
APT27 (LuckyMouse, EmissaryPanda)

LuckyMouse (also tracked as APT27 or EmissaryPanda) is a sophisticated cyber espionage group that has been active since at least 2010.
For more than ten years, its operations have primarily targeted companies and subcontractors operating in the defense, aerospace, telecommunications, manufacturing, energy, technology and education sectors, as well as diplomatic institutions.
LuckyMouse is thought to be sponsored by the Chinese government, and it is known for using advanced tactics, techniques and procedures (TTPs) to compromise its targets, including zero-day vulnerabilities, custom malware and complex multi-stage attacks.


LuckyMouse (APT27) uses a variety of custom malware and tools in its attacks. Some of the group's known malware includes:

  • HyperBRO: a remote access trojan that can be used to gather information, execute commands and perform other actions on an infected machine.
  • PlugX: a remote access trojan (RAT) that allows the attacker to remotely control an infected machine.
  • QuarkBandit: a modular malware platform that can be used to gather information, execute commands and perform other actions on an infected machine.
  • Mirage: a malware that allows the attacker to create a fake network drive on an infected machine, which can be used to exfiltrate data from the victim's network.
  • ShadowPad: a malware that allows the attacker to create a covert backdoor on an infected machine.

To infiltrate its victims' networks, the group favors exposed web applications such as Microsoft SharePoint, Microsoft Exchange or MySQL, among others.
Once it has gained access to a network, it will often establish a foothold and then work to expand its access, sometimes going undetected for months or even years.

Recently, our TDR team discovered that LuckyMouse uses a backdoored Electron app to target macOS.

The team also showed how the Sekoia.io SOC platform leverages our detection rules and intelligence to enable SOC teams to unmask LuckyMouse before impact: https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/


Other terms

CTI (Cyber Threat Intelligence)

Cyber Threat Intelligence (CTI) covers the research, analysis and modeling of cyber threats. It is used to prevent and detect computer attacks.

APT (Advanced Persistent Threat)

An APT (Advanced Persistent Threat) is a sophisticated attack on an organization that can take months to identify and remove. The term is also used for malware designed to steal information from a targeted organization.
