
Space Pirates Unleash LuckyStrike Agent Malware on Russian IT Firms


A notorious cyber-espionage group known as Space Pirates has been linked to a stealthy attack campaign targeting Russian IT companies using a previously undocumented malware variant called LuckyStrike Agent.


The campaign was first detected in November 2024 by Solar, the cybersecurity division of Russian state-owned telecom provider Rostelecom. Solar tracks the threat actor behind it under its own name, Erudite Mogwai.


🎯 Advanced Cyber Espionage Tools at Play

In addition to LuckyStrike Agent, the APT (Advanced Persistent Threat) group is using a customized build of the Deed RAT malware (also known as ShadowPad Light) and a modified version of Stowaway, an open-source multi-hop proxy tool that has historically been used by China-linked hacking groups.


"Erudite Mogwai is an active APT group focused on cyber espionage and data theft," said Solar’s cybersecurity team. "Since at least 2017, this threat actor has targeted government agencies, IT firms, and enterprises in high-tech sectors, including aerospace and energy industries."


🕵️‍♂️ Persistent Threat: A Timeline of Attacks

The group was first publicly documented in 2022 by Positive Technologies, which named it Space Pirates and highlighted its exclusive use of Deed RAT. Researchers believe it overlaps with another threat actor tracked as Webworm, and it has repeatedly attacked organizations in Russia, Georgia, and Mongolia.


During an attack on a government sector target, analysts observed the intruders deploying a range of reconnaissance tools before dropping LuckyStrike Agent, a flexible .NET-based backdoor that uses Microsoft OneDrive as its command-and-control (C2) channel, so its beacons travel over the same cloud service many organizations already allow outbound.


📌 How the Attack Unfolded

  • Initial Compromise: The hackers infiltrated a public-facing web service as early as March 2023.
  • Lateral Movement: Over 19 months, the attackers quietly expanded their access, moving across internal systems.
  • Final Breach: By November 2024, they successfully reached network segments tied to system monitoring, giving them deep insight into the organization’s infrastructure.


🔥 Modified Stowaway: A Custom Proxy for Stealth Operations

Solar also recovered a customized build of Stowaway, reworked by Erudite Mogwai for stealth and a smaller footprint:

✔️ Proxy-Only Functionality – Features the group did not need were stripped out, leaving only the proxying code.
✔️ XXTEA Encryption – Traffic is wrapped in XXTEA, a lightweight block cipher; the practical effect is a wire format that stock Stowaway signatures no longer match, not stronger cryptography.
✔️ LZ4 Compression – Payloads are LZ4-compressed to reduce the volume of data crossing the proxy chain.
✔️ QUIC Protocol Support – QUIC was added as a transport, giving the C2 channel another protocol that blends in with ordinary HTTP/3-style traffic.


"The hackers systematically modified Stowaway by stripping unnecessary functions, renaming key components, and tweaking structure sizes," Solar researchers noted. "This evolution suggests they were actively working to evade detection and signature-based defenses."
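The XXTEA wrapping described above is the change that most directly breaks existing Stowaway detections, and an analyst who recovers the key from a sample needs a decoder to read the proxied traffic. The following is an added example, not code from Solar's report or from the Stowaway project: a reference XXTEA (Corrected Block TEA, Wheeler and Needham) implementation in pure Python. The 16-byte key, the sample beacon bytes, and the framing (little-endian 32-bit words with a trailing length word) are all constructed for the example; nothing is known from the article about the real build's key or framing. Note that XXTEA has published chosen-plaintext cryptanalysis (Yarrkov, 2010), which is why its value to the attacker is format change rather than confidentiality.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(s, y, z, p, e, k):
    # The XXTEA mixing function, evaluated modulo 2**32.
    return ((((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK)))
            ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def xxtea_encrypt_words(v, k):
    """Encrypt a list of n>=2 uint32 words in place (returns a copy)."""
    v = list(v)
    n = len(v)
    rounds = 6 + 52 // n
    s = 0
    z = v[n - 1]
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(s, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(s, y, z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return v


def xxtea_decrypt_words(v, k):
    """Inverse of xxtea_encrypt_words; mirrors the reference decode loop."""
    v = list(v)
    n = len(v)
    rounds = 6 + 52 // n
    s = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(s, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(s, y, z, 0, e, k)) & MASK
        y = v[0]
        s = (s - DELTA) & MASK
    return v


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    # Framing is an assumption for this example: zero-pad to 4-byte words
    # and append the original length as a final word so padding can be removed.
    if len(key) != 16:
        raise ValueError("XXTEA key must be 128 bits")
    k = struct.unpack("<4I", key)
    padded = data + b"\0" * ((-len(data)) % 4)
    if not padded:
        padded = b"\0" * 4
    words = list(struct.unpack("<%dI" % (len(padded) // 4), padded)) + [len(data)]
    out = xxtea_encrypt_words(words, k)
    return struct.pack("<%dI" % len(out), *out)


def xxtea_decrypt(blob: bytes, key: bytes) -> bytes:
    if len(key) != 16 or len(blob) % 4 or len(blob) < 8:
        raise ValueError("bad key or ciphertext length")
    k = struct.unpack("<4I", key)
    words = xxtea_decrypt_words(struct.unpack("<%dI" % (len(blob) // 4), blob), k)
    length = words[-1]
    body = struct.pack("<%dI" % (len(words) - 1), *words[:-1])
    if length > len(body):
        # A wrong key scrambles the length word; treat that as a decode failure.
        raise ValueError("length word out of range: wrong key or corrupted frame")
    return body[:length]


def demo():
    # Constructed sample: a fake proxy handshake line and a made-up key.
    key = bytes(range(0x10, 0x20))
    wrong_key = bytes(range(0x20, 0x30))
    beacon = b"STOWAWAY-HELLO agent=7 hop=2"
    ct = xxtea_encrypt(beacon, key)
    try:
        wrong = xxtea_decrypt(ct, wrong_key)
    except ValueError:
        wrong = None
    return {
        "ciphertext_len": len(ct),
        "differs": ct[: len(beacon)] != beacon,
        "roundtrip": xxtea_decrypt(ct, key),
        "wrong_key_result": wrong,
        "beacon": beacon,
    }


if __name__ == "__main__":
    r = demo()
    print("ciphertext bytes:", r["ciphertext_len"], "roundtrip ok:", r["roundtrip"] == r["beacon"])
```

The word-based encrypt/decrypt functions match the published btea() reference loop, so they can be dropped into a traffic decoder once a sample's key (and, if the authors changed it, the DELTA constant) has been pulled from the binary; only the framing helpers would need to be adapted to the real build.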


🚀 Conclusion

The LuckyStrike Agent campaign shows how long a patient intruder can sit inside an IT organization once a public-facing service is compromised: close to two years between initial access and the monitoring segment. Defenders should assume that off-the-shelf tooling like Stowaway will arrive recompiled with changed crypto, compression, and transports, and should pair signature-based controls with proactive threat hunting, egress monitoring that accounts for cloud services such as OneDrive being used as C2, and endpoint visibility across internal segments.



