{ "id": "aad2dda8-b20d-4713-89c8-c33b00d7b59e", "created_at": "2026-04-06T00:16:26.309723Z", "updated_at": "2026-04-10T13:12:40.106678Z", "deleted_at": null, "sha1_hash": "556300e1150497aff2f95406dea1c8e32d0346c5", "title": "LuckyMouse hits national data center to organize country-level waterholing campaign", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 199715, "plain_text": "LuckyMouse hits national data center to organize country-level\r\nwaterholing campaign\r\nBy Denis Legezo\r\nPublished: 2018-06-13 · Archived: 2026-04-05 17:27:22 UTC\r\nWhat happened?\r\nIn March 2018 we detected an ongoing campaign targeting a national data center in the Central Asia that we\r\nbelieve has been active since autumn 2017. The choice of target made this campaign especially significant – it\r\nmeant the attackers gained access to a wide range of government resources at one fell swoop. We believe this\r\naccess was abused, for example, by inserting malicious scripts in the country’s official websites in order to\r\nconduct watering hole attacks.\r\nThe operators used the HyperBro Trojan as their last-stage in-memory remote administration tool (RAT). The\r\ntimestamps for these modules are from December 2017 until January 2018. The anti-detection launcher and\r\ndecompressor make extensive use of Metasploit’s shikata_ga_nai encoder as well as LZNT1 compression.\r\nKaspersky Lab products detect the different artifacts used in this campaign with the following verdicts:\r\nTrojan.Win32.Generic, Trojan-Downloader.Win32.Upatre and Backdoor.Win32.HyperBro. A full technical report,\r\nIoCs and YARA rules are available from our intelligence reporting service (contact us\r\nintelligence@kaspersky.com).\r\nWho’s behind it?\r\nDue to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor (also known as\r\nEmissaryPanda and APT27). Also the C2 domain update.iaacstudio[.]com was previously used in their campaigns.\r\nThe tools found in this campaign, such as the HyperBro Trojan, are regularly used by a variety of Chinese-speaking actors. Regarding Metasploit’s shikata_ga_nai encoder – although it’s available for everyone and\r\ncouldn’t be the basis for attribution, we know this encoder has been used by LuckyMouse previously.\r\nGovernment entities, including the Central Asian ones also were a target for this actor before. Due to\r\nLuckyMouse’s ongoing waterholing of government websites and the corresponding dates, we suspect that one of\r\nthe aims of this campaign is to access web pages via the data center and inject JavaScripts into them.\r\nHow did the malware spread?\r\nThe initial infection vector used in the attack against the data center is unclear. Even when we observed\r\nLuckyMouse using weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used\r\nby Chinese-speaking actors since December 2017), we can´t prove they were related to this particular attack. It’s\r\npossible the actor used a waterhole to infect data center employees.\r\nhttps://securelist.com/luckymouse-hits-national-data-center/86083/\r\nPage 1 of 5\n\nThe main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to IP-address, that belongs to the\r\nUkrainian ISP network, held by a Mikrotik router using firmware version 6.34.4 (from March 2016) with SMBv1\r\non board. We suspect this router was hacked as part of the campaign in order to process the malware’s HTTP\r\nrequests. The Sonypsps[.]com domain was last updated using GoDaddy on 2017-05-05 until 2019-03-13.\r\nFMikrotik router with two-year-old firmware and SMBv1 on board used in this campaign\r\nIn March 2017, Wikileaks published details about an exploit affecting Mikrotik called ChimayRed. According to\r\nthe documentation, however, it doesn’t work for firmware versions higher than 6.30. This router uses version 6.34.\r\nThere were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that different\r\nusers in the country started being redirected to the malicious domain update.iaacstudio[.]com as a result of the\r\nwaterholing of government websites. These events suggest that the data center infected with HyperBro and the\r\nwaterholing campaign are connected.\r\nWhat did the malware do in the data center?\r\nhttps://securelist.com/luckymouse-hits-national-data-center/86083/\r\nPage 2 of 5\n\nAnti-detection stages. Different colors show the three dropped modules: legit app (blue), launcher (green), and\r\ndecompressor with the Trojan embedded (red)\r\nThe initial module drops three files that are typical for Chinese-speaking actors: a legit Symantec pcAnywhere\r\n(IntgStat.exe) for DLL side loading, a .dll launcher (pcalocalresloader.dll) and the last-stage decompressor\r\n(thumb.db). As a result of all these steps, the last-stage Trojan is injected into svchost.exe’s process memory.