LuckyStrike Agent Malware Targets Russian IT Firms in Space Pirates Cyberattack

Russian IT organizations are in the crosshairs of a newly uncovered cyber threat as the hacker group Space Pirates launches a fresh wave of attacks. The malicious campaign, first detected in November 2024 by Solar, the cybersecurity division of Russia’s Rostelecom, leverages a previously unknown malware strain called LuckyStrike Agent. This sophisticated cyber-espionage operation, tracked under the codename Erudite Mogwai, underscores an ongoing effort to infiltrate high-value targets in Russia's tech sector.

Who Are the Space Pirates?

Space Pirates is an Advanced Persistent Threat (APT) group known for its focus on cyber espionage, primarily targeting government agencies and high-tech industries. The group has been active since at least 2017, with its campaigns extending beyond Russia to countries such as Georgia and Mongolia. It shares notable tactical overlaps with another China-linked APT group, Webworm, hinting at potential ties to state-sponsored cyber activities.

Inside the LuckyStrike Agent Attack

Initial Intrusion and Lateral Movement

According to Solar researchers, the attack began with the compromise of a publicly accessible web service no later than March 2023. The attackers moved cautiously, conducting reconnaissance and gradually spreading across the network over a staggering 19-month period. By November 2024, they had gained access to critical network segments related to system monitoring.

The Role of LuckyStrike Agent

The newly discovered LuckyStrike Agent malware is a multi-functional .NET backdoor that uses Microsoft OneDrive for command-and-control (C2) communication. This allows attackers to covertly issue commands and exfiltrate sensitive data while blending in with legitimate network traffic.
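The detection concern here is that OneDrive API traffic from a backdoor looks like ordinary cloud sync unless you check which process generates it and how regularly it beacons. The following is an added example, not code from Solar's report or from the malware: it runs a simple detection over constructed proxy log lines, flagging non-allowlisted processes that reach OneDrive/Graph API hosts at machine-like intervals. The host set and process allowlist are assumptions a defender would tune to their own environment.

```python
"""Flag OneDrive/Graph API traffic that looks like backdoor C2 rather
than the OneDrive client (added example; log lines are constructed)."""
from collections import defaultdict
from statistics import mean, pstdev

# Hosts the OneDrive/Graph API is reached through (assumed list).
ONEDRIVE_HOSTS = {"graph.microsoft.com", "api.onedrive.com"}
# Processes expected to talk to those hosts (assumed allowlist).
ALLOWED_PROCS = {"onedrive.exe", "msedge.exe", "outlook.exe"}

# Constructed proxy log, one request per line: "epoch,user,process,host".
SAMPLE_LOG = """\
1700000000,alice,onedrive.exe,graph.microsoft.com
1700000010,bob,svchost.exe,graph.microsoft.com
1700000070,bob,svchost.exe,graph.microsoft.com
1700000131,bob,svchost.exe,graph.microsoft.com
1700000190,bob,svchost.exe,graph.microsoft.com
1700000250,bob,svchost.exe,graph.microsoft.com
1700000300,alice,onedrive.exe,graph.microsoft.com
1700002000,alice,onedrive.exe,graph.microsoft.com
"""

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, user, proc, host = line.split(",")
        rows.append((int(ts), user, proc.lower(), host.lower()))
    return rows

def find_suspicious(rows, min_hits=4, max_cv=0.2):
    """Return (user, process, mean_gap) for pairs that reach OneDrive API
    hosts from an unexpected process AND beacon at near-constant intervals."""
    series = defaultdict(list)
    for ts, user, proc, host in rows:
        if host in ONEDRIVE_HOSTS and proc not in ALLOWED_PROCS:
            series[(user, proc)].append(ts)
    hits = []
    for (user, proc), stamps in series.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < min_hits or mean(gaps) == 0:
            continue
        cv = pstdev(gaps) / mean(gaps)  # low spread = timer-driven traffic
        if cv <= max_cv:
            hits.append((user, proc, round(mean(gaps), 1)))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(parse_log(SAMPLE_LOG)):
        print("possible OneDrive C2 beacon:", hit)
```

Legitimate OneDrive sync from an allowlisted client is ignored even when it is frequent, so the logic surfaces only the unexpected process with regular timing.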

Additional Tools in the Attack

In addition to LuckyStrike Agent, Space Pirates employed:

  • Deed RAT (ShadowPad Light) – A stealthy remote access Trojan that provides persistent access.
  • Modified Stowaway Proxy – A customized proxy utility optimized for encrypted communications, using LZ4 compression, XXTEA encryption, and QUIC protocol support to evade detection.

By carefully modifying Stowaway, the attackers removed unnecessary functions and altered structure sizes—likely in an effort to bypass signature-based detection systems.

A Persistent and Evolving Threat

APT groups like Space Pirates operate with long-term objectives, often maintaining access to compromised environments for months or even years. Their ability to remain undetected while steadily expanding their foothold highlights the importance of continuous threat monitoring and proactive cybersecurity defenses.

As cyber threats evolve, organizations must adopt a multi-layered security approach, including network segmentation, endpoint monitoring, and regular vulnerability assessments. The use of cloud services like OneDrive for C2 operations also raises concerns about traditional security tools failing to detect threats hidden within legitimate platforms.

The Space Pirates' Erudite Mogwai campaign is a stark reminder that no organization is immune to cyber espionage. With advanced malware like LuckyStrike Agent and customized hacking tools, APT groups continue to refine their tactics, making early detection more critical than ever. Russian IT firms—and high-tech industries worldwide—must stay vigilant against such stealthy and persistent threats.

February 27, 2025