{
	"id": "b3332add-60d6-4838-bbe3-315cbe390436",
	"created_at": "2026-04-06T00:07:16.000151Z",
	"updated_at": "2026-04-10T03:22:12.976099Z",
	"deleted_at": null,
	"sha1_hash": "7e9daad350d3f16c89b39113046abb890ab49ddc",
	"title": "Luckycat Redux Campaign Attacks Multiple Targets in India and Japan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105662,
	"plain_text": "Luckycat Redux Campaign Attacks Multiple Targets in India and\r\nJapan\r\nArchived: 2026-04-05 13:54:17 UTC\r\nDownload the full research paper: Luckycat\r\nRedux: Inside an APT Campaign with Multiple Targets in India and Japan\r\nThe number of targeted attacks has dramatically increased. Unlike largely indiscriminate attacks that focus on\r\nstealing credit card and banking information associated with cybercrime, targeted attacks noticeably differ and are\r\nbetter characterized as “cyber espionage.” Highly targeted attacks are computer intrusions threat actors stage in\r\norder to aggressively pursue and compromise specific targets, often leveraging social engineering, in order to\r\nmaintain persistent presence within the victim’s network so they can move laterally and extract sensitive\r\ninformation.\r\nIn a typical targeted attack, a target receives a contextually relevant email that encourages a potential victim to\r\nclick a link or open a file. The links and files the attackers send contain malicious code that exploits vulnerabilities\r\nin popular software. The exploits’ payload is malware that is silently executed on the target’s computer. This\r\nexploitation allows the attackers to take control of and obtain data from the compromised computer. In other\r\ncases, the attackers send disguised executable files, usually compressed in archives that, if opened, also\r\ncompromise the target’s computer. The malware connects back to command-and-control (C\u0026C) servers under the\r\nattackers’ control from which they can command the compromised computer to download additional malware and\r\ntools that allow them to move laterally throughout the target’s network. These attacks are, however, not isolated\r\n“smash-and-grab” incidents but are part of consistent campaigns that aim to establish covert presence in a target’s\r\nnetwork so that information can be extracted as needed.\r\nTargeted attacks are rarely isolated events. 
In fact, they are constant. It is more useful to think of them as\r\ncampaigns—a series of failed and successful attempts to compromise a target’s network over a certain period of\r\ntime. The attackers, in fact, often keep track of the different attacks within a campaign in order to determine which\r\nindividual attack compromised a specific victim’s network. As the attackers learn more about their targets from\r\nopen source research (relying on publicly available information) as well as previous attacks, the specificity of the\r\nattacks may sharply increase.\r\nCyber-espionage campaigns often focus on specific industries or communities of interest in addition to a\r\ngeographic focus. Different positions of visibility often yield additional sets of targets pursued by the same threat\r\nactors. We have been tracking the campaign dubbed “Luckycat” and found that in addition to targeting Indian\r\nmilitary research institutions, as previously revealed by Symantec, the same campaign targeted entities in Japan as\r\nwell as the Tibetan community.\r\nThe Luckycat campaign attacked a diverse set of targets using a variety of malware, some of which have been\r\nlinked to other cyber-espionage campaigns. The attackers behind this campaign maintain a diverse set of C\u0026C\r\ninfrastructure and leverage anonymity tools to obfuscate their operations. 
We were able to track elements of this\r\ncampaign to hackers based in China.\r\nLuckycat Quick Profile:\r\nFirst Seen:\r\nThe Luckycat campaign has been active since at least June 2011.\r\nVictims and Targets:\r\nThe Luckycat campaign has been linked to 90 attacks against the following industries and/or communities in\r\nJapan and India:\r\nAerospace\r\nEnergy\r\nEngineering\r\nShipping\r\nMilitary research\r\nTibetan activists\r\nOperations:\r\nTargeted emails that are contextually relevant (i.e., emails containing a decoy document of radiation dose\r\nmeasurement results sent some time after the Great East Japan Earthquake)\r\nExploited CVE-2010-3333 (aka, Rich Text Format [RTF] Stack Buffer Overflow Vulnerability) in several\r\ninstances, although Adobe Reader and Flash Player vulnerabilities were also exploited\r\nUsed TROJ_WIMMIE or VBS_WIMMIE—malware that takes advantage of the Windows Management\r\nInstrumentation (WMI), making the backdoor component undetectable through file scanning\r\nThe WIMMIE malware, once inside the network, connects to a command-and-control (C\u0026C) server via\r\nHTTP over port 80\r\nAttackers heavily used free web-hosting services but also used virtual private servers (VPSs) for more\r\nstable operations\r\nPossible Indicators of Compromise\r\nWIMMIE malware does not leave much of a network fingerprint. 
However, the following is an identifiable HTTP C\u0026C\r\ncommunication fingerprint—count.php?m=c\u0026n=[HOSTNAME]_[MAC_ADDRESS]_[CAMPAIGN_CODE]@.\r\nThis format can also be seen in the URL inside the script when /namespace:\\\\root\\subscription path\r\n__eventconsumer is typed in the command line for WMI.\r\nRelationship with Other APT Campaigns\r\nMalware identified with the ShadowNet, Duojeen, Sparksrv, and Comfoo campaigns were used or found hosted\r\non the same dedicated server used by the LuckyCat campaign.\r\n* The campaign codes we have seen so far are detailed in the Trend Micro research paper, “Luckycat Redux:\r\nInside an APT Campaign with Multiple Targets in India and Japan.” The characteristics highlighted in this APT\r\ncampaign profile reflect the results of our investigation as of March 2012.\r\nSource: 
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/luckycat-redux-campaign-attacks-multiple-targets-in-india-and-japan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/luckycat-redux-campaign-attacks-multiple-targets-in-india-and-japan"
	],
	"report_names": [
		"luckycat-redux-campaign-attacks-multiple-targets-in-india-and-japan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434036,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e9daad350d3f16c89b39113046abb890ab49ddc.pdf",
		"text": "https://archive.orkl.eu/7e9daad350d3f16c89b39113046abb890ab49ddc.txt",
		"img": "https://archive.orkl.eu/7e9daad350d3f16c89b39113046abb890ab49ddc.jpg"
	}
}