Space Pirates - Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 16:23:46 UTC
Home > List all groups > Space Pirates
 APT group: Space Pirates
Names
Space Pirates (Positive Technologies)
Webworm (Symantec)
Erudite Mogwai (Solar)
Country China
Motivation Information theft and espionage
First seen 2017
Description
(BleepingComputer) A previously unknown Chinese hacking group known as 'Space
Pirates' targets enterprises in the Russian aerospace industry with phishing emails to
install novel malware on their systems.
The threat group is believed to have started operating in 2017, and while it has links
to known groups like APT 41 (Winnti), Mustang Panda, Bronze President, and
Emissary Panda, APT 27, LuckyMouse, Bronze Union, it is thought to be a new
cluster of malicious activity.
Russian threat analysts at Positive Technologies named the group 'Space Pirates' due
to their espionage operations focusing on stealing confidential information from
companies in the aerospace field.
Observed
Sectors: Aerospace, Energy, IT.
Countries: Georgia, Mongolia, Serbia, Russia.
Tools used
9002 RAT, BH_A006, Deed RAT, Gh0st RAT, MyKLoadClient, PCShare, PlugX,
Poison Ivy, ShadowPad Winnti, Trochilus RAT, Zupdax.
Operations performed
Sep 2022
Webworm: Espionage Attackers Testing and Using Older Modified
RATs
<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats>
Nov 2024 Space Pirates Targets Russian IT Firms With New LuckyStrike
Agent Malware
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0ca08038-12b4-4023-977f-ba63b4471cdb
Page 1 of 2

Information
Last change to this card: 02 March 2025
Download this actor card in PDF or JSON format
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0ca08038-12b4-4023-977f-ba63b4471cdb
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0ca08038-12b4-4023-977f-ba63b4471cdb
Page 2 of 2