{ "id": "c9a37844-525f-4274-92da-775c2d67ab6c", "created_at": "2026-04-06T03:37:08.865154Z", "updated_at": "2026-04-10T03:36:33.790813Z", "deleted_at": null, "sha1_hash": "c8b149a5adf91abf6ea383657c5ee1906438f85f", "title": "Chinese \u0026lsquo;Space Pirates\u0026rsquo; are hacking Russian aerospace firms", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1855466, "plain_text": "Chinese \u0026lsquo;Space Pirates\u0026rsquo; are hacking Russian aerospace\r\nfirms\r\nBy Bill Toulas\r\nPublished: 2022-05-18 · Archived: 2026-04-06 03:31:47 UTC\r\nA previously unknown Chinese hacking group known as 'Space Pirates' targets enterprises in the Russian aerospace industry\r\nwith phishing emails to install novel malware on their systems.\r\nThe threat group is believed to have started operating in 2017, and while it has links to known groups like APT41 (Winnti),\r\nMustang Panda, and APT27, it is thought to be a new cluster of malicious activity.\r\nRussian threat analysts at Positive Technologies named the group \"Space Pirates\" due to their espionage operations focusing\r\non stealing confidential information from companies in the aerospace field.\r\nhttps://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nIn the wild detections\r\nThe Space Pirates APT group has been seen targeting government agencies and enterprises involved in IT services,\r\naerospace, and electric power industries located in Russia, Georgia, and Mongolia.\r\nThe threat analysts first discovered signs of Space Pirates' activity last summer during incident response and quickly\r\nconfirmed that the threat actors used the same malware and infrastructure against at least four more domestic entities since\r\n2019.\r\nTwo of these cases concern Russian companies with state participation, which the hackers successfully compromised.\r\nIn the first case, the threat actors maintained their access to 20 servers for ten months, stealing over 1,500 documents,\r\nemployee details, and other sensitive data.\r\nIn the second case, the Chinese hackers stayed in the network of the compromised company for over a year, siphoning\r\nconfidential information and installing their malware to 12 corporate network nodes in three distinct regions.\r\nNovel malware\r\nThe arsenal of Space Pirates consists of custom loaders hiding behind decoy documents, slightly modified backdoors that\r\nhave been around for years, the Chinese trademark malware PlugX, and tailored spins of the PcShare backdoor.\r\nMoreover, Space Pirates' attacks have also employed ShadowPad, Zupdax, PoisonIvy, and ReVBShell in attacks.\r\nIn addition to the above, the newly discovered APT uses three previously undocumented modular malware tools, namely\r\nDeed RAT, BH_A006, and MyKLoadClient.\r\nMyKLoadClient is a loader using SFX archives combined with DLL side-loading through an auxiliary launcher library\r\nsigned by McAfee Inc. The launcher supports commands that give the threat actors close control over the infection.\r\nBH_A006 is a heavily modified version of the Gh0st backdoor, featuring many layers of obfuscation to bypass security\r\nprotections and thwart analysis.\r\nIts features include network service creation, UAC bypassing, and shellcode unpacking and launching in the memory.\r\nhttps://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/\r\nPage 3 of 6\n\nBH_A006 shellcode loading (PT)\r\nAnother interesting custom tool is Deed RAT, which features an unusual, intelligent method of transferring control to the\r\nshellcode.\r\nDeed RAT's functions depend on which plugins are fetched and loaded. For example, PT has seen eight plugins for startup,\r\nC2 config, installation, code injection into processes, network interactions, connection management, registry editing,\r\nregistry monitoring, and proxy sniffing.\r\nThe supported protocols for C2 communication include TCP, TLS, HTTP, HTTPS, UDP, and DNS, so there's generally a\r\nhigh level of versatility.