G1014: LuminousMoth
LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.[1][2]
Analyst context for executives and security teams
LuminousMoth matters because ATT&CK links this espionage group to behaviors that can expose sensitive data, sustain access, and blend command-and-control or exfiltration into normal web and cloud activity. The supplied ATT&CK record describes targeting of high-profile organizations, including government entities, in Southeast Asia, and notes reported similarities with Mustang Panda; those details should be treated as intelligence context, not proof of current exposure. For leaders, the practical value is to validate whether email/link defenses, endpoint persistence monitoring, removable media controls, cloud-storage egress visibility, and incident response evidence collection can withstand this style of intrusion activity.
Executive priority
Prioritize this as a data protection and resilience question rather than a single malware question. The related techniques include spearphishing links, removable media replication, local data collection, archiving, C2 over web protocols, exfiltration over C2, and exfiltration to cloud storage. Executives should ask whether the organization can prove visibility across endpoints, email, identity/session activity, web egress, and sanctioned or unsanctioned cloud storage use. For regulated or government-adjacent environments, this also supports audit evidence around monitoring, access control, data loss prevention, and incident response readiness.
Technical view
ATT&CK does not provide a dedicated detection section for LuminousMoth, so SOC validation should be driven by the mapped software and techniques. Focus on Windows persistence and evasion behaviors tied to Scheduled Task, Registry Run Keys/Startup Folder, Modify Registry, DLL abuse, hidden files/directories, and legitimate-looking names or locations. Validate monitoring for PlugX and Cobalt Strike where those tools are relevant to local detections, while avoiding tool-name-only logic because Cobalt Strike is also used for authorized adversary simulation. For collection and exfiltration, correlate file and directory discovery, local data access, archive creation, unusual chunked transfers, web-protocol C2 patterns, and cloud-storage uploads. Include removable media telemetry because ATT&CK maps LuminousMoth to replication through removable media, which can be material for disconnected or segmented environments.
Likely telemetry
- Email security and web proxy logs for spearphishing links and user click-through activity
- Endpoint process creation, command-line, module load, file creation, and persistence telemetry
- Windows Task Scheduler, Registry, Run Key, and Startup Folder change logs
- File system telemetry for hidden files, suspicious archives, renamed or legitimate-looking binaries, and local data staging
- EDR or host telemetry for DLL abuse and signed or suspicious binaries
Detection direction
- Build detections around behavior chains, not only indicators: phishing link activity followed by tool transfer, persistence creation, discovery, collection, archive creation, and outbound transfer is higher value than any single event.
- Tune Windows detections for scheduled task creation, Run Key or Startup Folder persistence, registry modification, hidden files, suspicious DLL loading, and executables placed or named to resemble legitimate resources.
- Correlate discovery commands or file enumeration with subsequent archive creation and outbound web or cloud-storage traffic.
- Review cloud-storage egress baselines; exfiltration to common services can be missed when those services are broadly allowed for business use.
- Treat Cobalt Strike detections carefully: distinguish approved security testing infrastructure from unexpected beacons or post-exploitation behavior.
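As an added example (not code from the ATT&CK record or from Glexia), the correlation below puts the behaviour-chain idea from the Technical view and Detection direction sections into practice over constructed events: Run-key or scheduled-task persistence, two or more archive parts kept under the 5 MB limit noted in the techniques table, then an upload to cloud storage within one window. The event field names, the cloud-host list and the sample events are assumptions.

```python
import re
from collections import defaultdict
FIVE_MB = 5 * 1024 * 1024  # the split-archive threshold reported for this group (T1030)
# The real key name has no space; the ATT&CK procedure text renders it as "Current Version".
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
ARCHIVE_PART = re.compile(r"\.(rar|zip|7z)(\.part\d+|\.\d{3})?$", re.I)
CLOUD_HOSTS = {"drive.google.com", "www.googleapis.com", "content.dropboxapi.com"}  # assumed list

def classify(ev):
    """Map one event to a chain stage plus the ATT&CK ID from the techniques table."""
    t = ev["type"]
    if t == "registry_set" and RUN_KEY.search(ev["key"]):
        return "persistence", "T1547.001"
    if t == "process" and ev["image"].lower().endswith("schtasks.exe") and "/create" in ev["cmdline"].lower():
        return "persistence", "T1053.005"
    if t == "file_create" and ARCHIVE_PART.search(ev["path"]) and ev["size"] < FIVE_MB:
        return "staging", "T1560"
    if t == "http" and ev["method"] in ("POST", "PUT") and ev["dst"] in CLOUD_HOSTS:
        return "egress", "T1567.002"
    return None

def correlate(events, window=3600):
    """Alert when persistence, two or more sub-5MB archive parts and a cloud upload share a window."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            hits[ev["endpoint"]].append((ev["ts"], *stage))
    alerts = []
    for endpoint, seq in hits.items():
        for ts, kind, _ in seq:
            if kind != "egress":
                continue  # the upload is the anchor; look back from it
            recent = [h for h in seq if ts - window <= h[0] <= ts]
            seen = [h[1] for h in recent]
            if "persistence" in seen and seen.count("staging") >= 2:
                alerts.append({"endpoint": endpoint, "ts": ts, "techniques": sorted({h[2] for h in recent} | {"T1030"})})
                break  # one alert per endpoint per chain
    return alerts

SAMPLE = [  # constructed telemetry, not real logs; ws02 has persistence but no staged archive
    {"endpoint": "ws01", "ts": 100, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\igfxem"},
    *[{"endpoint": "ws01", "ts": 400 + i, "type": "file_create", "size": 4_900_000,
       "path": rf"C:\Users\u\AppData\Local\Temp\docs.rar.part{i}"} for i in (1, 2)],
    {"endpoint": "ws01", "ts": 900, "type": "http", "method": "POST", "dst": "www.googleapis.com"},
    {"endpoint": "ws02", "ts": 100, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn Update /tr C:\\ProgramData\\x.exe"},
    {"endpoint": "ws02", "ts": 900, "type": "http", "method": "POST", "dst": "www.googleapis.com"},
]
```

Only ws01 produces an alert: ws02 shows persistence and a cloud upload but no staged archive parts, so a single-event rule would fire on it while the chain rule does not.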
Mitigation priorities
- Reduce initial access risk by strengthening phishing-link protections, user reporting workflows, browser isolation or safe-link controls where used, and rapid triage of suspicious click events.
- Harden endpoint persistence paths: monitor and restrict unauthorized scheduled tasks, Registry Run Keys, Startup Folder entries, and suspicious registry modifications.
- Control removable media use according to business need, with logging and restrictions for sensitive or disconnected environments.
- Improve egress governance for web protocols and cloud storage: define allowed services, inspect or log proxy activity where appropriate, and alert on unusual upload patterns or destinations.
- Protect identity and session material by limiting browser/session exposure, enforcing strong authentication, and ensuring SaaS/session activity is logged for investigation.
Analyst notes and limits
The ATT&CK object identifies LuminousMoth as a Chinese-speaking cyber espionage group active since at least October 2020, with reported targeting of high-profile organizations including government entities in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. ATT&CK also notes that some researchers have concluded there is a connection to Mustang Panda based on similar targeting, TTPs, and infrastructure overlaps. This take uses the supplied ATT&CK relationships to PlugX, Cobalt Strike, and the listed techniques to frame defensive validation priorities.
Platforms and tactics are not specified on the intrusion-set object itself, and no official detection text is provided. Platform references in this take come only from related software and technique records. The supplied data supports defensive prioritization and telemetry validation, but not claims of current exploitation, specific victim exposure, guaranteed detection coverage, or definitive attribution beyond the official ATT&CK description.
LuminousMoth
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1539 | Steal Web Session Cookie | LuminousMoth has used an unnamed post-exploitation tool to steal cookies from the Chrome browser.[1] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | LuminousMoth has exfiltrated data to Google Drive.[2] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | LuminousMoth has sent spearphishing emails containing a malicious Dropbox download link.[1] |
| Enterprise | T1588.001 | Obtain Capabilities: Malware | LuminousMoth has obtained and used malware such as Cobalt Strike.[1][2] |
| Enterprise | T1030 | Data Transfer Size Limits | LuminousMoth has split archived files into multiple parts to bypass a 5 MB limit.[2] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | LuminousMoth has used malware to store malicious binaries in hidden directories on victims' USB drives.[1] |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | LuminousMoth has hosted malicious payloads on Dropbox.[1] |
| Enterprise | T1091 | Replication Through Removable Media | LuminousMoth has used malicious DLLs to spread malware to connected removable USB drives on infected machines.[1][2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | LuminousMoth has used malware that exfiltrates stolen data to its C2 server.[1] |
| Enterprise | T1608.004 | Stage Capabilities: Drive-by Target | LuminousMoth has redirected compromised machines to an actor-controlled webpage through HTML injection.[2] |
| Enterprise | T1608.005 | Stage Capabilities: Link Target | LuminousMoth has created a link to a Dropbox file that has been used in their spearphishing operations.[1] |
| Enterprise | T1587.001 | Develop Capabilities: Malware | LuminousMoth has used unique malware for information theft and exfiltration.[1][2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | LuminousMoth has used HTTP for C2.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | LuminousMoth has downloaded additional malware and tools onto a compromised host.[1][2] |
| Enterprise | T1557.002 | Adversary-in-the-Middle: ARP Cache Poisoning | LuminousMoth has used ARP spoofing to redirect a compromised machine to an actor-controlled website.[2] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | LuminousMoth has obtained an ARP spoofing tool from GitHub.[2] |
| Enterprise | T1005 | Data from Local System | LuminousMoth has collected files and data from compromised machines.[1][2] |
| Enterprise | T1204.001 | User Execution: Malicious Link | LuminousMoth has lured victims into clicking malicious Dropbox download links delivered through spearphishing.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | LuminousMoth has used legitimate executables such as `winword.exe` and `igfxem.exe` to side-load their malware.[1][2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | LuminousMoth has used malicious DLLs that set up persistence in the Registry key `HKCU\Software\Microsoft\Windows\Current Version\Run`.[1][2] |
| Enterprise | T1083 | File and Directory Discovery | LuminousMoth has used malware that scans for files in the Documents, Desktop, and Download folders and in other drives.[1][2] |
| Enterprise | T1033 | System Owner/User Discovery | LuminousMoth has used a malicious DLL to collect the username from compromised hosts.[2] |
| Enterprise | T1560 | Archive Collected Data | LuminousMoth has manually archived stolen files from victim machines before exfiltration.[2] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | LuminousMoth has disguised their exfiltration malware as `ZoomVideoApp.exe`.[1] |
| Enterprise | T1112 | Modify Registry | LuminousMoth has used malware that adds Registry keys for persistence.[1][2] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | LuminousMoth has created scheduled tasks to establish persistence for their tools.[2] |
| Enterprise | T1588.004 | Obtain Capabilities: Digital Certificates | LuminousMoth has used a valid digital certificate for some of their malware.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | LuminousMoth has signed their malware with a valid digital signature.[1] |
Groups, software, and campaigns
S0013: PlugX
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1d14c20bca59… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kaspersky LuminousMoth July 2021: Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
[2] Bitdefender LuminousMoth July 2021: Botezatu, B., et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
[3] mitre-attack: G1014 (ATT&CK external ID for this object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.