ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > LuminousMoth

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: LuminousMoth

NamesLuminousMoth (Kaspersky)
CountryChina China
MotivationInformation theft and espionage
First seen2020
Description(Kaspersky) APT actors are known for the frequently targeted nature of their attacks. Typically, they will handpick a set of targets that in turn are handled with almost surgical precision, with infection vectors, malicious implants and payloads being tailored to the victims’ identities or environment. It’s not often we observe a large-scale attack conducted by actors fitting this profile, usually due to such attacks being noisy, and thus putting the underlying operation at risk of being compromised by security products or researchers.

We recently came across unusual APT activity that exhibits the latter trait – it was detected in high volumes, albeit most likely aimed at a few targets of interest. This large-scale and highly active campaign was observed in South East Asia and dates back to at least October 2020, with the most recent attacks seen around the time of writing. Most of the early sightings were in Myanmar, but it now appears the attackers are much more active in the Philippines, where there are more than 10 times as many known targets.

Further analysis revealed that the underlying actor, which we dubbed LuminousMoth, shows an affinity to the Mustang Panda, Bronze President (HoneyMyte) group. This is evident in both network infrastructure connections, and the usage of similar TTPs to deploy the Cobalt Strike Beacon as a payload. In fact, our colleagues at ESET and Avast recently assessed that HoneyMyte was active in the same region. The proximity in time and common occurrence in Myanmar of both campaigns could suggest that various TTPs of HoneyMyte may have been borrowed for the activity of LuminousMoth.
ObservedCountries: Myanmar, Philippines.
Tools usedCobalt Strike.
Information<https://securelist.com/apt-luminousmoth/103332/>

Last change to this card: 08 August 2021

Download this actor card in PDF or JSON format

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key