LuminousMoth

LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.[1][2]

ID: G1014
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet; Zaw Min Htun, @Z3TAE
Version: 1.0
Created: 23 February 2023
Last Modified: 16 April 2025

Techniques Used

Domain | ID | Name | Use
Enterprise | T1557.002 | Adversary-in-the-Middle: ARP Cache Poisoning

LuminousMoth has used ARP spoofing to redirect a compromised machine to an actor-controlled website.[2]
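The redirect described above works only while the victim's ARP cache holds the attacker's MAC for the gateway (or for the target web server), and an ARP-spoofing tool keeps that entry alive by repeating gratuitous replies. The detector below is an added example, not code from the ATT&CK page or from either cited report: it consumes a stream of observed ARP replies (here a constructed sample; in practice the output of a capture filtered on ARP, or periodic ARP-cache snapshots), pins the gateway's IP-to-MAC binding, and raises on a pinned binding being claimed by another MAC, on any IP changing MAC, and on one MAC flooding replies inside a short window. The addresses, thresholds and window are assumptions to tune for your network.

```python
r"""ARP-spoofing detector over a stream of observed ARP replies.

Added example: the records below are constructed, not taken from the cited
reports. In practice feed it ARP replies parsed from a capture (for instance
tcpdump -i eth0 arp) or from periodic snapshots of the ARP cache.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float        # seconds since start of capture
    sender_ip: str   # IP address the sender claims to own
    sender_mac: str  # hardware address carried in the ARP payload


# Constructed sample: 10.0.0.1 is the gateway and aa:..:01 its real MAC.
# From t=30 a second host (cc:..:99) starts answering for the gateway's IP
# and floods replies, which is what a LAN ARP-spoofing tool does to pull a
# victim's traffic through the attacker's machine.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(1.0, "10.0.0.25", "bb:bb:bb:bb:bb:25"),
    ArpReply(2.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(30.0, "10.0.0.1", "cc:cc:cc:cc:cc:99"),
    ArpReply(30.5, "10.0.0.1", "cc:cc:cc:cc:cc:99"),
    ArpReply(31.0, "10.0.0.1", "cc:cc:cc:cc:cc:99"),
    ArpReply(31.5, "10.0.0.25", "cc:cc:cc:cc:cc:99"),
]

# Pinned bindings for hosts whose MAC should never change (gateway, DNS, proxy).
GATEWAY_BINDINGS = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_spoofing(replies, trusted=None, flood_window=5.0, flood_threshold=3):
    """Return a list of (kind, subject, detail, ts) alerts.

    kind is one of:
      pinned_binding_violation - a pinned IP was claimed by a different MAC
      ip_mac_change            - an unpinned IP moved to a new MAC
      reply_flood              - one MAC sent flood_threshold replies within flood_window s
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    binding = {}                    # ip -> most recently accepted MAC
    recent = defaultdict(list)      # mac -> timestamps inside the flood window
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        if r.sender_ip in trusted:
            if trusted[r.sender_ip] != mac:
                alerts.append(("pinned_binding_violation", r.sender_ip, mac, r.ts))
        else:
            prev = binding.setdefault(r.sender_ip, mac)
            if prev != mac:
                alerts.append(("ip_mac_change", r.sender_ip, f"{prev}->{mac}", r.ts))
                binding[r.sender_ip] = mac   # re-alert only on the next change
        # Flood check: gratuitous replies are repeated to keep the poisoned entry alive.
        recent[mac] = [t for t in recent[mac] if r.ts - t <= flood_window] + [r.ts]
        if len(recent[mac]) == flood_threshold:
            alerts.append(("reply_flood", mac, f"{flood_threshold} replies in {flood_window}s", r.ts))
    return alerts


def alert_counts(alerts):
    """Collapse an alert list into a count per kind, handy for a quick summary."""
    return Counter(kind for kind, *_ in alerts)


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, trusted=GATEWAY_BINDINGS):
        print(alert)
```

Pinning the gateway is what makes the first rule cheap and reliable; the change and flood rules catch poisoning of hosts you did not think to pin, at the cost of noise from DHCP reassignments and NIC replacements, so they are better as enrichment than as a paging alert.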

Enterprise | T1071.001 | Application Layer Protocol: Web Protocols

LuminousMoth has used HTTP for C2.[1]

Enterprise | T1560 | Archive Collected Data

LuminousMoth has manually archived stolen files from victim machines before exfiltration.[2]

Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

LuminousMoth has used malicious DLLs that set up persistence under the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[1][2]
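A Run-key write is one of the easiest persistence events to catch if you log registry value sets, and the DLL-backed variant described above stands out because a Run value normally points at an executable in an install directory, not at a DLL or a user-writable path. The rule below is an added example, not code from the ATT&CK page or the cited reports; it also covers the Modify Registry usage further down. It takes Sysmon Event ID 13 (RegistryEvent, value set) records as dictionaries, using Sysmon's field names; the five events are constructed. One detail worth knowing: Sysmon records the current user's hive as HKU\<SID>, which is what HKCU resolves to, so a rule written against the key path the page gives has to normalise that form.

```python
r"""Flag Run-key persistence in Sysmon registry events (Event ID 13, value set).

Added example, not code from the ATT&CK page or the cited reports. Field names
follow Sysmon's RegistryEvent schema (TargetObject, Details, Image); the events
below are constructed. Sysmon logs the current user's hive as HKU\<SID>, which
is what HKCU resolves to, so the key from the page shows up in that form.
"""
import re

RUN_KEY_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKU\\S-1-5-21-[\d-]+)\\"
    r"(?P<key>Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce))\\"
    r"(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|AppData|Temp|Public)\\", re.IGNORECASE)
PROXY_HOST_RE = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell)(\.exe)?\b", re.IGNORECASE)
DLL_RE = re.compile(r"\.dll\b", re.IGNORECASE)

# Constructed Sysmon Event ID 13 records: one benign Run value, two modelled on
# DLL-backed persistence (a relocated side-load host, and rundll32 loading a DLL
# from ProgramData), and two events that are not Run-key value writes at all.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Users\victim\AppData\Roaming\Intel\igfxem.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\victim\AppData\Roaming\Intel\igfxem.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loader",
     "Details": r"rundll32.exe C:\ProgramData\cache\helper.dll,Start"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Details": ""},
]


def normalize_hive(hive):
    """Map Sysmon's HKU\\<SID> form back to HKCU so rules can use the key path as the page writes it."""
    return "HKCU" if hive.upper().startswith("HKU\\") else hive.upper()


def analyze_run_key_events(events):
    """Return one finding per Run/RunOnce value write, with the reasons it looks suspicious."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        m = RUN_KEY_RE.match(ev.get("TargetObject", ""))
        if not m:
            continue
        data = ev.get("Details", "")
        reasons = []
        if DLL_RE.search(data):
            reasons.append("dll_referenced")          # a DLL rather than an EXE is being auto-started
        if PROXY_HOST_RE.search(data):
            reasons.append("script_or_proxy_host")    # rundll32/regsvr32/... used to run it
        if USER_WRITABLE_RE.search(data):
            reasons.append("user_writable_path")      # payload lives where a normal user can write
        findings.append({
            "hive": normalize_hive(m.group("hive")),
            "key": m.group("key"),
            "value": m.group("value"),
            "data": data,
            "writer": ev.get("Image", ""),
            "reasons": reasons,
            "severity": "high" if reasons else "info",
        })
    return findings


if __name__ == "__main__":
    for f in analyze_run_key_events(SAMPLE_EVENTS):
        print(f["severity"], f["hive"], f["value"], f["reasons"])
```

Keep the "info" findings: a complete inventory of Run-value writes is what lets you baseline legitimate installers, and the writer process (Image) is often the better pivot than the value data, since a side-loading host writing its own Run entry is unusual for a legitimate copy of that binary.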

Enterprise | T1005 | Data from Local System

LuminousMoth has collected files and data from compromised machines.[1][2]

Enterprise | T1030 | Data Transfer Size Limits

LuminousMoth has split archived files into multiple parts to work around a 5 MB size limit.[2]
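Splitting an archive to fit a per-object cap leaves a signature on the wire that the individual uploads do not: a short burst of same-sized objects just under the cap, usually with numbered names, all from one host to one destination. The detector below is an added example, not code from the ATT&CK page or the cited reports. It works over upload records of the shape proxy or CASB logs give you (time, source host, destination, object name, size); the records are constructed, the 5 MB cap is the figure the page gives, and the window, minimum part count and fill ratio are assumptions to tune.

```python
"""Detect uploads chunked to stay under a per-object size cap.

Added example, not from the ATT&CK page or the cited reports. The upload
records are constructed (the shape you would get from proxy or CASB logs:
time, source host, destination, object name, bytes); the 5 MB cap is the
figure the page gives, the window and thresholds are assumptions to tune.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

CAP_BYTES = 5 * 1024 * 1024
# Trailing numeric part markers: report.7z.001, archive.zip.part3, dump.bin.7
PART_RE = re.compile(r"^(?P<stem>.+?)(?:\.part|\.)(?P<n>\d{1,3})$", re.IGNORECASE)


@dataclass(frozen=True)
class Upload:
    ts: float    # epoch seconds
    host: str
    dest: str
    name: str
    size: int


SAMPLE_UPLOADS = [
    # Host ws-17 pushes a split archive to a cloud-storage domain within two minutes.
    Upload(1000.0, "ws-17", "drive.google.com", "report.7z.001", CAP_BYTES),
    Upload(1030.0, "ws-17", "drive.google.com", "report.7z.002", CAP_BYTES),
    Upload(1060.0, "ws-17", "drive.google.com", "report.7z.003", CAP_BYTES),
    Upload(1120.0, "ws-17", "drive.google.com", "report.7z.004", 1_200_000),
    # Host ws-22 uploads two photos an hour apart: ordinary use.
    Upload(1000.0, "ws-22", "www.dropbox.com", "IMG_2201.jpg", 3_100_000),
    Upload(4600.0, "ws-22", "www.dropbox.com", "IMG_2202.jpg", 4_400_000),
    # Host ws-31 sends a small text file.
    Upload(1500.0, "ws-31", "files.slack.com", "notes.txt", 1_200),
]


def detect_chunked_uploads(uploads, cap=CAP_BYTES, window=900, min_parts=3, fill_ratio=0.6):
    """One alert per (host, dest) whose uploads inside `window` seconds look like a split archive."""
    by_pair = defaultdict(list)
    for u in sorted(uploads, key=lambda u: u.ts):
        by_pair[(u.host, u.dest)].append(u)
    alerts = []
    for (host, dest), evs in by_pair.items():
        for i, first in enumerate(evs):
            win = [u for u in evs[i:] if u.ts - first.ts <= window]
            # Rule 1: several objects filled to (nearly) the cap in one window.
            near_cap = [u for u in win if fill_ratio * cap <= u.size <= cap]
            # Rule 2: several objects sharing a stem and carrying a numeric part suffix.
            parts = defaultdict(set)
            for u in win:
                m = PART_RE.match(u.name)
                if m:
                    parts[m.group("stem").lower()].add(int(m.group("n")))
            sequences = [stem for stem, nums in parts.items() if len(nums) >= min_parts]
            reasons = []
            if len(near_cap) >= min_parts:
                reasons.append("near_cap_uploads")
            if sequences:
                reasons.append("numbered_part_sequence")
            if reasons:
                alerts.append({"host": host, "dest": dest, "parts": len(win),
                               "bytes": sum(u.size for u in win), "stems": sequences,
                               "reasons": reasons, "start": first.ts})
                break   # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_chunked_uploads(SAMPLE_UPLOADS):
        print(a)
```

The two rules are deliberately independent: renaming the chunks defeats the name rule but not the size rule, and padding or compressing to uneven sizes defeats the size rule but not the name rule. Summing the window's bytes gives the figure you actually need for scoping, the approximate size of what left.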

Enterprise | T1587.001 | Develop Capabilities: Malware

LuminousMoth has used unique malware for information theft and exfiltration.[1][2]

Enterprise | T1041 | Exfiltration Over C2 Channel

LuminousMoth has used malware that exfiltrates stolen data to its C2 server.[1]

Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage

LuminousMoth has exfiltrated data to Google Drive.[2]

Enterprise | T1083 | File and Directory Discovery

LuminousMoth has used malware that scans for files in the Documents, Desktop, and Download folders and in other drives.[1][2]

Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories

LuminousMoth has used malware to store malicious binaries in hidden directories on victims' USB drives.[1]

Enterprise | T1574.001 | Hijack Execution Flow: DLL

LuminousMoth has used legitimate executables such as winword.exe and igfxem.exe to side-load their malware.[1][2]
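Side-loading works because the host executable is legitimate and often signed, so the DLL load is the event to watch, not the process start. The rule below is an added example, not code from the ATT&CK page or the cited reports. It runs over Sysmon Event ID 7 (image load) records using Sysmon's field names; the events, paths and DLL names are constructed. The host watchlist starts from the two binaries the page names, the trusted-directory prefixes and the short list of system-DLL names commonly planted beside a relocated host are assumptions, and you should extend all three from your own environment.

```python
"""Spot DLL side-loading in Sysmon image-load events (Event ID 7).

Added example, not from the ATT&CK page or the cited reports. Field names
follow Sysmon's ImageLoad schema (Image, ImageLoaded, Signed, SignatureStatus);
the events, the paths and the DLL names are constructed. The host watchlist
starts from the two binaries the page names; the system-DLL list is a short
illustrative set of names commonly planted beside a relocated host.
"""
import ntpath

SIDELOAD_HOSTS = {"winword.exe", "igfxem.exe"}          # from the page; extend with your own watchlist
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "wtsapi32.dll", "cryptbase.dll", "uxtheme.dll"}

SAMPLE_EVENTS = [
    # Office loading one of its own signed DLLs from its install directory: benign.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\officecore.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Office loading a system DLL from System32: benign.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # A copy of a legitimate driver helper dropped in Temp, loading an unsigned
    # DLL that carries a system-DLL name from the same directory: side-loading.
    {"Image": r"C:\Users\victim\AppData\Local\Temp\igfxem.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Not a watched host: this rule ignores it.
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIR_PREFIXES)


def assess_image_load(ev):
    """Return the reasons an image load looks like side-loading ([] if none), or None for a non-watched host."""
    host, dll = ev["Image"], ev["ImageLoaded"]
    if ntpath.basename(host).lower() not in SIDELOAD_HOSTS:
        return None
    reasons = []
    if not in_trusted_dir(host):
        reasons.append("host_outside_trusted_dirs")        # legitimate EXE copied somewhere user-writable
    if not in_trusted_dir(dll):
        reasons.append("dll_outside_trusted_dirs")
        if ntpath.dirname(host).lower() == ntpath.dirname(dll).lower():
            reasons.append("dll_beside_relocated_host")    # classic layout: EXE and planted DLL in one directory
        if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("unsigned_dll_outside_trusted_dirs")
    if ntpath.basename(dll).lower() in SYSTEM_DLL_NAMES and not dll.lower().startswith(SYSTEM_DLL_DIRS):
        reasons.append("system_dll_name_from_nonsystem_path")   # search-order hijack of a system DLL name
    return reasons


def scan_image_loads(events):
    """Return (host, dll, reasons) for every watched-host load that raised at least one reason."""
    alerts = []
    for ev in events:
        reasons = assess_image_load(ev)
        if reasons:
            alerts.append((ev["Image"], ev["ImageLoaded"], reasons))
    return alerts


if __name__ == "__main__":
    for host, dll, reasons in scan_image_loads(SAMPLE_EVENTS):
        print(host, "->", dll, reasons)
```

The signature check is scoped to DLLs outside the trusted directories on purpose: Windows components are often catalog-signed and some Sysmon versions report them as unsigned, so an unconditional "unsigned DLL" rule pages on every boot. The combination that matters is a watched host running from a user-writable directory and loading a DLL that sits next to it.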

Enterprise | T1105 | Ingress Tool Transfer

LuminousMoth has downloaded additional malware and tools onto a compromised host.[1][2]

Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location

LuminousMoth has disguised their exfiltration malware as ZoomVideoApp.exe.[1]

Enterprise | T1112 | Modify Registry

LuminousMoth has used malware that adds Registry keys for persistence.[1][2]

Enterprise | T1588.001 | Obtain Capabilities: Malware

LuminousMoth has obtained and used malware such as Cobalt Strike.[1][2]

Enterprise | T1588.002 | Obtain Capabilities: Tool

LuminousMoth has obtained an ARP spoofing tool from GitHub.[2]

Enterprise | T1588.004 | Obtain Capabilities: Digital Certificates

LuminousMoth has used a valid digital certificate for some of their malware.[1]

Enterprise | T1566.002 | Phishing: Spearphishing Link

LuminousMoth has sent spearphishing emails containing a malicious Dropbox download link.[1]

Enterprise | T1091 | Replication Through Removable Media

LuminousMoth has used malicious DLLs to spread malware to connected removable USB drives on infected machines.[1][2]

Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task

LuminousMoth has created scheduled tasks to establish persistence for their tools.[2]

Enterprise | T1608.001 | Stage Capabilities: Upload Malware

LuminousMoth has hosted malicious payloads on Dropbox.[1]

Enterprise | T1608.004 | Stage Capabilities: Drive-by Target

LuminousMoth has redirected compromised machines to an actor-controlled webpage through HTML injection.[2]

Enterprise | T1608.005 | Stage Capabilities: Link Target

LuminousMoth has created a link to a Dropbox file that has been used in their spear-phishing operations.[1]

Enterprise | T1539 | Steal Web Session Cookie

LuminousMoth has used an unnamed post-exploitation tool to steal cookies from the Chrome browser.[1]

Enterprise | T1553.002 | Subvert Trust Controls: Code Signing

LuminousMoth has signed their malware with a valid digital signature.[1]

Enterprise | T1033 | System Owner/User Discovery

LuminousMoth has used a malicious DLL to collect the username from compromised hosts.[2]

Enterprise | T1204.001 | User Execution: Malicious Link

LuminousMoth has lured victims into clicking malicious Dropbox download links delivered through spearphishing.[1]

Software

ID | Name | References | Techniques

S0154 | Cobalt Strike | [1][2] | Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation

S0013 | PlugX | [1][2] | Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Debugger Evasion, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hide Artifacts: Hidden Window, Hijack Execution Flow: DLL, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Local Storage Discovery, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Resource Name or Location, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Non-Standard Port, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information, Obfuscated Files or Information: Encrypted/Encoded File, Peripheral Device Discovery, Process Discovery, Query Registry, Reflective Code Loading, Replication Through Removable Media, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Time Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver

References

