “KFC Watermelon”, was indeed keeping a low profile – closing his forum thread selling the software (Figure 3).\r\nFigure 3 - KFC Watermelon MIA\r\nAs shown in Figures 4 and 5, although unrelated to LuminosityLink, the arrest of the author of the Nanocore RAT earlier in 2017 fueled speculation on forums that the LuminosityLink author had also been arrested and may have handed over his customer list.\r\nFigure 4 - Speculation\r\nFigure 5 - Arrest\r\nHowever, even though sales and licensing of LuminosityLink have ceased, and despite the rumors, there has been no report of an arrest of the LuminosityLink author to date.\r\nInterestingly, the Europol press release seems to focus upon the users of LuminosityLink, and noticeably omits any mention of the author. Our own investigation into the LuminosityLink author suggests that the individual behind LuminosityLink RAT (and previously Plasma RAT) lives in Kentucky. In light of the fact that “KFC” originally stood for “Kentucky Fried Chicken”, the “KFC” in “KFC Watermelon” may have a deeper significance and not be a random handle.\r\nPrevalence of LuminosityLink\r\nOur oldest sample of this malware dates to mid-April 2015, very shortly after the domain luminosity[.]link was registered. In the just-over two years that this RAT was sold, Palo Alto Networks collected over 43,000 unique LuminosityLink samples through various methods. In total, Palo Alto Networks observed over 72,000 submissions to WildFire (Figure 6), of over 6000 unique samples, by almost 2500 Palo Alto Networks customers. The most prolific of these individual samples were observed in over 2000 attacks each.\r\nFigure 6 - LuminosityLink Attack Observations\r\nLuminosityLink Command and Control (C2) servers contact the author’s licensing server to verify their legitimacy. We note a sharp drop after July 2017, with the licensing server down, though samples continue to be observed. Although we note a couple of noticeable spikes, the observation of new LuminosityLink samples is on a steady decline. Based on other examples, we believe the continued presence of LuminosityLink in the wild, even though it’s no longer under development, may be due to cracked versions of it being in use.\r\nMalware, or legitimate tool?\r\nCustomers of these services, users on underground forums, have expressed concern that arrests of RAT authors might lead law enforcement to their own doors (we see similar sentiments echoed by the customers of DDoS “booter” / “stresser” services).\r\nRAT authors and customers alike claim that RATs represent legitimate “administration tools” – despite the fact that the support thread itself is under “Hacks, Exploits, and Various Discussions » Hacking Tools and Programs”, on a hacking forum (Figure 7).\r\nFigure 7 - What is obvious\r\nFurther undermining these claims, the help forum on the luminosity[.]link site included an article (Figure 8) about “support regarding a third-party product (VPN, Crypter, etc)” – suggesting that the use of such detection avoidance techniques was at the front of the author’s mind.\r\n“KFC Watermelon” even states as much on forums: “I do cater to crypter coders now and are in contact with numerous developers to ensure Luminosity works great while crypted. 1.3.1 is further proof of this.”\r\nFigure 8 - luminosity[.]link support article\r\nEven more to the point, LuminosityLink boasted feature sets such as “Surveillance: Remote Desktop, Remote Webcam, Remote Microphone”, “Smart Keylogger: Records all Keystrokes, Specify Websites and Programs to Record Separately, Keylogger Viewer, Organized and easy-to-use, Search Keylogs Easily”. These all heavily suggest a purpose other than legitimate remote administration. And other features would seem to have no legitimate purpose at all: “Crypto Currency Miner: Supports Scrypt, SHA256 and More, Custom Miner Support (For Alt Coins), Set amount of CPU to use, Supports CPU and GPU Mining, Proxy Support, Update mining config at anytime” (Figure 9).\r\nFigure 9 - Coin Miner\r\nIt’s also hard to imagine a legitimate-use scenario for launching a DDoS attack (Figure 10):\r\nFigure 10 - DDoS feature\r\nPer “KFC Watermelon” himself: “I also re-coded the DDoS modules in 1.0.0.1 and made the Layer 7 attacks more effective.”\r\nA comment on another forum was quite accurately prophetic about the risks the author of LuminosityLink was taking in April 2017, about three months before the site was parked (Figure 11).\r\nFigure 11 – Forum Comment on Risks LuminosityLink Author Was Taking\r\nConclusion\r\nBased on our analysis and the recent Europol announcement, it does seem that LuminosityLink is indeed dead, and we await news of what has happened to the author of this malware. In support of this, we have seen LuminosityLink prevalence drop significantly and we believe any remaining observable instances are likely due to cracked versions.\r\nFinally, a review of the most recent feature sets and capabilities of LuminosityLink shows that even if some of its capabilities could be put to legitimate purposes, taken as a whole, the preponderance of questionable or outright illegitimate features discredits any claims to legitimacy.\r\nCoverage\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\n1. WildFire accurately identifies LuminosityLink RAT samples as malicious.\r\n2. Traps prevents this threat on endpoints, based upon WildFire prevention.\r\nAutoFocus users can view LuminosityLink RAT samples using the “LuminosityLinkRAT” tag.\r\nIOCs can be found in the appendices of this report.\r\nAppendix I – Top 20 samples\r\nAppendix 2 – full sample hash list\r\nA full list of SHA256 hashes for all known LuminosityLink samples, as of 1 February 2018, can be found here.\r\nSource: https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/"
	],
	"report_names": [
		"unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31da1b1f-743b-40ef-bd17-1e07c5500392",
			"created_at": "2024-06-19T02:00:04.382822Z",
			"updated_at": "2026-04-10T02:00:03.655982Z",
			"deleted_at": null,
			"main_name": "UAC-0020",
			"aliases": [
				"SickSync",
				"Vermin"
			],
			"source_name": "MISPGALAXY:UAC-0020",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434460,
	"ts_updated_at": 1775791902,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b8f7124b1cd543796c395f10df4933202f2183b.pdf",
		"text": "https://archive.orkl.eu/4b8f7124b1cd543796c395f10df4933202f2183b.txt",
		"img": "https://archive.orkl.eu/4b8f7124b1cd543796c395f10df4933202f2183b.jpg"
	}
}