LuckyStrike agent malware found in attacks on Russian IT sector

March 3, 2025

LuckyStrike Agent malware has been identified in a new cyber espionage campaign targeting Russian IT organisations. The campaign has been attributed to a known threat actor group called Space Pirates, which has been active for several years and is known for attacks on government agencies, technology companies, and high-tech industries.

The latest campaign, discovered in November 2024 by Solar, the cybersecurity subsidiary of Russia's state-owned telecom company Rostelecom, revealed that the LuckyStrike Agent malware was deployed to infiltrate IT infrastructure. Solar tracks the group behind it under the name Erudite Mogwai and describes the activity as an ongoing espionage campaign.

Space Pirates (Erudite Mogwai in Solar's naming) are believed to have been active since at least 2017. Their targets include government agencies, IT departments, and the aerospace and electric power industries. The group was first publicly documented in 2022 by Positive Technologies, which highlighted its use of Deed RAT, also known as ShadowPad Light. The group also shares similarities with another threat actor called Webworm, with both groups primarily targeting organisations in Russia, Georgia, and Mongolia.


The LuckyStrike Agent malware itself is a multi-functional .NET backdoor that uses Microsoft OneDrive for its command-and-control (C2) communications, so its beaconing blends in with legitimate cloud-storage traffic rather than standing out as a connection to attacker-owned infrastructure.


This new malware was deployed alongside other tools, including a customised version of the open-source Stowaway proxy utility. The modified Stowaway retains only the proxy functionality, uses the LZ4 compression algorithm, encrypts its traffic with the XXTEA cipher, and adds support for the QUIC transport protocol. Stripping the tool down and swapping out its compression and encryption layers changes both the binary and the bytes on the wire, which breaks signatures written for stock Stowaway and makes the traffic harder to classify.
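To make the last point concrete, the following is an added example, not code from Space Pirates, Solar, or the Stowaway project: a straight implementation of the standard XXTEA block cipher (Wheeler and Needham's "corrected block TEA") wrapped around a simple length-prefixed frame, applied to a constructed proxy message. The 16-byte key, the frame layout and the sample message are assumptions chosen for the demonstration; the point it shows is that a plaintext marker a signature might match on is absent from the encrypted frame, while the legitimate peer holding the key recovers the message exactly.

```python
"""Added example: XXTEA-encrypted framing for a proxy message.

The cipher is the published XXTEA algorithm; the framing (4-byte little-endian
length, zero padding) and the sample key/message are assumptions for the demo.
"""
import struct

DELTA = 0x9E3779B9          # XXTEA round constant (golden-ratio derived)
MASK = 0xFFFFFFFF           # emulate C uint32 wraparound


def _mx(sum_, y, z, p, e, key):
    # The XXTEA mixing function, evaluated with 32-bit wraparound.
    a = ((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK))
    b = (sum_ ^ y) + (key[(p & 3) ^ e] ^ z)
    return (a ^ b) & MASK


def xxtea_encrypt_words(v, key):
    """Encrypt a list of n >= 2 uint32 words in place-order with a 4-word key."""
    n = len(v)
    if n < 2:
        raise ValueError("XXTEA needs at least two 32-bit words")
    v = list(v)
    rounds = 6 + 52 // n
    sum_ = 0
    z = v[n - 1]
    for _ in range(rounds):
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(sum_, y, z, p, e, key)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(sum_, y, z, n - 1, e, key)) & MASK
        z = v[n - 1]
    return v


def xxtea_decrypt_words(v, key):
    """Inverse of xxtea_encrypt_words: runs the rounds backwards."""
    n = len(v)
    if n < 2:
        raise ValueError("XXTEA needs at least two 32-bit words")
    v = list(v)
    rounds = 6 + 52 // n
    sum_ = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (sum_ >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(sum_, y, z, p, e, key)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(sum_, y, z, 0, e, key)) & MASK
        y = v[0]
        sum_ = (sum_ - DELTA) & MASK
    return v


def _key_words(key: bytes):
    if len(key) != 16:
        raise ValueError("XXTEA uses a 128-bit (16-byte) key")
    return list(struct.unpack("<4I", key))


def encrypt_frame(data: bytes, key: bytes) -> bytes:
    """Assumed framing: <len:u32le><data>, zero-padded to 4 bytes, min 8 bytes."""
    framed = struct.pack("<I", len(data)) + data
    framed += b"\x00" * ((-len(framed)) % 4)
    if len(framed) < 8:
        framed += b"\x00" * (8 - len(framed))
    words = struct.unpack("<%dI" % (len(framed) // 4), framed)
    out = xxtea_encrypt_words(words, _key_words(key))
    return struct.pack("<%dI" % len(out), *out)


def decrypt_frame(blob: bytes, key: bytes) -> bytes:
    """Decrypt a frame; a wrong key almost always yields an impossible length."""
    if len(blob) % 4 or len(blob) < 8:
        raise ValueError("ciphertext must be a multiple of 4 bytes and >= 8")
    words = struct.unpack("<%dI" % (len(blob) // 4), blob)
    out = xxtea_decrypt_words(words, _key_words(key))
    framed = struct.pack("<%dI" % len(out), *out)
    (length,) = struct.unpack("<I", framed[:4])
    if length > len(framed) - 4:
        raise ValueError("bad length field: wrong key or corrupted frame")
    return framed[4:4 + length]


def roundtrip_ok(data: bytes, enc_key: bytes, dec_key: bytes) -> bool:
    """True only if decrypting with dec_key recovers exactly what enc_key sealed."""
    try:
        return decrypt_frame(encrypt_frame(data, enc_key), dec_key) == data
    except ValueError:
        return False


# Constructed sample input (not real traffic): a fake proxy control line.
SAMPLE_KEY = bytes(range(16))
SAMPLE_MSG = b"SOCKS5 CONNECT 10.0.0.5:445"

if __name__ == "__main__":
    blob = encrypt_frame(SAMPLE_MSG, SAMPLE_KEY)
    print("marker visible on the wire:", b"SOCKS5" in blob)
    print("peer recovers:", decrypt_frame(blob, SAMPLE_KEY))
```

The roundtrip helper is the check a defender writing a decoder wants: with the right key the frame decodes byte-for-byte, with the wrong key the length field is effectively random and the frame is rejected, and in neither case does a byte-pattern signature written against the plaintext protocol fire on the ciphertext.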

The attack chain began with the compromise of a publicly accessible web service no later than March 2023. Over the following 19 months the attackers moved laterally through the network in small, patient steps. By November 2024 they had reached key network segments connected to the organisation's monitoring systems, a position that gave them broad visibility and further opportunities for espionage.

The discovery of LuckyStrike Agent highlights the ongoing threat posed by Space Pirates and their evolving toolkit. Their willingness to rework existing tools such as Stowaway and to field new malware such as LuckyStrike Agent reflects a focus on long-term infiltration, data theft, and espionage.
