Chinese ‘Space Pirates’ are hacking Russian aerospace
firms
By Bill Toulas
Published: 2022-05-18 · Archived: 2026-04-06 03:31:47 UTC
A previously unknown Chinese hacking group known as 'Space Pirates' targets enterprises in the Russian aerospace industry
with phishing emails to install novel malware on their systems.
The threat group is believed to have started operating in 2017, and while it has links to known groups like APT41 (Winnti),
Mustang Panda, and APT27, it is thought to be a new cluster of malicious activity.
Russian threat analysts at Positive Technologies named the group "Space Pirates" due to their espionage operations focusing
on stealing confidential information from companies in the aerospace field.
https://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/
Page 1 of 6

0:00
https://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/
Page 2 of 6

Visit Advertiser websiteGO TO PAGE
In the wild detections
The Space Pirates APT group has been seen targeting government agencies and enterprises involved in IT services,
aerospace, and electric power industries located in Russia, Georgia, and Mongolia.
The threat analysts first discovered signs of Space Pirates' activity last summer during incident response and quickly
confirmed that the threat actors used the same malware and infrastructure against at least four more domestic entities since
2019.
Two of these cases concern Russian companies with state participation, which the hackers successfully compromised.
In the first case, the threat actors maintained their access to 20 servers for ten months, stealing over 1,500 documents,
employee details, and other sensitive data.
In the second case, the Chinese hackers stayed in the network of the compromised company for over a year, siphoning
confidential information and installing their malware to 12 corporate network nodes in three distinct regions.
Novel malware
The arsenal of Space Pirates consists of custom loaders hiding behind decoy documents, slightly modified backdoors that
have been around for years, the Chinese trademark malware PlugX, and tailored spins of the PcShare backdoor.
Moreover, Space Pirates' attacks have also employed ShadowPad, Zupdax, PoisonIvy, and ReVBShell in attacks.
In addition to the above, the newly discovered APT uses three previously undocumented modular malware tools, namely
Deed RAT, BH_A006, and MyKLoadClient.
MyKLoadClient is a loader using SFX archives combined with DLL side-loading through an auxiliary launcher library
signed by McAfee Inc. The launcher supports commands that give the threat actors close control over the infection.
BH_A006 is a heavily modified version of the Gh0st backdoor, featuring many layers of obfuscation to bypass security
protections and thwart analysis.
Its features include network service creation, UAC bypassing, and shellcode unpacking and launching in the memory.
https://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/
Page 3 of 6

BH_A006 shellcode loading (PT)
Another interesting custom tool is Deed RAT, which features an unusual, intelligent method of transferring control to the
shellcode.
Deed RAT's functions depend on which plugins are fetched and loaded. For example, PT has seen eight plugins for startup,
C2 config, installation, code injection into processes, network interactions, connection management, registry editing,
registry monitoring, and proxy sniffing.
The supported protocols for C2 communication include TCP, TLS, HTTP, HTTPS, UDP, and DNS, so there's generally a
high level of versatility.
The commands supported by Deed RAT are the following:
Collect system information
Create a separate communication channel for a plugin
Self-remove
Ping
Deactivate connection
Update the shellcode for an injection stored in the registry
Update the main shellcode on disk and delete all plugins
Chinese convolution
The threat analysts believe that the overlaps between various Chinese APTs are due to tool exchanges, a common
phenomenon for hackers in the region.
Using shared tools further obscures the traces of distinct threat groups and makes the work of analysts a lot harder, so
Chinese APTs have multiple reasons to follow this practice.
https://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/
Page 4 of 6

Various links between Chinese APTs (PT)
Space Pirates has also been seen deploying their custom malware on some Chinese firms for financial gains, so the threat
group might have a dual function.
Chinese hackers have been very aggressive against Russian targets lately, as confirmed by recent findings of analysts at
Secureworks and Google.
Espionage is a standard operation for Chinese APTs, and Russia is a valid target that excels in aerospace, weapons, electrical
engineering, shipbuilding, and nuclear technology.
https://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/
Page 5 of 6

Automated Pentesting Covers Only 1 of 6 Surfaces.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the
other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic
questions for any tool evaluation.
Source: https://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/
https://www.bleepingcomputer.com/news/security/chinese-space-pirates-are-hacking-russian-aerospace-firms/
Page 6 of 6