An Advanced Persistent Threat (APT) Group, dubbed as LuminousMoth, was observed to be conducting a large-scale campaign targeting government entities and organizations from South East Asian countries, including Myanmar and the Philippines. The APT group is also associated with a known Chinese-speaking threat group, HoneyMyte/Mustang Panda, which was attributed to malicious campaigns targeting local high profile government organizations of Asian and African countries. 

In the recent ongoing cyber espionage campaign, which was dated back to October 2020, the threat group was seen to be using spear phishing emails to allow their malware to infiltrate victim’s machines that will ultimately lead to sensitive information being exfiltrated to the attacker-controlled infrastructure.


A. Nature of Attack

Description of the attack:

The threat group was identified to be spreading malicious emails containing a Dropbox download link, which will download an archive file masquerading as a Word document. The RAR file contains malicious executable and DLLs files, wherein if executed will infect user’s system to gain persistence and foothold via auto-start techniques and deployment of Cobalt Strike’s beacon. 

The malware will then try to check for available removable USB and external drives to propagate outside the victim’s machine by hiding the content of the drives and putting an executable file in its content. If a user clicks and runs the executable file, the malware will also infect the user’s machine and will try to propagate to other USB and external drives, thus continuously infecting users from the organization.

Additionally, the malware will drop two additional malicious files that will serve as its gathering and exfiltration mechanism. First is the use of an executable file that grabs a copy of files with specific extensions on a list of directories to a malware-created directory, along with the file’s metadata. The stolen files will then be archived and exfiltrated to the malware’s command-and-control. Second is a file dedicated to stealing cookies from the victim’s Chrome browser, which are used by Google for user authentication. Once stolen, these cookies can then be used by threat actors to hijack and impersonate the Gmail sessions of the victim.


B. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Check systems and devices for known vulnerabilities, and if applicable, apply the necessary patches and updates to mitigate security threats.
  • It is highly advised to check for any indicators of compromise, such as suspicious files and unusual external communication. (Please see details below for reference.)
  • Proactively monitor and secure systems and devices for any suspicious/malicious activities.
  • Secure and ensure backups of critical data are always available and can be deployed, if an incident will occur.
  • Provide employees with ample knowledge and training with regards to good cyber hygiene practices


C. List of Indicators of Compromise (IOC)

Item TypeIndicator TypeIndication value
Command-and-ControlIP Address103.15.28[.]195
Command-and-ControlIP Address202.59.10[.]253