{
	"id": "cc342dc3-9cf5-4364-a0d6-480a0d7f13e3",
	"created_at": "2026-04-06T00:18:28.320749Z",
	"updated_at": "2026-04-10T13:12:36.072977Z",
	"deleted_at": null,
	"sha1_hash": "b1cbc5a600b3fbfb5a9ee6b12860adff9c3d2c2e",
	"title": "LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 299857,
	"plain_text": "LuckyMouse signs malicious NDISProxy driver with certificate of\r\nChinese IT company\r\nBy GReAT\r\nPublished: 2018-09-10 · Archived: 2026-04-05 15:05:15 UTC\r\nWhat happened?\r\nSince March 2018 we have discovered several infections where a previously unknown Trojan was injected into\r\nthe lsass.exe system process memory. These implants were injected by the digitally signed 32- and 64-bit network\r\nfiltering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to the Chinese\r\ncompany LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the\r\ncompany about the issue via CN-CERT.\r\nThe campaign described in this report was active immediately prior to a Central Asian high-level meeting and we\r\nsuppose that the actor behind it still follows a regional political agenda.\r\nWhich malicious modules are used?\r\nThe malware consists of three different modules:\r\nA custom C++ installer that decrypts and drops the driver file in the corresponding system directory,\r\ncreates a Windows autorun service for driver persistence and adds the encrypted in-memory Trojan to the\r\nsystem registry.\r\nA network filtering driver (NDISProxy) that decrypts and injects the Trojan into memory and filters port\r\n3389 (Remote Desktop Protocol, RDP) traffic in order to insert the Trojan’s C2 communications into it.\r\nA last-stage C++ Trojan acting as an HTTPS server that works together with the driver. It waits passively for\r\ncommunications from its C2, with two possible communication channels via ports 3389 and 443.\r\nhttps://securelist.com/luckymouse-ndisproxy-driver/87914/\r\nPage 1 of 8\n\nNDISProxy driver and RAT work together once the installer has set up all the modules\r\nThese modules allow attackers to silently move laterally in the infected infrastructure, but don’t allow them to\r\ncommunicate with an external C2 if the new infected host only has a LAN IP. 
Because of this, the operators used\r\nan Earthworm SOCKS tunneler in order to connect the LAN of the infected host to the external C2. They also\r\nused the Scanline network scanner to find file shares (port 135, Server Message Block, SMB) which they use to\r\nspread malware using administrative passwords compromised with keyloggers.\r\nWe assess with high confidence that NDISProxy is a new tool used by LuckyMouse. Kaspersky Lab products\r\ndetect the described artefacts. For more information please contact: intelreports@kaspersky.com\r\nHow does it spread?\r\nWe detected the distribution of the 32-bit dropper used for this campaign among different targets by the end of\r\nMarch 2018. However, we didn’t observe any spear phishing or watering hole activity. We believe the operators\r\nspread their infectors through networks that were already compromised instead.\r\nHow does it work?\r\nCustom installer\r\nInstaller MD5 hash Timestamp (GMT) Size Bits\r\ndacedff98035f80711c61bc47e83b61d 2018.03.29 07:35:55 572 244 32\r\n9dc209f66da77858e362e624d0be86b3 2018.03.26 04:16:00 572 244 32\r\n3cbeda2c5ac41cca0b0d60376a2b2511 2018.03.26 04:16:00 307 200 32\r\nThe initial infectors are 32-bit portable executable files capable of installing 32-bit or 64-bit drivers depending on\r\nthe target. The installer logs all the installation process steps in the load.log file within the same directory. 
It\r\nchecks if the OS is Windows Vista or above (major version equal to 6 or higher) and decrypts its initial\r\nconfiguration using the DES (Data Encryption Standard) algorithm.\r\nThe set of well-known port numbers (HTTP, HTTPS, SMB, POP3S, MSSQL, PPTP and RDP) in the\r\nconfiguration is not used, which along with the “[test]” strings in messages suggests this malware is still under\r\ndevelopment.\r\nThe installer creates a semaphore (name depending on configuration) Global\\Door-ndisproxy-mn and checks if\r\nthe service (name also depends on configuration) ndisproxy-mn is already installed. If it is, the dropper writes\r\n“door detected” in load.log. The autorun Windows service running NDISProxy is the “door” in developer terms.\r\nThe installer also decrypts (using the same DES) the shellcode of the last stage Trojan and saves it in three registry\r\nvalues named xxx0, xxx1, xxx2 in key HKLM\\SOFTWARE\\Classes\\32ndisproxy-mn (or 64ndisproxy-mn for 64-\r\nbit hosts). The encrypted configuration is saved as the value filterpd-ndisproxy-mn in the registry key\r\nHKCR\\ndisproxy-mn.\r\nInitial installer saves XOR-encrypted Trojan’s shellcode and DES-encrypted configuration in system registry\r\nThe installer creates the corresponding autostart service and registry keys. 
