A malicious campaign has been identified, targeting Russian information technology (IT) organizations with a previously unknown malware known as LuckyStrike Agent. This campaign has been linked to the threat actor Space Pirates.
In November 2024, Solar, the cybersecurity arm of Russian state-owned telecom company Rostelecom, detected this activity and has been tracking it under the name Erudite Mogwai.
Other tools used in these attacks include Deed RAT, also referred to as ShadowPad Light, and a customized version of the proxy utility named Stowaway. The latter has been previously utilized by other China-linked hacking groups.
Erudite Mogwai is described as an active APT group that specializes in stealing confidential information and conducting espionage. Since 2017, the group has targeted government agencies, IT departments, and high-tech industries such as aerospace and electric power, according to Solar researchers.
The threat actor Space Pirates was first publicly documented by Positive Technologies in 2022 for their exclusive use of Deed RAT malware. The group shares tactical overlaps with another hacking group called Webworm and primarily targets organizations in Russia, Georgia, and Mongolia.
In an attack targeting a government sector customer, Solar discovered the deployment of various tools for reconnaissance, as well as the use of LuckyStrike Agent, a multi-functional .NET backdoor that utilizes Microsoft OneDrive for command-and-control (C2) purposes.
The attackers gained access to the infrastructure by compromising a publicly accessible web service no later than March 2023. They then began searching for vulnerable targets within the infrastructure, gradually spreading across the customer’s systems over 19 months until they reached the network segments connected to monitoring in November 2024, as reported by Solar.
Notably, the attackers used a modified version of Stowaway that retained only its proxy functionality, adding LZ4 as the compression algorithm, XXTEA as the encryption algorithm, and support for the QUIC transport protocol.
According to Solar, Erudite Mogwai modified the Stowaway utility by removing unnecessary functionality and making minor edits, such as renaming functions and changing structure sizes, likely to evade detection signatures. The version of Stowaway used by this group can be considered a full-fledged fork.