Chinese APT group, LuminousMoth targets governments in Asia

July 20, 2021
LuminousMoth APT SouthEast Asia Philippines

A massive ongoing cyberattack campaign that already targeted hundreds of victims in Southeast Asia was discovered by a cybersecurity firm. The discovered campaign is being operated by an APT hacking group known as LuminousMoth, possibly affiliated with the Chinese government.

According to the cybersecurity researchers, recent activities were conducted against selected targets in the Philippines. The threat actors behind the group are linked to the MustangPanda APT group based on the gathered evidence.

The two groups were linked using shared C2 servers to operate and use similar techniques, tactics, and procedures to plant the Cobalt Strike malware payloads. Both hacking groups are known to conduct large-scale attacks against many targets and then proceed with more minor attacks by targeting a select smaller number of victims aligned to their goals. During the analysis of the LuminousMoth attack, researchers have spotted victims coming from multiple Asian governments that total to 100 victims in Myanmar and 1400 in the Philippines since October.

Many of the victims could be affected by two main infection vectors: spear-phishing emails and using a USB storage drive.

The threat actors used spear-phishing emails containing a malicious Dropbox link that will spread RAR archive files that pose as Word documents that contain malicious scripts and payloads that will enable access to their victim’s computer system.

LuminousMoth seems to have post-exploitation features that the threat actor can use to further move into their victim’s internal networks. One tool is disguised as a fake Zoom meetings app. Another one can steal Chrome web browser’s cookies. The malware can also get executed via a removable USB device which will spread onto other connected systems with the files it had stolen from the other infected computers.


The malicious activities conducted by LuminousMoth APT hacking group and its similarity and connection with MustangPanda APT indicate a broader interest of Chinese hackers against Southeast Asian governments.


This also concludes that Chinese APT groups are developing and innovating new malware implants and variants to conduct devious campaigns. The observed trend indicates that more sophisticated tools and new tactics are expected to be used soon.

About the author

Leave a Reply