Space Pirates Target Russian IT Firms

The threat group tracked as Space Pirates has launched a campaign against Russian information technology (IT) companies, deploying a previously undocumented malware family called LuckyStrike Agent. Solar, the cybersecurity arm of Rostelecom, the Russian state-owned telecom operator, detected the activity in November 2024. Solar tracks the group under its own name, Erudite Mogwai.

Solar describes Erudite Mogwai as an advanced persistent threat (APT) group focused on espionage and the theft of sensitive information. Active since at least 2017, it has targeted government agencies and high-technology sectors such as aerospace and electric power, mostly in Russia, Georgia, and Mongolia.

Tools and Techniques Used

Alongside LuckyStrike Agent, the attackers used Deed RAT (also known as ShadowPad Light) and a customized build of Stowaway, an open-source multi-hop proxy tool written in Go. Stowaway has previously appeared in the toolsets of other China-linked hacking groups.

LuckyStrike Agent is a multi-functional .NET backdoor that uses Microsoft OneDrive for command-and-control (C2). Routing C2 through a legitimate cloud service means the backdoor's traffic is ordinary HTTPS to Microsoft-owned domains that most corporate networks already allow, so it is hard to single out on the wire. Defenders are better placed to catch it at the endpoint, by asking which process is talking to OneDrive and from which path it runs.
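A detection that works at the endpoint rather than on the wire, as an added example that is not part of Solar's report or the original article: it scans constructed endpoint network events (JSON lines, modelled on what an EDR or Sysmon pipeline produces) and flags any process that talks to OneDrive or Microsoft Graph endpoints but is neither a browser, an Office application, nor an OneDrive.exe running from one of its expected install directories. The domain list, the process allowlist and the install-path rule are assumptions made for this example, not indicators published for LuckyStrike Agent.

```python
import json
from typing import Iterable, List, Optional

# Destinations that OneDrive clients and the Microsoft Graph file API use.
# Assumed list for this example; extend it from your own proxy logs.
ONEDRIVE_DOMAINS = (
    "graph.microsoft.com",
    "onedrive.live.com",
    "api.onedrive.com",
    "sharepoint.com",
    "1drv.ms",
)

# Processes expected to reach those endpoints. Assumed allowlist.
EXPECTED_CLIENTS = {
    "msedge.exe", "chrome.exe", "firefox.exe",
    "winword.exe", "excel.exe", "outlook.exe", "teams.exe",
}

# Where the genuine OneDrive client is installed (per-user under AppData,
# per-machine under Program Files). Assumed path rule for this example.
ONEDRIVE_INSTALL_DIRS = ("\\microsoft\\onedrive\\", "\\microsoft onedrive\\")


def is_onedrive_host(host: str) -> bool:
    """Suffix match on whole DNS labels, so that
    'graph.microsoft.com.evil.example' does not count as Microsoft."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ONEDRIVE_DOMAINS)


def classify_client(image_path: str) -> Optional[str]:
    """Return None for an expected OneDrive client, otherwise the reason
    the process should be looked at."""
    path = image_path.lower().replace("/", "\\")
    name = path.rsplit("\\", 1)[-1]
    if name == "onedrive.exe":
        # Same file name in an unexpected directory is masquerading.
        if any(d in path for d in ONEDRIVE_INSTALL_DIRS):
            return None
        return "OneDrive.exe running outside its install path"
    if name in EXPECTED_CLIENTS:
        return None
    return "process is not a known OneDrive client"


def find_suspicious_onedrive_clients(log_lines: Iterable[str]) -> List[dict]:
    """Scan JSON-lines network events; return the suspicious ones, each
    annotated with the reason it was flagged."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        if not is_onedrive_host(ev["dest_host"]):
            continue  # not a OneDrive destination, out of scope here
        reason = classify_client(ev["image"])
        if reason is not None:
            hits.append({**ev, "reason": reason})
    return hits


# Constructed sample events, not real telemetry from the campaign.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"ts": "2024-11-12T08:01:05Z", "host": "ws-017",
     "image": "C:\\Users\\ivanov\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "dest_host": "graph.microsoft.com", "dest_port": 443},
    {"ts": "2024-11-12T08:02:11Z", "host": "ws-017",
     "image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "dest_host": "onedrive.live.com", "dest_port": 443},
    {"ts": "2024-11-12T08:05:40Z", "host": "mon-srv-02",
     "image": "C:\\ProgramData\\Monitoring\\svcmon.exe",
     "dest_host": "graph.microsoft.com", "dest_port": 443},
    {"ts": "2024-11-12T08:06:02Z", "host": "mon-srv-02",
     "image": "C:\\Users\\Public\\OneDrive.exe",
     "dest_host": "api.onedrive.com", "dest_port": 443},
    {"ts": "2024-11-12T08:07:30Z", "host": "ws-017",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "dest_host": "10.20.30.40", "dest_port": 5985},
    {"ts": "2024-11-12T08:09:14Z", "host": "ws-017",
     "image": "C:\\Windows\\Temp\\upd.exe",
     "dest_host": "graph.microsoft.com.evil.example", "dest_port": 443},
]]


if __name__ == "__main__":
    for hit in find_suspicious_onedrive_clients(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']}: {hit['image']} -> "
              f"{hit['dest_host']}: {hit['reason']}")
```

On the constructed sample the scan flags exactly two events: the unknown `svcmon.exe` on the monitoring server and the `OneDrive.exe` copy dropped in a public directory. The label-based suffix match matters: a plain substring test would also accept the look-alike `graph.microsoft.com.evil.example` as a Microsoft destination.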

The most distinctive change in this campaign is the reworked Stowaway. The attackers stripped it down to its proxy functionality only, added LZ4 compression and XXTEA encryption for the tunnelled traffic, and added support for the QUIC transport protocol. QUIC runs over UDP, so it bypasses controls that only inspect TCP sessions, and because the payload is compressed and encrypted with a cipher of the attackers' choosing, payload inspection cannot recognize the proxied protocols without the key.
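To make the transport change concrete, the following is an added example (not Solar's code, and not the attackers' or the Stowaway project's) of XXTEA, the block cipher the modified Stowaway uses, implemented in Python from the published Corrected Block TEA algorithm so that an analyst can decrypt captured frames once the key has been recovered from a sample. The 16-byte key, the little-endian word order and the length-prefix framing are assumptions made for the example; the real key material and framing have to be taken from the binary.

```python
import struct
from typing import List, Optional, Sequence

DELTA = 0x9E3779B9   # XXTEA round constant
MASK = 0xFFFFFFFF    # emulate uint32_t wrap-around


def _mx(sum_: int, y: int, z: int, p: int, e: int, key: Sequence[int]) -> int:
    """XXTEA mixing function; shifts are masked because Python ints do not wrap."""
    a = ((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK))
    b = (sum_ ^ y) + (key[(p & 3) ^ e] ^ z)
    return (a ^ b) & MASK


def encrypt_words(v: Sequence[int], key: Sequence[int]) -> List[int]:
    """Encrypt n >= 2 32-bit words with a 4-word key; returns a new list."""
    n = len(v)
    if n < 2:
        raise ValueError("XXTEA needs at least two 32-bit words")
    v = list(v)
    rounds = 6 + 52 // n
    sum_ = 0
    z = v[n - 1]
    for _ in range(rounds):
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(sum_, y, z, p, e, key)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(sum_, y, z, n - 1, e, key)) & MASK
        z = v[n - 1]
    return v


def decrypt_words(v: Sequence[int], key: Sequence[int]) -> List[int]:
    """Inverse of encrypt_words: same rounds, walked backwards."""
    n = len(v)
    if n < 2:
        raise ValueError("XXTEA needs at least two 32-bit words")
    v = list(v)
    rounds = 6 + 52 // n
    sum_ = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (sum_ >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(sum_, y, z, p, e, key)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(sum_, y, z, 0, e, key)) & MASK
        y = v[0]
        sum_ = (sum_ - DELTA) & MASK
    return v


def _key_words(key: bytes) -> Sequence[int]:
    if len(key) != 16:
        raise ValueError("XXTEA uses a 128-bit key")
    return struct.unpack("<4I", key)  # assumed little-endian key layout


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    """Assumed framing for this example: 4-byte little-endian length prefix,
    zero padding to a 4-byte boundary and at least two words."""
    payload = struct.pack("<I", len(data)) + data
    payload += b"\x00" * (-len(payload) % 4)
    if len(payload) < 8:
        payload += b"\x00" * (8 - len(payload))
    words = struct.unpack("<%dI" % (len(payload) // 4), payload)
    out = encrypt_words(words, _key_words(key))
    return struct.pack("<%dI" % len(out), *out)


def xxtea_decrypt(blob: bytes, key: bytes) -> bytes:
    if len(blob) < 8 or len(blob) % 4:
        raise ValueError("ciphertext must be >= 8 bytes and a multiple of 4")
    words = struct.unpack("<%dI" % (len(blob) // 4), blob)
    plain = decrypt_words(words, _key_words(key))
    payload = struct.pack("<%dI" % len(plain), *plain)
    (length,) = struct.unpack("<I", payload[:4])
    if length > len(payload) - 4:
        raise ValueError("length prefix does not fit: wrong key or corrupt frame")
    return payload[4:4 + length]


def decrypt_or_none(blob: bytes, key: bytes) -> Optional[bytes]:
    """Convenience for trying candidate keys against a captured frame."""
    try:
        return xxtea_decrypt(blob, key)
    except ValueError:
        return None


if __name__ == "__main__":
    key = bytes(range(16))                      # constructed key, not a real IOC
    frame = b"CONNECT 10.20.30.40:3389"          # constructed proxy command
    ct = xxtea_encrypt(frame, key)
    print(ct.hex())
    print(decrypt_or_none(ct, key), decrypt_or_none(ct, bytes(16)))
```

Two practical notes. The length check in `xxtea_decrypt` is the only integrity signal XXTEA gives you: a wrong key yields either a rejected frame or plausible-looking garbage, so when trying candidate keys recovered from a sample, validate the decrypted bytes against the protocol you expect (for the real tool, the LZ4 frame that should come out) rather than trusting a single successful decryption. And because XXTEA has no authentication, the same captured frame can be replayed or bit-flipped; that matters to the attackers' opsec more than to defenders, but it is worth remembering when you are replaying traffic against a sandboxed relay.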

Attack Vector and Progression

The attackers obtained initial access as early as March 2023 by compromising a publicly accessible web service. From there they went after what Solar researchers called "low-hanging fruit": easily exploitable weaknesses inside the network rather than hardened targets. Over the following 19 months they spread gradually through the victim's systems, reaching the network segments associated with monitoring by November 2024.

To evade detection, Erudite Mogwai also made a number of small changes to Stowaway, such as renaming functions and altering the sizes of data structures. Changes of this kind are aimed at signatures that key on specific symbol names or structure layouts, and they are cheap for the attacker to repeat, so detection rules for proxy tools of this sort should rest on behaviour, for example an unexpected QUIC listener or relay traffic between network segments, rather than on byte patterns alone.
