On December 10, 2020, ESET researchers announce they have found that a chat software called Able Desktop (Able)—part of a widely used business management suite in Mongolia including 430 Mongolian government agencies—was exploited to deliver the HyperBro backdoor, the Korplug RAT (remote access trojan), and another RAT named Tmanger. They also found and identified a connection with the ShadowPad backdoor, used by at least five threat actors in the exploit. Two installers were infected with the trojan and the compromised Able update system was installed with the malicious software. Evidence shows that the Able system had been compromised since June 2020, while the malware‐infected installers were delivered as far back as May 2018.

The post explains that HyperbBro is commonly attributed to the cybercriminal group named “LuckyMouse,” a Chinese‐speaking threat actor known for highly targeted cyberattacks. Primarily active in South East and Central Asia, many of their attacks have a political aim. Tmanger is attributed to TA428, also a Chinese Advanced Persistent Threat (APT) group. Because these two applications are used normally by different APTs and are now together in one attack, the ESET team theorizes that LuckyMouse and TA428 are sharing data and weapons; they are also likely the subgroup of a larger APT. Given the region and threat actors, it is considered to be a political attack that had been planned as early as May 2018, yet not carried out in ...