\r\nThe launcher module, obfuscated with the notorious Metasploit’s shikata_ga_nai encoder, is the same for all the\r\ndroppers. The resulting deobfuscated code performs typical side loading: it patches pcAnywhere’s image in\r\nmemory at its entry point. The patched code jumps back to the decryptor’s second shikata_ga_nai iteration, but\r\nthis time as part of the allowlisted application.\r\nThis Metasploit’s encoder obfuscates the last part of the launcher’s code, which in turn resolves the necessary API\r\nand maps thumb.db into the same process’s (pcAnywhere) memory. The first instructions in the mapped thumb.db\r\nare for a new shikata_ga_nai iteration. The decrypted code resolves the necessary API functions, decompresses the\r\nembedded PE file with RtlCompressBuffer() using LZNT1 and maps it into memory.\r\nWhat does the resulting watering hole look like?\r\nThe websites were compromised to redirect visitors to instances of both ScanBox and BEeF. These redirects were\r\nimplemented by adding two malicious scripts obfuscated by a tool similar to the Dean Edwards packer.\r\nhttps://securelist.com/luckymouse-hits-national-data-center/86083/\r\nPage 3 of 5\n\nResulting script on the compromised government websites\r\nUsers were redirected to https://google-updata[.]tk:443/hook.js, a BEeF instance, and https://windows-updata[.]tk:443/scanv1.8/i/?1, an empty ScanBox instance that answered a small piece of JavaScript code.\r\nConclusions\r\nLuckyMouse appears to have been very active recently. The TTPs for this campaign are quite common for\r\nChinese-speaking actors, where they typically provide new solid wrappers (launcher and decompressor protected\r\nwith shikata_ga_nai in this case) around their RATs (HyperBro).\r\nThe most unusual and interesting point here is the target. A national data center is a valuable source of data that\r\ncan also be abused to compromise official websites. Another interesting point is the Mikrotik router, which we\r\nbelieve was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don’t bother disguising their campaigns. Maybe these are the first steps in a new stealthier\r\napproach.\r\nSome indicators of compromise\r\nDroppers\r\n22CBE2B0F1EF3F2B18B4C5AED6D7BB79\r\n0D0320878946A73749111E6C94BF1525\r\nLauncher\r\nac337bd5f6f18b8fe009e45d65a2b09b\r\nHyperBro in-memory Trojan\r\n04dece2662f648f619d9c0377a7ba7c0\r\nhttps://securelist.com/luckymouse-hits-national-data-center/86083/\r\nPage 4 of 5\n\nDomains and IPs\r\nbbs.sonypsps[.]com\r\nupdate.iaacstudio[.]com\r\nwh0am1.itbaydns[.]com\r\ngoogle-updata[.]tk\r\nwindows-updata[.]tk\r\nSource: https://securelist.com/luckymouse-hits-national-data-center/86083/\r\nhttps://securelist.com/luckymouse-hits-national-data-center/86083/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY", "ETDA", "MITRE" ], "origins": [ "web" ], "references": [ "https://securelist.com/luckymouse-hits-national-data-center/86083/" ], "report_names": [ "86083" ], "threat_actors": [ { "id": "b740943a-da51-4133-855b-df29822531ea", "created_at": "2022-10-25T15:50:23.604126Z", "updated_at": "2026-04-10T02:00:05.259593Z", "deleted_at": null, "main_name": "Equation", "aliases": [ "Equation" ], "source_name": "MITRE:Equation", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "c63ab035-f9f2-4723-959b-97a7b98b5942", "created_at": "2023-01-06T13:46:38.298354Z", "updated_at": "2026-04-10T02:00:02.917311Z", "deleted_at": null, "main_name": "APT27", "aliases": [ "BRONZE UNION", "Circle Typhoon", "Linen Typhoon", "TEMP.Hippo", "Budworm", "Lucky Mouse", "G0027", "GreedyTaotie", "Red Phoenix", "Iron Tiger", "Iron Taurus", "Earth Smilodon", "TG-3390", "EMISSARY PANDA", "Group 35", "ZipToken" ], "source_name": "MISPGALAXY:APT27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43", "created_at": "2025-08-07T02:03:24.68371Z", "updated_at": "2026-04-10T02:00:03.64323Z", "deleted_at": null, "main_name": "BRONZE UNION", "aliases": [ "APT27 ", "Bowser", "Budworm ", "Circle Typhoon ", "Emissary Panda ", "Group35", "Iron Tiger ", "Linen Typhoon ", "Lucky Mouse ", "TG-3390 ", "Temp.Hippo " ], "source_name": "Secureworks:BRONZE UNION", "tools": [ "AbcShell", "China Chopper", "EAGERBEE", "Gh0st RAT", "OwaAuth", "PhantomNet", "PoisonIvy", "Sysupdate", "Wonknu", "Wrapikatz", "ZxShell", "reGeorg" ], "source_id": "Secureworks", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434586, "ts_updated_at": 1775826760, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/556300e1150497aff2f95406dea1c8e32d0346c5.pdf", "text": "https://archive.orkl.eu/556300e1150497aff2f95406dea1c8e32d0346c5.txt", "img": "https://archive.orkl.eu/556300e1150497aff2f95406dea1c8e32d0346c5.jpg" } }