A sham version of the Zoom App distributed by the “LuminousMoth” APT

A recently discovered threat actor from China has been spotted launching large-scale attacks, but then carefully picking selected targets to infect and exfiltrate data from.


Codenamed LuminousMoth, this new APT has been actively operating since October 2020 and has been focused mostly on Myanmar, but recently it is spreading its reach in the Philippines. The large-scale malware campaign launched by this group has made an impression on security researchers not only with its dynamic, but also with its selectiveness when it comes to its targets.

As per the reports, the LuminousMoth virus spreads by replicating itself to portable USB drives attached to the system, which results in a high infection rate. However, only selected targets are being attacked with the malware.

Researchers explain the recent successes of the malware in the Philippines with the presence of another, undiscovered infection vector in the country, as well as the desire of the attackers to go after targets in the Philippines.

Professionals who are keeping a close eye on the threat are noting that LuminousMoth attackers are using a different tool set and malware dissemination strategies. There are a number of ways to get infected with the LuminousMoth virus.

The malicious campaign starts with sending an email that seems to be a spear-phishing email to the recipient. A Dropbox download link is typically included in the email, which is fetching a RAR archive. There are dangerous DLLs hidden in that archive that are camouflaged as a .DOCX file. As soon as the system is compromised, two new executables are downloaded along the DLLs, as well as a copy of Cobalt Strike, which are then installed into portable devices.

Something unusual that has been spotted is that, in some instances, the initial infection is followed by deployment of a signed, but fraudulent, version of the popular Zoom software. This infection vector is mostly seen in the Myanmar attacks.

LuminousMoth targets

As per the available details, initially, the LuminousMoth threat actors targeted big organizations in Myanmar, where over 100 victims were registered. The malicious campaign ramped up in the Philippines, where researchers discovered almost 1,400 victims of the attacks.

The true targets, however, were a tight selection of high-profile government entities both in Myanmar and the Philippines. Myanmar’s Ministry of Transport and Communications and the country’s Development Assistance Coordination Unit of the Foreign Economic Relations Department were some of the victims that researchers discovered to be listed on archives included within two malicious DLL libraries.

About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment

SSL Certificate

Web Safety Checker

About Us

HowToRemove.Guide is your daily source for online security news and tutorials. We also provide comprehensive and easy-to-follow malware removal guides. Watch our videos on interesting IT related topics.

Contact Us: info@howtoremove.guide

HowToRemove.Guide © 2024. All Rights Reserved.

Exit mobile version