LuminousMoth
Overview
LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.
Targets
Civil society
Regions
Germany · United States
TTPs — 28 techniques across 12 tactics
Resource Development
- T1587.001 Malware
- T1588.001 Malware
- T1588.002 Tool
- T1588.004 Digital Certificates
- T1608.001 Upload Malware
- T1608.004 Drive-by Target
- T1608.005 Link Target
Initial Access
- T1566.002 Spearphishing Link
Execution
- T1053.005 Scheduled Task
- T1204.001 Malicious Link
Persistence
- T1547.001 Registry Run Keys / Startup Folder
Stealth
- T1036.005 Match Legitimate Resource Name or Location
- T1564.001 Hidden Files and Directories
- T1574.001 DLL
Defense Impairment
- T1112 Modify Registry
- T1553.002 Code Signing
Credential Access
- T1539 Steal Web Session Cookie
- T1557.002 ARP Cache Poisoning
Discovery
Lateral Movement
Collection
- T1005 Data from Local System
- T1560 Archive Collected Data
Command and Control
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
Exfiltration
- T1030 Data Transfer Size Limits
- T1041 Exfiltration Over C2 Channel
- T1567.002 Exfiltration to Cloud Storage
Tools & malware (2)
PlugX · Cobalt Strike
Reporting (2)
- LuminousMoth - PlugX, File Exfiltration and Persistence Revisited — Botezatu, B., et al.
- LuminousMoth APT: Sweeping attacks for the chosen few — Lechtik, M., et al.