A massive ongoing attack campaign has been discovered that already targeted hundreds of victims in Southeast Asia. The campaign is being operated by the LuminousMoth APT, which is believed to be affiliated with China.

What happened?

According to the Kaspersky researchers, recent malicious activities are conducted against targets in the Philippines. The threat actor is suspected to be linked with the Mustang Panda APT group with medium-high confidence.
  • The common links between the two groups are the C2 servers being used and the use of similar tactics, techniques, and procedures to drop the Cobalt Strike beacon payloads.
  • Both the threat groups are known to launch wide-scale attacks against significant numbers of targets and then proceed with further attacks by targeting only a small number of victims aligned with their interests.
  • While analyzing LuminousMoth's attacks against multiple Asian governments that started at least October last year, researchers spotted a total of 100 victims in Myanmar and 1,400 in the Philippines.

The use of USB drives for infection

The reason behind a large number of attacks could be due to the involvement of two infection vectors: via spear-phishing emails and via USB drives.
  • Attackers are using spear-phishing emails with malicious Dropbox links that spread RAR archives disguised as Word documents and bundled the malicious payloads for gaining access to the victim's systems.
  • After being executed on a victim's device, the malware can make its way onto other systems with the use of removable USB drives, along with files stolen from infected computers.
  • LuminousMoth has post-exploitation tools that can be used for further movement inside victims' networks. One such tool disguises as a fake Zoom app, while another one can steal Chrome browser cookies.


The activities of the LuminousMoth APT group and its connections with MustangPanda indicate the wider interests of China-based hackers toward Southeast Asian governments. Furthermore, it indicates that Chinese APTs are focusing on developing new and innovative malware implants for malicious purposes. Current trends indicate that more sophisticated tools can be observed in the near future.

Cyware Publisher