The “Altitude” registry value (unique\r\nID for the minifilter driver) is set to 321 000, which means “FSFilter Anti-Virus” in Windows terms:\r\nNDISProxy network filtering driver\r\nDriver MD5 hash Timestamp Size Bits\r\n8e6d87eadb27b74852bd5a19062e52ed 2018.03.29 07:33:58 40400 64\r\nd21de00f981bb6b5094f9c3dfa0be533 2018.03.29 07:33:52 33744 32\r\na2eb59414823ae00d53ca05272168006 2018.03.26 04:15:28 40400 64\r\n493167e85e45363d09495d0841c30648 2018.03.26 04:15:21 33744 32\r\nad07b44578fa47e7de0df42a8b7f8d2d 2017.11.08 08:04:50 241616 64\r\nThis digitally signed driver is the most interesting artefact used in this campaign. The network filtering modules\r\nserve two purposes: first, they decrypt and inject the RAT; second, they set up its communication channel through\r\nRDP port 3389.\r\nThe drivers are signed with a digital certificate issued by VeriSign to LeagSoft, a company developing information\r\nsecurity software such as data loss prevention (DLP) solutions.\r\nThis driver makes extensive use of third-party publicly available C source code, including from the Blackbone\r\nrepository available at GitHub.\r\nFeature Public repository\r\nDriver memory\r\ninjection\r\nBlackbone https://github.com/DarthTon/Blackbone\r\nNDIS network\r\nfiltering driver\r\nMicrosoft Windows Driver Kit (WDK) sample code “Windows Filtering Platform\r\nStream Edit Sample/C++/sys/stream_callout.c”\r\nParse HTTP\r\npackets\r\nHttp-parser https://github.com/nodejs/http-parser\r\nThe driver again checks if the Windows version is higher than Vista, then creates a device named\r\n\\\\Device\\\\ndisproxy-%s (where the word after “-” varies – see Appendix for all variants) and its corresponding\r\nsymbolic link \\\\DosDevices\\\\Global\\\\ndisproxy-%s.\r\nThe driver combines all the Trojan-related registry values from 
HKLM\\SOFTWARE\\Classes\\32ndisproxy-mn and\r\nde-XORs them with a six-byte hardcoded value. It then injects the resulting Trojan executable shellcode into\r\nlsass.exe memory using Blackbone library functions.\r\nNDISProxy works as a network traffic filter engine, filtering the traffic going through RDP port 3389 (the port\r\nnumber is hardcoded) and injecting messages into it.\r\nThe communication between the user-mode in-memory Trojan and the driver goes through the custom control\r\ncodes used by the DeviceIoControl() Windows API function. Apart from the auxiliary codes, there are two codes\r\nworth mentioning:\r\nDriver control code Meaning\r\n0x222400 Start traffic filtering at RDP port 3389\r\n0x22240C Inject given data into filtering TCP stream. Used for Trojan communication with C2\r\nIn-memory C++ Trojan\r\nSHA256 c69121a994ea8ff188510f41890208625710870af9a06b005db817934b517bc1\r\nMD5 6a352c3e55e8ae5ed39dc1be7fb964b1\r\nCompiled 2018.03.26 04:15:48 (GMT)\r\nType I386 Windows GUI DLL\r\nSize 175 616\r\nPlease note this Trojan exists in memory only; the data above is for the decrypted Windows registry content\r\nwithout the initial shellcode.\r\nThis RAT is decrypted by the NDISProxy driver from the system registry and injected into the lsass.exe process\r\nmemory. The code starts with a shellcode: instead of relying on the typical Windows portable executable loader, this malware\r\nimplements memory mapping by itself.\r\nThis Trojan is a full-featured RAT capable of executing common tasks such as command execution and\r\ndownloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMFile,\r\nCMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first stage custom installer utilizes the same\r\nclasses. The Trojan uses the HTTP Server API to filter HTTPS packets at port 443 and parse commands.\r\nThe Trojan is an HTTP server that allows LAN connections. 
