Lucky Mouse is a threat actor that has developed a Linux version of a malware toolkit called SysUpdate. This expands on its ability to target devices running the Linux operating system. The oldest version of the updated artifact dates back to July 2022. The malware incorporates new features designed to evade security software and resist reverse engineering.
Cybersecurity company Trend Micro said it observed the equivalent Windows variant in June 2022, nearly one month after the command-and-control (C2) infrastructure was set up.
Lucky Mouse is also tracked under the monikers APT27, Bronze Union, Emissary Panda, and Iron Tiger. It is known to utilize a variety of malware such as SysUpdate, HyperBro, PlugX, and a Linux backdoor dubbed rshell. Over the past two years, campaigns orchestrated by the threat group have embraced supply chain compromises of legitimate apps like Able Desktop and MiMi Chat to obtain remote access to compromised systems.
In October 2022, Intrinsec detailed an attack on a French company that utilized ProxyLogon vulnerabilities in Microsoft Exchange Server to deliver HyperBro as part of a months-long operation that exfiltrated "gigabytes of data." The targets of the latest campaign include a gambling company in the Philippines, a sector that has repeatedly come under onslaught from Iron Tiger since 2019.