\r\nThe commands supported by Deed RAT are the following:\r\nCollect system information\r\nCreate a separate communication channel for a plugin\r\nSelf-remove\r\nPing\r\nDeactivate connection\r\nUpdate the shellcode for an injection stored in the registry\r\nUpdate the main shellcode on disk and delete all plugins\r\nChinese convolution\r\nThe threat analysts believe that the overlaps between various Chinese APTs are due to tool exchanges, a common\r\nphenomenon for hackers in the region.\r\nUsing shared tools further obscures the traces of distinct threat groups and makes the work of analysts a lot harder, so\r\nChinese APTs have multiple reasons to follow this practice.\r\nhttps://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/\r\nPage 4 of 6\n\nVarious links between Chinese APTs (PT)\r\nSpace Pirates has also been seen deploying their custom malware on some Chinese firms for financial gains, so the threat\r\ngroup might have a dual function.\r\nChinese hackers have been very aggressive against Russian targets lately, as confirmed by recent findings of analysts at\r\nSecureworks and Google.\r\nEspionage is a standard operation for Chinese APTs, and Russia is a valid target that excels in aerospace, weapons, electrical\r\nengineering, shipbuilding, and nuclear technology.\r\nhttps://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/\r\nPage 5 of 6\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/\r\nhttps://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/" ], "report_names": [ "chinese-space-pirates-are-hacking-russian-aerospace-firms" ], "threat_actors": [ { "id": "536ca49a-2666-4005-8a50-e552fc7e16ef", "created_at": "2023-11-21T02:00:07.375813Z", "updated_at": "2026-04-10T02:00:03.471967Z", "deleted_at": null, "main_name": "Webworm", "aliases": [ "Space Pirates" ], "source_name": "MISPGALAXY:Webworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "c63ab035-f9f2-4723-959b-97a7b98b5942", "created_at": "2023-01-06T13:46:38.298354Z", "updated_at": "2026-04-10T02:00:02.917311Z", "deleted_at": null, "main_name": "APT27", "aliases": [ "BRONZE UNION", "Circle Typhoon", "Linen Typhoon", "TEMP.Hippo", "Budworm", "Lucky Mouse", "G0027", "GreedyTaotie", "Red Phoenix", "Iron Tiger", "Iron Taurus", "Earth Smilodon", "TG-3390", "EMISSARY PANDA", "Group 35", "ZipToken" ], "source_name": "MISPGALAXY:APT27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4", "created_at": "2022-10-25T16:07:24.219051Z", "updated_at": "2026-04-10T02:00:04.902017Z", "deleted_at": null, "main_name": "Space Pirates", "aliases": [ "Erudite Mogwai", "Webworm" ], "source_name": "ETDA:Space Pirates", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "BH_A006", "Chymine", "Darkmoon", "Deed RAT", "Destroy RAT", "DestroyRAT", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "HOMEUNIX", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "MyKLoadClient", "Mydoor", "PCRat", "PCShare", "POISONPLUG.SHADOW", "PlugX", "Poison Ivy", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SnappyBee", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "XShellGhost", "Xamtrav", "Zupdax", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43", "created_at": "2025-08-07T02:03:24.68371Z", "updated_at": "2026-04-10T02:00:03.64323Z", "deleted_at": null, "main_name": "BRONZE UNION", "aliases": [ "APT27 ", "Bowser", "Budworm ", "Circle Typhoon ", "Emissary Panda ", "Group35", "Iron Tiger ", "Linen Typhoon ", "Lucky Mouse ", "TG-3390 ", "Temp.Hippo " ], "source_name": "Secureworks:BRONZE UNION", "tools": [ "AbcShell", "China Chopper", "EAGERBEE", "Gh0st RAT", "OwaAuth", "PhantomNet", "PoisonIvy", "Sysupdate", "Wonknu", "Wrapikatz", "ZxShell", "reGeorg" ], "source_id": "Secureworks", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775446628, "ts_updated_at": 1775792193, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c8b149a5adf91abf6ea383657c5ee1906438f85f.pdf", "text": "https://archive.orkl.eu/c8b149a5adf91abf6ea383657c5ee1906438f85f.txt", "img": "https://archive.orkl.eu/c8b149a5adf91abf6ea383657c5ee1906438f85f.jpg" } }