It uses a SOCKS tunneler to communicate with the C2\r\nThis Trojan is used by attackers to gather a target’s data, move laterally and create SOCKS tunnels to\r\ntheir C2 using the Earthworm tunneler. This tool is publicly available and popular among Chinese-speaking\r\nactors. Given that the Trojan is an HTTPS server itself, we believe that the SOCKS tunnel is used for targets\r\nwithout an external IP, so the C2 is able to send commands.\r\nWho’s behind it and why?\r\nWe found that this campaign targeted Central Asian government entities. We believe the attack was highly\r\ntargeted and was linked to a high-level meeting. We assess with high confidence that the Chinese-speaking\r\nLuckyMouse actor is responsible for this new campaign using the NDISProxy tool described in this report.\r\nIn particular, the choice of the Earthworm tunneler is typical for Chinese-speaking actors. Also, one of the\r\ncommands used by the attackers (“-s rssocks -d 103.75.190[.]28 -e 443”) creates a tunnel to a previously known\r\nLuckyMouse C2. The choice of victims in this campaign also aligns with the previous interests shown by this\r\nactor.\r\nConsistent with current trends\r\nWe have observed a gradual shift in several Chinese-speaking campaigns towards a combination of publicly\r\navailable tools (such as Metasploit or CobaltStrike) and custom malware (like the C++ last stage RAT described in\r\nthis report). We have also observed how different actors adopt code from GitHub repositories on a regular basis.\r\nAll this combines to make attribution more difficult.\r\nThis campaign appears to demonstrate once again LuckyMouse’s interest in Central Asia and the political agenda\r\nsurrounding the Shanghai Cooperation Organization.\r\nIndicators of Compromise\r\nNote: The indicators in this section are valid at the time of publication. 
Any future changes will be updated\r\ndirectly in the corresponding .ioc file.\r\nFile Hashes\r\nDroppers-installers\r\n9dc209f66da77858e362e624d0be86b3\r\ndacedff98035f80711c61bc47e83b61d\r\nDrivers\r\n8e6d87eadb27b74852bd5a19062e52ed\r\nd21de00f981bb6b5094f9c3dfa0be533\r\na2eb59414823ae00d53ca05272168006\r\n493167e85e45363d09495d0841c30648\r\nad07b44578fa47e7de0df42a8b7f8d2d\r\nAuxiliary Earthworm SOCKS tunneler and Scanline network scanner\r\n83c5ff660f2900677e537f9500579965\r\n3a97d9b6f17754dcd38ca7fc89caab04\r\nDomains and IPs\r\n103.75.190[.]28\r\n213.109.87[.]58\r\nSemaphores\r\nGlobal\\Door-ndisproxy-mn\r\nGlobal\\Door-ndisproxy-help\r\nGlobal\\Door-ndisproxy-notify\r\nServices\r\nndisproxy-mn\r\nndisproxy-help\r\nndisproxy-notify\r\nRegistry keys and values\r\nHKLM\\SOFTWARE\\Classes\\32ndisproxy-mn\r\nHKLM\\SOFTWARE\\Classes\\64ndisproxy-mn\r\nHKCR\\ndisproxy-mn\\filterpd-ndisproxy-mn\r\nHKLM\\SOFTWARE\\Classes\\32ndisproxy-help\r\nHKLM\\SOFTWARE\\Classes\\64ndisproxy-help\r\nHKCR\\ndisproxy-mn\\filterpd-ndisproxy-help\r\nHKLM\\SOFTWARE\\Classes\\32ndisproxy-notify\r\nHKLM\\SOFTWARE\\Classes\\64ndisproxy-notify\r\nHKCR\\ndisproxy-mn\\filterpd-ndisproxy-notify\r\nDriver certificate\r\nMany legitimate LeagSoft products are signed with the following certificate. Please don’t consider all signed\r\nfiles as malicious.\r\nSubject ShenZhen LeagSoft Technology Co.,Ltd.\r\nSerial number 78 62 07 2d dc 75 9e 5f 6a 61 4b e9 b9 3b d5 21\r\nIssuer VeriSign Class 3 Code Signing 2010 CA\r\nValid to 2018-07-19\r\nSource: https://securelist.com/luckymouse-ndisproxy-driver/87914/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/luckymouse-ndisproxy-driver/87914/"
	],
	"report_names": [
		"87914"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434708,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1cbc5a600b3fbfb5a9ee6b12860adff9c3d2c2e.pdf",
		"text": "https://archive.orkl.eu/b1cbc5a600b3fbfb5a9ee6b12860adff9c3d2c2e.txt",
		"img": "https://archive.orkl.eu/b1cbc5a600b3fbfb5a9ee6b12860adff9c3d2c2e.jpg"
	}
}