APT27 (Mandiant), Iron Tiger (TrendMicro), Emissary Panda (CS), BRONZE UNION, Budworm, Earth Smilodon, G0027, GreedyTaotie, Group 35, Iron Taurus, Lucky Mouse, Red Phoenix, TEMP.Hippo, TG-3390, ZipToken
LuckyMouse, also known as APT27 or Emissary Panda, is a cyber espionage group active since at least 2010. For more than a decade it has primarily targeted companies and subcontractors in the defense, aerospace, telecommunications, manufacturing, energy, technology and education sectors, as well as diplomatic institutions. The group is assessed to be sponsored by the Chinese government and is known for advanced tactics, techniques and procedures (TTPs), including the exploitation of zero-day vulnerabilities, the use of custom malware and multi-stage intrusions.

LuckyMouse operates a range of custom and shared malware, including HyperBro (a remote access trojan used for information gathering and command execution), PlugX (a RAT that gives the operator remote control of infected machines), QuarkBandit (a modular malware platform), Mirage (a RAT that can create fake network drives to stage data for exfiltration) and ShadowPad (a modular backdoor used to maintain covert access). For initial access the group frequently exploits Internet-facing applications and services such as Microsoft SharePoint, Microsoft Exchange and MySQL. Once inside, it establishes a foothold, expands its access across the network and has remained undetected for months or even years.